New and Changed Information
This table summarizes the new and changed features for the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x and tells you where they are documented.
| Feature | Description | Changed in Release | Where Documented |
|---|---|---|---|
| MACsec | Added MACsec support on N9K-X9732C-FX line cards. | NX-OS 7.0(3)I7(8) | |
| SSH Algorithm Support | The ssh ciphers and ssh kexalgos commands were modified. The aes256-gcm keyword was added to the ssh ciphers command and the ecdh-sha2-nistp384 keyword was added to the ssh kexalgos command. | NX-OS 7.0(3)I7(8) | |
| MACsec | Added the capability to drop CDP/LLDP packets whenever the MACsec configuration on a port with a must-secure policy is not in a secured state. | NX-OS 7.0(3)I7(7) | |
| MACsec | Added the ability to disable MACsec without removing the MACsec configurations for Cisco Nexus 9000 Series switches with N9K-X9732C-EXM and N9K-X9736C-FX line cards. | NX-OS 7.0(3)I7(4) | |
| IP ACLs | Added IPv6 wildcard mask support for access lists and object groups for Cisco Nexus 9200, 9300-EX, and 9300-FX/FX2/FXP switches and the Cisco Nexus 9364C switch. | NX-OS 7.0(3)I7(3) | |
| MACsec fallback key | Introduced this feature. | NX-OS 7.0(3)I7(3) | |
| SSH | Added new SSH commands for enabling legacy security algorithms. | NX-OS 7.0(3)I7(3) | |
| Unicast RPF | Introduced this feature for Cisco Nexus 9300 platform switches. | NX-OS 7.0(3)I7(3) | |
| Unicast RPF | Introduced this feature for Cisco Nexus 9500 Series switches with N9K-X9636C-R and N9K-X963Q-R line cards. | 7.0(3)F2(1) | Configuring Unicast RPF |
| MACsec | Introduced this feature for Cisco Nexus 9500 Series switches with the N9K-X9736C-FX line card. | 7.0(3)I7(2) | |
| 802.1X | Introduced this feature. | 7.0(3)I7(1) | |
| Traffic storm control | Added the ability to enable packets per second for Cisco Nexus 9500 Series switches with 94xx line cards and Cisco Nexus 9300 Series switches. | 7.0(3)I7(1) | |
| Option 82 | Introduced this feature. | 7.0(3)I7(1) | |
| First-hop security | Introduced this feature. | 7.0(3)I7(1) | |
| ACL TCAM regions | Added new ACL TCAM regions for the Cisco Nexus 9300-FX Series switches. | 7.0(3)I7(1) | |
| VACL redirect | Supports the VACL redirect option. | 7.0(3)I6(1) | |
| Storm control | Added support for configuring the traffic storm control rate for ARP packets entering a port channel. | 7.0(3)I6(1) | |
| IPv6 ACL/UDF ERSPAN | Added support for IPv6 ACLs with UDF-based match. | 7.0(3)I6(1) | |
| Egress rate-limiter | Added support for the hardware rate-limiter to show statistics for outbound traffic on SPAN egress ports. | 7.0(3)I6(1) | |
| Port security over vPC | Supports security on vPCs. | 7.0(3)I6(1) | |
| SSH | Changed the default value of the show ssh key command to display the fingerprint in SHA256 format by default and added the md5 option if you want to see the fingerprint in MD5 format. | 7.0(3)I6(1) | |
| DHCP | Added the ability to configure Option 82 to use encoded string format. | 7.0(3)I5(2) | |
| IPv4 ACLs | Added UDF-based match support for port ACLs. | 7.0(3)I5(2) | |
| IPv6 RA guard | Introduced this feature. | 7.0(3)I5(2) | |
| Port security | Introduced this feature. | 7.0(3)I5(1) | |
| SSH | Added support for X.509v3 certificate-based SSH authentication. | 7.0(3)I5(1) | |
| SSH | Changed the default value of the show ssh key command to display the fingerprint in SHA256 format by default and added the md5 option if you want to see the fingerprint in MD5 format. | 7.0(3)I4(6) | |
| AAA | Added the ability to log successful and failed login attempts. | 7.0(3)I4(1) | |
| CoPP | Changed the police CIR rate range to start with 0 to initiate a packet drop. | 7.0(3)I4(1) | |
| IP ACLs | Enabled access control entry (ACE) and ACL information to be displayed in the output of the show logging ip access-list cache command. | 7.0(3)I4(1) | |
| ACL TCAM regions | Added new ACL TCAM regions for the Cisco Nexus 9200 Series switches. | 7.0(3)I3(1) | |
| ACL TCAM templates | Added the ability to create and apply custom TCAM templates. | 7.0(3)I3(1) | |
| CoPP | Introduced static CoPP ACLs and new show commands for the Cisco Nexus 9200 Series switches. Also added default class maps for Cisco NX-OS Release 7.0(3)I3(1) and instructions for configuring the policer rate for the Cisco Nexus 9200 Series switches in bits per second (rather than in packets per second). | 7.0(3)I3(1) | |
| DHCP | Added the ability to program Option 82 with the VLAN + slot + port format. | 7.0(3)I3(1) | |
| IP ACLs | Added support for Cisco Nexus 9200 Series switches. | 7.0(3)I3(1) | |
| Keychain management | Added support for OSPFv2 HMAC-SHA authentication. | 7.0(3)I3(1) | |
| DHCP client | Added support for the Cisco Nexus 9500 Series switches. | 7.0(3)I2(2) | |
| User accounts | Added support for an underscore (_) as the first character in a username. | 7.0(3)I2(2) | |
| AAA | Introduced the following secure login features: | 7.0(3)I2(1) | |
| ACL TCAM regions | Added ACL TCAM regions for multicast PIM Bidir, network address translation (NAT), OpenFlow, sFlow, and static MPLS. Also added the ability to attach user-defined fields (UDFs) to the racl, ifacl, and vacl TCAM regions to configure UDF-based SPAN or ERSPAN. | 7.0(3)I2(1) | |
| CoPP | Changed the behavior of the no copp profile and no service-policy input commands. If you try to disable CoPP using one of these commands, an error message appears. If you enter these commands in previous releases, packets are rate limited at 50 packets per second. | 7.0(3)I2(1) | |
| CoPP | Removed the Skip CoPP policy option from the Cisco NX-OS initial setup utility. | 7.0(3)I2(1) | |
| DHCP client | Introduced this feature for Cisco Nexus 9300 Series switches. | 7.0(3)I2(1) | |
| IP ACLs | Added the ability to specify the length of the TCP options header in packets in HTTP method matches. | 7.0(3)I2(1) | |
| User Accounts | Introduced SHA256 hashing support for encrypted passwords. | 7.0(3)I2(1) | |
| DHCP relay | Added DHCP relay source interface support for IPv4. | 7.0(3)I1(2) | |
| DHCP snooping | Added support for multiple IP addresses with the same MAC address and VLAN in static binding entries. | 7.0(3)I1(2) | |
| Switchport Blocking | Introduced this feature. | 7.0(3)I1(2) | |
| ACL TCAM | Added ACL TCAM regions for DAI and IPSG. | 7.0(3)I1(1) | |
| DHCP snooping | Introduced this feature. | 7.0(3)I1(1) | |
| Dynamic ARP Inspection (DAI) | Introduced this feature. | 7.0(3)I1(1) | |
| IP Source Guard (IPSG) | Introduced this feature. | 7.0(3)I1(1) | |