DSCP marking for RADIUS packets for administrative sessions

Allows you to configure DSCP marking for RADIUS packets for administrative sessions such as SSH and Telnet.

(Network Essentials)

Interface ID Option in DHCPv6 Relay Message

Introduces support for interface ID option in DHCPv6 Relay message. With this, the physical interface details of the client interface are included along with the VLAN number in the message.

(Network Essentials and Network Advantage)

Interface Template Support for IPv6 DHCP Guard

Enables you to add the ipv6 dhcp guard attach-policy policy_name global configuration command to an interface template. IPv6 DHCP Guard is then enabled and the policy is applied, wherever the template is applied.

(Network Advantage)

IP DHCP Server Changes to Limit IP Assignment to Next Hop only

Allows you to assign DHCP IP address only to the neighbouring device in an interface using the ip dhcp restrict next hop command. When this command is enabled, the DHCP server in the interface uses the MAC addresses in the DHCP packet and compares it with the addresses in the Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) cache table. If the MAC addresses match, then the DHCP IP address is assigned to that device.

(Network Advantage)

Modified Trustpoints for Secure Unique Device Identity (SUDI) Certificates

Starting from Cisco IOS XE Dublin 17.12.1, the following changes have been introduced for trustpoints.

• Trustpoint names for existing SUDI certificates

  If your device supports Cisco Manufacturing CA III certificate and is not disabled, the trustpoint names are as follows.

  • For Cisco Manufacturing CA III certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA3_SUDI

  • For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA2_SUDI

  If your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled using no platform sudi cmca3 command, the trustpoint names are as follows.

  • For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA2_SUDI

  • For Cisco Manufacturing CA certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA_SUDI

• Hardware SUDI certificates

  • If your device supports High Assurance SUDI CA certificate, this certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

  • If your device does not support High Assurance SUDI CA certificate, ACT2 SUDI CA certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

• show ip http server status command output

  If you configure the trustpoint for the HTTP server as CISCO_IDEVID_SUDI, the output of show ip http server status command displays the operating trustpoint along with the configured trustpoint.

  The following example shows a sample output of show ip http server status command with both the configured and the operating trustpoint names. Note that if your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled, the operating trustpoint in the below output displays CISCO_IDEVID_CMCA2_SUDI.

  Device# show ip http server status
  …
  HTTP secure server trustpoint: CISCO_IDEVID_SUDI
  HTTP secure server operating trustpoint: CISCO_IDEVID_CMCA3_SUDI
  

  (Network Essentials)

Programmability:

• NETCONF-SSH Algorithms

• YANG Data Models

The following programmability features are introduced in this release:

• NETCONF-SSH Algorithms: The NETCONF-SSH server configuration file contains the list of all supported algorithms. From this release onwards, you can enable or disable these algorithms at runtime by using Cisco IOS commands or YANG models.

  (Network Essentials)

• YANG Data Models: For the list of Cisco IOS XE YANG models available with this release, navigate to: https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/17121.

  (Network Advantage)

show idprom tan command

The show idprom tan command was introduced. It displays the top assembly part number and top assembly part revision number for the identification programmable read-only memory.

There are no new WebUI features in this release.