Cisco Security Configuration Guide

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01.html

Feature

Description

Changed in Release

Where Documented

IP ACLs

Added IPv6 wildcard mask support for access lists and object groups for Cisco Nexus 9200, 9300-EX, and 9300-FX/FX2/FXP switches and the Cisco Nexus 9364C switch.

NX-OS 7.0(3)I7(3)

Creating an IP ACL

Creating and Changing an IPv6 Address Object Group

MACsec fallback key

Introduced this feature.

NX-OS 7.0(3)I7(3)

Configuring MACsec Fallback Key

SSH

Added new SSH commands for enabling legacy security algorithms.

NX-OS 7.0(3)I7(3)

Configuring Legacy SSH Algorithm Support

Unicast RPF

Introduced this feature for Cisco Nexus 9300 platform switches.

NX-OS 7.0(3)I7(3)

Configuring Unicast RPF

Configuring System ACLs

Added support for configuring system ACLs on Cisco Nexus 9500 Series switches with -R and -RX line cards.

7.0(3)F3(4)

About System ACLs

IPv4 PACLs

Added support for configuring IPv4 PACLs in the range of 12k to 64k on Cisco Nexus 9500 Series switches with -RX line cards.

7.0(3)F3(4)

Guidelines and Limitations for IP ACLs

Unicast RPF

Introduced this feature for Cisco Nexus 9500 Series switches with N9K-X9636C-R and N9K-X963Q-R line cards.

7.0(3)F2(1)

Configuring Unicast RPF

MACsec

Introduced this feature for Cisco Nexus 9500 Series switches with the N9K-X9736C-FX line card.

7.0(3)I7(2)

Configuring MACsec

802.1X

Introduced this feature.

7.0(3)I7(1)

Configuring 802.1X

Traffic storm control

Added the ability to enable packets per second for Cisco Nexus 9500 Series switches with 94xx line cards and Cisco Nexus 9300 Series switches.

7.0(3)I7(1)

Configuring Traffic Storm Control

Option 82

Introduced this feature.

7.0(3)I7(1)

DHCP Snooping Option 82 Data Insertion

First-hop security

Introduced this feature.

7.0(3)I7(1)

Configuring IPv6 First Hop Security

ACL TCAM regions

Added new ACL TCAM regions for the Cisco Nexus 9300-FX Series switches.

7.0(3)I7(1)

ACL TCAM Regions

VACL redirect

Supports the VACL redirect option.

7.0(3)I6(1)

Configuring VLAN ACLs

Storm control

Added support for configuring the traffic storm control rate for ARP packets entering a port channel.

7.0(3)I6(1)

Configuring IP ACLs

IPv6 ACL/UDF ERSPAN

Added support for IPv6 ACLs with UDF-based match.

7.0(3)I6(1)

Configuring IP ACLs

Egress rate-limiter

Added support for the hardware rate-limiter to show statistics for outbound traffic on SPAN egress ports.

7.0(3)I6(1)

Configuring Rate Limits

Port security over vPC

Supports security on vPCs.

7.0(3)I6(1)

Configuring Port Security

SSH

Changed the default value of the show ssh key command to display the fingerprint in SHA256 format by default and added the md5 option if you want to see the fingerprint in MD5 format.

7.0(3)I6(1)

Configuring SSH and Telnet

DHCP

Added the ability to configure Option 82 to use encoded string format.

7.0(3)I5(2)

Enabling or Disabling Option 82 for the DHCP Relay Agent

IPv4 ACLs

Added UDF-based match support for port ACLs.

7.0(3)I5(2)

ACL Types and Applications

IPv6 RA guard

Introduced this feature.

7.0(3)I5(2)

Configuring IPv6 RA Guard

Port security

Introduced this feature.

7.0(3)I5(1)

Configuring Port Security

SSH

Added support for X.509v3 certificate-based SSH authentication.

7.0(3)I5(1)

Configuring SSH and Telnet

SSH

Changed the default value of the show ssh key command to display the fingerprint in SHA256 format by default and added the md5 option if you want to see the fingerprint in MD5 format.

7.0(3)I4(6)

Configuring SSH and Telnet

AAA

Added the ability to log successful and failed login attempts.

7.0(3)I4(1)

Logging Successful and Failed Login Attempts

CoPP

Changed the police CIR rate range to start with 0 to initiate a packet drop.

7.0(3)I4(1)

Configuring a Control Plane Policy Map

IP ACLs

Enabled access control entry (ACE) and ACL information to be displayed in the output of the show logging ip access-list cache command.

7.0(3)I4(1)

Configuring IPv4 ACL Logging

ACL TCAM regions

Added new ACL TCAM regions for the Cisco Nexus 9200 Series switches.

7.0(3)I3(1)

ACL TCAM Regions

ACL TCAM templates

Added the ability to create and apply custom TCAM templates.

7.0(3)I3(1)

Using Templates to Configure ACL TCAM Region Sizes

CoPP

Introduced static CoPP ACLs and new show commands for the Cisco Nexus 9200 Series switches. Also added default class maps for Cisco NX-OS Release 7.0(3)I3(1) and instructions for configuring the policer rate for the Cisco Nexus 9200 Series switches in bits per second (rather than in packets per second).

7.0(3)I3(1)

Dynamic and Static CoPP ACLs

Verifying the CoPP Configuration

Default Class Maps - For Cisco NX-OS Release 7.0(3)I3(1)

Configuring a Control Plane Policy Map

DHCP

Added the ability to program Option 82 with the VLAN + slot + port format.

7.0(3)I3(1)

Enabling or Disabling Option 82 for the DHCP Relay Agent

IP ACLs

Added support for Cisco Nexus 9200 Series switches.

7.0(3)I3(1)

Guidelines and Limitations for IP ACLs

Keychain management

Added support for OSPFv2 HMAC-SHA authentication.

7.0(3)I3(1)

Configuring Keychain Management

DHCP client

Added support for the Cisco Nexus 9500 Series switches.

7.0(3)I2(2)

Configuring DHCP

User accounts

Added support for an underscore (_) as the first character in a username

7.0(3)I2(2)

Configuring User Accounts and RBAC

AAA

Introduced the following secure login features:

  • Ability to block login attempts and enforce a quiet period.

  • Ability to restrict the maximum login sessions per user.

  • Ability to restrict the password length

  • Ability to prompt the user to enter a password after entering the username

  • Ability to hide the shared secret used for RADIUS or TACACS+authentication or accounting

7.0(3)I2(1)

Configuring AAA

ACL TCAM regions

Added ACL TCAM regions for multicast PIM Bidir, network address translation (NAT), OpenFlow, sFlow, and static MPLS. Also added the ability to attach user-defined fields (UDFs) to the racl, ifacl, and vacl TCAM regions to configure UDF-based SPAN or ERSPAN.

7.0(3)I2(1)

ACL TCAM Regions

CoPP

Changed the behavior of the no copp profile and no service-policy input commands. If you try to disable CoPP using one of these commands, an error message appears. If you enter these commands in previous releases, packets are rate limited at 50 packets per seconds.

7.0(3)I2(1)

Configuring Control Plane Policing

CoPP

Removed the Skip CoPP policy option from the Cisco NX-OS initial setup utility.

7.0(3)I2(1)

Configuring Control Plane Policing

DHCP client

Introduced this feature for Cisco Nexus 9300 Series switches.

7.0(3)I2(1)

Configuring Control Plane Policing

IP ACLs

Added the ability to specify the length of the TCP options header in packets in HTTP method matches.

7.0(3)I2(1)

Configuring IP ACLs

User Accounts

Introduced SHA256 hashing support for encrypted passwords.

7.0(3)I2(1)

Configuring User Accounts and RBAC

DHCP relay

Added DHCP relay source interface support for IPv4.

7.0(3)I1(2)

Configuring DHCP

DHCP snooping

Added support for multiple IP addresses with the same MAC address and VLAN in static binding entries.

7.0(3)I1(2)

Configuring DHCP

Switchport Blocking

Introduced this feature.

7.0(3)I1(2)

Configuring Switchport Blocking

ACL TCAM

Added ACL TCAM regions for DAI and IPSG.

7.0(3)I1(1)

ACL TCAM Regions

DHCP snooping

Introduced this feature.

7.0(3)I1(1)

Configuring DHCP

Dynamic ARP Inspection (DAI)

Introduced this feature.

7.0(3)I1(1)

Configuring Dynamic ARP Inspection

IP Source Guard

(IPSG)

Introduced this feature.

7.0(3)I1(1)

Configuring IP Source Guard

阅读更多
版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/cnbird2008/article/details/79444128
上一篇OpenWPM
下一篇Microsoft 威胁情报平台
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭
关闭