Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x: New and Changed Information

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01.html

| Feature | Description | Changed in Release | Where Documented |
|---|---|---|---|
| IP ACLs | Added IPv6 wildcard mask support for access lists and object groups on Cisco Nexus 9200, 9300-EX, and 9300-FX/FX2/FXP switches and the Cisco Nexus 9364C switch. | 7.0(3)I7(3) | Creating an IP ACL; Creating and Changing an IPv6 Address Object Group |
| MACsec fallback key | Introduced this feature. | 7.0(3)I7(3) | Configuring MACsec Fallback Key |
| SSH | Added new SSH commands for enabling legacy security algorithms. | 7.0(3)I7(3) | Configuring Legacy SSH Algorithm Support |
| Unicast RPF | Introduced this feature for Cisco Nexus 9300 platform switches. | 7.0(3)I7(3) | Configuring Unicast RPF |
| System ACLs | Added support for configuring system ACLs on Cisco Nexus 9500 Series switches with -R and -RX line cards. | 7.0(3)F3(4) | About System ACLs |
| IPv4 PACLs | Added support for configuring IPv4 PACLs in the range of 12K to 64K entries on Cisco Nexus 9500 Series switches with -RX line cards. | 7.0(3)F3(4) | Guidelines and Limitations for IP ACLs |
| Unicast RPF | Introduced this feature for Cisco Nexus 9500 Series switches with N9K-X9636C-R and N9K-X9636Q-R line cards. | 7.0(3)F2(1) | Configuring Unicast RPF |
| MACsec | Introduced this feature for Cisco Nexus 9500 Series switches with the N9K-X9736C-FX line card. | 7.0(3)I7(2) | Configuring MACsec |
| 802.1X | Introduced this feature. | 7.0(3)I7(1) | Configuring 802.1X |
| Traffic storm control | Added the ability to specify the storm control threshold in packets per second for Cisco Nexus 9500 Series switches with 94xx line cards and Cisco Nexus 9300 Series switches. | 7.0(3)I7(1) | Configuring Traffic Storm Control |
| Option 82 | Introduced this feature. | 7.0(3)I7(1) | DHCP Snooping Option 82 Data Insertion |
| First-hop security | Introduced this feature. | 7.0(3)I7(1) | Configuring IPv6 First Hop Security |
| ACL TCAM regions | Added new ACL TCAM regions for the Cisco Nexus 9300-FX Series switches. | 7.0(3)I7(1) | ACL TCAM Regions |
| VACL redirect | Added support for the VACL redirect option. | 7.0(3)I6(1) | Configuring VLAN ACLs |
| Storm control | Added support for configuring the traffic storm control rate for ARP packets entering a port channel. | 7.0(3)I6(1) | Configuring Traffic Storm Control |
| IPv6 ACL/UDF ERSPAN | Added support for IPv6 ACLs with UDF-based match. | 7.0(3)I6(1) | Configuring IP ACLs |
| Egress rate-limiter | Added support for the hardware rate-limiter to show statistics for outbound traffic on SPAN egress ports. | 7.0(3)I6(1) | Configuring Rate Limits |
| Port security over vPC | Added support for port security on vPCs. | 7.0(3)I6(1) | Configuring Port Security |
| SSH | Changed the show ssh key command to display the key fingerprint in SHA256 format by default and added the md5 option for displaying the fingerprint in MD5 format. | 7.0(3)I6(1) | Configuring SSH and Telnet |
| DHCP | Added the ability to configure Option 82 to use the encoded string format. | 7.0(3)I5(2) | Enabling or Disabling Option 82 for the DHCP Relay Agent |
| IPv4 ACLs | Added UDF-based match support for port ACLs. | 7.0(3)I5(2) | ACL Types and Applications |
| IPv6 RA guard | Introduced this feature. | 7.0(3)I5(2) | Configuring IPv6 RA Guard |
| Port security | Introduced this feature. | 7.0(3)I5(1) | Configuring Port Security |
| SSH | Added support for X.509v3 certificate-based SSH authentication. | 7.0(3)I5(1) | Configuring SSH and Telnet |
| SSH | Changed the show ssh key command to display the key fingerprint in SHA256 format by default and added the md5 option for displaying the fingerprint in MD5 format. | 7.0(3)I4(6) | Configuring SSH and Telnet |
| AAA | Added the ability to log successful and failed login attempts. | 7.0(3)I4(1) | Logging Successful and Failed Login Attempts |
| CoPP | Changed the police CIR rate range to start at 0, so that a CIR of 0 drops the matching packets. | 7.0(3)I4(1) | Configuring a Control Plane Policy Map |
| IP ACLs | Enabled access control entry (ACE) and ACL information to be displayed in the output of the show logging ip access-list cache command. | 7.0(3)I4(1) | Configuring IPv4 ACL Logging |
| ACL TCAM regions | Added new ACL TCAM regions for the Cisco Nexus 9200 Series switches. | 7.0(3)I3(1) | ACL TCAM Regions |
| ACL TCAM templates | Added the ability to create and apply custom TCAM templates. | 7.0(3)I3(1) | Using Templates to Configure ACL TCAM Region Sizes |
| CoPP | Introduced static CoPP ACLs and new show commands for the Cisco Nexus 9200 Series switches. Also added default class maps for Cisco NX-OS Release 7.0(3)I3(1) and instructions for configuring the policer rate for the Cisco Nexus 9200 Series switches in bits per second (rather than in packets per second). | 7.0(3)I3(1) | Dynamic and Static CoPP ACLs; Verifying the CoPP Configuration; Default Class Maps - For Cisco NX-OS Release 7.0(3)I3(1); Configuring a Control Plane Policy Map |
| DHCP | Added the ability to program Option 82 with the VLAN + slot + port format. | 7.0(3)I3(1) | Enabling or Disabling Option 82 for the DHCP Relay Agent |
| IP ACLs | Added support for Cisco Nexus 9200 Series switches. | 7.0(3)I3(1) | Guidelines and Limitations for IP ACLs |
| Keychain management | Added support for OSPFv2 HMAC-SHA authentication. | 7.0(3)I3(1) | Configuring Keychain Management |
| DHCP client | Added support for the Cisco Nexus 9500 Series switches. | 7.0(3)I2(2) | Configuring DHCP |
| User accounts | Added support for an underscore (_) as the first character in a username. | 7.0(3)I2(2) | Configuring User Accounts and RBAC |
| AAA | Introduced the following secure login features: blocking login attempts and enforcing a quiet period; restricting the maximum number of login sessions per user; restricting the password length; prompting for the password only after the username has been entered; hiding the shared secret used for RADIUS or TACACS+ authentication or accounting. | 7.0(3)I2(1) | Configuring AAA |
| ACL TCAM regions | Added ACL TCAM regions for multicast PIM Bidir, network address translation (NAT), OpenFlow, sFlow, and static MPLS. Also added the ability to attach user-defined fields (UDFs) to the racl, ifacl, and vacl TCAM regions to configure UDF-based SPAN or ERSPAN. | 7.0(3)I2(1) | ACL TCAM Regions |
| CoPP | Changed the behavior of the no copp profile and no service-policy input commands: attempting to disable CoPP with either command now returns an error. In previous releases the commands were accepted and control-plane traffic was then rate limited at 50 packets per second. | 7.0(3)I2(1) | Configuring Control Plane Policing |
| CoPP | Removed the Skip CoPP policy option from the Cisco NX-OS initial setup utility. | 7.0(3)I2(1) | Configuring Control Plane Policing |
| DHCP client | Introduced this feature for Cisco Nexus 9300 Series switches. | 7.0(3)I2(1) | Configuring DHCP |
| IP ACLs | Added the ability to specify the length of the TCP options header in HTTP method matches. | 7.0(3)I2(1) | Configuring IP ACLs |
| User accounts | Introduced SHA256 hashing support for encrypted passwords. | 7.0(3)I2(1) | Configuring User Accounts and RBAC |
| DHCP relay | Added DHCP relay source interface support for IPv4. | 7.0(3)I1(2) | Configuring DHCP |
| DHCP snooping | Added support for multiple IP addresses with the same MAC address and VLAN in static binding entries. | 7.0(3)I1(2) | Configuring DHCP |
| Switchport blocking | Introduced this feature. | 7.0(3)I1(2) | Configuring Switchport Blocking |
| ACL TCAM | Added ACL TCAM regions for DAI and IPSG. | 7.0(3)I1(1) | ACL TCAM Regions |
| DHCP snooping | Introduced this feature. | 7.0(3)I1(1) | Configuring DHCP |
| Dynamic ARP Inspection (DAI) | Introduced this feature. | 7.0(3)I1(1) | Configuring Dynamic ARP Inspection |
| IP Source Guard (IPSG) | Introduced this feature. | 7.0(3)I1(1) | Configuring IP Source Guard |
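The table above is only useful if you can tell whether the release a switch actually runs includes a given feature. NX-OS 7.x release strings such as 7.0(3)I7(3) do not sort as plain version numbers, and the table mixes two trains (the I train and the F train for 9500 -R/-RX line cards) whose numbers are not comparable with each other. The following is an added example, not code from Cisco or from this guide: it parses release strings, orders them only within the same train, and checks a constructed subset of the table's "Introduced" rows against a running release. The release-string shape and the same-train rule are assumptions made here; the page itself does not state them.

```python
"""Check a running NX-OS 7.x release against the feature-introduction table.

Added example, not Cisco's code. Assumptions (not stated on the page):
a release string has the shape MAJOR.MINOR(MAINT)TRAIN<N>(<M>), for example
"7.0(3)I7(3)", and releases are orderable only within the same train letter.
"""
import re
from typing import Dict, List, Optional, Tuple

Release = Tuple[int, int, int, str, int, int]

# Accept an optional "NX-OS " prefix, as some cells of the table carry it.
_RELEASE_RE = re.compile(
    r"^(?:NX-OS\s+)?(\d+)\.(\d+)\((\d+)\)([A-Z])(\d+)\((\d+)\)$"
)

# Constructed subset of the table above: feature -> first release that has it.
FEATURE_INTRODUCED: Dict[str, str] = {
    "Unicast RPF (Nexus 9300)": "NX-OS 7.0(3)I7(3)",
    "Unicast RPF (Nexus 9500 -R line cards)": "7.0(3)F2(1)",
    "802.1X": "7.0(3)I7(1)",
    "IPv6 RA guard": "7.0(3)I5(2)",
    "Port security": "7.0(3)I5(1)",
    "Login attempt logging (AAA)": "7.0(3)I4(1)",
    "Dynamic ARP Inspection (DAI)": "7.0(3)I1(1)",
    "SHA256 password hashing": "7.0(3)I2(1)",
}


def parse_release(text: str) -> Release:
    """Parse "7.0(3)I7(3)" into (7, 0, 3, "I", 7, 3); reject anything else."""
    m = _RELEASE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised NX-OS release string: {text!r}")
    major, minor, maint, train, train_ver, train_maint = m.groups()
    return (int(major), int(minor), int(maint), train,
            int(train_ver), int(train_maint))


def is_at_least(running: str, required: str) -> Optional[bool]:
    """True/False when both releases are on the same train, None otherwise.

    Ordering key: the base version first, then the train-specific numbers.
    """
    r, q = parse_release(running), parse_release(required)
    if r[3] != q[3]:
        return None
    return (r[:3], r[4:]) >= (q[:3], q[4:])


def available_features(running: str) -> Dict[str, str]:
    """Map each feature to "yes", "no", or "n/a (different train)"."""
    verdicts: Dict[str, str] = {}
    for feature, first in FEATURE_INTRODUCED.items():
        ok = is_at_least(running, first)
        if ok is None:
            verdicts[feature] = "n/a (different train)"
        else:
            verdicts[feature] = "yes" if ok else "no"
    return verdicts


def missing_features(running: str) -> List[str]:
    """Features the table lists that this release (same train) does not have."""
    return [f for f, v in available_features(running).items() if v == "no"]


if __name__ == "__main__":
    for release in ("7.0(3)I5(2)", "7.0(3)F3(4)"):
        print(release)
        for feature, verdict in available_features(release).items():
            print(f"  {verdict:<22} {feature}")
        print("  missing:", missing_features(release))
```

Returning None rather than False for a cross-train comparison is deliberate: a 9500 running the F train is not "missing" 802.1X in the sense of needing an upgrade, it is simply not covered by that row, and a script that silently reported "no" would send someone chasing an upgrade path that does not exist.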
