Developer: Cisco Systems
Industries: Telecommunications and Communications
Technology: Routers, SCS, Data centers (data center technologies)
2024: Hackers hijacked Cisco switches for years through a hole present in the equipment as shipped from the factory
On July 1, 2024, Cisco announced the discovery of a zero-day vulnerability in its NX-OS operating system, which runs on Nexus series switches. Attackers are known to have used this flaw for years to take control of the American manufacturer's network equipment.
The problem, described in the CVE-2024-20399 bulletin, was reported by Sygnia, a company specializing in information security. The flaw lets an attacker execute arbitrary commands as root in the underlying operating system of the attacked device. It lies in the NX-OS command line interface, which data center administrators use to troubleshoot and perform maintenance on network equipment.
According to Sygnia's investigation, the vulnerability is being exploited by the Velvet Ant cyber group, which may be linked to China. After compromising a switch, the attackers plant previously unknown malware on it that downloads additional files and executes arbitrary code.
Cisco Nexus switches are widespread in corporate environments, especially in data centers, so successful attacks on such devices can have serious consequences. The problem affects the following devices:
- MDS 9000 Series Multilayer Switches;
- Nexus 3000 Series Switches;
- Nexus 5500 Platform Switches;
- Nexus 5600 Platform Switches;
- Nexus 6000 Series Switches;
- Nexus 7000 Series Switches;
- Nexus 9000 Series Switches in standalone NX-OS mode.
Cisco has released software updates that fix the vulnerability and recommends installing them as soon as possible.[1]
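The advisory above says the flaw sits in the NX-OS CLI and yields root on the underlying OS, so the two things a defender can act on immediately are (a) which devices in inventory fall into the affected families and (b) whether privileged CLI sessions on those devices show signs of shell abuse. The following Python is an added example, not code from the page, from Cisco or from Sygnia. The accounting-log lines, the admin source allowlist and the platform strings are constructed for this example; the log format only approximates NX-OS accounting output, and the shell-escape patterns are a heuristic starting point rather than a signature for this CVE.

```python
"""Added example: triage NX-OS accounting log lines and check affected platforms.

Not from the page or from Cisco. Log lines, allowlist and platform strings are
constructed; the line format only approximates NX-OS 'show accounting log'.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Product families the advisory lists as affected (taken from the page).
# Nexus 9000 counts only when running standalone NX-OS, not ACI mode.
AFFECTED_FAMILIES = ("MDS 9000", "Nexus 3000", "Nexus 5500", "Nexus 5600",
                     "Nexus 6000", "Nexus 7000", "Nexus 9000")

# Constructed allowlist: management networks admins normally log in from.
ADMIN_SOURCES = [ipaddress.ip_network("10.10.20.0/24")]

# Heuristic: shell metacharacters or shell-escape commands inside a
# configuration command from a privileged session merit analyst review.
# NX-OS itself joins config commands with " ; ", so ';' is deliberately excluded.
SHELL_HINTS = re.compile(r"`|\$\(|&&|\|\||\brun\s+bash\b|\bpython\b", re.IGNORECASE)

# Approximation of the NX-OS accounting line layout (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+):"
    r"user=(?P<user>[^:]*):cmd=(?P<cmd>.*?)(?:\s*\((?P<result>\w+)\))?$"
)

# Constructed sample log: one benign config change, then two from an
# unexpected source, one of which carries a shell escape.
SAMPLE_LOG = """\
Mon Jul  1 09:58:11 2024:type=start:id=10.10.20.5@pts/0:user=admin:cmd=
Mon Jul  1 09:58:40 2024:type=update:id=10.10.20.5@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/3 ; description uplink (SUCCESS)
Mon Jul  1 10:02:07 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=configure terminal ; hostname core-1`id` (SUCCESS)
Mon Jul  1 10:03:15 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=run bash (SUCCESS)
"""


@dataclass
class Finding:
    user: str
    src: str
    cmd: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one accounting line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_affected_platform(platform, aci_mode=False):
    """True if the platform string falls into a family the advisory lists as affected."""
    if platform.startswith("Nexus 9000") and aci_mode:
        return False  # the page lists Nexus 9000 only in standalone NX-OS mode
    return any(platform.startswith(family) for family in AFFECTED_FAMILIES)


def triage(lines):
    """Flag state-changing CLI commands that look like shell abuse or come from an unexpected source."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] != "update":
            continue  # only commands that changed device state
        reasons = []
        if SHELL_HINTS.search(rec["cmd"]):
            reasons.append("shell metacharacter or shell escape in CLI command")
        try:
            src_ip = ipaddress.ip_address(rec["src"])
            if not any(src_ip in net for net in ADMIN_SOURCES):
                reasons.append("privileged session from outside the admin network")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append(Finding(rec["user"], rec["src"], rec["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.src} {f.user} {f.cmd!r} -> {'; '.join(f.reasons)}")
    print("Nexus 9000 standalone affected:", is_affected_platform("Nexus 9000 Series"))
    print("Nexus 9000 in ACI mode affected:", is_affected_platform("Nexus 9000 Series", aci_mode=True))
```

Run against the constructed log, the benign change from the management network produces nothing, while both commands from 198.51.100.77 are reported, one of them for two reasons. In practice the allowlist comes from the AAA or bastion configuration and the accounting log is exported via syslog; the patch-state check still has to come from the version tables in Cisco's bulletin, which this example does not reproduce.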
2016: Cisco Nexus 9000
The Nexus 9000 is a Cisco Nexus 9000 series switch that provides the foundation for Application Centric Infrastructure (ACI).
On March 3, 2016, Cisco introduced Cisco HyperFlex Systems. The Nexus 9000 is part of this product line.
This family of switches provides high scalability, performance and energy efficiency. The company positions them as an ideal solution for the aggregation and access layers of large enterprise, service provider and cloud networks.
Features of Nexus 9000 switches:
- 100 Gb/s performance: 25% more non-blocking throughput at half the cost, with higher reliability and lower power consumption than comparable solutions;
- Real-time network telemetry at 100 Gb/s link speed, enabling NetFlow-based network security and troubleshooting across the fabric;
- 10x scalability in IP addresses and endpoints for cloud networks, supporting over a million containers per rack;
- Cloud services with adaptive capacity and congestion control that let customers keep guaranteed IP storage traffic, hyperconverged and converged infrastructures on a single unified fabric, halving application completion times compared to traditional platforms;
- Cloud economics that ease the move to hyperconverged infrastructure and to applications built on microservices and containers.
Opportunities
The 9000 series switches are available in a modular and fixed 10/40/100 Gb/s Ethernet configuration and are designed to operate in one of two modes:
- Cisco NX mode for backward compatibility and consistency with the current Cisco Nexus suite of solutions;
- ACI mode to take full advantage of services based on ACI infrastructure automation policies and features.
Support ACI
- Support for next-generation Cisco data centers built on an application-centric strategy.
- Simplify application deployment, ease of use, adaptability, and flexibility.
Programmability
- APIs for controlling the switch via remote procedure call (JSON or XML) over HTTP or HTTPS.
- Access to the Linux shell, with containers for hosting management and monitoring tools.
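The remote procedure call API mentioned above is what automation tooling talks to, and because it is offered over both HTTP and HTTPS the transport choice is a security decision: the same request carries administrator credentials. The Python below is an added example, not the page's or Cisco's code. It assumes the JSON-RPC form of the NX-API, posted to the `/ins` path with a `cli` method, and the sample response body is constructed; version strings and hostnames are placeholders.

```python
"""Added example: build and parse NX-API JSON-RPC messages, HTTPS only.

Not from the page or from Cisco. Assumes the JSON-RPC 2.0 flavour of NX-API
at the /ins path; the sample response below is constructed.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlparse

NXAPI_PATH = "/ins"  # NX-API endpoint path (assumed)

# Constructed response shaped like an NX-API reply to 'show version'.
SAMPLE_RESPONSE = json.dumps([
    {"jsonrpc": "2.0", "id": 1,
     "result": {"body": {"chassis_id": "Nexus9000 PLACEHOLDER Chassis",
                         "nxos_ver_str": "PLACEHOLDER-VERSION"}}}
])


def build_request(cmds, version=1):
    """Build a JSON-RPC 2.0 batch: one 'cli' call per CLI command, ids 1..n."""
    return [
        {"jsonrpc": "2.0", "method": "cli",
         "params": {"cmd": cmd, "version": version}, "id": i + 1}
        for i, cmd in enumerate(cmds)
    ]


def parse_response(text):
    """Map each JSON-RPC id back to its result body; raise instead of hiding errors."""
    data = json.loads(text)
    if isinstance(data, dict):  # a single call may come back as a bare object
        data = [data]
    bodies = {}
    for item in data:
        if "error" in item:
            raise RuntimeError(f"call {item.get('id')} failed: {item['error']}")
        bodies[item["id"]] = item["result"]["body"]
    return bodies


def send(url, cmds, user, password, cafile=None, timeout=10):
    """POST the batch to the switch, refusing plaintext HTTP so credentials never travel in the clear."""
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("NX-API credentials must only be sent over HTTPS")
    body = json.dumps(build_request(cmds)).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{u.netloc}{NXAPI_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/json-rpc",
                 "Authorization": f"Basic {token}"})
    # Default context verifies the server certificate; pass the enterprise
    # CA bundle via cafile rather than disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    print(json.dumps(build_request(["show version", "show interface brief"]), indent=1))
    print(parse_response(SAMPLE_RESPONSE)[1]["chassis_id"])
    try:
        send("http://switch.example.invalid", ["show version"], "admin", "placeholder")
    except ValueError as e:
        print("refused:", e)
```

The request builder and parser are pure functions, so they can be unit-tested offline; `send` is the only piece that touches the network and it enforces the HTTPS-only policy before any credential leaves the host. Read-only `show` commands are the right thing to automate this way; configuration changes through the same API should go through the same review and accounting as CLI changes.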
Scalability
- Up to 30 Tbit/s of non-blocking bandwidth with latency below 5 microseconds.
- Up to 1152 non-blocking 10 Gb/s Ethernet ports or 288 non-blocking 40 Gb/s Layer 2 and Layer 3 ports.
- Supports bridging, routing and gateway functions for VXLAN at wire rate.
High availability
- Full support for nondisruptive software updates (ISSUs) and nondisruptive software patches.
- A combination of Cisco and third-party ASICs for reliability and performance.
Energy efficiency
- A midplane-free chassis optimizes airflow and reduces power consumption.
- An optimized solution with fewer dedicated ICs reduces power consumption.
- 80 Plus Platinum Certified Power Supplies.
"The Cisco Nexus 9200 is a next-generation top-of-rack switch that pushes the boundaries of what is possible and surpasses the performance of existing solutions. These switches meet the needs of dense, hyperconverged applications with high compute power and intensive I/O, for which VCE VxRack Systems is intended. For example, it is not unusual for customers with hundreds or thousands of VxRack nodes to need millions of IOPS and hundreds of gigabits per second of system bandwidth. The Cisco Nexus 9200 solves this problem." (Trey Layton, Senior Vice President and Chief Technology Officer, VCE)
2014: Cisco Nexus 9500
The Cisco Nexus 9500 is a modular non-blocking Layer 2 and Layer 3 switch with 8 slots in a 13-rack-unit (13RU) chassis, with Ethernet and FCoE support and more than 30 Tbit/s of backplane throughput. It supports 1, 10 and 40 Gigabit Ethernet interfaces, with 100 Gigabit Ethernet to follow, through a comprehensive set of modular line cards.
The switch can be fitted with 1152 10 Gigabit Ethernet ports or 288 40 Gigabit Ethernet ports, which gives it enough capacity to serve both access and aggregation layer roles.
Figure: Cisco 9500 platform components, 2014
Cisco provides two modes of operation for Nexus 9000 series switches: organizations can run the Cisco NX-OS operating system for deployment in standard Cisco Nexus switch environments, or ACI mode.
Figure: Line cards can be combined in any configuration, 2015
Cisco Nexus 9500 Platform Expansion Modules
For internal connectivity, the Cisco Nexus 9500 platform uses a Clos architecture: line cards connect to expansion (fabric) modules installed at the rear. The Cisco Nexus 9508 supports up to six expansion modules, each providing 5.12 Tbit/s of packet forwarding. Every expansion module connects directly to every line card, and by balancing load across all expansion modules the architecture distributes capacity optimally within the chassis. With ACI-ready line cards only three expansion modules are required; six are required when using a non-blocking 36-port 40 Gigabit Ethernet line card.
Cisco Nexus 9500 Platform Supervisor Module
A pair of redundant supervisor modules controls the operation of the whole switch in active/standby mode with synchronized state. Each supervisor includes a quad-core CPU, 16 GB of RAM and a 64 GB solid-state drive (SSD) for boot and analytics data. The supervisor accepts external clock synchronization and provides management through several ports, including two USB ports, a serial console and a 10/100/1000 Mbps network port.
Cisco Nexus 9500 Platform System Controller
A redundant pair of system controllers offloads the supervisor modules by taking over chassis management functions. It manages the power supplies and fan trays and is the central point of the out-of-band Gigabit Ethernet channel (EOBC) that connects supervisors, expansion modules and line cards.
Cisco Nexus 9500 Platform Power Supplies
The Cisco Nexus 9508 supports up to eight hot-swappable, front-accessible power supplies. When fully loaded, the chassis can run on two 3000 W AC power supplies, and N+1 and N+N redundancy modes are available. The 3000 W AC power supply is 80 Plus Platinum certified and is more than 90% efficient under typical loads. The additional four power supply slots are not needed with current line cards; they are left free to accommodate future line cards and higher performance.
Cisco Nexus 9500 Platform Fan Bays
The three hot-swappable fan trays provide front-to-back cooling. Each fan tray covers two expansion modules and must be removed to access them.
Deployment scenarios
The Cisco Nexus 9508 is a versatile data center switching platform. It can serve as an end-of-row access layer switch, as an aggregation layer switch in a standard hierarchical network architecture, with or without Cisco I/O modules, and as a leaf or spine switch in a scale-out leaf-spine architecture.
End-of-row access layer switch
The Cisco Nexus 9508 can be configured as an end-of-row access layer switch. It can connect to almost any blade or rack server over 100 Megabit Ethernet, 1 Gigabit Ethernet and 10 Gigabit Ethernet, including:
- Third-party rack servers and individual Cisco Unified Computing System (Cisco UCS) rack servers
- Third-party blade server chassis with embedded switches or pass-through modules
- Cisco UCS
The switch simplifies upgrades from the Cisco Catalyst 6500 series by bringing end-of-row functionality, reliability, scalability and availability to Cisco NX-OS-based platforms. Because it supports 100 Megabit, 1 Gigabit and 10 Gigabit Ethernet over copper cabling, servers or racks can be migrated from 1 to 10 Gigabit Ethernet one at a time.
Each Cisco Nexus 9508 fitted with eight 48-port 1/10GBASE-T line cards can serve up to 384 servers, with thirty-two 40 Gigabit Ethernet uplinks to the spine for server access or aggregation layer connectivity.
Figure: Nexus 9500 design presentation, 2015
2013: Cisco Nexus 5500
The Cisco Nexus 5500 is a multilayer, multiprotocol, multipurpose fabric switch. It operates on Ethernet standards and can carry any type of traffic over a single data center platform.
Cisco Nexus 5500 switches offer industry-leading 10 GbE port density in a standard rack; the higher density speeds up management and saves energy.
2008: Cisco Nexus 1000V
In 2008 the Nexus 1000V was released as a distributed virtual switch (vSwitch) for the VMware vSphere environment. By 2013 the product had become an industry platform for cloud computing and services, allowing virtualization solutions for multi-tenant networks to scale (using VXLAN) across various hypervisors.
Nexus 1000V became the industry's first platform with service chaining, service forwarding and service offload features based on vPath technology.
The Nexus 1000V Advanced Edition includes a purpose-built Virtual Security Gateway firewall that works with virtual machine attributes. The range of Nexus 1000V virtual services is being expanded with solutions such as Cisco Cloud Services Router, Citrix NetScaler 1000V, vWAAS, ASA 1000V Cloud Firewall and Cisco Prime vNAM.
Nexus 1000V allows a private cloud or physical data center to be securely extended by moving part of its functions to external cloud service providers using Nexus 1000V InterCloud, while preserving all internal policies and virtual services in the public cloud. Its functionality covers almost all network layers, from Layer 2 to Layer 7, and includes integration with hybrid clouds.
Network Virtualization Support
Cisco developed VXLAN technology and in August 2011 made it available to industry partners, enabling the development of an open IETF standard. The L2-LISP frame format became the standard for VXLAN frames. As of August 22, 2013, VXLAN was widely adopted in the industry and formed the basis of the leading network virtualization solutions. Nexus 1000V was the first platform in the industry to support VXLAN (since January 2012). Cisco now also plans to support NVGRE for the Microsoft Hyper-V environment.
Nexus 1000V is the first platform with a VXLAN-VLAN gateway, supporting interworking between VXLAN segments and physical VLAN segments and full compatibility between physical and virtual workloads and infrastructures.
The Nexus 1000V pioneered improvements to the IETF VXLAN standard, including operation without multicast. Nexus 1000V scales well: it can support more than 16 thousand VXLAN segments, several thousand tenants and up to 32 thousand virtual machines per pair of virtual supervisor modules (VSMs).
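The VXLAN-VLAN gateway and the segment counts in the passages above both come down to the encapsulation format: a 24-bit VXLAN Network Identifier (VNI) carried in an 8-byte header in front of the inner Ethernet frame, which is why segment counts run into the tens of thousands and beyond where 802.1Q VLANs stop at 4094. The Python below is an added example, not the page's or Cisco's code; it encapsulates and decodes the VXLAN header and applies a constructed VNI-to-VLAN gateway table. The frame bytes and the table are constructed, and the parser rejects malformed headers (truncated, or VNI flag clear) instead of guessing, which is the behaviour a monitoring tool on the fabric should have.

```python
"""Added example: VXLAN header build/parse and a VNI-to-VLAN gateway lookup.

Not from the page or from Cisco. Frame bytes and the gateway table are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned destination UDP port for VXLAN
VXLAN_FLAG_I = 0x08     # "VNI valid" flag bit in the first header byte
VNI_BITS = 24
MAX_SEGMENTS = 1 << VNI_BITS   # 16,777,216 possible VXLAN segments
MAX_VLANS = 4094               # usable 802.1Q VLAN ids (1..4094)

# Constructed gateway table: which physical VLAN each VXLAN segment bridges to.
VNI_TO_VLAN = {5001: 101, 5002: 102}


def build_vxlan_frame(vni, inner_frame):
    """Encapsulate an inner Ethernet frame: 8-byte VXLAN header + inner frame."""
    if not 0 <= vni < MAX_SEGMENTS:
        raise ValueError("VNI is a 24-bit field")
    # Header layout: flags (1 byte), 3 reserved bytes, VNI (3 bytes), 1 reserved byte.
    # Packing vni << 8 into a 32-bit field places the VNI in the upper 3 bytes.
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def parse_vxlan(payload):
    """Return (vni, inner_frame) from a VXLAN UDP payload; reject malformed headers."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set; not a valid VXLAN header")
    return vni_field >> 8, payload[8:]


def inner_mac_and_vlan(inner_frame):
    """Decode the inner frame's destination MAC, source MAC and 802.1Q VLAN id (None if untagged)."""
    if len(inner_frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    dst = inner_frame[0:6].hex(":")
    src = inner_frame[6:12].hex(":")
    ethertype = struct.unpack("!H", inner_frame[12:14])[0]
    vlan = None
    if ethertype == 0x8100 and len(inner_frame) >= 18:
        tci = struct.unpack("!H", inner_frame[14:16])[0]
        vlan = tci & 0x0FFF
    return dst, src, vlan


def gateway_vlan(vni):
    """Gateway decision: the physical VLAN a VNI maps to, or None if unmapped (drop and log)."""
    return VNI_TO_VLAN.get(vni)


if __name__ == "__main__":
    # Constructed inner frame: dst MAC, src MAC, IPv4 ethertype, two payload bytes.
    inner = bytes.fromhex("020000000001" "020000000002" "0800" "4500")
    frame = build_vxlan_frame(5001, inner)
    vni, decoded = parse_vxlan(frame)
    print(f"VNI {vni} -> VLAN {gateway_vlan(vni)}; inner {inner_mac_and_vlan(decoded)}")
    print(f"{MAX_SEGMENTS} VXLAN segments vs {MAX_VLANS} VLANs")
```

The same decoder, fed the UDP payload of packets captured on port 4789, gives a fabric monitor the tenant (VNI) behind every inner MAC, and the explicit `None` from `gateway_vlan` is the place to log traffic arriving for a segment the gateway was never told about.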
Flexibility, integration
Initially, the Nexus 1000V was aimed at network administrators and from day one supported the familiar NX-OS command line interface and XML/NETCONF interfaces.
The platform has since evolved to include REST APIs for automation as well as PowerShell support for the Microsoft Hyper-V environment.
Nexus 1000V integrates with various management platforms, including Cisco Data Center Network Manager (DCNM), which simplifies data center network management.
Platform
The Nexus 1000V runs Cisco NX-OS, one of the most widely used operating systems for data center networks. It can be installed independently of Cisco Nexus physical switches and Cisco UCS servers, in any infrastructure and on any vendor's network.
Advantages
- Nexus 1000V is the best virtual switching platform for network services at Layers 3 to 7;
- The Nexus 1000V is the only platform that works really well in environments with many different hypervisors, offering consistent functionality across all popular hypervisors, including ESX, Hyper-V, KVM and Xen;
- Nexus 1000V supports the most advanced functionality required by enterprise customers and cloud operators, including advanced VXLAN features and innovative vPath service insertion technology;
- Nexus 1000V is the only cloud network platform that provides seamless integration of physical and virtual services within a single operating model, with visibility of all network functions and unified diagnostics.
Editions
Two editions of the Nexus 1000V switch are available. The free Essential edition includes all the features, such as VXLAN and vPath, required for a high-end cloud networking environment.
The Advanced edition adds information security features, free Virtual Security Gateway firewall licenses, and VXLAN-VLAN gateways.
Figure: Nexus 1000V highly integrated switch