Book excerpt from NX-OS and Cisco Nexus Switching

Excerpt from NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures.

Page 2 of 5
  • Controller Processor (CP)/Supervisor: Has both the management plane and control plane and is critical to the operation of the network.

  • Connectivity Management Processor (CMP): Provides a second network interface to the device for use even when the CP is not reachable. The CMP interface is used for out-of-band management and monitoring; the CMP interface is independent from the primary operating system.

  • MGMT0: Provides true out-of-band management through a dedicated interface and VRF to ensure 100 percent isolation from both the control plane and the data plane. MGMT0 enables you to manage the device by the IPv4 or IPv6 address on the MGMT0 interface; mgmt0 is a 10/100/1000 Ethernet interface. When implementing virtual port-channel (vPC), a best practice is to use the MGMT0 interface for the vPC keepalive link.

  • Telnet: Provides an insecure management connection to the NX-OS device.

  • SSH: Provides a secure management connection to the NX-OS device.

  • Extensible Markup Language (XML) management interfaces: Use the XML-based Network Configuration Protocol (NETCONF), which enables management, monitoring, and communication over the interface with an XML management tool or program.

  • Simple Network Management Protocol (SNMP): Used by management systems to monitor and configure devices via a set of standards for communication over the TCP/IP protocol.

Controller Processor (Supervisor Module)

The Cisco Nexus 7000 series supervisor module is designed to deliver scalable control plane and management functions for the Cisco Nexus 7000 Series chassis. The Nexus 7000 supervisor module is based on an Intel dual-core processor that enables a scalable control plane. The supervisor module controls the Layer 2 and Layer 3 services, redundancy capabilities, configuration management, status monitoring, power, and environmental management. The supervisor module also provides centralized arbitration to the system fabric for all line cards. The fully distributed forwarding architecture enables the supervisor to support transparent upgrades to I/O and fabric modules with higher forwarding capacity. Two supervisors are required for a fully redundant system, with one supervisor module running as the active device and the other in hot standby mode, providing exceptional high-availability features in data center-class products. Additional features and benefits of the Nexus 7000 supervisor modules that meet demanding data center requirements follow:

  • Active and standby supervisor.

  • In-Service Software Upgrade (ISSU) with dual supervisor modules.

  • Virtual output queuing (VoQ), which is a quality of service (QoS)-aware lossless fabric, avoids the problems associated with head-of-line blocking.

  • USB interfaces that enable access to USB flash memory devices for software image loading and recovery.

  • Central arbitration that provides symmetrical control of the flow of traffic through the switch fabric helps ensure transparent switchover with no losses.

  • Segmented and redundant out-of-band provisioning and management paths.

  • Virtualization of the management plane via Virtual Device Contexts (vDC).

  • Integrated diagnostics and protocol decoding with an embedded control plane packet analyzer based on the open source Wireshark project. (No additional licenses are required.)

  • Fully decoupled control plane and data plane with no hardware forwarding on the module.

  • Distributed forwarding architecture, enabling independent upgrades of the supervisor and fabric.

  • Central arbitration and VoQ together enable Unified Fabric.

  • Transparent upgrade capacity and capability; designed to support 40-Gigabit and 100-Gigabit Ethernet.

  • System locator and beacon LEDs for simplified operations.

  • Dedicated out-of-band management processor for “lights out” management.

Connectivity Management Processor (CMP)

The supervisor incorporates an innovative dedicated connectivity management processor (CMP) to support remote management and troubleshooting of the complete system. The CMP provides a complete out-of-band management and monitoring capability independent from the primary operating system. The CMP enables lights out management of the supervisor module, all modules, and the Cisco Nexus 7000 Series system without the need for separate terminal servers with the associated additional complexity and cost. The CMP delivers the remote control through its own dedicated processor, memory, and boot flash memory and a separate Ethernet management port. The CMP can reset all system components, including power supplies; it can also reset the host supervisor module to which it is attached, enabling a complete system restart.

The CMP offers many benefits, including the following:

  • Dedicated processor and memory, and boot flash.

  • The CMP can reset all system components, including power and the supervisor module, and can initiate a complete system restart.

  • An independent remote system management and monitoring capability enables lights out management of the system.

  • Remote monitoring of supervisor status and initiation of resets, which removes the need for separate terminal server devices for out-of-band management.

  • System reset while retaining out-of-band Ethernet connectivity, which reduces the need for onsite support during system maintenance.

  • Capability to remotely view boot-time messages during the entire boot process.

  • Capability to initiate a complete system power shutdown and restart, which eliminates the need for local operator intervention to reset power for devices.

  • Login authentication, which provides secure access to the out-of-band management environment.

  • Access to supervisor logs that enables rapid detection and prevention of potential system problems.

  • Capability to take full console control of the supervisor.

  • Complete control is delivered to the operating environment.

Example 1-5 shows how to connect to the CMP interface and lists the show commands available from it. Note the escape sequence “~,” that returns you to the main NX-OS interface. You can also connect from the CMP back to the CP module.

Example 1-5  Connecting to the CMP Interface, Displaying Available show Commands

N7010-1# attach cmp
Connected
Escape character is ‘~,’ [tilde comma]
N7010-1-cmp5 login: admin
Password:
Last login: Tue Aug 11 23:58:12 2009 on ttyS1
N7010-1-cmp5# attach cp
This command will disconnect the front-panel console on this supervisor, and will clear all console attach sessions on the CP - proceed(y/n)? y
N7010-1#
N7010-1# attach cmp
Connected
Escape character is ‘~,’ [tilda comma]
N7010-1-cmp5 login: admin
Password:
Last login: Wed Aug 12 00:06:12 2009 on ttyS1
N7010-1-cmp5# show ?
  attach          Serial attach/monitor processes
  clock           Display current date
  cores           Show all core dumps for CMP
  cp              Show CP status information
  hardware        Show cmp hardware information
  interface       Display interface information
  line            Show cmp line information
  logging         Show logging configuration and contents of logfile
  logs            Show all log files for CMP
  processes       Show cmp processes information
  running-config  Current operating configuration
  sprom           Show SPROM contents
  ssh             SSH information
  system          Show system information
  users           Show the current users logged in the system
  version         Show cmp boot information

Telnet

NX-OS supports both a Telnet server and a Telnet client. The Telnet protocol enables TCP/IP terminal connections to a host. Telnet enables a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.


Note - Remember that the Telnet server is disabled by default in NX-OS.


The Telnet server is disabled by default on an NX-OS device. Example 1-6 demonstrates how to enable a Telnet server in NX-OS.

Example 1-6  Enabling a Telnet Server in NX-OS

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# feature telnet
N7010-1(config)# show telnet server
telnet service enabled
N7010-1(config)# copy running-config startup-config
[########################################] 100%

SSH

NX-OS supports both an SSH server and an SSH client. Use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device; SSH uses strong encryption for authentication. The SSH server in Cisco NX-OS Software can interoperate with publicly and commercially available SSH clients. The user authentication mechanisms supported for SSH are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and locally stored usernames and passwords.

The SSH client application enables the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server.

SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options:

  • SSH version 2 using Rivest, Shamir, and Adleman (RSA) public-key cryptography

  • SSH version 2 using the Digital Signature Algorithm (DSA)

Be sure to have an SSH server key-pair of the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

  • The dsa option generates the DSA key-pair for the SSH version 2 protocol.

  • The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, Cisco NX-OS Software generates an RSA key using 1024 bits.

SSH supports the following public key formats:

  • OpenSSH

  • IETF Secure Shell (SECSH)

Example 1-7 demonstrates how to enable SSH server and configure the SSH server keys.

Example 1-7  Enabling SSH Server and Configuring SSH Server Keys

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
N7010-1(config)# ssh key rsa 2048
generating rsa key(2048 bits)......
generated rsa key
N7010-1(config)# feature ssh
N7010-1(config)# exit
N7010-1# show ssh key
**************************************
rsa Keys generated:Thu Aug 13 23:33:41 2009

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHuf3kJox/hjgPDChJOdkUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21DXSKK/tdj7bipWKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+8RqIOQ5jNAPNeb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ==

bitcount:2048
fingerprint:1f:b7:a3:3b:f5:ca:a6:36:19:93:98:c7:37:ba:27:db
**************************************
could not retrieve dsa key information
**************************************
N7010-1# show ssh server
ssh version 2 is enabled
N7010-1(config)# username nxos-admin password C1sc0123!
N7010-1(config)# username nxos-admin sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHuf3kJox/hjgPDChJOdkUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21DXSKK/tdj7bipWKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+8RqIOQ5jNAPNeb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ==
N7010-1(config)# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:nxos-admin
        this user account has no expiry date
        roles:network-operator
        ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHuf3kJox/hjgPDChJOdkUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21DXSKK/tdj7bipWKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+8RqIOQ5jNAPNeb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ==
N7010-1(config)#
N7010-1# copy running-config startup-config
[########################################] 100%
N7010-1#
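The key material that Example 1-7 pastes into the username command is an OpenSSH-format public key: the label ssh-rsa followed by a base64 blob that wraps, in RFC 4253 wire format, the type string, the exponent e and the modulus n. Before trusting such a key (or pasting it into a device), an operator will want to decode it and check that the blob really is an RSA key, how large the modulus is, and what its fingerprint is. The Python below is an added example, not code from the book or from Cisco; it parses the exact key printed on the page (which the device reported as bitcount:2048), enforces a minimum-modulus policy that a 1024-bit key (the NX-OS default size mentioned above) would fail, and computes the colon-separated MD5 fingerprint of the blob that OpenSSH-era tools print (I assume the device's fingerprint line is computed the same way; compare the two to check). The encode_rsa_public_key helper exists only to build a constructed small key for the comparison.

```python
"""Validate an OpenSSH-format RSA public key line such as the one NX-OS prints
in 'show ssh key' and accepts in 'username ... sshkey'. Added example, not the
book's code; the blob layout is RFC 4253 (string "ssh-rsa", mpint e, mpint n)."""
import base64
import hashlib
import struct

# Key exactly as printed in Example 1-7 on the page (device reported bitcount:2048).
PAGE_KEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHuf3kJox/hjgPDChJOdkUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21DXSKK/tdj7bipWKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+8RqIOQ5jNAPNeb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ=="


def _read_string(blob, offset):
    """RFC 4251 'string': 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end], end


def parse_rsa_public_key(line):
    """Decode 'ssh-rsa <base64>' into type, exponent, modulus size and fingerprint."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64>'")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match the ssh-rsa label" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    digest = hashlib.md5(blob).hexdigest()  # MD5 over the raw blob, colon separated
    return {
        "type": "ssh-rsa",
        "e": e,
        "bits": n.bit_length(),
        "fingerprint": ":".join(digest[i:i + 2] for i in range(0, 32, 2)),
    }


def encode_rsa_public_key(e, n):
    """Inverse of the parser; used here only to build a constructed test key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b

    def mpint(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:  # mpint is two's complement: keep the sign bit clear
            b = b"\x00" + b
        return ssh_string(b)

    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def meets_policy(info, min_bits=2048):
    """Accept only RSA keys at or above min_bits with an odd exponent of at least 3."""
    return (info["type"] == "ssh-rsa" and info["bits"] >= min_bits
            and info["e"] >= 3 and info["e"] % 2 == 1)


if __name__ == "__main__":
    page = parse_rsa_public_key(PAGE_KEY_LINE)
    print(page, meets_policy(page))
    # A constructed 1024-bit key (the default size) fails a 2048-bit policy.
    small = parse_rsa_public_key(encode_rsa_public_key(65537, 2 ** 1023 + 1))
    print(small["bits"], meets_policy(small))
```

The length-prefixed reads stop at the blob boundary and the parser refuses trailing bytes, so a truncated or padded paste is rejected rather than silently accepted; the type string inside the blob is compared against the ssh-rsa label because the two can disagree when a key line has been edited by hand.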

XML

NX-OS has a robust XML management interface, which can be used to configure the entire switch. The interface uses the XML-based Network Configuration Protocol (NETCONF) that enables you to manage devices and communicate over the interface with an XML management tool or a program. NETCONF is based on RFC 4741 and the NX-OS implementation requires you to use a Secure Shell (SSH) session for communication with the device.

NETCONF is implemented with an XML Schema (XSD) that enables you to enclose device configuration elements within a remote procedure call (RPC) message. From within an RPC message, you select one of the NETCONF operations that matches the type of command that you want the device to execute. You can configure the entire set of CLI commands on the device with NETCONF.
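To make the RPC mechanics concrete, the Python below walks through a NETCONF 1.0 session as RFC 4741 frames it over SSH: the client sends a hello advertising the base capability, checks the server's hello, issues one rpc carrying a get with a subtree filter, and parses the rpc-reply, matching message-id values so a reply cannot be attributed to the wrong outstanding request. This is an added example, not code from the book or from Cisco: every server-side message is constructed inline, and the urn:example:ifstats filter is a hypothetical placeholder because the page does not show the NX-OS schema elements.

```python
"""NETCONF 1.0 over SSH as RFC 4741 frames it: a <hello> capability exchange,
one <rpc> carrying a <get>, and the <rpc-reply> parsed back. Added example;
all messages below are constructed, not captured from an NX-OS device."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace
BASE_CAP = "urn:ietf:params:netconf:base:1.0"    # capability every peer must advertise
EOM = "]]>]]>"                                   # RFC 4741 end-of-message delimiter


def frame(xml_text):
    """One NETCONF 1.0 message on the SSH channel ends with the ]]>]]> marker."""
    return xml_text + EOM


def unframe(channel_text):
    """Split what was read from the SSH channel into complete messages."""
    return [m.strip() for m in channel_text.split(EOM) if m.strip()]


def client_hello():
    hello = ET.Element(f"{{{NC}}}hello")
    caps = ET.SubElement(hello, f"{{{NC}}}capabilities")
    ET.SubElement(caps, f"{{{NC}}}capability").text = BASE_CAP
    return frame(ET.tostring(hello, encoding="unicode"))


def peer_capabilities(hello_msg):
    """Capabilities the other side advertised; refuse peers without base:1.0."""
    root = ET.fromstring(hello_msg)
    if root.tag != f"{{{NC}}}hello":
        raise ValueError("expected <hello>")
    caps = {c.text for c in root.iter(f"{{{NC}}}capability")}
    if BASE_CAP not in caps:
        raise ValueError("peer did not advertise NETCONF base:1.0")
    return caps


def build_get(message_id, subtree_filter_xml):
    """<rpc message-id=...><get><filter type="subtree">...</filter></get></rpc>"""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    get = ET.SubElement(rpc, f"{{{NC}}}get")
    flt = ET.SubElement(get, f"{{{NC}}}filter", {"type": "subtree"})
    flt.append(ET.fromstring(subtree_filter_xml))
    return frame(ET.tostring(rpc, encoding="unicode"))


def parse_reply(reply_msg, expected_id):
    """Return (data element or None, list of error messages); message-id must match."""
    root = ET.fromstring(reply_msg)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("expected <rpc-reply>")
    if root.get("message-id") != expected_id:
        raise ValueError("message-id mismatch")
    errors = [e.findtext(f"{{{NC}}}error-message", default="")
              for e in root.iter(f"{{{NC}}}rpc-error")]
    return root.find(f"{{{NC}}}data"), errors


def reply_matches(reply_msg, expected_id):
    """Convenience wrapper: does this reply belong to the given request?"""
    try:
        parse_reply(reply_msg, expected_id)
        return True
    except ValueError:
        return False


# Constructed server-side messages (what the device would send back).
SERVER_HELLO = frame(
    f'<hello xmlns="{NC}"><capabilities><capability>{BASE_CAP}</capability>'
    '</capabilities><session-id>42</session-id></hello>')
SERVER_REPLY_OK = frame(
    f'<rpc-reply xmlns="{NC}" message-id="101"><data>'
    '<interfaces xmlns="urn:example:ifstats"><interface><name>mgmt0</name>'
    '<speed>1000</speed></interface></interfaces></data></rpc-reply>')
SERVER_REPLY_ERR = frame(
    f'<rpc-reply xmlns="{NC}" message-id="102"><rpc-error>'
    '<error-type>application</error-type><error-tag>access-denied</error-tag>'
    '<error-message>authorization failed</error-message></rpc-error></rpc-reply>')

# Hypothetical subtree filter; the real NX-OS schema elements are not on the page.
FILTER = '<interfaces xmlns="urn:example:ifstats"/>'


def run_exchange():
    """Walk through the exchange; return the mgmt0 speed and any error text."""
    caps = peer_capabilities(unframe(SERVER_HELLO)[0])
    request = build_get("101", FILTER)
    data, _ = parse_reply(unframe(SERVER_REPLY_OK)[0], "101")
    speed = data.find(".//{urn:example:ifstats}speed").text
    _, denied = parse_reply(unframe(SERVER_REPLY_ERR)[0], "102")
    return {"caps": caps, "request": request, "mgmt0_speed": speed, "errors": denied}


if __name__ == "__main__":
    print(client_hello())
    print(run_exchange())
```

Two checks matter from a defender's point of view: the peer must advertise the base capability before any RPC is sent, and an rpc-error (here a constructed access-denied) is surfaced as a result rather than being ignored, so a tool driving the device over NETCONF fails closed.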

The XML management interface does not require any additional licensing. XML management is included with no additional charge.

As an illustration, a Web 2.0/AJAX browser application can use XML/NETCONF to pull statistics from all interfaces on a Nexus 7000 running NX-OS into a dynamically updating table.

Figures 1-2, 1-3, and 1-4 demonstrate sample output from the XML/NETCONF interface.

Figure 1-2

Obtaining NX-OS Real-Time Interface Statistics via NETCONF/XML. The IP Address Entered Is the NX-OS mgmt0 Interface.

Figure 1-3

Login Results to the NX-OS Devices via NETCONF/XML

Figure 1-4

Results of the Selected Attributes, Such as Speed, Duplex, Errors, Counters, MAC Address. The Page Refreshes Every 10 Seconds.

SNMP

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.

SNMP exists in several versions (SNMPv1, v2, and v3), and each version has different security models or levels. Most enterprise customers look to implement SNMPv3 because it offers encryption for the management information (traffic) that crosses the network. The security level determines whether an SNMP message needs to be protected and authenticated. Various security levels exist within a security model:

  • noAuthNoPriv: Security level that does not provide authentication or encryption.

  • authNoPriv: Security level that provides authentication but does not provide encryption.

  • authPriv: Security level that provides both authentication and encryption.
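On the wire, the three levels above are carried in the msgFlags octet of the SNMPv3 msgGlobalData header (RFC 3412): bit 0 is authFlag, bit 1 is privFlag, bit 2 is reportableFlag, and privFlag without authFlag is an invalid combination. The Python below is an added example, not code from the book or from Cisco: it reads msgGlobalData out of a hand-constructed BER header, maps the flags to noAuthNoPriv/authNoPriv/authPriv, and enforces a minimum level the way a monitoring station or a capture-review script would. The three header byte strings are constructed for this illustration.

```python
"""SNMPv3 msgFlags (RFC 3412, msgGlobalData): pull the flags octet out of a
BER-encoded header, map it to one of the three security levels, and enforce a
minimum level. Added example, not the book's code; the header bytes below are
constructed by hand for this illustration."""

AUTH_FLAG = 0x01        # authFlag
PRIV_FLAG = 0x02        # privFlag
REPORTABLE_FLAG = 0x04  # reportableFlag

LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def security_level(msg_flags):
    """Map the flag bits to a security level; priv without auth is invalid."""
    auth = bool(msg_flags & AUTH_FLAG)
    priv = bool(msg_flags & PRIV_FLAG)
    if priv and not auth:
        raise ValueError("privFlag set without authFlag")
    if not auth:
        return "noAuthNoPriv"
    return "authPriv" if priv else "authNoPriv"


def _tlv(buf, off):
    """Read one BER TLV with a short-form (< 128) length; returns (tag, value, next)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    end = off + 2 + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[off + 2:end], end


def parse_msg_global_data(buf):
    """SEQUENCE { msgID INTEGER, msgMaxSize INTEGER,
                 msgFlags OCTET STRING (SIZE 1), msgSecurityModel INTEGER }"""
    tag, seq, _ = _tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("msgGlobalData must be a SEQUENCE")
    fields, off = [], 0
    while off < len(seq):
        t, v, off = _tlv(seq, off)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02]:
        raise ValueError("unexpected msgGlobalData layout")
    if len(fields[2][1]) != 1:
        raise ValueError("msgFlags must be exactly one octet")
    return {
        "msgID": int.from_bytes(fields[0][1], "big"),
        "msgMaxSize": int.from_bytes(fields[1][1], "big"),
        "msgFlags": fields[2][1][0],
        "msgSecurityModel": int.from_bytes(fields[3][1], "big"),
    }


def accept(buf, minimum="authPriv"):
    """True only if the header parses and its level meets the configured minimum."""
    try:
        level = security_level(parse_msg_global_data(buf)["msgFlags"])
    except ValueError:
        return False
    return LEVEL_RANK[level] >= LEVEL_RANK[minimum]


# Constructed headers: msgID=1, msgMaxSize=65507, msgSecurityModel=3 (USM),
# differing only in the msgFlags octet.
HDR_AUTHPRIV = bytes.fromhex("300e020101020300ffe3040107020103")   # flags 0x07
HDR_NOAUTH = bytes.fromhex("300e020101020300ffe3040104020103")     # flags 0x04
HDR_PRIV_ONLY = bytes.fromhex("300e020101020300ffe3040106020103")  # flags 0x06, invalid

if __name__ == "__main__":
    for name, hdr in (("authPriv", HDR_AUTHPRIV), ("noAuth", HDR_NOAUTH),
                      ("privOnly", HDR_PRIV_ONLY)):
        print(name, parse_msg_global_data(hdr), accept(hdr))
```

Run over captured headers, accept() flags any poller still talking noAuthNoPriv or authNoPriv to a device that is supposed to be on authPriv, and it rejects the malformed priv-without-auth combination instead of guessing a level for it.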

Cisco NX-OS supports the following SNMP standards:
