Introduction to Cisco NX-OS

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Jul 19, 2010.

Chapter Description

This chapter provides an introduction and overview of NX-OS and a comparison between traditional IOS and NX-OS configurations and terminology.

Management Interfaces

NX-OS has many different types of management interfaces, all of which are covered in this section:

  • Controller Processor (CP)/Supervisor: Has both the management plane and control plane and is critical to the operation of the network.
  • Connectivity Management Processor (CMP): Provides a second network interface to the device for use even when the CP is not reachable. The CMP interface is used for out-of-band management and monitoring; the CMP interface is independent from the primary operating system.
  • MGMT0: Provides true out-of-band management through a dedicated interface and VRF to ensure 100 percent isolation from either control plane or data plane. MGMT0 enables you to manage the devices by the IPv4 or IPv6 address on the MGMT0 interface; the mgmt0 interface is a 10/100/1000 Ethernet interface. When implementing virtual port channel (vPC), a best practice is to use the MGMT0 interface for the vPC keepalive link.
  • Telnet: Provides an unsecure management connection to the NX-OS device.
  • SSH: Provides a secure management connection to the NX-OS device.
  • Extended Markup Language (XML) management interfaces: Use the XML-based Network Configuration Protocol (NETCONF) that enables management, monitoring, and communication over the interface with an XML management tool or program.
  • Simple Network Management Protocol (SNMP): Used by management systems to monitor and configure devices via a set of standards for communication over the TCP/IP protocol.

Controller Processor (Supervisor Module)

The Cisco Nexus 7000 series supervisor module is designed to deliver scalable control plane and management functions for the Cisco Nexus 7000 Series chassis. The Nexus 7000 supervisor module is based on an Intel dual-core processor that enables a scalable control plane. The supervisor module controls the Layer 2 and Layer 3 services, redundancy capabilities, configuration management, status monitoring, power, and environmental management. The supervisor module also provides centralized arbitration to the system fabric for all line cards. The fully distributed forwarding architecture enables the supervisor to support transparent upgrades to higher forwarding capacity-capable I/O and fabric modules. Two supervisors are required for a fully redundant system, with one supervisor module running as the active device and the other in hot standby mode, providing exceptional high-availability features in data center-class products. Additional features and benefits of the Nexus 7000 supervisor modules to meet demanding data center requirements follow:

  • Active and standby supervisor.
  • In-Service Software Upgrade (ISSU) with dual supervisor modules.
  • Virtual output queuing (VoQ), which is a quality of service (QoS)-aware lossless fabric, avoids the problems associated with head-of-line blocking.
  • USB interfaces that enable access to USB flash memory devices for software image loading and recovery.
  • Central arbitration that provides symmetrical control of the flow of traffic through the switch fabric helps ensure transparent switchover with no losses.
  • Segmented and redundant out-of-band provisioning and management paths.
  • Virtualization of the management plane via Virtual Device Contexts (vDC).
  • Integrated diagnostics and protocol decoding with an embedded control plane packet analyzer; this is based on the Wireshark open source. (No additional licenses are required.)
  • Fully decoupled control plane and data plane with no hardware forwarding on the module.
  • Distributed forwarding architecture, enabling independent upgrades of the supervisor and fabric.
  • Central arbitration and VoQ, which together enable Unified Fabric.
  • Transparent upgrade capacity and capability; designed to support 40-Gigabit and 100-Gigabit Ethernet.
  • System locator and beacon LEDs for simplified operations.
  • Dedicated out-of-band management processor for "lights out" management.

Connectivity Management Processor (CMP)

The supervisor incorporates an innovative dedicated connectivity management processor (CMP) to support remote management and troubleshooting of the complete system. The CMP provides a complete out-of-band management and monitoring capability independent from the primary operating system. The CMP enables lights out management of the supervisor module, all modules, and the Cisco Nexus 7000 Series system without the need for separate terminal servers with the associated additional complexity and cost. The CMP delivers the remote control through its own dedicated processor, memory, and boot flash memory and a separate Ethernet management port. The CMP can reset all system components, including power supplies; it can also reset the host supervisor module to which it is attached, enabling a complete system restart.

The CMP offers many benefits, including the following:

  • Dedicated processor and memory, and boot flash.
  • The CMP interface can reset all the system components, which include power, supervisor module, and system restart.
  • An independent remote system management and monitoring capability enables lights out management of the system.
  • Remote monitoring of supervisor status and initiation of resets that removes the need for separate terminal server devices for out-of-band management.
  • System reset while retaining out-of-band Ethernet connectivity, which reduces the need for onsite support during system maintenance.
  • Capability to remotely view boot-time messages during the entire boot process.
  • Capability to initiate a complete system power shutdown and restart, which eliminates the need for local operator intervention to reset power for devices.
  • Login authentication, which provides secure access to the out-of-band management environment.
  • Access to supervisor logs that enables rapid detection and prevention of potential system problems.
  • Capability to take full console control of the supervisor.
  • Complete control is delivered to the operating environment.

Example 1-5 shows how to connect to the CMP interface and the show commands available from it. Also, note the escape sequence of "~," to get back to the main NX-OS interface. You can also connect from the CMP back to the CP module.

Example 1-5. Connecting to the CMP Interface, Displaying Available show Commands

N7010-1# attach cmp
Escape character is '~,' [tilde comma]

N7010-1-cmp5 login: admin
Last login: Tue Aug 11 23:58:12 2009 on ttyS1

N7010-1-cmp5# attach cp
This command will disconnect the front-panel console on this supervisor, and will
clear all console attach sessions on the CP - proceed(y/n)? y

N7010-1# attach cmp
Escape character is '~,' [tilda comma]

N7010-1-cmp5 login: admin
Last login: Wed Aug 12 00:06:12 2009 on ttyS1
N7010-1-cmp5# show ?
  attach          Serial attach/monitor processes
  clock           Display current date
  cores           Show all core dumps for CMP
  cp              Show CP status information
  hardware        Show cmp hardware information
  interface       Display interface information
  line            Show cmp line information
  logging         Show logging configuration and contents of logfile
  logs            Show all log files for CMP
  processes       Show cmp processes information
  running-config  Current operating configuration
  sprom           Show SPROM contents
  ssh             SSH information
  system          Show system information
  users           Show the current users logged in the system
  version         Show cmp boot information


NX-OS provides a Telnet server and client. The Telnet protocol enables TCP/IP terminal connections to a host. Telnet enables a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.

The Telnet server is disabled by default on an NX-OS device. Example 1-6 demonstrates how to enable a Telnet server in NX-OS.

Example 1-6. Enabling a Telnet Server in NX-OS

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# feature telnet
N7010-1(config)# show telnet server
telnet service enabled
N7010-1(config)# copy running-config startup-config
[########################################] 100%


NX-OS supports SSH Server and SSH Client. Use SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device; SSH uses strong encryption for authentication. The SSH server in Cisco NX-OS Software can interoperate with publicly and commercially available SSH clients. The user authentication mechanisms supported for SSH are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and the use of locally stored usernames and passwords.

The SSH client application enables the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server.

SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options:

  • SSH version 2 using Rivest, Shamir, and Adleman (RSA) public-key cryptography
  • SSH version 2 using the Digital Signature Algorithm (DSA)

Be sure to have an SSH server key-pair with the appropriate version before allowing the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

  • The dsa option generates the DSA key-pair for the SSH version 2 protocol.
  • The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, Cisco NX-OS Software generates an RSA key using 1024 bits.

SSH supports the following public key formats:

  • OpenSSH
  • IETF Secure Shell (SECSH)

Example 1-7 demonstrates how to enable SSH server and configure the SSH server keys.

Example 1-7. Enabling SSH Server and Configuring SSH Server Keys

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
N7010-1(config)# ssh key rsa 2048
generating rsa key(2048 bits).....
generated rsa key
N7010-1(config)# feature ssh
N7010-1(config)# exit
N7010-1# show ssh key
rsa Keys generated:Thu Aug 13 23:33:41 2009
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlc

could not retrieve dsa key information
N7010-1# show ssh server
ssh version 2 is enabled
N7010-1(config)# username nxos-admin password C1sc0123!

N7010-1(config)# username nxos-admin sshkey ssh-rsa
N7010-1(config)# show user-account
        this user account has no expiry date
        this user account has no expiry date
        ssh public key: ssh-rsa
N7010-1# copy running-config startup-config
[########################################] 100%
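
The following added example (not from the book or from Cisco) reads a server public key in either format listed above, as printed by show ssh key, and reports its algorithm and key length so that a key below a chosen floor can be caught. The 2048-bit floor, the function names, and the sample keys (built in the code from arbitrary integers, not real keys) are assumptions.

```python
import base64
import struct

MIN_BITS = 2048  # assumed policy floor; the NX-OS default noted above is 1024


def _read_field(blob, off):
    """Read one RFC 4251 string/mpint: 4-byte big-endian length, then the bytes."""
    end = off + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def _extract_blob(text):
    """Return the binary key blob from OpenSSH or SECSH (RFC 4716) text."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        body, continued = [], False
        for ln in lines[1:]:
            if ln.startswith("---- END SSH2 PUBLIC KEY"):
                break
            # Header lines are "Tag: value"; a trailing backslash continues them.
            if continued or ":" in ln:
                continued = ln.endswith("\\")
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        fields = lines[0].split()  # OpenSSH: "<algorithm> <base64> [comment]"
        if len(fields) < 2:
            raise ValueError("not an OpenSSH public key line")
        b64 = fields[1]
    return base64.b64decode(b64, validate=True)  # raises ValueError on bad base64


def describe_key(text):
    """Return (algorithm, bits) for an ssh-rsa or ssh-dss public key."""
    blob = _extract_blob(text)
    name, off = _read_field(blob, 0)
    algo = name.decode("ascii", "replace")
    if algo == "ssh-rsa":
        _e, off = _read_field(blob, off)          # public exponent e
        size_field, _ = _read_field(blob, off)    # modulus n
    elif algo == "ssh-dss":
        size_field, _ = _read_field(blob, off)    # prime p (q, g, y follow)
    else:
        raise ValueError("unsupported key type: " + algo)
    return algo, int.from_bytes(size_field, "big").bit_length()


def meets_policy(text, min_bits=MIN_BITS):
    """True when the key parses and its modulus is at least min_bits long."""
    return describe_key(text)[1] >= min_bits


def _mpint(value):
    """Encode a positive integer as an mpint (extra zero byte if the top bit is set)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_rsa_line(bits):
    """Constructed ssh-rsa line with an arbitrary odd modulus; NOT a usable key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(35) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


def to_secsh(openssh_line):
    """Re-wrap an OpenSSH line in SECSH framing (70-character body lines)."""
    b64 = openssh_line.split()[1]
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed sample"']
                     + rows + ["---- END SSH2 PUBLIC KEY ----"])


if __name__ == "__main__":
    for bits in (1024, 2048):
        line = make_sample_rsa_line(bits)
        print(describe_key(line), describe_key(to_secsh(line)), meets_policy(line))
```

A key that has been cut short, such as the one-line excerpt printed in Example 1-7, is rejected with ValueError rather than reported with a wrong length.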


NX-OS has a robust XML management interface, which can be used to configure the entire switch. The interface uses the XML-based Network Configuration Protocol (NETCONF) that enables you to manage devices and communicate over the interface with an XML management tool or a program. NETCONF is based on RFC 4741 and the NX-OS implementation requires you to use a Secure Shell (SSH) session for communication with the device.

NETCONF is implemented with an XML Schema (XSD) that enables you to enclose device configuration elements within a remote procedure call (RPC) message. From within an RPC message, you select one of the NETCONF operations that matches the type of command that you want the device to execute. You can configure the entire set of CLI commands on the device with NETCONF.
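
An added example, not taken from the book or from NX-OS: the NETCONF messages described above, built and parsed in Python with the RFC 4741 base namespace and the ]]>]]> end-of-message marker that RFC 4742 defines for NETCONF over SSH. The SSH transport and any NX-OS-specific schema elements are left out, and the device replies are constructed sample text.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 4741)
EOM = "]]>]]>"  # end-of-message marker for NETCONF over SSH (RFC 4742)
ET.register_namespace("nc", NC_NS)


def _q(tag):
    return "{%s}%s" % (NC_NS, tag)


def build_hello():
    """Client <hello> advertising only the base capability."""
    hello = ET.Element(_q("hello"))
    caps = ET.SubElement(hello, _q("capabilities"))
    ET.SubElement(caps, _q("capability")).text = "urn:ietf:params:netconf:base:1.0"
    return ET.tostring(hello, encoding="unicode") + EOM


def build_get_config(message_id, source="running"):
    """<rpc> wrapping the <get-config> operation for one datastore."""
    if source not in ("running", "startup", "candidate"):
        raise ValueError("unknown datastore: " + source)
    rpc = ET.Element(_q("rpc"), {"message-id": str(message_id)})
    src = ET.SubElement(ET.SubElement(rpc, _q("get-config")), _q("source"))
    ET.SubElement(src, _q(source))
    return ET.tostring(rpc, encoding="unicode") + EOM


def split_messages(buffer):
    """Split received text into complete messages plus the unfinished tail."""
    parts = buffer.split(EOM)
    return [p.strip() for p in parts[:-1] if p.strip()], parts[-1]


def parse_reply(xml_text, expected_id):
    """Validate an <rpc-reply> and return its outcome as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("rpc-reply"):
        raise ValueError("unexpected element: " + root.tag)
    # A reply is only trusted for the request whose message-id it echoes.
    if root.get("message-id") != str(expected_id):
        raise ValueError("reply does not match request message-id")
    errors = [{c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in err}
              for err in root.findall(_q("rpc-error"))]
    return {"succeeded": not errors,
            "has_data": root.find(_q("data")) is not None,
            "errors": errors}


def _reply(message_id, body):
    return '<rpc-reply xmlns="%s" message-id="%s">%s</rpc-reply>' % (NC_NS, message_id, body)


# Constructed device-side stream: hello, a data reply, an error reply, a partial message.
SAMPLE_STREAM = (
    '<hello xmlns="%s"><capabilities><capability>urn:ietf:params:netconf:base:1.0'
    "</capability></capabilities><session-id>4</session-id></hello>" % NC_NS
    + EOM + _reply(101, "<data/>")
    + EOM + _reply(102, "<rpc-error><error-type>protocol</error-type>"
                        "<error-tag>operation-failed</error-tag>"
                        "<error-severity>error</error-severity></rpc-error>")
    + EOM + "<rpc-reply xmlns="
)

if __name__ == "__main__":
    print(build_hello())
    print(build_get_config(101))
    messages, tail = split_messages(SAMPLE_STREAM)
    for mid, msg in zip((101, 102), messages[1:]):
        print(mid, parse_reply(msg, mid))
    print("unparsed tail:", repr(tail))
```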

The XML management interface does not require any additional licensing. XML management is included with no additional charge.

XML/NETCONF can be used from a Web 2.0/AJAX browser application that pulls all statistics off all interfaces on the Nexus 7000 running NX-OS into a dynamically updating table.

Figures 1-2, 1-3, and 1-4 demonstrate sample output from the XML/NETCONF interface.

Figure 1-2 Obtaining NX-OS Real-Time Interface Statistics via NETCONF/XML. The IP Address Entered Is the NX-OS mgmt0 Interface.

Figure 1-3 Login Results to the NX-OS Devices via NETCONF/XML

Figure 1-4 Results of the Selected Attributes, Such as Speed, Duplex, Errors, Counters, MAC Address. The Page Refreshes Every 10 Seconds.


The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.

SNMP has different versions, such as SNMPv1, v2, and v3. Each SNMP version has different security models or levels. Most enterprise customers are looking to implement SNMPv3 because it offers encryption to pass management information (or traffic) across the network. The security level determines if an SNMP message needs to be protected and authenticated. Various security levels exist within a security model:

  • noAuthNoPriv: Security level that does not provide authentication or encryption.
  • authNoPriv: Security level that provides authentication but does not provide encryption.
  • authPriv: Security level that provides both authentication and encryption.

Cisco NX-OS supports the following SNMP standards:

  • SNMPv1: Simple community-string based access.
  • SNMPv2c: RFC 2575-based group access that can be tied into RBAC model.
  • SNMPv3: Provides two independent security mechanisms, authentication (Hashed Message Authentication leveraging either Secure Hash Algorithm [SHA-1] or Message Digest 5 [MD5] algorithms) and encryption (Data Encryption Standard [DES] as the default and Advanced Encryption Standard [AES]), to ensure secure communication between the NMS station and N7K/NX-OS. Both mechanisms are implemented as demonstrated in Example 1-8.

As NX-OS is truly modular and highly available, the NX-OS implementation of SNMP supports stateless restarts for SNMP. NX-OS has also implemented virtualization support for SNMP; NX-OS supports one instance of SNMP per virtual device context (VDC). SNMP is also VRF-aware, which allows you to configure SNMP to use a particular VRF to reach the network management host.

Example 1-8 demonstrates how to enable SNMPv3 on NX-OS.

Example 1-8. Enabling SNMPv3 on NX-OS

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# snmp-server user NMS auth sha Cisc0123! priv Cisc0123! engineID
N7010-1(config)# snmp-server host informs version 3 auth NMS
N7010-1(config)# snmp-server community public ro
N7010-1(config)# snmp-server community nxos rw
N7010-1(config)# show snmp
sys contact:
sys location:
0 SNMP packets input
        0 Bad SNMP versions
        0 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        0 Number of requested variables
        0 Number of altered variables
        0 Get-request PDUs
        0 Get-next PDUs
        0 Set-request PDUs
        0 No such name PDU
        0 Bad value PDU
        0 Read Only PDU
        0 General errors
        0 Get Responses
45 SNMP packets output
        45 Trap PDU
        0 Too big errors
        0 No such name errors
        0 Bad values errors
        0 General errors
        0 Get Requests
        0 Get Next Requests
        0 Set Requests
        0 Get Responses
        0 Silent drops
Community            Group / Access      context    acl_filter
---------            --------------      -------    ----------
nxos                  network-admin
public                network-operator
                  SNMP USERS
User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   des(no)       network-admin
nxos-admin                    sha   des(no)       network-operator
 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)
User                          Auth  Priv
____                          ____  ____
NMS                           sha   des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
SNMP Tcp Authentication Flag : Enabled.
Port Monitor : enabled
Policy Name  : default
Admin status : Not Active
Oper status  : Not Active
Port type    : All Ports
Counter          Threshold  Interval Rising Threshold event Falling Threshold
event In Use
-------          ---------  -------- ---------------- ----- ------------------ --
Link Loss        Delta      60       5                4     1                  4
Sync Loss        Delta      60       5                4     1                  4
Protocol Error   Delta      60       1                4     0                  4
Signal Loss      Delta      60       5                4     1                  4
Invalid Words    Delta      60       1                4     0                  4
Invalid CRC's    Delta      60       5                4     1                  4
RX Performance   Delta      60       2147483648       4     524288000          4
TX Performance   Delta      60       2147483648       4     524288000          4
SNMP protocol : Enabled
Context                          [Protocol instance, VRF, Topology]

N7010-1# show snmp user
                  SNMP USERS

User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   des(no)       network-admin

nxos-admin                    sha   des(no)       network-operator

 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)

User                          Auth  Priv
____                          ____  ____
NMS                           sha   des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
N7010-1(config)# exit
N7010-1# copy running-config  startup-config
[########################################] 100%
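
An added example (not from the book or from Cisco): a small audit that reads configuration lines and show snmp user output in the form shown in Examples 1-6 and 1-8 and lists the settings that fall short of authPriv or expose a cleartext management path. The rule names are hypothetical, the input is constructed from the values on this page, and reading (no) in the Priv(enforce) column as "privacy not enforced" is an assumption.

```python
import re

# Constructed input in the form shown in Examples 1-6 and 1-8 (not a device capture).
SAMPLE_CONFIG = """\
feature telnet
feature ssh
snmp-server community public ro
snmp-server community nxos rw
"""

SAMPLE_SHOW_SNMP_USER = """\
                  SNMP USERS

User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   des(no)       network-admin

nxos-admin                    sha   des(no)       network-operator

 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)

User                          Auth  Priv
____                          ____  ____
NMS                           sha   des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
"""

COMMUNITY = re.compile(r"^\s*snmp-server community (\S+) (ro|rw)\s*$", re.M)
TELNET = re.compile(r"^\s*feature telnet\s*$", re.M)  # does not match "no feature telnet"
USER_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([^\s(]+)(?:\((yes|no)\))?(?:\s+(\S.*))?$")
WELL_KNOWN = {"public", "private"}


def parse_snmp_users(text):
    """Return a dict for each row of the two tables printed by 'show snmp user'."""
    users, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "NOTIFICATION TARGET USERS" in line:
            section = "inform-target"
        elif "SNMP USERS" in line:
            section = "local"
        elif section and line and not line.startswith(("User ", "____", "(")):
            m = USER_ROW.match(line)
            if m:
                users.append({"user": m.group(1), "auth": m.group(2), "priv": m.group(3),
                              "enforce": m.group(4), "section": section})
    return users


def audit(config_text, show_snmp_user_text):
    """Return (rule, subject) findings; the rule names are this example's own."""
    findings = []
    if TELNET.search(config_text):
        findings.append(("TELNET_ENABLED", "feature telnet"))
    for name, access in COMMUNITY.findall(config_text):
        # v1/v2c community strings give neither authentication nor encryption.
        findings.append(("SNMP_COMMUNITY_" + access.upper(), name))
        if name.lower() in WELL_KNOWN:
            findings.append(("SNMP_COMMUNITY_WELL_KNOWN", name))
    for u in parse_snmp_users(show_snmp_user_text):
        if u["auth"] == "md5":
            findings.append(("SNMPV3_AUTH_MD5", u["user"]))
        if u["priv"] == "des":
            findings.append(("SNMPV3_PRIV_DES", u["user"]))
        if u["enforce"] == "no":
            # Privacy not enforced: requests below authPriv are not refused for this user.
            findings.append(("SNMPV3_PRIV_NOT_ENFORCED", u["user"]))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(SAMPLE_CONFIG, SAMPLE_SHOW_SNMP_USER):
        print("%-26s %s" % (rule, subject))
```

Run against the sample, the audit reports the two community strings that Example 1-8 configures next to the SNMPv3 user, which leave community-string access open on the same device.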


Cisco Data Center Network Manager (DCNM) is a management solution that supports NX-OS devices. DCNM maximizes the overall data center infrastructure uptime and reliability, which improves service levels. Focused on the operational management requirements of the data center, DCNM provides a robust framework and rich feature set that fulfills the switching, application, automation, provisioning, and services needs of today's data centers and tomorrow's data center requirements.

DCNM is a Java-based client-server application. The DCNM client communicates with the DCNM server only, never directly with managed Cisco NX-OS devices. The DCNM server uses the XML management interface of Cisco NX-OS devices to manage and monitor them. The XML management interface is a programmatic method based on the NETCONF protocol that complements the CLI functionality.

DCNM has a robust configuration and feature support on the NX-OS platform. The following features can be configured, provisioned, and monitored through DCNM enterprise management:

  • Physical ports
  • Port channels and virtual port channels (vPC)
  • Loopback and management interfaces
  • VLAN network interfaces (sometimes referred to as switched virtual interfaces [SVI])
  • VLAN and private VLAN (PVLAN)
  • Spanning Tree Protocol, including Rapid Spanning Tree (RST) and Multi-Instance Spanning Tree Protocol (MST)
  • Virtual Device Contexts
  • Gateway Load Balancing Protocol (GLBP) and object tracking
  • Hot Standby Router Protocol (HSRP)
  • Access control lists
  • IEEE 802.1X
  • Authentication, authorization, and accounting (AAA)
  • Role-based access control
  • Dynamic Host Configuration Protocol (DHCP) snooping
  • Dynamic Address Resolution Protocol (ARP) inspection
  • IP Source Guard
  • Traffic storm control
  • Port security
  • Hardware resource utilization with Ternary Content Addressable Memory (TCAM) statistics
  • Switched Port Analyzer (SPAN)

DCNM also includes end-to-end enterprise visibility, including topology views, event browsers, configuration change management, device operating system management, hardware asset inventory, logging, and statistical data collection management.
