This article explains the procedure that should be followed to correctly shutdown/powerdown a Cisco Nexus 7000 series module and remove it from the chassis. We also include important tips that will help ensure you avoid common problems and mistakes during the removal procedure.

The Nexus 7010 is one of the larger data center switches in the Nexus portfolio found in most enterprise-class data centers. Even though the Nexus 7000 series switches have been in the market since 2008 there are still a lot of data centers powering their core infrastructure using the well-known Cisco Catalyst series.

The Nexus 7000 series switches are designed for continuous operation, which means all parts are hot-swappable thereby eliminating downtime for upgrades or parts replacement.

The process covered in this installation guide can be used with all Nexus 7000 series modules including:

• 48-port 10/100/1000 Ethernet module (N7K-M148GT-11)
• 48-port 10/100/1000 Ethernet module with XL option (N7K-M148GT-11L)
• 48-port 1-Gigabit Ethernet I/O module (N7K-M148GS-11)
• 48-port 1-Gigabit Ethernet I/O module with XL option (N7K-M148GS-11L)
• 48-port 1-/10-Gigabit Ethernet I/O modules with XL (N7K-F248XP-25 and N7K-F248XP-25E)
• 32-port 10-Gigabit Ethernet I/O module (N7K-M132XP-12)
• 32-port 10-Gigabit Ethernet I/O module with XL option (N7K-M132XP-12L)
• 32-port 1- and 10-Gigabit Ethernet I/O module (N7K-F132XP-15)
• 8-port 10-Gigabit Ethernet I/O module with XL option (N7K-M108X2-12L)

Step 1. Nexus 7000 Module Shutdown - Poweroff

The Nexus 7000 series modules are hot swappable and support automatic shutdown when ejected, however, it is always advisable to poweroff the module before removing it. If the module is to be removed or swapped with a different module type it is advisable to also ensure all configuration associated with the old module’s ports is cleared and ports are shutdown before the module is removed.

Locate the slot number of the module to be uninstalled and remove all attached cables. It is very important no cables are attached to the module and there is enough space on both sides of the module. In our example we’ll be removing the module located in slot No.9:

Click on the images to enlarge

Figure 1. Nexus 7010 with module No.9 to be removed.

Issuing the show module 9 command will reveal the module’s model, status, capabilities, serial number and diagnostic status:

The output of the show module is also reflected on the module’s status LED. A green Status LED, as shown in the photo on the left, tells us that the module is currently online (powered on) and operating.

The orange interface LEDs confirm that the interfaces are in a shutdown state.

The specific card we are about to remove is a 48-port 10/100/1000 Ethernet card (N7K-M148GT-11L):

Figure 2. Nexus 7000 Module Status and Interface LEDs

Now proceed to power off the module using the poweroff module 9 command:

Palo Alto Networks Next-Generation Firewalls rely on the concept of security zones in order to apply security policies. This means that access lists (firewall rules) are applied to zones and not interfaces – this is similar to Cisco’s Zone-Based Firewall supported by IOS routers.

Palo Alto Networks Next-Generation Firewalls zones have no dependency on their physical location and they may reside in any location within the enterprise network. This is also illustrated in the network security diagram below:

 Figure 1. Palo Alto Firewall Security Zones can contain networks in different locations

The above topology illustrated shows VLANs 10, 11 ,12 and 2 managed by a Cisco Catalyst 4507R+E Switch and are all part of OSPF Area 0 and visible as routes in the Palo Alto Firewall. A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2).

When aggregation interface ae1.2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone, all networks learnt by the OSPF routing protocol on interface ae1.2 will be part of the DMZ Security Zone.

Creating a Security Zone involves tasks such as naming the zone, assigning the interfaces to the new zone created and more. Palo Alto Networks Next-Generation Firewalls won’t process traffic from any interface unless they are part of a Security Zone.

The diagram below depicts the order in which packets are processed by the Palo Alto Firewall:

Figure 2. Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall

It is without doubt Zone based firewalls provide greater flexibility in security design and are also considered easier to administer and maintain especially in large scale network deployments.

Palo Alto Networks Next-Generation Firewalls have four main types of Zones namely as shown in the screenshot below:

• Tap Zone. Used in conjunction with SPAN/RSPAN to monitor traffic.
• Virtual Wire. Also known as Transparent Firewall.
• Layer 2. Used when switching between two or more networks.
• Layer 3. Used when routing between two or more networks. Interfaces must be assigned an IP address.

Running Spanning Tree Protocol (STP) in a large network environment can be a challenging task especially when features/enhancements such as BPDU Filter and BPDU Guard need to be configured to help STP adapt to the network infrastructure requirements.

The key to a successful STP deployment is understanding how each STP feature should be used and implemented.

Understanding and Configuring BPDU Guard

BPDU Guard is an STP enhancement which, when enabled, will place a port in the errdisable mode when it receives any BPDU packet from that port.

BPDU Guard is usually configured on access layer ports where we are not expecting to see any BPDU packets arriving from devices connected to these ports e.g computers, printers, IP phones or other user-end devices.

Ports used as uplinks or downlinks to other switches should not have BPDU Guard enabled as these are more likely to have BPDU packets transmitted and received as switches actively monitor for network loops.

BPDU Guard can be configured either in Global mode or Interface mode.

When configured in Global mode the feature is enabled globally for all switch ports configured with port-fast configuration. Port-Fast is an STP feature configured at each individual port that forces the port to go directly into a forwarding state rather than through the normal STP states (Listening, Learning, Forwarding).

While port-fast is a very handy feature that forces a network port to transition immediately to the forwarding state (similar to an unmanaged switch), it must be used with caution as STP won’t be able to immediately detect a network loop through a Port-Fast enabled port.

To configure BPDU Guard in Global mode use the spanning-tree portfast bpduguard default command in Global Configuration Mode:

SW2(config)# spanning-tree portfast bpduguard default

To configure BPDU Guard in Interface mode use the spanning-tree bpduguard enable command under the interface:

SW2(config-if)# spanning-tree bpduguard enable

Note: It is important to keep in mind that if the interface is configured as an access port, with port-fast enabled, and receives a BPDU packet it will automatically be disabled and placed in an errdisabled state.

To help illustrate how BPDU Guard works, we’ve configured port G1/0/1 on our 3750-X as an access link with port-fast and BPDU Guard enabled:

Figure 1. Spanning Tree BPDU Guard configuration and example

Next, we connect another switch (rogue switch) running spanning tree protocol to port G1/0/1 on SW2. As soon as a BPDU packet is received on G1/0/1, here’s how SW2 reacted:

Title:              Cisco Firepower and Advanced Malware Protection Live Lessons
Authors:        Omar Santos
ISBN-10:          0-13-446874-0
Publisher:     Cisco Press
Published:     June 22, 2016
Edition:         1st Edition
Language:     English

The “Cisco Firepower and Advanced Malware Protection Live Lessons” video series by Omar Santos is the icing on the cake for someone who wants to start their journey of Cisco Next-Generation Network Security. This video series contains eight lessons on the following topics:

Lesson 1: Fundamentals of Cisco Next-Generation Network Security

Lesson 2: Introduction and Design of Cisco ASA with FirePOWER Services

Lesson 3: Configuring Cisco ASA with FirePOWER Services

Lesson 4: Cisco AMP for Networks

Lesson 5: Cisco AMP for Endpoints

Lesson 6: Cisco AMP for Content Security

Lesson 7: Configuring and Troubleshooting the Cisco Next-Generation IPS Appliances

Lesson 8: Firepower Management Center

Lesson 1 deals with the fundamentals of Cisco Next-Generation Network Security products, like security threats, Cisco ASA Next-Generation Firewalls, FirePOWER Modules, Next-Generation Intrusion Prevention Systems, Advanced Malware Protection (AMP), Email Security, Web Security, Cisco ISE, Cisco Meraki Cloud Solutions and much more. Omar Santos has done an exceptional job creating short videos, which are a maximum of 12 minutes, he really built up the series with a very informative introduction dealing with the security threats the industry is currently facing, the emergence of Internet of Things (IOT) and its impact and the challenges of detecting threats.

This article explains what a web browser cookie is and examines how Cross Site Request Forgery work by allowing hackers to intercept and access web browser cookies from unaware users trying to logon to a website to continue their online shopping or access personal online files e.g Dropbox etc. We also explain how we can avoid Cross Site Request Forgery attacks and best security practices to keep our web applications and users safer.

What is a Cookie?

When visiting a website, a cookie (small file) from the website is usually stored on your computer containing information such as login details, items you had in your shopping basket etc. Each cookie is unique to your web browser and website visited, so that the website can retrieve or read the contents of its cookie when revisiting it. What most people are unaware of is that any malicious attacker with access to your computer can use the cookies stored therein to exploit access to websites you have visited earlier.

A malicious attacker may take advantage of this situation by latching on to the authentication cookie the user is sending to the website for initiating an action and then using the credentials to impersonate the user. The attacker uses Cross Site Request Forgery (CSRF) for initiating the attack.

Mechanism of a CSRF Attack

The Open Web Application Security Project (OWASP) Top 10 lists Cross Site Request Forgery which is an attack whereby an attacker uses his or her website to send malicious code to a vulnerable web application in which a user is already authenticated.

Figure 1. Illustration of how CSRF attacks work