This video is part of the appearance, “Cisco Presents at Tech Field Day Extra at Cisco Live US 2025”. It was recorded as part of Tech Field Day Extra at Cisco Live US 2025 at 13:00-18:30 on June 10, 2025.
Learn all about the new Cisco N9300 Smart Switch and its role in the data center. Cisco has launched Nexus Smart Switches designed for data center environments, featuring a 24-port, 100-gig switch currently shipping and a new 48-port, 25-gig top-of-rack switch becoming generally available in August. Both switches integrate 800 Gbps of services throughput, primarily offloaded to Data Processing Units (DPUs) that run Cisco HyperShield security. These Smart Switches aim to consolidate traditional networking and security devices into a single unit, with the Silicon One NPU handling network processing (routing, switching, VXLAN, multicast) and the DPUs providing dedicated firewall services. This architecture facilitates a complete isolation of management, with NetOps teams managing the network processor and SecOps teams directly controlling HyperShield software on the DPUs through separate dashboards for enhanced security and operational clarity.
The Nexus Smart Switches are designed to address key data center use cases including cloud edge, zone-based segmentation, and data center interconnect, with the top-of-rack use case being a major focus for future implementation. The switches provide a “before and after” consolidation view, illustrating how a single Smart Switch can replace multiple traditional switches and firewalls, streamlining infrastructure and reducing complexity. Provisioning involves activating DPUs with a simple command and establishing connectivity to the HyperShield public cloud controller. Traffic can be selectively redirected to DPUs for firewalling based on VRF or VLAN policies, ensuring that only necessary traffic is subject to deep packet inspection. The system also supports high availability with state synchronization between Smart Switches for Layer 2 and Layer 3 protocols, and integrates with Cisco Live Protect for rapid vulnerability remediation via eBPF policies.
HyperShield, initially conceived as a distributed advanced firewall, represents a forward-thinking approach to security by distributing enforcement points directly inside the kernel (via eBPF and the acquisition of Isovalent) and deeply within the network via the Smart Switches. It utilizes an intent-driven policy model, allowing security policies to be written once and enforced across both kernel-level agents and network guardrails. Key use cases for HyperShield include zone segmentation, autonomous application segmentation, and distributed exploit protection. By fingerprinting known good behaviors and detecting multi-step anomalies, HyperShield moves beyond traditional IDS/IPS signature matching to more dynamic, graph-based anomaly detection. A “Digital Twin” capability allows for safe testing of firmware and policy updates, providing a confidence score before deployment. This innovative approach offers a consolidated, high-throughput Layer 4 security solution that complements existing perimeter firewalls and integrates with third-party firewall policies for comprehensive security management.
Personnel: Jacob Rapp, Javed Asghar, Maurizio Portolani