Cisco NX-OS Software VXLAN OAM (NGOAM) Denial of Service Vulnerability

A vulnerability in the VXLAN Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper handling of specific packets with a Transparent Interconnection of Lots of Links (TRILL) OAM EtherType. An attacker could exploit this vulnerability by sending crafted packets, including the TRILL OAM EtherType of 0x8902, to a device that is part of a VXLAN Ethernet VPN (EVPN) fabric. A successful exploit could allow the attacker to cause an affected device to experience high CPU usage and consume excessive system resources, which may result in overall control plane instability and cause the affected device to reload.

Note: The NGOAM feature is disabled by default.
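The following is an added detection sketch, not Cisco code and not part of the advisory: it flags raw Ethernet frames that carry the EtherType 0x8902 named above, either directly (with or without VLAN tags) or as the inner frame of a VXLAN packet. It assumes an unfragmented IPv4 underlay and the IANA VXLAN port 4789; all function names and sample frames are constructed for illustration. Because 0x8902 is also the EtherType used by IEEE 802.1ag CFM, a match is a cue to review the source, not proof of an attack.

```python
import struct
from collections import Counter

OAM_ETHERTYPE = 0x8902         # EtherType named in the advisory
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags to step over
VXLAN_PORT = 4789              # IANA-assigned VXLAN UDP port (assumed in use)

def ethertype(frame, off=0):
    """Return (ethertype, payload offset) past any VLAN tags, or None if truncated."""
    pos = off + 12
    while len(frame) >= pos + 2:
        (etype,) = struct.unpack_from("!H", frame, pos)
        if etype not in VLAN_TPIDS:
            return etype, pos + 2
        pos += 4               # skip TPID + TCI and read the next EtherType
    return None

def find_oam(frame):
    """Return 'outer', 'vxlan-inner' or None for one raw Ethernet frame."""
    etype, pos = ethertype(frame) or (None, 0)
    if etype == OAM_ETHERTYPE:
        return "outer"
    if etype != 0x0800 or len(frame) < pos + 20:
        return None
    udp = pos + (frame[pos] & 0x0F) * 4        # IPv4 header length from IHL
    if udp < pos + 20 or frame[pos + 9] != 17 or len(frame) < udp + 16:
        return None
    if struct.unpack_from("!H", frame, udp + 2)[0] != VXLAN_PORT:
        return None
    inner = ethertype(frame, udp + 16)         # skip UDP (8) + VXLAN (8) headers
    return "vxlan-inner" if inner and inner[0] == OAM_ETHERTYPE else None

def tally(frames):
    """Count matching frames per (outer source MAC, location)."""
    found = ((f[6:12].hex(":"), find_oam(f)) for f in frames)
    return Counter(k for k in found if k[1])

# Constructed sample frames (not captured traffic).
A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
def eth(src, etype, payload=b"", tag=b""):
    return B + src + tag + struct.pack("!H", etype) + payload
def vxlan(inner):
    l4 = struct.pack("!HHHHII", 49152, VXLAN_PORT, 16 + len(inner), 0, 0x08000000, 10010 << 8) + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, 17, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return eth(A, 0x0800, ip + l4)
SAMPLES = [eth(A, OAM_ETHERTYPE), eth(A, OAM_ETHERTYPE, tag=b"\x81\x00\x00\x64"),
           vxlan(eth(A, OAM_ETHERTYPE)), vxlan(eth(A, 0x0806)), eth(A, 0x0800, b"\x45")]
```

Feed `tally` the frames from a capture taken on fabric-facing interfaces and compare the per-source counts against the OAM senders you expect.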

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

This advisory is part of the August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2021-1587



HPE FlexFabric 12916E Sets New World Records for Data Center Performance

With this largest-ever test of 100G Ethernet networking, the HPE FlexFabric 12916E sets a new high-water mark for data-center core networking. In an extensive set of stressful benchmark tests, the FlexFabric 12916E pumped traffic through 768 100G Ethernet interfaces and set several records along the way:

  • The highest throughput ever recorded from a single switch chassis (76.8 terabits per second)
  • Throughput of more than 100 million frames per second per port on each of 768 100G Ethernet ports
  • Support for nearly 1 million unique routes learned via BGP
  • Identical throughput when routing to 768 routes and nearly 1 million routes
  • The highest EVPN scalability ever recorded with a single chassis (768 concurrent VXLAN tunnels)
  • ISSU failover times measured in tens of microseconds


As these test results demonstrate, the HPE FlexFabric 12916E is a highly capable performer even under the most demanding conditions. Such high performance on such an unprecedented scale offers a measure of “future proofing” for tomorrow’s data center networks.

Data centers will continue to grow ever larger; as these test results demonstrate, the HPE FlexFabric 12916E is well positioned to serve as the engine of that growth.


Connection between VXLAN and VLAN without NAT

Is there any way to connect VXLAN and VLAN without NAT?

I know that NAT can be enabled on NSX ESG, so that a physical network address can reach the virtual network address.

However, we have an app which requires BYOIP and no NAT connection, so do you have any idea how to connect VXLAN and VLAN without NAT?

Can we utilize the distributed logical router and its bridging?


HPE and Arista accelerate customers' transition to a software-defined data center

Last month at the HPE Global Partner Conference, Antonio Neri announced that Arista Networks would become HPE’s preferred networking partner for customers embracing software-defined infrastructure and cloud. This new strategic partnership expands and complements our current data center networking portfolio while also helping accelerate our customers’ transition to Hybrid IT and next-generation software-defined cloud data centers.

Starting today, HPE customers and partners can purchase Arista Networks data center switching products directly from HPE. Learn more about these solutions by visiting


Why is this good for HPE customers?

HPE and Arista share a common vision around the need to deliver secure Hybrid IT solutions built on industry-leading software-defined infrastructure helping customers to operate their workloads with speed and agility to grow their business. This partnership will provide our customers with best of breed networking solutions that are superior to legacy networking solutions and that are complementary to our HPE Data Center Infrastructure Group (DCIG) solutions including HPE compute, storage, virtualization and cloud offerings.

Supercharge Your Data Center with HPE and Arista Networks – SL11887

If you're headed to HPE Discover in London, you can join HPE’s Dom Wilde and Paddy Power Betfair’s Richard Haigh to learn more about this exciting new partnership and how HPE and Arista can help you design a simplified, higher scaling and more automated software-defined data center.

Not attending Discover London? Tune in to the live stream starting November 29, 2016 to watch all of the general sessions with Meg, spotlight sessions, innovation sessions and digital executive interviews.

What other data center networking solutions are we showcasing at Discover London 2016?

HPE 25/100GbE Networking Solutions – demo #11447 – our HPE server and networking teams have joined forces with solutions that span HPE servers, network adapters, transceivers, cables and Ethernet switches designed and tested to deliver a comprehensive 25/100GbE networking ecosystem. View our 25/100GbE Infographic to see if these solutions are a fit for you!

HPE Network Virtualization – demo #11086 and #11087 – solutions that help make networks as readily consumable as compute resources. HPE Distributed Cloud Networking (DCN) and VMware NSX help datacenter operators manage a distributed, multi-datacenter environment in a simple, open and agile way, leveraging SDN and network virtualization.

HPE Ethernet VPN – demo #11084 – EVPN has emerged to offer a strong end-to-end solution for datacenter VXLAN networks. This demo will showcase how HPE EVPN enables multi-tenancy and application mobility in your data center.

Arista Networks Software-defined Cloud Networking – demo #11213 – The HPE-Arista partnership advances customer capabilities in maximizing the value of their networks in supporting mission-critical workloads with simplified management and provisioning, rapid service delivery and lowering total cost of ownership.



Simplify and Scale Virtual Networking

Use Virtual Networking Services

Cisco Nexus 1000V Port Profiles: The Nexus 1000V extends the concept of referenced configuration through the use of Cisco NX-OS port profiles. It publishes them in the hypervisor management domain, allowing ease of assignment and the portability of networking and security policies.

Since the Nexus 1000V is a virtual distributed switch, the policies from the profiles are known and supported across

Cisco vPath v2.0: A fundamental architecture component of the Cisco Nexus 1000V, vPath optimizes the use of Layer 4-7 virtual networking services in virtual machine and cloud environments.

Service chaining is supported, providing multiple virtual network services as part of a single traffic flow. For example, you can simply specify the network policy and let vPath direct traffic:

Cisco vPath also works on VXLAN to support movement between servers in different Layer 2 domains. Together, these features promote highly secure policy, application, and service delivery in the cloud.