
N9300 Smart Switch East/West Firewalling

Cisco N9300 Smart Switch + Hypershield

East/West Firewalling at Switching Speeds

Stateful segmentation built into the Cisco N9300 Smart Switch uses the on-switch DPUs for 800G of enforcement in the fabric: no hairpin to a firewall, no TCAM tax. We’ve deployed it in production.

800G: Enforcement capacity per switch, line rate, no external firewall
84%: Rule reduction achieved on a real customer ACL set
0: Hairpins to an external firewall; enforcement lives in the fabric

Why East/West, Why Now

The threat is already inside the perimeter.

01

Most datacenter traffic is east/west. Perimeter controls assume the threat is outside. Breach data says otherwise.

02

Frontier AI has collapsed attack reconnaissance from days to hours. The window to contain lateral movement is shrinking.

03

The DPU puts stateful enforcement exactly where the traffic lives: every port, line rate, with no need to choose between fast and safe.

Policy That Matches Human Intent

35+ years of tech debt. Leave it behind.

Directionality and rule ordering in legacy ACLs were never design choices. They were consequences of stateless hardware and finite TCAM. The DPU removes both constraints.

What’s left is policy that matches human intent — stateful, order-independent, object-based, and globalized.

This is the opportunity to shake off 35+ years of tech debt. Statelessness, ordered rules, and directionality are all things we get to leave behind.

84%

Rule reduction on a real customer ACL set. Cisco advertises 50–80% — we’ve hit as high as 84%.

No one speaks or thinks in ACL. Policy creation now matches intent: “Accounting can talk to the database.”

Stateful. Order-independent. Object-based. Globalized. What policy should have always been.

We’ve Done This in Production

Not a lab. Not a proof-of-concept.

Crossconnect Engineering deployed one of the furthest-progressed Cisco N9300 Smart Switch + Hypershield implementations in the world as of June 2026 — in production, for a real customer. We presented the work at Cisco Live 2026 (WOSDCN-2007 & CSSDCN-1003). Led by a CCIE (#46110) who wrote the migration tooling himself.

Event: Cisco Live 2026
Sessions Presented: WOSDCN-2007 & CSSDCN-1003
Lead Engineer: CCIE #46110

Three Ways In

We help with any of them.

Way 01
Translate Existing Policy

Hand-translate existing NX-OS ACLs into globalized Hypershield policy.

Way 02
Observe, Then Enforce

Drop the N9300 inline at permit-any-any, collect real flows off the DPU, and build policy from observed behavior.

Way 03
Automated Migration

Looking for an automated method? We have a deterministic, no-AI method that produces condensed, stateful, unordered policy with minimal intervention.

Open-Source Tooling

Built in production. Released to the community.

The flow-collection and policy-conversion tooling we built is available under MIT license — example code to adapt to your environment.


See if your datacenter is a fit for N9300 + Hypershield.

We’ve deployed it. We’ve presented it. Now let’s talk about yours.
