Configure Your Cisco APIC to Secure North-South Traffic

Set up your Cisco APIC to secure North-South traffic using your Palo Alto Networks firewall.
Where Can I Use This?
  • Cisco ACI
What Do I Need?
  • VM-Series plugin
  • Panorama
  • VM-Series licenses
  • Cisco ACI Fabric
  • Panorama plugin for Cisco ACI

Create a VLAN Pool and External Routed Domain

Create a VLAN pool with a static VLAN range reserved for the firewall; the pool allocates VLANs to the firewall as you attach its interfaces to the fabric to support the EPGs in your ACI fabric.
Additionally, create an external routed (Layer 3) domain that maps those VLANs to the EPGs. The following procedure creates a domain dedicated to the firewall.
  1. Create a VLAN pool:
    1. Log in to your APIC.
    2. Select Fabric > Access Policies > Pools > VLAN.
    3. Right-click VLAN and select Create VLAN Pool.
    4. Enter a descriptive Name for your VLAN pool.
    5. Select Dynamic Allocation for Allocation Mode.
    6. Click the plus (+) button to the right of Encap Blocks.
    7. Enter your VLAN range in the VLAN Range field.
    8. Select Static Allocation from the Allocation Mode drop-down.
    9. Select OK.
    10. Select Submit.
  2. Create an external routed domain:
    1. Select Fabric > Access Policies > Physical and External Domains > External Domains.
    2. Right-click External Routed Domain and select Create Layer 3 Domain.
    3. Enter a descriptive Name for your external routed domain.
    4. Select the VLAN pool you created in the previous procedure from the VLAN Pool list.
    5. Select Submit.

Configure an Interface Policy for LLDP and LACP for North-South Traffic

LLDP is necessary for forwarding to work correctly in the ACI environment; ACI does not deploy a subnet router interface on a leaf switch unless it detects an endpoint on the switch that requires one. LLDP helps determine if a subnet router interface is required.
LACP provides greater resiliency and recovery speed on a link failure.
  1. Create an LLDP Interface Policy:
    1. Select Fabric > Access Policies > Interface Policies > Policies > LLDP Interface.
    2. Right-click on LLDP Interface and select Create LLDP Interface Policy.
    3. Enter a descriptive Name for your LLDP interface policy.
    4. Select Enabled for Receive State.
    5. Select Enabled for Transmit State.
    6. Select Submit.
  2. Create a Port Channel policy to enable LACP:
    1. Select Fabric > Access Policies > Interface Policies > Policies > Port Channel.
    2. Right-click on Port Channel and select Create Port Channel Policy.
    3. Enter a descriptive Name for your port channel policy.
    4. Select LACP Active from the Mode drop-down.
    5. Select Submit.
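The two procedures above (the VLAN pool with its static encap block, the external routed domain bound to that pool, and the LLDP and LACP interface policies) correspond to a small set of APIC managed objects. The following is an added example, not code from this page or from Palo Alto Networks or Cisco: it builds the JSON that the APIC REST API accepts for those objects and runs a check for the three settings the text depends on (static encap block, LLDP receive and transmit enabled, LACP active). The class and attribute names are the standard APIC ones; the pool, domain and policy names are constructed placeholders.

```python
"""Build APIC REST payloads for the firewall access policies and audit them.

Added example (not from the original page or Palo Alto Networks/Cisco).
fvnsVlanInstP, fvnsEncapBlk, l3extDomP, infraRsVlanNs, lldpIfPol and
lacpLagPol are standard APIC classes; names such as FW-VLAN-Pool are
constructed placeholders. The result is what the GUI steps above would
post to /api/mo/uni/infra.json.
"""
import json


def mo(cls, attributes, children=()):
    """Wrap one managed object in the {class: {attributes, children}} shape."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def vlan_pool(name, vlan_from, vlan_to):
    """Dynamic-allocation pool holding one static encap block for the firewall."""
    if not 1 <= vlan_from <= vlan_to <= 4094:
        raise ValueError("VLAN range must lie within 1-4094 with from <= to")
    block = mo("fvnsEncapBlk", {"from": f"vlan-{vlan_from}",
                                "to": f"vlan-{vlan_to}",
                                "allocMode": "static"})
    return mo("fvnsVlanInstP", {"name": name, "allocMode": "dynamic"}, [block])


def l3_domain(name, pool_name):
    """External routed (Layer 3) domain bound to the VLAN pool."""
    # The DN of a dynamic-allocation pool is uni/infra/vlanns-[<pool>]-dynamic.
    binding = mo("infraRsVlanNs", {"tDn": f"uni/infra/vlanns-[{pool_name}]-dynamic"})
    return mo("l3extDomP", {"name": name}, [binding])


def lldp_policy(name):
    """LLDP interface policy with receive and transmit state enabled."""
    return mo("lldpIfPol", {"name": name, "adminRxSt": "enabled", "adminTxSt": "enabled"})


def lacp_policy(name):
    """Port channel policy in LACP active mode."""
    return mo("lacpLagPol", {"name": name, "mode": "active"})


def access_policies(pool, vlan_from, vlan_to, domain, lldp, lacp):
    """All four objects from the procedures above as one infraInfra payload."""
    return mo("infraInfra", {}, [vlan_pool(pool, vlan_from, vlan_to),
                                 l3_domain(domain, pool),
                                 lldp_policy(lldp),
                                 lacp_policy(lacp)])


def audit(payload):
    """Return findings for settings that would break the design in the text."""
    findings = []
    for child in payload["infraInfra"].get("children", []):
        (cls, body), = child.items()
        attrs = body["attributes"]
        if cls == "lldpIfPol" and (attrs["adminRxSt"], attrs["adminTxSt"]) != ("enabled", "enabled"):
            findings.append(f"LLDP policy {attrs['name']} does not enable both receive and transmit")
        if cls == "lacpLagPol" and attrs["mode"] != "active":
            findings.append(f"port channel policy {attrs['name']} mode is {attrs['mode']}, not active")
        if cls == "fvnsVlanInstP":
            for blk in body.get("children", []):
                blk_attrs = blk["fvnsEncapBlk"]["attributes"]
                if blk_attrs["allocMode"] != "static":
                    findings.append(f"encap block {blk_attrs['from']}-{blk_attrs['to']} is not static")
    return findings


if __name__ == "__main__":
    body = access_policies("FW-VLAN-Pool", 1000, 1010, "FW-L3-Domain", "LLDP-On", "LACP-Active")
    print(json.dumps(body, indent=2))
    print("findings:", audit(body))
```

The audit is the useful part for an operator: the same function can be run against a payload exported from an existing fabric (GET with `rsp-subtree=full`) to confirm that the firewall's encap block was not left on dynamic allocation and that LLDP and LACP match what the text requires.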

Create an External Routed Network

The firewalls pass IP routing information to the ACI over a Layer 3 Open Shortest Path First (OSPF) protocol network. ACI uses a switch virtual interface (SVI) on the leaf switches with an IP address on each switch for connection resilience. Create a Layer 3 routed network to peer with the firewall using OSPF.
  1. On the Tenants tab, double-click on the name of your tenant.
  2. Select Networking > External Routed Networks.
  3. Right-click External Routed Networks and select Create Routed Outside.
  4. Enter a descriptive Name for your External Routed Network.
  5. Select your VRF with external connectivity from the VRF drop-down.
  6. Select the external routed domain you created previously from the External Routed Domain drop-down.
  7. Select OSPF.
  8. Enter an OSPF Area ID. The Area ID can be expressed as a decimal number or in dotted-decimal form. For example, Area 1 is the same as Area 0.0.0.1, and Area 271 is the same as Area 0.0.1.15. The Area ID range is 0 (0.0.0.0) to 4294967295 (255.255.255.255).
  9. Select Regular Area for the OSPF Area Type.
  10. Click the plus (+) button to the right of Nodes and Interface Profiles to create a Node Profile with a node for the border-leaf switches that connect to the firewall.
  11. Enter a descriptive Name for your Node Profile.
  12. Attach nodes to your Node Profile:
    1. Click the plus (+) button to the right of Nodes. This opens the Select Node window.
    2. Select the node that your firewall is connected to from the Node ID drop-down.
    3. Enter the IP address of the router attached to the leaf switch in Router ID.
    4. Select OK.
    5. Click the plus (+) button to the right of Nodes and Interface Profiles.
    6. Enter a descriptive Name for your Node Profile.
    7. Click the plus (+) button to the right of Nodes. This opens the Select Node window.
    8. Select the node that your secondary HA firewall is connected to from the Node ID drop-down.
    9. Enter the IP address of the router attached to the second leaf switch in Router ID.
    10. Select OK.
  13. Attach an OSPF Interface Profile for your Node Profile:
    1. Enter a descriptive Name for your OSPF Interface Profile.
    2. Click Next.
    3. Select Create OSPF Interface Policy from the OSPF Policy drop-down.
    4. Enter a descriptive Name for your OSPF Interface Policy.
    5. Select MTU Ignore.
    6. Select Submit.
    7. Select Next.
    8. Select SVI.
    9. Click the plus (+) button to the right of SVI Interfaces. This opens the Select SVI window.
    10. Click Virtual Port Channel.
    11. Select the Path to the port and port channel interface where the firewall connects to the leaf switch.
    12. In Encap, enter the VLAN encapsulation used for your layer 3 outside profile.
    13. Select Trunk for Mode.
    14. In the Side A IPv4 Primary Address, enter the primary IP address of the path attached to the layer 3 outside profile.
    15. In the Side B IPv4 Primary Address, enter the secondary IP address of the path attached to the layer 3 outside profile.
    16. Select OK.
  14. Select OK to close the Create Interface Profile window.
  15. Select OK to close the Create Node Profile window.
  16. Select Next.
  17. Click the plus (+) button to the right of External EPG Networks. This opens the Create Routed Outside window.
  18. Enter a descriptive Name for your External Network.
  19. Add a subnet to your External Network:
    1. Click the plus (+) button to the right of Subnets.
    2. Enter the IP address and mask of the subnet’s default gateway.
    3. Select Export Route Control Subnet.
    4. Select External Subnets for External EPG.
    5. Select OK.
  20. Select Finish.

Configure Subnets to Advertise to the External Firewall

Configure the subnets in the ACI fabric to advertise the subnets externally.
  1. On the Tenants tab, double-click on the name of your tenant.
  2. Select Networking > Bridge Domains > <your bridge domain>.
  3. Select L3 Configurations.
  4. Click the plus (+) button to the right of Associated L3 Outs.
  5. Select the Layer 3 external routed network connection you created in the previous procedure from the L3 Out drop-down.
  6. Select Update.
  7. Select Networking > Bridge Domains > <your bridge domain> > Subnets > <externally advertised subnet>.
  8. Set the Scope to Advertised Externally.
  9. Select Submit.

Create an Outbound Contract

Create a contract with a filter that allows DNS, NTP, HTTP, and HTTPS traffic. You will use this contract to allow all endpoints in the VRF to reach the external networks but limit the traffic sent to the firewall.
  1. On the Tenants tab, double-click on the name of your tenant.
  2. Select Contracts > Filters.
  3. Right-click on Filters and select Create Filter.
  4. Enter a descriptive Name for the filter.
  5. Create a filter entry for DNS over UDP:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the UDP filter.
    3. Select IP from the EtherType drop-down.
    4. Select udp from the IP Protocol drop-down.
    5. Select dns from the Destination Port From drop-down.
    6. Click Update.
  6. Create a filter entry for DNS over TCP:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the TCP filter.
    3. Select IP from the EtherType drop-down.
    4. Select tcp from the IP Protocol drop-down.
    5. Select dns from the Destination Port From drop-down.
    6. Click Update.
  7. Create a filter entry for NTP traffic:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the NTP filter.
    3. Select IP from the EtherType drop-down.
    4. Select udp from the IP Protocol drop-down.
    5. In the Destination Port From field, enter 123.
    6. Click Update.
  8. Create a filter entry for HTTP traffic:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the HTTP filter.
    3. Select IP from the EtherType drop-down.
    4. Select tcp from the IP Protocol drop-down.
    5. Select http from the Destination Port From drop-down.
    6. Click Update.
  9. Create a filter entry for HTTPS traffic:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the HTTPS filter.
    3. Select IP from the EtherType drop-down.
    4. Select tcp from the IP Protocol drop-down.
    5. Select https from the Destination Port From drop-down.
    6. Select Update.
  10. Select Submit.
  11. Create a contract for outbound traffic:
    1. On the Tenants tab, double-click on the name of your tenant and select Contracts.
    2. Right-click on Contracts and select Create Contract.
    3. Enter a descriptive Name for your Contract.
    4. Click the plus (+) button to the right of Subjects.
    5. Enter a descriptive Name for your Subject.
    6. Under Filter Chain, click the plus (+) button to the right of Filters.
    7. Select the filter you created previously from the drop-down.
    8. Select OK.
  12. Select Submit.

Create an Inbound Web Contract

Create a contract and filters to allow inbound traffic to reach the servers behind the firewall. The following procedure describes the process of creating a contract and filters that allow HTTP and HTTPS web traffic to access resources behind the firewall.
  1. On the Tenants tab, double-click on the name of your tenant.
  2. Select Contracts > Filters.
  3. Right-click on Filters and select Create Filter.
  4. Enter a descriptive Name for the filter.
  5. Create a filter entry for HTTP traffic:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the HTTP filter.
    3. Select IP from the EtherType drop-down.
    4. Select tcp from the IP Protocol drop-down.
    5. Select http from the Destination Port From drop-down.
    6. Select Update.
  6. Create a filter entry for HTTPS traffic:
    1. Click the plus (+) button to the right of Entries.
    2. Enter a descriptive Name for the HTTPS filter.
    3. Select IP from the EtherType drop-down.
    4. Select tcp from the IP Protocol drop-down.
    5. Select https from the Destination Port From drop-down.
    6. Select Update.
  7. Select Submit.
  8. Create a contract for inbound web traffic:
    1. On the Tenants tab, double-click on the name of your tenant and select Contracts.
    2. Right-click on Contracts and select Create Contract.
    3. Enter a descriptive Name for your Contract.
    4. Click the plus (+) button to the right of Subjects.
    5. Enter a descriptive Name for your Subject.
    6. Under Filter Chain, click the plus (+) button to the right of Filters.
    7. Select the filter you created previously from the drop-down.
    8. Select OK.
  9. Select Submit.
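The outbound contract (DNS over UDP and TCP, NTP, HTTP, HTTPS) and the inbound web contract (HTTP, HTTPS) from the two procedures above differ only in their filter entries, so the same builder serves both. The following is an added example, not code from this page or from Palo Alto Networks or Cisco: it emits the vzFilter/vzBrCP objects the APIC REST API accepts for those contracts, using the GUI field names mapped to their attributes (EtherType to `etherT`, IP Protocol to `prot`, Destination Port From/To to `dFromPort`/`dToPort`), and it includes an audit that flags any entry broader than the single-port allow-list the text describes. The filter, subject and contract names are constructed placeholders.

```python
"""Build and audit APIC filters and contracts for the two procedures above.

Added example (not from the original page or Palo Alto Networks/Cisco).
vzFilter, vzEntry, vzBrCP, vzSubj and vzRsSubjFiltAtt are standard APIC
classes; the names used here are constructed placeholders.
"""
import json

# Service -> (protocol, destination port), as selected in the GUI steps.
# APIC accepts the well-known port names shown in the drop-downs; NTP is
# entered numerically in the text, so it is numeric here too.
OUTBOUND_SERVICES = [
    ("dns-udp", "udp", "dns"),
    ("dns-tcp", "tcp", "dns"),
    ("ntp", "udp", "123"),
    ("http", "tcp", "http"),
    ("https", "tcp", "https"),
]
INBOUND_WEB_SERVICES = [
    ("http", "tcp", "http"),
    ("https", "tcp", "https"),
]


def mo(cls, attributes, children=()):
    """Wrap one managed object in the {class: {attributes, children}} shape."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def filter_entry(name, prot, port):
    """One vzEntry: EtherType IP, one L4 protocol, one destination port."""
    return mo("vzEntry", {"name": name, "etherT": "ip", "prot": prot,
                          "dFromPort": port, "dToPort": port})


def build_filter(name, services):
    return mo("vzFilter", {"name": name},
              [filter_entry(n, p, port) for n, p, port in services])


def build_contract(name, subject, filter_name):
    """Contract with one subject whose filter chain references filter_name."""
    link = mo("vzRsSubjFiltAtt", {"tnVzFilterName": filter_name})
    return mo("vzBrCP", {"name": name, "scope": "context"},
              [mo("vzSubj", {"name": subject}, [link])])


def tenant_contracts(tenant):
    """Both filters and both contracts, ready to post to /api/mo/uni.json."""
    return mo("fvTenant", {"name": tenant}, [
        build_filter("outbound-services", OUTBOUND_SERVICES),
        build_contract("outbound", "outbound-subject", "outbound-services"),
        build_filter("inbound-web", INBOUND_WEB_SERVICES),
        build_contract("inbound-web", "web-subject", "inbound-web"),
    ])


def allowed_ports(filter_mo):
    """Set of (protocol, port) pairs a filter admits; None means any port."""
    ports = set()
    for child in filter_mo["vzFilter"].get("children", []):
        a = child["vzEntry"]["attributes"]
        port = a.get("dFromPort", "unspecified")
        ports.add((a.get("prot", "unspecified"), None if port == "unspecified" else port))
    return ports


def audit_filter(filter_mo):
    """Flag entries broader than the allow-list in the text: any protocol,
    any destination port, or a port range instead of a single port."""
    findings = []
    for child in filter_mo["vzFilter"].get("children", []):
        a = child["vzEntry"]["attributes"]
        if a.get("etherT", "unspecified") != "ip" or a.get("prot", "unspecified") == "unspecified":
            findings.append(f"{a['name']}: matches any protocol")
        elif a.get("dFromPort", "unspecified") == "unspecified":
            findings.append(f"{a['name']}: matches any destination port")
        elif a.get("dToPort", a["dFromPort"]) != a["dFromPort"]:
            findings.append(f"{a['name']}: matches a port range {a['dFromPort']}-{a['dToPort']}")
    return findings


if __name__ == "__main__":
    print(json.dumps(tenant_contracts("demo"), indent=2))
    print(sorted(allowed_ports(build_filter("outbound-services", OUTBOUND_SERVICES))))
```

The point of `audit_filter` is the failure mode that matters here: a vzEntry whose destination port is left at "unspecified" turns the contract into an any-port allow between the EPG collection and the external EPG, which defeats the text's goal of limiting what is sent to the firewall. Running it over the filters exported from a tenant catches that before the contract is applied.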

Apply Outbound and Inbound Contracts to the Endpoint Groups (EPGs)

For all the EPGs (the EPG collection) within a VRF to send traffic to an external destination, each internal EPG must have a contract with the external EPG. Typically, you would need to create a separate contract between each internal EPG and the external EPG. However, using a vzAny object you can apply the same contract to all EPGs dynamically. The EPG collection consumes the contract and the external EPG provides the contract. You can configure specific traffic profiles in the contract or send all traffic to the firewall and allow it to control the traffic leaving the data center. Additionally, any new EPG that joins the VRF automatically has the contract applied to it.
Apply the inbound contract so the internal EPG is the provider and the external EPG is the consumer. Traffic flowing to the internal EPG is first checked against the contract, and any allowed traffic is then secured further by the firewall as necessary.
  1. Apply the outbound contract to all EPGs in the VRF:
    1. On the Tenants tab, double-click on the name of your tenant.
    2. Select Networking > VRFs > <your VRF> > EPG Collection for VRF.
    3. Click the plus (+) button to the right of Consumed Contracts.
    4. Select your outbound contract from the Name drop-down.
    5. Select Update.
    6. Select Networking > External Routed Networks > <your external routed network> > Networks > External.
    7. Click the plus (+) button to the right of Provided Contracts.
    8. Select your outbound contract from the Name drop-down.
    9. Select Update.
  2. Apply the inbound contract so an internal EPG provides it to the external EPG:
    1. On the Tenants tab, double-click on the name of your tenant.
    2. Select Application Profiles > <your application profile> > Application EPGs > <your application EPG> > Contracts.
    3. Right-click on Contracts and select Add Provided Contract.
    4. Select your inbound contract from the Contract drop-down.
    5. Select Submit.
    6. On the same tenant, select Networking > External Routed Networks > <your external routed network> > Networks > External.
    7. On the Contracts tab, click the plus (+) button to the right of Consumed Contracts.
    8. Select your inbound contract from the Name drop-down.
    9. Select Update.
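The direction of each relationship in the procedure above is what the firewall's placement depends on: vzAny in the VRF consumes the outbound contract and the external EPG provides it, while the application EPG provides the inbound contract and the external EPG consumes it. The following is an added example, not code from this page or from Palo Alto Networks or Cisco: it expresses those four bindings as the APIC objects the GUI creates, walks the resulting payload to report which object consumes and which provides each contract (the check to run before trusting that traffic really traverses the firewall), and carries a helper that posts the payload through the standard `/api/aaaLogin.json` and `/api/mo/uni.json` endpoints. Tenant, VRF, L3Out and EPG names are constructed placeholders, and the contract names assume the two contracts created earlier on this page.

```python
"""Contract consume/provide bindings for vzAny, the external EPG and an
application EPG, plus a check of their direction.

Added example (not from the original page or Palo Alto Networks/Cisco).
fvCtx, vzAny, vzRsAnyToCons, l3extOut, l3extInstP, fvAp, fvAEPg, fvRsProv
and fvRsCons are standard APIC classes; all names are constructed.
"""
import json
import os
import urllib.request


def mo(cls, attributes, children=()):
    """Wrap one managed object in the {class: {attributes, children}} shape."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def contract_bindings(tenant, vrf, l3out, ext_epg, app_profile, epg, outbound, inbound):
    """vzAny consumes the outbound contract and the external EPG provides it;
    the application EPG provides the inbound contract and the external EPG
    consumes it, exactly as the two steps above describe."""
    any_consumes = mo("vzAny", {}, [mo("vzRsAnyToCons", {"tnVzBrCPName": outbound})])
    external = mo("l3extInstP", {"name": ext_epg}, [
        mo("fvRsProv", {"tnVzBrCPName": outbound}),
        mo("fvRsCons", {"tnVzBrCPName": inbound}),
    ])
    internal = mo("fvAEPg", {"name": epg}, [mo("fvRsProv", {"tnVzBrCPName": inbound})])
    return mo("fvTenant", {"name": tenant}, [
        mo("fvCtx", {"name": vrf}, [any_consumes]),
        mo("l3extOut", {"name": l3out}, [external]),
        mo("fvAp", {"name": app_profile}, [internal]),
    ])


# Relationship class -> the role it gives the parent object.
ROLE_OF = {"vzRsAnyToCons": "consumers", "fvRsCons": "consumers",
           "vzRsAnyToProv": "providers", "fvRsProv": "providers"}


def contract_roles(payload):
    """Return {contract: {"consumers": [...], "providers": [...]}}, naming each
    consumer or provider by its parent object (class:name, or vzAny)."""
    roles = {}

    def walk(node, parent_label):
        for cls, body in node.items():
            attrs = body.get("attributes", {})
            label = "vzAny" if cls == "vzAny" else f"{cls}:{attrs.get('name', '')}"
            if cls in ROLE_OF:
                entry = roles.setdefault(attrs["tnVzBrCPName"], {"consumers": [], "providers": []})
                entry[ROLE_OF[cls]].append(parent_label)
            for child in body.get("children", []):
                walk(child, label)

    walk(payload, "root")
    return roles


def post_to_apic(base_url, user, pwd, payload):
    """Authenticate and post the tenant payload (network call; the offline
    checks never invoke it)."""
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"{base_url}/api/aaaLogin.json", data=login, method="POST")
    with urllib.request.urlopen(req) as resp:
        cookie = resp.headers.get("Set-Cookie", "").split(";")[0]  # APIC-cookie=...
    req = urllib.request.Request(f"{base_url}/api/mo/uni.json", data=json.dumps(payload).encode(),
                                 headers={"Cookie": cookie}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = contract_bindings("demo", "prod-vrf", "fw-l3out", "External",
                             "web-app", "web-epg", "outbound", "inbound-web")
    for contract, role in contract_roles(body).items():
        print(contract, role)
    if os.environ.get("APIC_URL"):  # only posts when a controller is configured
        print(post_to_apic(os.environ["APIC_URL"], os.environ["APIC_USER"],
                           os.environ["APIC_PWD"], body))
```

`contract_roles` works just as well on a tenant exported from a running fabric, which is how to verify after the fact that the inbound contract was not accidentally consumed by the application EPG and provided by the external EPG (the reverse of what the text requires, which would leave inbound web traffic unmatched).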