Configure Your Cisco APIC to Secure East-West Traffic

Complete these steps to configure your Cisco APIC to secure east-west traffic with a Palo Alto Networks firewall.
Where Can I Use This?
  • VM-Series firewall deployment in Cisco ACI
What Do I Need?
  • VM-Series plugin
  • Panorama
  • VM-Series licenses
  • Cisco ACI Fabric
  • Panorama plugin for Cisco ACI

Create a VLAN Pool and Domain

Configure the VLAN pool that will be used to allocate VLANs to the firewall when you attach interfaces to the ACI infrastructure for EPGs. The firewall’s VLAN pool should have a static VLAN range.
Configure a dedicated domain for the firewall. A domain for the firewall is required to map the VLANs to the EPGs. Create a physical domain for a physical firewall and create a VMM domain for a VM-Series firewall.
  1. Create a VLAN pool:
    1. Log in to your APIC.
    2. Select Fabric > Access Policies > Pools > VLAN.
    3. Right-click VLAN and select Create VLAN Pool.
    4. Enter a descriptive Name for your VLAN pool.
    5. Select Dynamic Allocation for Allocation Mode.
    6. Click the plus (+) button to the right of Encap Blocks.
    7. Enter your VLAN range in the VLAN Range field.
    8. Select Static Allocation from the Allocation Mode drop-down and select OK.
    9. Submit your changes.
  2. (Physical firewall only) Create a physical domain:
    1. Select Fabric > Access Policies > Physical and External Domains > Physical Domains.
    2. Right-click Physical Domain and select Create Physical Domain.
    3. Enter a descriptive Name for your physical domain.
    4. Select the VLAN pool you created in the previous procedure from the VLAN Pool list and Submit your changes.
  3. (VM-Series firewall only) Create a VMM domain:
    1. Select Virtual Networking > VMM Domains > VMware.
    2. Right-click VMware and select Create vCenter Domain.
    3. Enter a descriptive Name for your VMM domain.
    4. Select VMware vSphere Distributed Switch from the Virtual Switch drop-down.
    5. Select VLAN from the Encapsulation drop-down.
    6. Select your VLAN pool from the VLAN Pool drop-down.
    7. Click the plus (+) button to the right of vCenter Credentials.
    8. Enter a descriptive Profile Name and your vCenter login information.
    9. Click the plus (+) button to the right of vCenter.
    10. Enter a descriptive Name.
    11. Select vCenter from the Type drop-down.
    12. Enter your vCenter IP address under IP/Hostname.
    13. Select the vCenter Credentials profile you created from the Associated Credential drop-down.
    14. Submit your changes.

Configure an Interface Policy for LLDP and LACP for East-West Traffic

LLDP is necessary for forwarding to work correctly in the ACI environment; ACI does not deploy a subnet router interface on a leaf switch unless it detects an endpoint on the switch that requires one. LLDP helps determine if a subnet router interface is required.
LACP provides greater resiliency and recovery speed on a link failure.
  1. Create an LLDP Interface Policy:
    1. Select Fabric > Access Policies > Interface Policies > Policies > LLDP Interface.
    2. Right-click on LLDP Interface and select Create LLDP Interface Policy.
    3. Enter a descriptive Name for your LLDP interface policy.
    4. Select Enabled for Receive State.
    5. Select Enabled for Transmit State.
    6. Submit your changes.
  2. Create a Port Channel policy to enable LACP:
    1. Select Fabric > Access Policies > Interface Policies > Policies > Port Channel.
    2. Right-click on Port Channel and select Create Port Channel Policy.
    3. Enter a descriptive Name for your port channel policy.
    4. Select LACP Active from the Mode drop-down.
    5. Submit your changes.

Establish the Connection Between the Firewall and ACI Fabric

Attach your firewall to the leaf switch through a VPC connection using the Ethernet interface (or Aggregate Ethernet group) you configured on your firewall earlier in this procedure. Connect the interface or interfaces to the same ports on the leaf switches.
  1. Select Fabric > Access Policies > Quick Start.
  2. Select Configure an interface, PC, and VPC.
  3. Click the green and white plus (+).
  4. Select the leaf switch or switches to which your firewall is connected from the Switches drop-down.
  5. Click the green and white plus (+).
  6. Select VPC as the Interface Type.
  7. In the Interfaces field, enter the number of the interface your firewall uses to connect to the leaf switch.
  8. Enter a descriptive name into the Interface Selector Name field.
  9. Select LLDP-Enabled from the LLDP Policy drop-down.
  10. Select LACP Active from the Port Channel Policy drop-down.
  11. Select Bare Metal for a physical firewall or ESX Hosts for the VM-Series from the Attached Device Type drop-down.
  12. Select Choose One for Domain.
  13. Select the physical domain or VMM domain you created previously in this procedure from the Domain drop-down.
  14. Select Save.
  15. Select Save and then Submit.
  16. Repeat this procedure for the second firewall in your HA pair.

Create a VRF and Bridge Domain

A tenant requires a VRF for all bridge domains and subnets. In this example, you will create a single, common VRF for the firewalls and endpoints. Then configure a dedicated bridge domain for your firewall and disable dataplane learning, which is required to use Policy-Based Redirect in a bridge domain.
  1. Create a VRF:
    1. On the Tenants tab, double-click on the name of your tenant.
    2. Select Networking > VRFs.
    3. Right-click VRFs and select Create VRF.
    4. Enter a descriptive Name for your VRF.
    5. Uncheck Create A Bridge Domain.
    6. Select Finish.
  2. Create a bridge domain for the firewall:
    1. On the Tenants tab, double-click on the name of your tenant.
    2. Select Networking > Bridge Domains.
    3. Right-click Bridge Domains and select Create Bridge Domain.
    4. Enter a descriptive Name for your bridge domain.
    5. Select the VRF you created in the previous procedure from the VRF drop-down and select Next.

Configure VM-Series Firewall as an L4-L7 Device

Define the firewall as an L4-L7 device in the APIC so ACI can insert it into the traffic flow. You configure L4-L7 devices in the APIC as a device cluster, which is a construct that represents a single firewall or a firewall HA pair acting as a single device. Device clusters have one or more logical interfaces, which define the path of the member firewalls with a VLAN from the physical domain.
  1. On the Tenants tab, double-click on the name of your tenant.
  2. Select Services > L4-L7 > Devices.
  3. Right-click Devices and select Create L4-L7 Device.
  4. Clear the Managed check box.
  5. Enter a descriptive Name for your L4-L7 Device.
  6. Select Firewall from the Service Type drop-down.
  7. Select Physical for a physical firewall or Virtual for a VM-Series firewall from the Device Type drop-down.
  8. Select the physical or VMM domain you created previously from the Domain drop-down.
  9. Select HA Node for View.
  10. Under Device 1, click the plus (+) icon to the right of Device Interfaces.
  11. Enter a descriptive Name for this interface.
  12. Under Path, select the path to the primary firewall in your HA pair.
  13. Click Update.
  14. Under Device 2, click the plus (+) icon to the right of Device Interfaces.
  15. Enter a descriptive Name for this interface.
  16. Under Path, select the path to the secondary firewall in your HA pair.
  17. Click Update.
  18. Under Cluster, click the plus (+) icon to the right of Cluster Interfaces.
  19. Enter a descriptive Name for the cluster.
  20. Select the two interfaces you configured above from the list under Concrete Interfaces.
    The APIC requires that you configure two interfaces. However, because there is only one connection between the firewall and the ACI fabric, only one of the interfaces is used.
  21. Under Encap, enter a VLAN from the static VLAN pool you created earlier. Traffic is redirected to the firewall on the VLAN that you assigned.
  22. Select Update.
  23. Select Finish.

Create a Policy-Based Redirect (PBR)

The policy-based redirect (PBR) leverages the MAC address of the interface on the firewall. Before configuring the PBR setting on the APIC, you must get the MAC address from the firewall.
  1. Get the MAC address of the firewall:
    1. Log in to the firewall CLI.
    2. Use the command show interface all to display the MAC addresses of your configured interfaces.
    3. Copy the MAC address of the interface that will receive the redirected traffic.
  2. Create the L4-L7 policy-based redirect:
    1. Log in to the APIC.
    2. On the Tenants tab, double-click on the name of your tenant.
    3. Select Policies > Protocol > L4-L7 Policy Based Redirect.
    4. Right-click L4-L7 Policy Based Redirect and then select Create L4-L7 Policy Based Redirect.
    5. Enter a descriptive Name for your Policy Based Redirect.
    6. Click the plus (+) icon to the right of Destinations.
    7. In the IP field, enter the IP address of the interface that will receive the redirected traffic.
    8. In the MAC field, enter the MAC address that you copied from the firewall CLI.
    9. Select OK.
    10. Select Submit.
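As an added example (not from the original page or from Palo Alto Networks or Cisco), the Python helper below pulls the redirect interface's MAC address out of a constructed `show interface all` listing, checks that the Encap VLAN chosen for the L4-L7 cluster interface lies inside a static encap block of the VLAN pool, and assembles the IP/MAC pair that the PBR destination needs. The CLI column layout is constructed and the `vlan-N` encap string is an assumption about how the value is written.

```python
import re
from dataclasses import dataclass

# Constructed sample of the firewall CLI output; the real PAN-OS layout may
# differ, so the parser keys only on the interface name and a trailing MAC.
SHOW_INTERFACE_ALL = """\
name                  id    speed/duplex/state   mac address
------------------------------------------------------------
ethernet1/1           16    10000/full/up        00:50:56:aa:bb:01
ethernet1/2           17    10000/full/up        00:50:56:aa:bb:02
ae1                   25    [n/a]/[n/a]/up       00:50:56:aa:bb:10
"""

# First token is the interface name; the line must end with a 6-octet MAC.
MAC_RE = re.compile(r"^(\S+)\s.*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)


def interface_macs(cli_output: str) -> dict:
    """Map interface name -> lower-case MAC for every interface listed."""
    macs = {}
    for line in cli_output.splitlines():
        m = MAC_RE.match(line)
        if m:
            macs[m.group(1)] = m.group(2).lower()
    return macs


@dataclass(frozen=True)
class EncapBlock:
    """One Encap Block of the VLAN pool: inclusive range plus allocation mode."""
    start: int
    end: int
    allocation: str  # "static" or "dynamic"


def encap_is_static(vlan: int, blocks) -> bool:
    """The cluster-interface Encap must come from a static block of the pool."""
    return any(b.start <= vlan <= b.end and b.allocation == "static" for b in blocks)


def build_pbr_destination(cli_output, interface, ip, vlan, blocks):
    """Return the ip/mac destination for the L4-L7 PBR policy, or raise."""
    macs = interface_macs(cli_output)
    if interface not in macs:
        raise ValueError(f"{interface} not found in firewall interface list")
    if not encap_is_static(vlan, blocks):
        raise ValueError(f"VLAN {vlan} is not in a static encap block")
    # "vlan-N" is the assumed textual form of the encap value.
    return {"ip": ip, "mac": macs[interface], "encap": f"vlan-{vlan}"}
```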

Create and Apply a Service Graph Template

This section helps you to create a service graph template that uses the device cluster representing the firewall in a policy-based redirect integration. Apply this service graph to Endpoint Groups (EPGs) to protect the traffic. A contract and contract filter rules define the traffic that can be forwarded to the firewall.
  1. Create a service graph template:
    1. On the Tenants tab, double-click on the name of your tenant.
    2. Select Services > L4-L7 > L4-L7 Service Graph Templates.
    3. Right-click L4-L7 Service Graph Template and select Create L4-L7 Service Graph Template.
    4. Enter a descriptive Graph Name for your service graph template.
    5. Select Create a New One for Graph Type.
    6. Click and drag the L4-L7 device you created in the previous procedure between the consumer and provider EPGs.
    7. Select Routed for Firewall.
    8. Select Routed Redirect.
    9. Select Submit.
  2. Apply the service graph template:
    1. On the Tenants tab, double-click on the name of your tenant.
    2. Select Services > L4-L7.
    3. In the EPGs Information pane, select your consumer and provider EPGs from the Consumer EPG and Provider EPG drop-downs.
    4. Select Create a New Contract.
    5. Enter a descriptive Contract Name.
    6. Clear No Filter (Allow All Traffic); using this option is not recommended. If you want all traffic between the EPGs to be redirected to the firewall, create a filter that does this instead.
    7. Click the plus (+) icon to the right of Filter Entries.
    8. Create a rule (or rules) to define what traffic is allowed to pass between the EPGs and redirected to the firewall.
    9. Select Next.
    10. Select the service graph template you created in the previous procedure from the Service Graph Template drop-down.
    11. In the consumer and provider pane, select the bridge domain containing your firewall from the BD drop-downs.
    12. Select the policy-based redirect you created previously from the Redirect Policy drop-downs.
    13. Select the cluster interface you created with you L4-L7 device from the Cluster Interface drop-downs.