>
    Strata Copilot
    Endpoint Monitoring in Cisco ACI
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall in Cisco Application Centric Infrastructure (ACI)
    4. Endpoint Monitoring in Cisco ACI
    Download PDF
    VM-Series

    Endpoint Monitoring in Cisco ACI

    Table of Contents

    Endpoint Monitoring in Cisco ACI

    Monitor the endpoints in Cisco APIC using the Cisco ACI plugin.
    Where Can I Use This?What Do I Need?
    • Cisco ACI
    • VM-Series plugin
    • Panorama
    • VM-Series licenses
    • Cisco ACI Fabric
    • Panorama plugin for Cisco ACI
    The Cisco ACI plugin for Panorama allows you to build security policy for your Cisco ACI fabric using Dynamic Address Groups. The plugin monitors for changes in an Application Policy Infrastructure Controller (APIC) fabric in your Cisco ACI environment and shares that information with Panorama. Each Panorama with the Cisco ACI plugin installed can support up to 16 APIC clusters. And each monitoring definition has one cluster and one notify group.
    The number of endpoints that the Cisco ACI plugin can monitor depends on the amount of memory allocated to Panorama. If you have a Panorama virtual appliance, make sure you assign the necessary amount of memory for the endpoints in your environment. See the Panorama Admin Guide for more information about preparing your virtual Panorama.
    Panorama MemoryEndpoints
    8GB10,000
    16GB20,000
    The Cisco ACI plugin processes the endpoint information and converts it into a set of tags that can be used as match criteria for placing IP addresses in Dynamic Address Groups. The tags are constructed in the following format:
    cisco.cl_<cluster>.tn_<tenant>.ap_<app-profile>.{epg_<EPG> | uepg_<micro-EPG>}
    • cisco.cl_<cluster>—this tag groups IP addresses into a Dynamic Address Group based on the Cisco ACI cluster and displays the name of your cluster.
    • cisco.cl_<cluster>.tn_<tenant>—this tag groups IP addresses into a Dynamic Address Group based on tenant and displays the name of your cluster and tenant.
    • cisco.cl_<cluster>.tn_<tenant>.ap_<app-profile>—this tag groups IP addresses into a Dynamic Address Group base on application profile and displays the name of your cluster, tenant, and application profile.
    • cisco.cl_<cluster>.tn_<tenant>.ap_<app-profile>.epg_<EPG>—this tag groups IP addresses into a Dynamic Address Group based on EPG and displays the name of your cluster, tenant, application profile, and EPG.
    • cisco.cl_<cluster>.tn_<tenant>.ap_<app-profile>.uepg_<micro-EPG>—this tag groups IP addresses into a Dynamic Address Group based on micro-EPG and displays the name of your cluster, tenant, application profile, and micro-EPG.
    • cisco.cl_<cluster>.tn_<tenant>.l2out_<L2-external-endpoint>—this tag groups IP addresses into Dynamic Address Groups based on L2 external endpoint and displays the name of your cluster, tenant, and L2 external endpoint.
    • cisco.cl_<cluster>.tn_<tenant>.bd_<bridge-domain>.subnet_<subnet>—this tag groups IP address into a Dynamic Address Group based on subnet and displays the name of your cluster, tenant, bridge domain, and subnet.
    To retrieve endpoint IP-address-to-tag mapping information, you must configure a Monitoring Definition for each APIC fabric in your Cisco ACI environment. The Monitoring Definition specifies the username and password that allows Panorama to connect to the APICs. It also specifies the device groups and corresponding notify groups containing the firewalls to which Panorama pushes the tags. After you configure the Monitoring Definition and the Cisco ACI plugin retrieves the tags, you can create Dynamic Address Groups and add the tags as match criteria.
    The Cisco ACI plugin uses two intervals to retrieve information from the APIC:
    • Monitoring interval—The monitoring interval is the amount of time that the plugin waits before querying for changes in the fabric. If no changes occurred, the monitoring interval resets. If changes are detected, the plugin processes the changes before resetting the monitoring interval. The default monitoring interval is 60 seconds. You can set the monitoring interval from 60 seconds to one day (86,400 seconds).
    • Full-sync interval—The full-sync interval is the amount of time that the plugin waits before updating the dynamic objects from all fabrics regardless of any changes occurred. This ensures that the plugin is synchronized with the fabric even if a change event is missed by the monitoring interval. The default full-sync interval is 10 minutes. You can set the full-sync interval from 600 seconds (10 minutes) and 86,400 seconds (one day).
    Configure the full-sync interval through the Panorama CLI.
    If you configure a value for the monitoring interval greater than that of the full-sync interval, the full-sync interval is ignored and a full synchronization is performed at every monitoring interval.
    If Panorama loses its connection with the APIC, Panorama will attempt to reconnect five times. After five failed attempts, Panorama stops monitoring for changes in your clusters and displays the reconnection attempts in the system log. To recover and begin monitoring your clusters again, you must perform a commit on Panorama.

    © 2026 Palo Alto Networks, Inc. All rights reserved.