Tech Docs: Panorama Plugin for Cisco ACI

Power Up Your Security with the Panorama Plugin for Cisco ACI

The new Panorama plugin for Cisco ACI gives you the power to dynamically secure the endpoints in your Cisco ACI fabric.  The Cisco ACI plugin regularly polls your APIC for changes in your endpoints.  The plugin then retrieves tags, which map to endpoint IP addresses.  When an endpoint’s tag matches match criteria on Panorama, the endpoint is placed in a Dynamic Address Group (DAG) and matches against the appropriate security policy rules. Panorama sends policy rules to your virtual and physical firewalls and those firewalls begin securing traffic.

You can create DAGs that correspond to a Cluster, Tenant, Application Profile, Endpoint Group (EPG), or micro-EPG.  This gives you the flexibility to create broad policy for your entire cluster down to more narrow policy for specific groups of endpoints.  So, you can be secure in the knowledge that whenever a new endpoint joins your fabric, it is protected.

Get started in five easy steps:

1. Download and install the Cisco ACI plugin on your Panorama running 8.1.6 or later.
2. Establish a connection between Panorama and your APIC.
3. Configure the monitoring definition.
4. Assign the match criteria, based on EPG IP-to-tag mapping, to your DAGs.
5. Use the DAGs in policy.

The 8.1 and 9.0 VM-Series Deployment Guides have the information you need to start protecting your Cisco ACI Environment.

As always, you can find our content at https://docs.paloaltonetworks.com.

Happy reading!

Your friendly Technical Documentation team

documentation@paloaltonetworks.com