You need to look at your security policy for this. My advise would be that if you are load balancing public web servers then the CSS and web servers should be placed on the DMZ. This is standard practice for any firewall installation.
From an operational point of the VIP (Virtual IP Addresses) of the CSS can be natted, packet filtered without an issue but this can be a problem if the application you are trying to load balance has issues. If it is just web servers you are load balancing then generally there is not problem.
This document will provide screenshots to outline the steps to setup
TACACS+ configuration to ACI and also the configuration required on
Cisco ACS server. Please find the official Cisco guide for configuring
TACACS+ Authentication to ACI:
Is it supported or NOT supported? It's a frequently asked question.
Before APIC, release 2.3(1f), transit routing was not supported within a
single L3Out profile. In APIC, release 2.3(1f) and later, you can
configure transit routing with a single L3Out pr...
Cisco Documents are usually accurate, but when it came to the document
on Cisco APIC Signature-Based Transactions it was slightly off the mark.
This document is for those novices to API like me who cant seem to
figure out how to go about performing signat...