What precautions should be taken to secure APIC-EM on DMZ Internet? I want to use PnP; what are the prerequisites for the switch?
Refer to this page: Solution Guide for Cisco Network Plug and Play - Cisco
It is recommended that you put APIC-EM behind a proxy.
- Generic HTTP Proxy—Optional component for remote branch deployments where the Cisco APIC-EM is not reachable directly by remote devices because it is behind a DMZ zone. A generic HTTP reverse proxy can be placed before the APIC-EM in the DMZ, to relay messages between devices and the controller. Alternately, you can choose to set up a private VPN link so that the controller is reachable via VPN, without using a generic proxy.