Educause Security Discussion mailing list archives

Cisco Security Manager Experience?


From: schilling <schilling2006 () GMAIL COM>
Date: Thu, 2 Jul 2009 10:22:12 -0400

Hi All,

We deployed CSM to replace CiscoWorks; our primary use of CiscoWorks
is ACL Manager. ACL Manager works fine until we try to enable MPLS,
after which the device is no longer recognized by ACL Manager.

Initially, we just wanted to manage our firewall services in CSM,
basically FWSM, ASA, and ACLs on Catalyst 6500. Now we are facing an
uncomfortable dilemma on the usage of CSM.  The way CSM handles
out-of-band changes is to remove them. Every time we manually make some
change to the router/switch configuration not related to firewall
services, we have to rediscover before applying a change to the
firewall service rules; otherwise, the change will be removed.  There
is an option to disable policy management under CSM administration,
which is said to be available only for router policies.  We unchecked
all of them, but CSM still wants to manage all aspects of our Catalyst
6500 configuration.

How do you handle the management of Catalyst 6500 ACLs and out-of-band
changes? Are you using CSM to manage all of your FWSMs or ASAs?

Thanks.

Shiling Ding
sding () otc fsu edu
Office of Telecommunications
Florida State University



http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/dpman.html#wp583768

Understanding How Out-of-Band Changes are Handled

Your options for handling out-of-band changes are:

• Overwrite changes and show warning (also called Warn)—When
configurations are deployed, Security Manager uploads the device's
current configuration and compares it against the configuration it has
in its database. If changes were made to the device manually, Security
Manager continues with the deployment and displays a warning notifying
you of this action. Out-of-band changes are removed from the device.

• Cancel deployment (also called Cancel)—When configurations are
deployed, Security Manager uploads the device's current configuration
and compares it against the configuration it has in its database. If
changes were made to the device manually, Security Manager cancels the
deployment and displays a warning notifying you of this action. You
must either manually remove the out-of-band changes, or configure the
same settings in Security Manager, before you can deploy configuration
changes to the device.

• Do not check for changes (also called Skip)—Security Manager does not
check for changes and deploys the changes to the device. No warnings
are issued, and any out-of-band changes are removed from the device
configuration.
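The three behaviours quoted above, and the rediscover-then-deploy workflow the
original post describes, as an added simulation in Python. This is not Security
Manager code: difflib stands in for CSM's compare step, the Catalyst 6500
snippets (hostname, the EDGE-IN ACL, the manual "mpls ip" lines) are
constructed samples, and the function names are my own. The point it makes
concrete is that under both Warn and Skip the pushed configuration is
generated from the database, so the manual MPLS lines disappear; only Cancel
leaves the device alone, and only rediscovery makes the manual lines survive a
later deployment.

```python
# Added example (not CSM code): simulate the three out-of-band (OOB) policies
# over constructed Catalyst 6500 snippets; difflib stands in for CSM's compare.
import difflib
from enum import Enum

class OobPolicy(Enum):
    WARN = "overwrite changes and show warning"
    CANCEL = "cancel deployment"
    SKIP = "do not check for changes"

# Constructed sample: what CSM holds in its database for the device.
DB_CONFIG = """\
hostname cat6500-core
ip access-list extended EDGE-IN
 permit tcp any host 10.1.1.10 eq 443
 deny ip any any
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group EDGE-IN in
"""

# Constructed sample: the running config after someone enabled MPLS by hand.
DEVICE_CONFIG = """\
hostname cat6500-core
mpls label protocol ldp
ip access-list extended EDGE-IN
 permit tcp any host 10.1.1.10 eq 443
 deny ip any any
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group EDGE-IN in
 mpls ip
"""

def detect_oob(db_config, device_config):
    """Return (lines added on the device, lines removed from the device) relative
    to the database copy. Indentation is stripped for reporting only."""
    diff = difflib.unified_diff(db_config.splitlines(), device_config.splitlines(),
                                "csm-database", "device-running", n=0, lineterm="")
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue                      # file/hunk headers, not config lines
        if line.startswith("+"):
            added.append(line[1:].strip())
        elif line.startswith("-"):
            removed.append(line[1:].strip())
    return added, removed

def add_acl_entry(config, acl_name, entry):
    """Insert `entry` above the last line (the explicit deny) of a named extended
    ACL, mimicking a rule added in the policy view."""
    lines = config.splitlines()
    header = f"ip access-list extended {acl_name}"
    if header not in lines:
        raise ValueError(f"ACL {acl_name} not in config")
    out, i = [], 0
    while i < len(lines):
        out.append(lines[i])
        if lines[i] == header:            # collect the indented ACL body
            i += 1
            body = []
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i])
                i += 1
            out.extend(body[:-1] + [" " + entry] + body[-1:])
            continue
        i += 1
    return "\n".join(out) + "\n"

def deploy(db_config, device_config, desired_config, policy):
    """One deployment. Returns (status, config now on device, warnings).
    `desired_config` is generated from the database, so it never carries the
    manual lines; Warn and Skip both push it unchanged."""
    if policy is OobPolicy.SKIP:          # Skip: no compare, no warning
        return "deployed", desired_config, []
    added, removed = detect_oob(db_config, device_config)
    if not (added or removed):
        return "deployed", desired_config, []
    if policy is OobPolicy.CANCEL:        # Cancel: device left as it was
        return "cancelled", device_config, [
            f"{len(added)} added / {len(removed)} removed line(s) not in database"]
    return "deployed", desired_config, [  # Warn: overwrite, but say so
        f"overwriting out-of-band line: {l}" for l in added + removed]

def rediscover_and_deploy(device_config, acl_name, entry):
    """The workflow the post describes: rediscover first so the running config
    becomes the baseline, then generate from it and deploy under Cancel."""
    desired = add_acl_entry(device_config, acl_name, entry)
    return deploy(device_config, device_config, desired, OobPolicy.CANCEL)

if __name__ == "__main__":
    entry = "permit tcp any host 10.1.1.11 eq 22"
    desired = add_acl_entry(DB_CONFIG, "EDGE-IN", entry)
    for policy in OobPolicy:
        status, cfg, warns = deploy(DB_CONFIG, DEVICE_CONFIG, desired, policy)
        print(f"{policy.name:6} {status:9} mpls kept={'mpls ip' in cfg} {warns}")
    status, cfg, _ = rediscover_and_deploy(DEVICE_CONFIG, "EDGE-IN", entry)
    print(f"REDISCOVER+CANCEL {status} mpls kept={'mpls ip' in cfg}")
```

Running it shows Warn and Skip both leaving "mpls ip" off the device (Skip
silently), Cancel refusing the push, and the rediscover-first path being the
only one that keeps the manual MPLS lines alongside the new ACL entry. Note that
this only models the whole-configuration behaviour the quoted text describes;
it says nothing about the per-policy "disable policy management" checkboxes,
which the post reports had no effect on the Catalyst 6500.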
