Educause Security Discussion mailing list archives
Re: Cisco Security Manager Experience?
From: reflect ocean <reflect.ocean () GMAIL COM>
Date: Thu, 2 Jul 2009 11:30:25 -0500
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.1/user/guide/dpman.html

When the deployment method is configured to use the reference configuration in Configuration Archive, out-of-band changes are never removed. This is equivalent to selecting Do not check for changes.

On Thu, Jul 2, 2009 at 9:22 AM, schilling<schilling2006 () gmail com> wrote:

Hi All,

We deployed CSM to replace CiscoWorks; our primary usage of CiscoWorks is ACL Manager. The ACL Manager worked fine until we tried to enable MPLS, which makes the device no longer recognized by ACL Manager.

Initially, we just want to manage our firewall services in CSM, basically FWSM, ASA, and ACLs on Catalyst 6500. Now we are facing an uncomfortable dilemma on the usage of CSM. The way CSM handles out-of-band changes is to remove them. Every time we manually make some change to the router/switch configuration not related to firewall services, we have to rediscover before applying changes to firewall service rules; otherwise, the change will be removed. There is an option to disable policy management under CSM administration, which says it is only available to router policies. We unchecked all of them, but CSM still wants to manage all aspects of our Catalyst 6500 configuration.

How do you handle the management of Catalyst 6500 ACLs and out-of-band changes? Are you using CSM to manage all your FWSM or ASA?

Thanks.

Shiling Ding
sding () otc fsu edu
Office of Telecommunications
Florida State University

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/dpman.html#wp583768

Understanding How Out-of-Band Changes are Handled

Your options for handling out-of-band changes are:

• Overwrite changes and show warning (also called Warn)—When configurations are deployed, Security Manager uploads the device's current configuration and compares it against the configuration it has in its database. If changes were made to the device manually, Security Manager continues with the deployment and displays a warning notifying you of this action. Out-of-band changes are removed from the device.

• Cancel deployment (also called Cancel)—When configurations are deployed, Security Manager uploads the device's current configuration and compares it against the configuration it has in its database. If changes were made to the device manually, Security Manager cancels the deployment and displays a warning notifying you of this action. You must either manually remove the out-of-band changes, or configure the same settings in Security Manager, before you can deploy configuration changes to the device.

• Do not check for changes (also called Skip)—Security Manager does not check for changes and deploys the changes to the device. No warnings are issued, and any out-of-band changes are removed from the device configuration.