Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IDS and CSPM Integration

I have recently installed both IDS and CSPM on an IDC site. I observed the following integration problem between the two.

First I generate the policy through CSPM and apply it on the Policy Enforcement Points(PEP). With specific to gateway routers, a specific ACL is generated by CSPM.

Later I configure the IDS with the gateway router as a managed device. I also enabled automatic shunning on intrusion detection which the IDS does it by replacing the original ACL with its ACL 199/198 option.

In the process, I observed the following difficulties.

1. ACL 199/198 which the IDS writes on the gateway router (in place of original ACL), does not incorporate allthe policies of the original ACL. Therefore my granular security policy is off the interface, which is as good as void.

2. Next time I update the policies from the CSPM, my revised ACL is generated. But IDS replaces it again upon the first instance of intrusion.

What essentially happening is that my detailed security policy generated from CSPM is almost always outside the PEP interface. Cisco TAC adviced me disable automatic shunning feature (by deselecting managed daemon on IDS) so that CSPM ACL resides on the interface. But I am losing a key functionality of IDS - i.e automatic shunning.

Did any one face similar problem? Any way I can get the complete functionality of both CSPM & IDS?

I would be glad to provide more details if required.


New Member

Re: IDS and CSPM Integration


it's somewhere in the fine docs: you must use a dedicated interface of the router for shunning.

In my view this is a workaround for a missing feature.