Group Based Policy IDS
Cisco's http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-733126.html (Group-Based Policy for OpenStack) describes one use case for GBP networking:
Policy layering: ...layering allows application owners to specify the policy pertaining to an application, while infrastructure owners can prescribe security requirements __such as redirection of traffic to a chain of firewall and intrusion-detection system (IDS) solutions before the traffic is sent to the application.__
One of the accompanying images illustrates this ideas:
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-733126.doc/_jcr_content/renditions/white-paper-c11-733126_3.jpg (image description)
My question is: how does one actually configure an IDS to receive network traffic with GBP? The diagram suggests that there should be a "copy" action, but the http://gbp.readthedocs.org/en/latest/usage.html#the-gbp-model (GBP docs) show that there are only "allow" and "redirect" actions.
If the feature has simply not yet been implemented, what is a recommended way to forward application traffic to an IDS?