Cisco Support Community

securing SNMP for Cluster Manager

I'd like to secure my CMS a little using an access list for SNMP in my cluster.

I know that after adding a new switch to the cluster, the cluster manager switch creates the SNMP communities public@es1 and private@es1 in the member switch config (let's assume that we are using the public and private community strings for RO and RW access). I'd like to use access lists to control the SNMP access to the cluster. Every switch has its own IP address in my cluster.

I've noticed it is necessary to add the manager switch CMP address to the access list on the member switch. The CMP address is a strange IP address (, e.g.) derived from the manager switch MAC address. It is also necessary to add this address to the access list controlling the HTTP access to the member switch (I don't know why exactly).

But I've got no idea what access list should be used on the cluster manager for the community strings public@es0 and private@es0. Is the member switch using them for SNMP access to the manager? Why should the member switch get write access to the manager?

Reading some documents on CCO, I've got a feeling that these @esx strings might not be used at all if the member switch has its own IP address.... Maybe I could delete them?

Does anybody have detailed knowledge of SNMP communication inside a switch cluster? Or do you know of some document describing it?




Re: securing SNMP for Cluster Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center ( or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
