Problem Description:
For security reasons, the customer requires that DHCP traffic be blocked in the upstream direction, from the Ethernet port of the ONT to the PON port of the OLT service board.
Solution:
A:
To block this kind of traffic, a custom access list (range 5000-5999) can be created in which the required parameters are specified; in this case, the outbound DHCP traffic from the ONT.
The following commands are entered on the equipment to block this traffic:
MA5600T(config)#acl 5000
MA5600T(config-acl-user-5000)# rule deny 0800 ffff 16 11 ff 27 0044 ffff 40 02 ff 46
Command:
rule deny 0800 ffff 16 11 ff 27 0044 ffff 40 02 ff 46
This is a custom deny rule that includes the following parameters:
0800 matches IP packets, 11 matches UDP packets, 0044 matches DHCP (UDP port 68) and 02 matches DHCP reply packets; together these deny only the outbound DHCP traffic from the ONT.
MA5600T(config-acl-user-5000)#quit
MA5600T(config)# packet-filter inbound user-group 5000 port 0/4/0
This command applies the custom access list to a port on a service board of the OLT.
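To show how the deny rule above is evaluated, here is an added example (not part of the original article or of Huawei's software) that parses the rule as value/mask/offset triples and applies it to two constructed frames. It assumes the offsets count from the start of a VLAN-tagged Ethernet frame, which is consistent with 16 (EtherType), 27 (IP protocol), 40 (UDP destination port) and 46 (DHCP op field); the frame contents are constructed sample data.

```python
import struct

# Rule from the article, as (value, mask, offset) triples: the bytes at
# `offset` are ANDed with `mask` and compared to `value`.
RULE_5000 = "deny 0800 ffff 16 11 ff 27 0044 ffff 40 02 ff 46"


def parse_rule(rule: str):
    """Parse 'deny value mask offset ...' into an action and match triples."""
    action, *fields = rule.split()
    if len(fields) % 3:
        raise ValueError("rule fields must come in value/mask/offset triples")
    triples = []
    for i in range(0, len(fields), 3):
        value, mask = bytes.fromhex(fields[i]), bytes.fromhex(fields[i + 1])
        triples.append((value, mask, int(fields[i + 2])))
    return action, triples


def rule_matches(frame: bytes, triples) -> bool:
    """True only when every triple matches; frames too short never match."""
    for value, mask, off in triples:
        chunk = frame[off:off + len(value)]
        if len(chunk) < len(value):
            return False
        if bytes(c & m for c, m in zip(chunk, mask)) != \
                bytes(v & m for v, m in zip(value, mask)):
            return False
    return True


def build_dhcp_frame(src_port: int, dst_port: int, op: int) -> bytes:
    """Constructed VLAN-tagged IPv4/UDP/DHCP frame (checksums left zero)."""
    eth = (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"   # dst, src MAC
           + b"\x81\x00" + struct.pack("!H", 100)       # 802.1Q tag, VLAN 100
           + b"\x08\x00")                               # EtherType IPv4 at offset 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 240, 0, 0,
                     64, 17, 0, bytes(4), b"\xff" * 4)  # protocol 17 (UDP) at 27
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + 240, 0)  # dst port at 40
    dhcp = bytes([op]) + b"\x00" * 239  # op at 46: 1 = BOOTREQUEST, 2 = BOOTREPLY
    return eth + ip + udp + dhcp


def filter_action(frame: bytes, rule: str = RULE_5000) -> str:
    """Return 'deny' when the rule matches, otherwise the default 'permit'."""
    action, triples = parse_rule(rule)
    return action if rule_matches(frame, triples) else "permit"
```

A DHCP reply (server port 67 to client port 68, op 2) coming from the ONT side is denied, while a client request (68 to 67, op 1) still passes, so the subscriber can obtain a lease from the legitimate server upstream.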
