This ACL prevents a port from acting as a DHCP server and offering IP addresses. It stops the inadvertent or malicious offering of DHCP addresses by users attached to ports of the system. Typically, IP addresses should only be assigned by servers in the Distribution or Core, which sit above the OLT in the network, and never by endpoints attached to ONT ports. Add this ACL as a Card Level ACL to minimize the ACL resources used: there is then a single instance of the ACL instead of one copy applied to every port.

EMS Deny DHCP Offers Procedure

  1. Open a Panorama PON (EMS) session, click on the Profile icon button and then the ACL tab.

  2. Select the EMS ACL Create a new profile icon and name the ACL profile DenyDHCP.

  3. Click on the Create Rule button and perform the following steps:

Step 1: Enter "Deny-DHCP" in the Rule Name: entry box

Step 2: Select "Extended ACL" from the ACL Type: dropdown

Step 3: Select "Deny" from the Action: dropdown

Step 4: Select "Ipv4" from the Filter Type: radio selections

Step 5: Select "Any Mac(s)" from the Source MAC(s): dropdown

Step 6: Click on the Add button to add the MAC address and bit count to the Source Mac(s) window

Step 7: Select the MAC address entry in the Source Mac(s) window

Step 8: Select "UDP(17)" from the Protocol: radio selections

Step 9: Select "Single" from the Source: radio selections

Step 10: Add "67" in the Distribution Port: entry box

Step 11: Click on the Add button to add the Bound SRC IP(s) and bit count to the Bound SRC IP(s): window

Step 12: Click on the Save button to save the rule profile

  4. Click on the Apply button to add the ACL profile to the Profile Name window list.

  5. After the profile has been generated, the ACL status is displayed. Click on the Close button to complete the ACL profile.


CLI ACL Deny DHCP Procedure

  1. Open a CLI session and create a new Deny DHCP ACL profile.
    Information Note: The created ACL profile name will be case sensitive.
    ESUx> profile acl create name=DenyDHCP <enter> 
    success 
    ESUx> _ 
  2. From the ESUx> command line, input profile acl edit name=DenyDHCP rule number=1 extended action=deny l2 et=ipv4 sa=any max-macs=1 l3 protocol=udp l4 source single port=67, and press Enter. Output similar to the following is displayed:
    ESUx> profile acl edit name=DenyDHCP rule number=1 extended action=deny l2
    et=ipv4 sa=any max-macs=1 l3 protocol=udp l4 source single port=67 <enter>
    success
    ESUx> _ 
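As an added example, not taken from the vendor documentation, the following Python models the matching logic of the DenyDHCP rule entered above: it reduces the rule command to a match spec and evaluates constructed frames against it, which is how the paragraph at the top (deny server-side DHCP traffic originating on ONT ports) plays out packet by packet. The key=value parsing, the Packet shape and the permit-by-default behaviour for unmatched traffic are assumptions for illustration only.

```python
# Added example, not vendor code: models how this page's DenyDHCP extended
# ACL rule matches frames. Parsing and the permit default are assumptions.
from dataclasses import dataclass

RULE_CMD = ("profile acl edit name=DenyDHCP rule number=1 extended action=deny "
            "l2 et=ipv4 sa=any max-macs=1 l3 protocol=udp l4 source single port=67")

ETHERTYPE = {"ipv4": 0x0800, "ipv6": 0x86DD}
PROTO_NUM = {"udp": 17, "tcp": 6}


def parse_rule(cmd: str) -> dict:
    """Reduce the key=value tokens of the rule command to a match spec."""
    kv = dict(tok.split("=", 1) for tok in cmd.split() if "=" in tok)
    return {
        "action": kv["action"],
        "ethertype": ETHERTYPE[kv["et"]],
        "src_mac": kv["sa"],                  # "any" matches every source MAC
        "ip_proto": PROTO_NUM[kv["protocol"]],
        "l4_src_port": int(kv["port"]),       # from "l4 source single port=67"
    }


@dataclass
class Packet:
    src_mac: str
    ethertype: int
    ip_proto: int
    src_port: int
    dst_port: int


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """All configured fields must match; unset fields (DA, IPs) are wildcards."""
    return (pkt.ethertype == rule["ethertype"]
            and rule["src_mac"] in ("any", pkt.src_mac)
            and pkt.ip_proto == rule["ip_proto"]
            and pkt.src_port == rule["l4_src_port"])


def acl_decision(rules: list, pkt: Packet) -> str:
    """First matching rule decides; no match falls through to permit (assumption)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "permit"


# Constructed sample frames as seen arriving from an ONT port.
ROGUE_OFFER = Packet("aa:bb:cc:00:00:01", 0x0800, 17, 67, 68)         # DHCP Offer from a user device: denied
CLIENT_DISCOVER = Packet("aa:bb:cc:00:00:02", 0x0800, 17, 68, 67)     # DHCP Discover from a client: permitted
DHCPV6_ADVERTISE = Packet("aa:bb:cc:00:00:03", 0x86DD, 17, 547, 546)  # DHCPv6 server reply: not covered
```

Note the third sample: a DHCPv6 server reply uses ethertype IPv6 and UDP source port 547, so an IPv4-only rule on port 67 does not touch it and a separate rule is needed if IPv6 is in use.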

Verify the CLI entry

  1. From the ESUx> command line, input profile acl show name=DenyDHCP, and press Enter. Output similar to the following is displayed:
    ESUx> profile acl show name=DenyDHCP <enter>
    
    | Access Control List Profile                                                |
    |============================================================================|
    | Profile Name                 : DenyDHCP                                    |
    |                                                                            |
    | Rule #1                                                                    |
    |   Rule Identifier            : Rule-1                                      |
    |   Type                       : extended                                    |
    |   Action                     : deny                                        |
    |                                                                            |
    |   Layer 2                                                                  |
    |     Ethertype                : IPv4 (0x0800)                               |
    |     802.1p Priority          : n/a                                         |
    |                                                                            |
    |     Source MAC(s)                                                          |
    |       MAX Source MACs        : 1                                           |
    |       SA #1                  : any                                         |
    |                                                                            |
    |     Destination MAC(s)                                                     |
    |                                                                            |
    |     L2 Flags                                                               |
    |       DLF                    : n/a                                         |
    |                                                                            |
    |   Layer 3                                                                  |
    |     IP TTL                   : n/a                                         |
    |     IP DSCP                  : n/a                                         |
    |     IP TOS                   : n/a                                         |
    |     IP Protocol              : udp (17)                                    |
    |                                                                            |
    |     Source IP/Subnet(s)                                                    |
    |                                                                            |
    |     Destination IP/Subnet(s)                                               |
    |                                                                            |
    |     L3 Flags                                                               |
    |       DF                     : n/a                                         |
    |       MF                     : n/a                                         |
    |                                                                            |
    |   Layer 4                                                                  |
    |                                                                            |
    |     Source                                                                 |
    |       Type                   : Single                                      |
    |       Port                   : 67                                          |
    |       Port End               : n/a                                         |
    |                                                                            |
    |     Destination                                                            |
    |       Type                   : n/a                                         |
    |       Port                   : n/a                                         |
    |       Port End               : n/a                                         |
    |                                                                            |
    |     L4 Flags                                                               |
    |       URG                    : n/a                                         |
    |       ACK                    : n/a                                         |
    |       PSH                    : n/a                                         |
    |       RST                    : n/a                                         |
    |       SYN                    : n/a                                         |
    |       FIN                    : n/a                                         |
    |                                                                            |
    |   Meters                                                                   |
    |                                                                            |
    |============================================================================|
    
    ESUx>_ 

 

