Secure your network management traffic by creating a separate management VLAN

It's always a good idea to prevent the customers of your network from reaching the management functions in network equipment. The "customers" might be your colleagues in an enterprise network, or subscribers in an access system, but in either case they should not be able to tamper with the infrastructure. This is a very basic piece of security that belongs in every network.

PTP 650 and PTP 700 support out-of-band management, where the management network connects on a separate physical connector. That provides a high degree of segregation between management and customer traffic, but it does result in an extra cable run. That extra cable run might not be so attractive if the ODU is on a tower.

An alternative approach is to keep management and customer traffic apart using VLANs. This provides nearly the same segregation as out-of-band management, but without the additional cable run. For this approach you need an external VLAN switch at each end of the link, configured to tag all frames received from the management network with one VLAN ID (VID) and all frames received from the customer data network with a different VID. The port that connects to the PTP 650/700 must be a trunk that passes both VIDs with the VLAN tags in place. Two practical checks on that trunk: the switch's native (untagged) VLAN should be neither the management VID nor the customer VID, so that no customer frame can arrive at the ODU untagged or pick up the management tag by accident, and the switch ports facing customers should be access ports that strip any 802.1Q tag a customer sends rather than forwarding it.

Then you need to configure the management agent of the PTP 650/700 to use the VID of the management network. In the diagram below, the management traffic is in the red VLAN and the customer traffic is in the green VLAN. The PTP 650/700 link carries both types of traffic, but only frames carrying the management VID can reach the HTTP and SNMP interfaces in the embedded management agent; customer-VLAN frames are bridged across the link and never delivered to the agent, whatever their destination IP address.

The equipment at the other end of the link is configured as a mirror image: the same two VIDs, with the switch there separating the tagged frames back onto the management and customer networks.

The management VLAN is configured in the PTP 650/700 on the LAN Configuration web page, like this:

(Screenshot: PTP 650 configure VLAN.png)
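To make the separation concrete, here is a small model of the frame handling the article describes: the ODU inspects the outermost 802.1Q tag of each received frame and hands it to the embedded HTTP/SNMP agent only when the VID matches the configured management VID; everything else, including untagged, priority-tagged (VID 0) and double-tagged frames, stays on the bridged data path. This is an added illustration written for this page, not Cambium code, and it does not model PTP 650/700 internals. The VIDs (10 for the red management VLAN, 20 for the green customer VLAN), the MAC addresses and the frame payloads are all assumed and constructed here; the page gives no specific values.

```python
"""Model of 802.1Q-based separation of management and customer traffic.

Added illustration for this page; not Cambium code and not a model of the
PTP 650/700 implementation. VIDs, MACs and payloads below are assumed.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (outer tag of a QinQ frame)
ETHERTYPE_IPV4 = 0x0800

MGMT_VID = 10   # assumed: the "red" management VLAN in the article's diagram
CUST_VID = 20   # assumed: the "green" customer VLAN


def build_frame(dst, src, payload, vids=(), outer_type=ETHERTYPE_VLAN, pcp=0):
    """Construct an Ethernet frame carrying zero or more 802.1Q tags.

    vids are listed outermost first; the first tag uses outer_type (0x8100
    or 0x88A8), any inner tag uses 0x8100. The payload is wrapped as IPv4.
    """
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b""
    for i, vid in enumerate(vids):
        tpid = outer_type if i == 0 else ETHERTYPE_VLAN
        tci = (pcp << 13) | (vid & 0x0FFF)        # PCP (3) | DEI (1) | VID (12)
        tags += struct.pack("!HH", tpid, tci)
    return header + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vid(frame):
    """Return the VID of the outermost tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def classify(frame, mgmt_vid=MGMT_VID):
    """Decide where the ODU's receive path sends a frame in this model.

    'management' -> embedded HTTP/SNMP agent; 'bridge' -> across the link.
    Only the outermost tag is examined, so a double-tagged frame whose outer
    tag is the customer VID never reaches the agent, whatever its inner tag.
    """
    vid = outer_vid(frame)
    if vid is None or vid == 0:      # untagged or priority-tagged: data path only
        return "bridge"
    if vid == mgmt_vid:
        return "management"
    return "bridge"


def demo():
    """Classify a constructed set of frames all addressed to the agent's MAC."""
    agent_mac = "00:04:56:aa:bb:cc"           # assumed, constructed
    payload = b"\x45" + b"\x00" * 19          # constructed 20-byte IPv4 placeholder
    frames = {
        "mgmt_tagged": build_frame(agent_mac, "02:00:00:00:00:01", payload, vids=(MGMT_VID,)),
        "customer_tagged": build_frame(agent_mac, "02:00:00:00:00:02", payload, vids=(CUST_VID,)),
        "untagged": build_frame(agent_mac, "02:00:00:00:00:03", payload),
        "priority_tagged": build_frame(agent_mac, "02:00:00:00:00:04", payload, vids=(0,), pcp=5),
        # customer outer tag with the management VID inside: a double-tagging attempt
        "double_tagged": build_frame(agent_mac, "02:00:00:00:00:05", payload, vids=(CUST_VID, MGMT_VID)),
        "qinq_customer": build_frame(agent_mac, "02:00:00:00:00:06", payload, vids=(CUST_VID, MGMT_VID), outer_type=ETHERTYPE_QINQ),
    }
    return {name: classify(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The double-tagged cases are the ones worth checking on a real deployment: they only reach the management agent if something upstream strips the outer customer tag first, which is exactly what the access-port and native-VLAN checks on the external switch are meant to rule out.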

Not only does this VLAN approach keep customers away from the management interfaces, it also spares the management agent from receiving and discarding the broadcast frames in the customer traffic, so a broadcast storm on the customer network cannot load the agent.