Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Configuring Lockout of PPPoE Subscriber Sessions

You can configure the router to temporarily prevent (lock out) a failed or short-lived PPPoE subscriber session from reconnecting to the router for a default or configurable period of time. Configuring a lockout period on the PPPoE underlying interface for static or dynamic PPPoE subscriber sessions protects the router and any external authentication, authorization, and accounting (AAA) servers, such as RADIUS, from excessive loading as a result of failed or short-lived (also known as short-cycle) PPPoE subscriber sessions that occur repeatedly for the same subscriber.

You can configure the router to use the default PPPoE lockout period, 1 through 300 seconds (5 minutes). Alternatively, you can override the default lockout period by specifying a minimum lockout time and maximum lockout time, each of which can be from 1 through 86,400 seconds (24 hours).

Before you begin:

To configure temporary lockout of PPPoE subscriber sessions:

  1. Specify that you want to configure PPPoE-specific options on the underlying interface:
    • For a PPPoE family in a dynamic profile for a VLAN demultiplexing (demux) logical interface:
      [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number]user@host# edit family pppoe
    • For a PPPoE family in a dynamic profile:
      [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number]user@host# edit family pppoe
    • For a PPPoE underlying interface in a dynamic profile:
      [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number]user@host# edit pppoe-underlying-options
    • For a PPPoE family on an underlying interface:
      [edit interfaces interface-name unit logical-unit-number]user@host# edit family pppoe
    • For an underlying interface with PPPoE encapsulation:
      [edit interfaces interface-name unit logical-unit-number]user@host# edit pppoe-underlying-options
  2. Enable duplicate protection to prevent negotiation of a dynamic or static PPPoE client session on the same underlying interface when a PPPoE client session with the same media access control (MAC) source address is already active on that interface.
    [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options] user@host# set duplicate-protection

    Best Practice: When you configure PPPoE subscriber session lockout, we recommend that you enable duplicate protection to ensure that the MAC source address for each PPPoE session is unique on the underlying interface.

  3. Enable PPPoE subscriber session lockout on the PPPoE underlying interface in either of the following ways:

    • To configure PPPoE subscriber session lockout with the default lockout period:
      [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options] user@host# set short-cycle-protection
    • To configure PPPoE subscriber session lockout with a nondefault lockout period:
      [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options] user@host# set short-cycle-protection lockout-time-min minimum-seconds lockout-time-max maximum-seconds
 

Related Documentation

 

Published: 2013-02-11

Previous Page Next Page