Related Documentation
- M, MX Series
- PPPoE Subscriber Session Lockout Overview
- Configuring Lockout of PPPoE Subscriber Sessions
- Clearing Lockout of PPPoE Subscriber Sessions
- Verifying and Managing Dynamic PPPoE Configuration
- Additional Information
- For more information about configuring static PPPoE interfaces, see the Ethernet Interfaces
Understanding the Lockout Period for PPPoE Subscriber Session Lockout
When you configure PPPoE subscriber session lockout, the router applies a time penalty called the lockout period for each failed or short-lived subscriber session. During the lockout period, the router temporarily prevents (locks out) a failed or short-lived PPPoE subscriber session identified by a unique media access control (MAC) source address from reconnecting to the router.
This overview describes how the router determines and applies the PPPoE subscriber session lockout period, and covers the following topics:
Duration of PPPoE Subscriber Session Lockout Period
The duration of the lockout period is based on a default or configured lockout time and the number of consecutive short-cycle (short-lived) events that occur repeatedly for the same subscriber. When you include the short-cycle-protection statement to configure PPPoE subscriber session lockout on a PPPoE underlying interface, you can use the default lockout time range of 1 through 300 seconds (5 minutes), or you can override the default lockout period by configuring a nondefault lockout time in the range 1 through 86,400 seconds (24 hours).
The lockout time penalty applied by the router for each short-cycle event differs depending on the event. For example, some short-cycle events represent normal subscriber behavior, such as a PPPoE subscriber logging in once per hour to check e-mail and logging out shortly thereafter. The router does not noticeably penalize a subscriber for these types of events.
By contrast, other short-cycle events are the result of repeated attempts to log in to the router for reasons such as an incorrectly typed password, customer premises equipment (CPE) that performs repeated auto-retries, or malicious attempts to access the Internet illegally. For these types of short-cycle events, the router applies a lockout time penalty that starts with a short time interval and increases exponentially. In these instances, the initial lockout time is short enough to avoid noticeably penalizing a subscriber who, for example, types a password incorrectly several times before entering the correct one.
For example, using the default lockout time range of 1 through 300 seconds, the increasing lockout period on the router is: 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds, 128 seconds, 256 seconds, and finally, 300 seconds (5 minutes).
How the Router Determines the PPPoE Subscriber Session Lockout Period
The router uses the following rules to determine the PPPoE subscriber session lockout period for short-lived PPPoE subscriber sessions:
- The lockout period is derived from the following formula:
(minimum lockout time) * 2 ^ (n - 1)
where n represents the number of consecutive short-cycle events for the same subscriber. The router identifies a PPPoE subscriber session by its MAC source address, which should be unique on the underlying PPPoE interface.
- The router increments the value of n when the time between short-cycle events is within 15 minutes or the maximum lockout time, whichever is greater.
- When the time between short-cycle events is greater than 15 minutes or the maximum lockout time, whichever is greater, the value of n reverts to 1. This condition is referred to as a lockout grace period.
- The lockout period never exceeds the maximum configured lockout time.
For example, for a configured (nondefault) lockout time in the range 20 through 120 seconds, the increasing lockout period on the router is: 20 seconds, 40 seconds, 80 seconds, and finally, 120 seconds (2 minutes).
- A short-cycle event is detected, partially or completely created, and terminated by the router within 150 seconds. The router tracks the time between short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event for the same subscriber.
Note: When the calculated lockout time is equal to or exceeds the maximum lockout time, the router uses the maximum lockout time value until the time to the next short-cycle event exceeds the greater of 15 minutes or the maximum lockout time value. At that point, the lockout time reverts to the minimum lockout time value.
- The minimum lockout time value cannot exceed the maximum lockout time value.
When the minimum and maximum lockout time values are equal, the lockout time becomes fixed at that value.
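The rules above can be modeled as a small per-MAC state machine. The following Python sketch is an added illustration, not Juniper code: the names LockoutTracker, short_cycle_event, and lockout_series are hypothetical, and it assumes the time between short-cycle events is measured from the start of one event to the start of the next.

```python
from dataclasses import dataclass, field

GRACE_FLOOR = 15 * 60   # 15 minutes, from the rules above
MAX_ALLOWED = 86_400    # upper bound of the configurable range (24 hours)


@dataclass
class LockoutTracker:
    """Hypothetical model of the lockout rules; one counter per MAC address."""
    min_lockout: int = 1      # default range is 1 through 300 seconds
    max_lockout: int = 300
    _state: dict = field(default_factory=dict, init=False, repr=False)

    def __post_init__(self):
        # The minimum lockout time cannot exceed the maximum lockout time.
        if not 1 <= self.min_lockout <= self.max_lockout <= MAX_ALLOWED:
            raise ValueError("need 1 <= min <= max <= 86400")

    @property
    def grace(self):
        # n reverts to 1 once the gap exceeds the greater of
        # 15 minutes or the maximum lockout time.
        return max(GRACE_FLOOR, self.max_lockout)

    def short_cycle_event(self, mac, now):
        """Record a short-cycle event at `now` (seconds); return the lockout."""
        mac = mac.lower()
        n, last = self._state.get(mac, (0, None))
        if last is not None and now - last > self.grace:
            n = 0  # lockout grace period: this event counts as n = 1
        n += 1
        self._state[mac] = (n, now)
        # (minimum lockout time) * 2 ^ (n - 1), capped at the maximum
        return min(self.min_lockout * 2 ** (n - 1), self.max_lockout)


def lockout_series(tracker, mac, gaps):
    """Feed events separated by `gaps` seconds; return each lockout period."""
    now, out = 0, [tracker.short_cycle_event(mac, 0)]
    for gap in gaps:
        now += gap
        out.append(tracker.short_cycle_event(mac, now))
    return out
```

With a maximum lockout time above 900 seconds, the grace window grows with it, so a subscriber who retries every 20 minutes against a 3600-second maximum still accumulates penalties.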
Published: 2013-07-31