short-cycle-protection (DHCP Local Server and Relay Agent)
Syntax
short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>;
Hierarchy Level
[edit forwarding-options dhcp-relay],
[edit forwarding-options dhcp-relay dhcpv6],
[edit forwarding-options dhcp-relay dhcpv6 group group-name],
[edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name],
[edit forwarding-options dhcp-relay dual-stack-group dual-stack-group-name],
[edit forwarding-options dhcp-relay group group-name],
[edit forwarding-options dhcp-relay group group-name interface interface-name],
[edit logical-systems name forwarding-options dhcp-relay ...],
[edit logical-systems name routing-instances name forwarding-options dhcp-relay ...],
[edit routing-instances name forwarding-options dhcp-relay ...],
[edit logical-systems name system services dhcp-local-server ...],
[edit logical-systems name routing-instances name system services dhcp-local-server dhcp-local-server...],
[edit routing-instances name system services dhcp-local-server ...],
[edit system services dhcp-local-server],
[edit system services dhcp-local-server dhcpv6],
[edit system services dhcp-local-server dhcpv6 group group-name],
[edit system services dhcp-local-server dhcpv6 group group-name interface interface-name],
[edit system services dhcp-local-server dual-stack-group dual-stack-group-name],
[edit system services dhcp-local-server group group-name],
[edit system services dhcp-local-server group group-name interface interface-name]
Description
Enable DHCP short-cycle protection to reduce resource usage associated with connection and authentication processing in highly scaled networks. You must configure both the minimum duration and the maximum duration for the lockout period.
The router detects short-lived client sessions and clients that repeatedly fail session negotiation, then locks them out from access by dropping subsequent DHCP discover or solicit messages from the client. The clients are tracked by the client identifier (client key), which can be a MAC address or some other unique value for DHCPv4 clients or the DUID for DHCPv6 clients. Locked-out clients are entered in the lockout database. If a locked-out client attempts another session before the grace time threshold is reached, it is locked out again. Each successive lockout period is increased exponentially up to the maximum lockout period. The grace time threshold is automatically set at whichever value is larger, 900 seconds or the configured maximum value.
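The lockout behavior described above can be modeled in a few lines to see how a given minimum and maximum play out for a repeatedly failing client. This is an added example, not Junos code: the growth factor of 2, the reset to the minimum once the grace time has passed, counting the grace time from the end of the previous lockout, and the names `LockoutDB`, `Entry` and `schedule` are assumptions, and the caller decides what counts as a short-lived or failed session.

```python
from dataclasses import dataclass

GRACE_FLOOR = 900  # seconds; the page's fixed lower limit for the grace time


@dataclass
class Entry:
    period: int        # length of the client's most recent lockout
    locked_until: int  # time at which that lockout ends


class LockoutDB:
    def __init__(self, min_time, max_time, factor=2):  # factor=2 is an assumption
        if min_time > max_time:
            raise ValueError("lockout-min-time cannot exceed lockout-max-time")
        self.min_time, self.max_time, self.factor = min_time, max_time, factor
        self.grace = max(GRACE_FLOOR, max_time)  # larger of 900 s and the maximum
        self.entries = {}  # client key (MAC, client ID or DUID) -> Entry

    def admit(self, key, now):
        """Return False while discover/solicit messages from key are dropped."""
        e = self.entries.get(key)
        return e is None or now >= e.locked_until

    def report_short_cycle(self, key, now):
        """Record a short-lived or failed session; return the new lockout length."""
        e = self.entries.get(key)
        # Assumption: grace time is counted from the end of the previous lockout.
        if e is not None and now - e.locked_until < self.grace:
            period = min(e.period * self.factor, self.max_time)
        else:
            period = self.min_time  # first offence, or grace time has passed
        self.entries[key] = Entry(period, now + period)
        return period


def schedule(min_time, max_time, offences, gap=0):
    """Lockout lengths for one client that fails again gap s after each lockout."""
    db, now, periods = LockoutDB(min_time, max_time), 0, []
    for _ in range(offences):
        period = db.report_short_cycle("00:00:5e:00:53:01", now)  # constructed MAC
        periods.append(period)
        now += period + gap
    return periods


if __name__ == "__main__":
    print(schedule(10, 300, 7))           # growth capped at lockout-max-time
    print(schedule(60, 60, 3))            # min == max: fixed lockout period
    print(schedule(10, 300, 3, gap=900))  # quiet for the grace time: reset
```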
Options
lockout-max-time seconds: Maximum length of any lockout period; the upper bound of the lockout range.
lockout-min-time seconds: Minimum length of any lockout period; the lower bound of the lockout range. The minimum value is the length of the first lockout period for a client. It cannot be greater than the maximum value. If you set it to the same value as the maximum, then the lockout period is fixed and does not increase for a client’s subsequent lockouts.
Required Privilege Level
interface
Release Information
Statement introduced in Junos OS Release 18.2R1.