Understanding the Lockout Period for PPPoE Subscriber Session Lockout
When you configure PPPoE subscriber session lockout, the router applies a time penalty called the lockout period for each failed or short-lived subscriber session.
This overview describes how the router determines and applies the PPPoE subscriber session lockout period, and covers the following topics:
Duration of PPPoE Subscriber Session Lockout Period
The duration of the lockout period is based on a default or configured lockout time and the number of consecutive short-cycle (short-lived) events that occur repeatedly for the same subscriber.
When you include the short-cycle-protection statement to configure PPPoE subscriber session lockout on a PPPoE underlying interface, you can use the default lockout time range of 1 through 300 seconds (5 minutes), or you can override the default lockout period by configuring a nondefault lockout time in the range 1 through 86,400 seconds (24 hours).
The lockout time penalty applied by the router for each short-cycle event differs depending on the event. For example, some short-cycle events represent normal subscriber behavior, such as a PPPoE subscriber logging in once per hour to check e-mail and logging out shortly thereafter. The router does not noticeably penalize a subscriber for these types of events.
By contrast, other short-cycle events are the result of repeated attempts to log in to the router for reasons such as an incorrectly typed password, customer premises equipment (CPE) that performs repeated auto-retries, or malicious attempts to access the Internet illegally. For these types of short-cycle events, the router applies a lockout time penalty that starts with a short time interval and increases exponentially. In these instances, the initial lockout time is short enough to avoid noticeably penalizing a subscriber who, for example, types a password incorrectly several times before entering the correct one.
For example, using the default lockout time range of 1 through 300 seconds, the increasing lockout period on the router is: 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds, 128 seconds, 256 seconds, and finally, 300 seconds (5 minutes).
How the Router Determines the PPPoE Subscriber Session Lockout Period
The router uses the following rules to determine the PPPoE subscriber session lockout period for short-lived PPPoE subscriber sessions:
The lockout period is derived from the following formula:
(minimum lockout time) * 2^(n-1)
where n represents the number of consecutive short-cycle events for the same subscriber. The router identifies a PPPoE subscriber session either by its source MAC address, which should be unique on the underlying PPPoE interface, or by its ACI value.
The router increments the value of n when the time between short-cycle events is within the greater of 15 minutes or the maximum lockout time.
When the time between short-cycle events exceeds the greater of 15 minutes or the maximum lockout time, the value of n reverts to 1. This condition is referred to as a lockout grace period.
The lockout period never exceeds the maximum configured lockout time.
For example, for a configured (nondefault) lockout time in the range 20 through 120 seconds, the increasing lockout period on the router is: 20 seconds, 40 seconds, 80 seconds, and finally, 120 seconds (2 minutes).
A short-cycle event is a subscriber session that is detected, partially or completely created, and terminated by the router within 150 seconds. The router tracks the time between short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event for the same subscriber.
Note: When the calculated lockout time is equal to or exceeds the maximum lockout time, the router uses the maximum lockout time value until the time to the next short-cycle event exceeds the greater of 15 minutes or the maximum lockout time value. At that point, the lockout time reverts to the minimum lockout time value.
The minimum lockout time value cannot exceed the maximum lockout time value.
When the minimum and maximum lockout time values are equal, the lockout time becomes fixed at that value.
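The rules above, modelled as an added Python example (not Juniper code) for checking which penalty sequence a chosen minimum and maximum would produce for a given timeline of short-cycle events. The names LockoutTracker and penalties are hypothetical, the subscriber key and timelines are constructed, and the time between events is assumed to be measured from one event timestamp to the next.

```python
# Added model of the lockout rules described above; not router code.
GRACE_FLOOR_S = 15 * 60  # 15-minute floor for the grace-period window


class LockoutTracker:
    """Tracks consecutive short-cycle events per subscriber key (MAC or ACI)."""

    def __init__(self, min_s=1, max_s=300):
        if not 1 <= min_s <= max_s <= 86400:
            raise ValueError("need 1 <= min <= max <= 86400 seconds")
        self.min_s, self.max_s = min_s, max_s
        # Grace window: the greater of 15 minutes or the maximum lockout time.
        self.grace_s = max(GRACE_FLOOR_S, max_s)
        self._state = {}  # key -> (n, timestamp of last short-cycle event)

    def short_cycle_event(self, key, now_s):
        """Record one short-cycle event; return the lockout period in seconds."""
        n, last = self._state.get(key, (0, None))
        if last is not None and now_s - last > self.grace_s:
            n = 0  # grace period elapsed, so n reverts to 1 below
        n += 1
        self._state[key] = (n, now_s)
        # min * 2^(n-1), never above the configured maximum
        return min(self.min_s * 2 ** (n - 1), self.max_s)


def penalties(min_s, max_s, event_times, key="00:00:5e:00:53:01"):
    """Lockout periods for one subscriber (constructed key) given event times."""
    tracker = LockoutTracker(min_s, max_s)
    return [tracker.short_cycle_event(key, t) for t in event_times]


if __name__ == "__main__":
    # Constructed timeline: ten events one minute apart, default 1-300 range.
    print(penalties(1, 300, range(0, 600, 60)))
    # Constructed timeline: a 16-minute gap before the last event resets n.
    print(penalties(20, 120, [0, 60, 120, 180, 180 + 16 * 60]))
```

When the configured maximum is above 15 minutes, the grace window grows with it, so a subscriber stays at the maximum penalty for correspondingly longer gaps between events.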