PPPoE Subscriber Session Lockout Overview
PPPoE subscriber session lockout, also called PPPoE encapsulation type lockout, temporarily prevents (locks out) a failed or short-lived static or dynamic PPPoE subscriber session from reconnecting for a certain period of time. This time period, known as the lockout period, is derived from a formula and increases exponentially based on the number of successive reconnection failures.
You can configure PPPoE subscriber session lockout, also known as short-cycle protection, for VLAN, VLAN demultiplexing (demux), and PPP-over-Ethernet-over-ATM (PPPoE-over-ATM) dynamic subscriber interfaces.
This overview describes the concepts you need to understand to configure PPPoE subscriber session lockout, and covers the following topics:
Benefits of Using PPPoE Subscriber Session Lockout
PPPoE subscriber session lockout provides the following benefits:
- Reduces excessive loading on the router by:
  - Reducing the resources required to process PPPoE control packets to negotiate and terminate short-lived connections
  - Reducing the resources required to allocate and deallocate services, such as class of service (CoS) and firewall filters, for failed or short-lived subscriber sessions
  - Temporarily deferring failed or short-lived subscriber sessions in favor of sessions that can complete successfully
- Reduces excessive loading on external authentication, authorization, and accounting (AAA) servers, such as RADIUS or Diameter:
  - As a result of failed or short-lived PPPoE subscriber sessions that occur repeatedly for the same subscriber
  - By reducing the resources required to authenticate and terminate these connections
- Enables lockout of a single failed or short-lived PPP session without disrupting other PPP sessions on the same PPPoE underlying interface

  Because PPPoE subscriber session lockout identifies each subscriber session by either its unique media access control (MAC) source address on the underlying interface or by its agent circuit identifier (ACI) value, the router can lock out only the offending PPP session while enabling other PPP sessions on the same underlying interface to successfully negotiate the connection.
Conditions That Cause Short-Lived PPPoE Subscriber Sessions
Conditions that can cause a short-lived subscriber session include:
- Authentication denials from external AAA servers, such as RADIUS, due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts
- Configuration errors within a dynamic profile or RADIUS record
- Insufficient memory resources to create a dynamic PPPoE subscriber interface
- Protocol failure or error within the dynamic PPPoE subscriber interface
- Client logout shortly after a successful login; this action creates a complete dynamic PPPoE subscriber interface before the interface is torn down
How PPPoE Subscriber Session Lockout Works
PPPoE subscriber session lockout is disabled on the router by default. When you enable PPPoE subscriber session lockout, the router does the following:
1. Detects a short-lived subscriber session, also referred to as a short-cycle event.

   A short-lived subscriber session is detected, partially or completely created, and terminated by the router within 150 seconds. The router identifies each PPPoE subscriber session by its unique MAC source address on the PPPoE underlying interface or by its ACI value.
2. Tracks the time between repeated short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event.
3. Applies a time penalty for each short-cycle event based on a default or configured lockout period and the number of consecutive short-cycle events that occur repeatedly for the same subscriber.
4. Temporarily locks out the specified PPPoE subscriber by preventing connection to the router.

   During lockout, the router drops negotiation packets for the PPPoE subscriber session until the lockout period expires. When the lockout period expires, the PPPoE subscriber session and its associated MAC source address or ACI value resume normal negotiation of the connection.
PPPoE Subscriber Session Lockout on ACI-Based Interfaces
By default, the router identifies a subscriber session using the unique MAC source address on the PPPoE underlying interface. You can configure subscriber session lockout based on the ACI string of the underlying interface, which allows you to lock out all PPPoE subscriber sessions from the same household.
The ACI string is contained in the DSL Forum Agent-Circuit-ID VSA [26-1] (option 0x105) of PPPoE Active Discovery Initiation (PADI) and PPPoE Active Discovery Request (PADR) control packets. This option locks out all PPPoE subscriber sessions on the underlying interface that share the same ACI string in their PPPoE PADI and PADR control packets.
PPPoE subscriber session lockout based on the ACI value is useful when MAC source addresses are not unique on the PPPoE underlying interface. For example:
- PPPoE interworking function sessions in which the MAC addresses of all PPPoE interworking function sessions contain the MAC address of the DSLAM device
- Configurations in which the access node (usually a DSLAM device) overwrites the MAC source address in PPPoE packets received from the customer premises equipment (CPE) with its own MAC address for security purposes
- Duplicate MAC source addresses across disparate households in an N:1 (service VLAN) configuration, which requires the router to use a combination of the MAC source address and the ACI value to uniquely identify a subscriber
PPPoE Subscriber Session Lockout and Duplicate Protection
Duplicate protection, which is disabled on the router by default, prevents the activation of another PPPoE subscriber session on the same PPPoE underlying interface when a PPPoE subscriber session with the same media access control (MAC) address is already active on that interface. When you configure PPPoE subscriber session lockout, we recommend that you enable duplicate protection to ensure that the MAC source address for each active PPPoE session is unique on the underlying interface.
With PPPoE subscriber session lockout configured, the router identifies subscriber sessions by their unique MAC source address. If the router detects a short-lived (short-cycle) subscriber session, it applies the default or configured lockout period to that MAC source address to temporarily prevent reconnection. If the MAC source address is not unique on the underlying interface, multiple PPPoE subscriber sessions with the same MAC source address might also be affected by the lockout.
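The effect of the lockout key when MAC source addresses are not unique, as a small Python model added here (it is not Juniper code and not from the original page). The 150-second short-cycle threshold comes from the page; the doubling formula, the 1 to 300 second bounds, the history reset after a long-lived session, and the MAC and ACI sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SHORT_CYCLE_SECS = 150             # from the page: torn down within 150 seconds
LOCKOUT_MIN, LOCKOUT_MAX = 1, 300  # assumed bounds in seconds, not from the page

@dataclass
class LockoutTable:
    key_by: str = "mac"                        # "mac" (router default) or "aci"
    state: dict = field(default_factory=dict)  # key -> (event count, locked until)

    def admit(self, pkt, now):
        """False means the PADI/PADR is dropped because the key is locked out."""
        return now >= self.state.get(pkt[self.key_by], (0, 0))[1]

    def session_ended(self, pkt, start, end):
        """Record a teardown and return the lockout period applied (0 if none)."""
        key = pkt[self.key_by]
        if end - start >= SHORT_CYCLE_SECS:
            self.state.pop(key, None)  # assumption: a long session resets history
            return 0
        count = self.state.get(key, (0, 0))[0] + 1
        period = min(LOCKOUT_MIN * 2 ** (count - 1), LOCKOUT_MAX)  # assumed doubling
        self.state[key] = (count, end + period)
        return period

def simulate(key_by):
    """Household A short-cycles four times; B sends a PADI during A's lockout."""
    dslam_mac = "00:00:5e:00:53:01"  # constructed: access node rewrites source MAC
    a = {"mac": dslam_mac, "aci": "dslam-1 atm 1/1:0.32"}  # constructed ACI strings
    b = {"mac": dslam_mac, "aci": "dslam-1 atm 1/2:0.33"}
    table, now, periods = LockoutTable(key_by), 0, []
    for _ in range(4):
        end = now + 2                # authentication denial two seconds in
        periods.append(table.session_ended(a, start=now, end=end))
        now = end + periods[-1]      # A retries the moment its lockout expires
    probe = now - 1                  # one second before A's last lockout ends
    return periods, table.admit(a, probe), table.admit(b, probe)

if __name__ == "__main__":
    for mode in ("mac", "aci"):
        print(mode, simulate(mode))
```

With MAC keying, household B's negotiation is dropped together with A's because both arrive with the access node's MAC address; with ACI keying only A is locked out.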
Persistence of the Lockout Condition After Automatic Removal of Dynamic Subscriber VLANs
You can configure automatic removal of subscriber VLANs that have no PPPoE client sessions by issuing the remove-when-no-subscribers statement at the [edit interfaces interface-name auto-configure] hierarchy level. If PPPoE subscriber session lockout is also configured on the interface, the lockout condition persists even after the router has removed the dynamic VLAN or VLAN demux subscriber interface.
When you configure both PPPoE subscriber session lockout and automatic removal of subscriber VLANs with no client sessions, the lockout condition for the affected subscriber sessions persists until the lockout timer expires for each PPPoE client undergoing lockout on the underlying interface. If you create the VLAN or VLAN demux subscriber interface again before all timers expire, the lockout condition persists for the newly created subscriber interface.
Use of Encapsulation Type Identifiers to Clear or Display the Lockout Condition
You can clear the lockout condition for a specific MAC source address or ACI value, all MAC source addresses or ACI values, or for an ACI value that matches a UNIX-based regular expression by specifying VLAN or ATM encapsulation type identifier options in the clear pppoe lockout vlan-identifier or clear pppoe lockout atm-identifier command, respectively. Similarly, you can display information about the lockout condition and the status of affected subscriber sessions by including encapsulation type identifier options in the show pppoe lockout vlan-identifier or show pppoe lockout atm-identifier command. Specifying encapsulation type lockout identifiers enables you to clear or display the lockout condition when no underlying interface exists for the subscriber session.
For the VLAN encapsulation type on VLAN and VLAN demux subscriber interfaces, the identifier options include:
- Device name (physical interface or aggregated Ethernet bundle)
- S-VLAN ID (outer tag)
- VLAN ID (inner tag)
For the ATM encapsulation type on PPPoE-over-ATM subscriber interfaces, the identifier options include:
- Device name (physical interface or aggregated Ethernet bundle)
- Virtual path identifier (VPI)
- Virtual circuit identifier (VCI)
Termination of the Lockout Condition
When a PPPoE subscriber session identified by either an ACI value or a unique MAC source address is undergoing lockout, the lockout condition persists until all lockout timers have expired, except when either of the following occurs:
- You administratively clear the lockout condition by issuing the clear pppoe lockout operational command.
- You reset the interface module on which the subscriber session undergoing lockout is configured.
When you clear the lockout condition or reset the interface module, the router terminates lockout for all PPPoE subscriber sessions on the underlying interface, and clears the lockout history for all affected subscriber sessions.