PPPoE Subscriber Session Lockout Overview

PPPoE subscriber session lockout, also called PPPoE encapsulation type lockout, temporarily prevents (locks out) a failed or short-lived static or dynamic PPPoE subscriber session from reconnecting for a certain period of time. This time period, known as the lockout period, is derived from a formula and increases exponentially based on the number of successive reconnection failures.

You can configure PPPoE subscriber session lockout, also known as short-cycle protection, for VLAN, VLAN demultiplexing (demux), and PPP-over-Ethernet-over-ATM (PPPoE-over-ATM) dynamic subscriber interfaces.

This overview describes the concepts you need to understand to configure PPPoE subscriber session lockout, covering the topics in the sections that follow.

Benefits of Using PPPoE Subscriber Session Lockout

PPPoE subscriber session lockout provides the following benefits:

  • Reduces excessive loading on the router by:

    • Reducing the resources required to process PPPoE control packets to negotiate and terminate short-lived connections

    • Reducing the resources required to allocate and deallocate services, such as class of service (CoS) and firewall filters, for failed or short-lived subscriber sessions

    • Temporarily deferring failed or short-lived subscriber sessions in favor of sessions that can complete successfully

  • Reduces excessive loading on external authentication, authorization, and accounting (AAA) servers, such as RADIUS or Diameter, caused by failed or short-lived PPPoE subscriber sessions that occur repeatedly for the same subscriber, by reducing the resources required to authenticate and terminate these connections

  • Enables lockout of a single failed or short-lived PPP session without disrupting other PPP sessions on the same PPPoE underlying interface

    Because PPPoE subscriber session lockout identifies each subscriber session by either its unique media access control (MAC) source address on the underlying interface or by its agent circuit identifier (ACI) value, the router can lock out only the offending PPP session while enabling other PPP sessions on the same underlying interface to successfully negotiate the connection.

Conditions That Cause Short-Lived PPPoE Subscriber Sessions

Conditions that can cause a short-lived subscriber session include:

  • Authentication denials from external AAA servers, such as RADIUS, due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts

  • Configuration errors within a dynamic profile or RADIUS record

  • Insufficient memory resources to create a dynamic PPPoE subscriber interface

  • Protocol failure or error within the dynamic PPPoE subscriber interface

  • Client logout shortly after a successful login; this action creates a complete dynamic PPPoE subscriber interface before the interface is torn down

How PPPoE Subscriber Session Lockout Works

PPPoE subscriber session lockout is disabled on the router by default. When you enable PPPoE subscriber session lockout, the router does the following:

  1. Detects a short-lived subscriber session, also referred to as a short-cycle event.

    A short-lived subscriber session is one that the router detects, partially or completely creates, and terminates within 150 seconds. The router identifies each PPPoE subscriber session by its unique MAC source address on the PPPoE underlying interface or by its ACI value.

  2. Tracks the time between repeated short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event.

  3. Applies a time penalty for each short-cycle event based on a default or configured lockout period and the number of consecutive short-cycle events that occur repeatedly for the same subscriber.

  4. Temporarily locks out the specified PPPoE subscriber by preventing connection to the router.

    During lockout, the router drops negotiation packets for the PPPoE subscriber session until the lockout period expires. When the lockout period expires, the PPPoE subscriber session and its associated MAC source address or ACI value resume normal negotiation of the connection.
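The following model illustrates the lockout mechanism described above (short-cycle detection, per-subscriber tracking by MAC or ACI, an exponentially growing penalty, dropped discovery packets until the timer expires, and administrative clearing). It is an added example, not Junos code: the page gives the 150-second short-cycle threshold but not the penalty formula, so the doubling rule, the `lockout_min`/`lockout_max` parameters and their defaults, and the two reset conditions are labelled assumptions.

```python
from dataclasses import dataclass

SHORT_CYCLE_SECONDS = 150  # from the page: torn down within 150 s = short-cycle event


@dataclass
class LockoutState:
    failures: int = 0          # consecutive short-cycle events for this subscriber key
    locked_until: float = 0.0  # absolute time at which the current lockout expires
    last_event: float = 0.0    # time of the most recent short-cycle event


class ShortCycleTracker:
    """Per-subscriber lockout bookkeeping keyed by MAC source address or ACI string."""

    def __init__(self, lockout_min=1, lockout_max=300, key_by="mac"):
        # ASSUMPTION: the penalty doubles from lockout_min per consecutive event and is
        # capped at lockout_max; the page says only that it grows exponentially.
        self.lockout_min, self.lockout_max, self.key_by = lockout_min, lockout_max, key_by
        self.states = {}

    def subscriber_key(self, mac, aci):
        # MAC source address by default; ACI mode groups every session on that circuit.
        return aci if self.key_by == "aci" else mac

    def session_ended(self, mac, aci, start, end):
        """Record a terminated session; return the lockout penalty applied (0 if none)."""
        key = self.subscriber_key(mac, aci)
        if end - start >= SHORT_CYCLE_SECONDS:
            self.states.pop(key, None)  # ASSUMPTION: a full-length session resets the run
            return 0
        st = self.states.setdefault(key, LockoutState())
        if st.failures and end - st.last_event > self.lockout_max:
            st.failures = 0  # ASSUMPTION: a gap longer than lockout_max restarts the count
        st.failures += 1
        penalty = min(self.lockout_min * 2 ** (st.failures - 1), self.lockout_max)
        st.locked_until, st.last_event = end + penalty, end
        return penalty

    def accept_discovery(self, mac, aci, now):
        """True if a PADI/PADR from this subscriber is processed; False while locked out."""
        st = self.states.get(self.subscriber_key(mac, aci))
        return st is None or now >= st.locked_until

    def clear(self, mac=None, aci=None):
        """Administrative clear of one subscriber key, or of every key when none is given."""
        if mac is None and aci is None:
            self.states.clear()
        else:
            self.states.pop(self.subscriber_key(mac, aci), None)
```

Running it with `key_by="aci"` shows the household-wide behaviour of the ACI-based mode: a short-cycle event from one MAC address locks out every other MAC address that presents the same ACI string.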

PPPoE Subscriber Session Lockout on ACI-Based Interfaces

By default, the router identifies a subscriber session using the unique MAC source address on the PPPoE underlying interface. You can configure subscriber session lockout based on the ACI string of the underlying interface, which allows you to lock out all PPPoE subscriber sessions from the same household.

The ACI string is contained in the DSL Forum Agent-Circuit-ID VSA [26-1] (option 0x105) of PPPoE Active Discovery Initiation (PADI) and PPPoE Active Discovery Request (PADR) control packets. This option locks out all PPPoE subscriber sessions on the underlying interface that share the same ACI string in their PPPoE PADI and PADR control packets.

PPPoE subscriber session lockout based on the ACI value is useful when MAC source addresses are not unique on the PPPoE underlying interface. For example:

  • PPPoE interworking function sessions, in which the MAC addresses of all PPPoE interworking function sessions contain the MAC address of the DSLAM device

  • Configurations in which the access node (usually a DSLAM device) overwrites the MAC source address in PPPoE packets received from the customer premises equipment (CPE) with its own MAC address for security purposes

  • Duplicate MAC source addresses across disparate households in an N:1 (service VLAN) configuration, which requires the router to use a combination of the MAC source address and the ACI value to uniquely identify a subscriber

PPPoE Subscriber Session Lockout and Duplicate Protection

Duplicate protection, which is disabled on the router by default, prevents the activation of another PPPoE subscriber session on the same PPPoE underlying interface when a PPPoE subscriber session with the same MAC address is already active on that interface. When you configure PPPoE subscriber session lockout, we recommend that you enable duplicate protection to ensure that the MAC source address for each active PPPoE session is unique on the underlying interface.

With PPPoE subscriber session lockout configured, the router identifies subscriber sessions by their unique MAC source address. If the router detects a short-lived (short-cycle) subscriber session, it applies the default or configured lockout period to that MAC source address to temporarily prevent reconnection. If the MAC source address is not unique on the underlying interface, multiple PPPoE subscriber sessions with the same MAC source address might also be affected by the lockout.

Persistence of the Lockout Condition After Automatic Removal of Dynamic Subscriber VLANs

You can configure automatic removal of subscriber VLANs that have no PPPoE client sessions by issuing the remove-when-no-subscribers statement at the [edit interfaces interface-name auto-configure] hierarchy level. If PPPoE subscriber session lockout is also configured on the interface, the lockout condition persists even after the router has removed the dynamic VLAN or VLAN demux subscriber interface.

When you configure both PPPoE subscriber session lockout and automatic removal of subscriber VLANs with no client sessions, the lockout condition for the affected subscriber sessions persists until the lockout timer expires for each PPPoE client undergoing lockout on the underlying interface. If you create the VLAN or VLAN demux subscriber interface again before all timers expire, the lockout condition persists for the newly created subscriber interface.

Use of Encapsulation Type Identifiers to Clear or Display the Lockout Condition

You can clear the lockout condition for a specific MAC source address or ACI value, all MAC source addresses or ACI values, or for an ACI value that matches a UNIX-based regular expression by specifying VLAN or ATM encapsulation type identifier options in the clear pppoe lockout vlan-identifier or clear pppoe lockout atm-identifier command, respectively. Similarly, you can display information about the lockout condition and the status of affected subscriber sessions by including encapsulation type identifier options in the show pppoe lockout vlan-identifier or show pppoe lockout atm-identifier command. Specifying encapsulation type lockout identifiers enables you to clear or display the lockout condition when no underlying interface exists for the subscriber session.

For the VLAN encapsulation type on VLAN and VLAN demux subscriber interfaces, the identifier options include:

  • Device name (physical interface or aggregated Ethernet bundle)

  • S-VLAN ID (outer tag)

  • VLAN ID (inner tag)

For the ATM encapsulation type on PPPoE-over-ATM subscriber interfaces, the identifier options include:

  • Device name (physical interface or aggregated Ethernet bundle)

  • Virtual path identifier (VPI)

  • Virtual circuit identifier (VCI)

Termination of the Lockout Condition

When a PPPoE subscriber session identified by either an ACI value or a unique MAC source address is undergoing lockout, the lockout condition persists until all lockout timers have expired, except when either of the following occurs:

  • You administratively clear the lockout condition by issuing the clear pppoe lockout operational command.

  • You reset the interface module on which the subscriber session undergoing lockout is configured.

When you clear the lockout condition or reset the interface module, the router terminates lockout for all PPPoE subscriber sessions on the underlying interface, and clears the lockout history for all affected subscriber sessions.