PPPoE Subscriber Session Lockout Overview

Benefits of Using PPPoE Subscriber Session Lockout

• Reduces excessive loading on the router

  By temporarily locking out failed or short-lived PPPoE sessions, PPPoE subscriber session lockout protects the router from excessive loading by:

  • Reducing the resources required to receive and process PPPoE control packets to negotiate and terminate short-lived connections
  • Reducing the resources required to allocate and deallocate services, such as class of service (CoS) and firewall filters, for failed or short-lived subscriber sessions

  PPPoE subscriber session lockout increases router efficiency by temporarily deferring failed or short-lived subscriber sessions in favor of those sessions that can complete successfully.

• Reduces excessive loading on external authentication, authorization, and accounting (AAA) servers

  PPPoE subscriber session lockout protects any external AAA servers, such as RADIUS or Diameter, from excessive loading:

  • As a result of failed or short-lived PPPoE subscriber sessions that occur repeatedly for the same subscriber
  • By reducing the resources required to authenticate and terminate these connections
• Enables lockout of a single failed or short-lived PPP session without disrupting other PPP sessions on the same PPPoE underlying interface

  In some subscriber network configurations, the PPPoE underlying interface supports multiple upper-layer PPP sessions. Because PPPoE subscriber session lockout identifies each subscriber session by its unique media access control (MAC) source address on the underlying interface, the router is able to lock out only the offending PPP session while enabling other PPP sessions on the same underlying interface to successfully negotiate the connection.

Supported Platforms and Underlying Interfaces for PPPoE Subscriber Session Lockout

• Supported platforms:
  • Intelligent Queuing 2 (IQ2) PICs on M120 Multiservice Edge Router and M320 Multiservice Edge Router
  • Trio MPC/MIC interfaces on MX Series 3D Universal Edge Routers
• Supported PPPoE underlying interfaces:
  • Static VLAN logical interface
  • Static VLAN demultiplexing (demux) logical interface
  • Dynamic VLAN logical interface
  • Dynamic VLAN demux logical interface

How PPPoE Subscriber Session Lockout Works

1. Detects a short-lived subscriber session, also referred to as a short-cycle event.

   A short-lived subscriber session is detected, partially or completely created, and terminated by the router within 150 seconds. The router identifies each PPPoE subscriber session by its unique MAC source address on the PPPoE underlying interface.

2. Tracks the time between repeated short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event.
3. Applies a time penalty for each short-cycle event based on a default or configured lockout period and the number of consecutive short-cycle events that occur repeatedly for the same subscriber.

   If you enable PPPoE subscriber session lockout but do not configure a lockout time range, the router uses the default lockout time range of 1 through 300 seconds (5 minutes).

4. Temporarily locks out the specified PPPoE subscriber by preventing connection to the router.

   During lockout, the router drops negotiation packets for the PPPoE subscriber session until the lockout period expires. When the lockout period expires, the PPPoE subscriber session and its associated MAC source address resume normal negotiation of the connection.

• Authentication denials from external AAA servers, such as RADIUS, due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts
• Configuration errors within a dynamic profile or RADIUS record
• Insufficient memory resources to create a dynamic PPPoE subscriber interface
• Protocol failure or error within the dynamic PPPoE subscriber interface
• Client logout shortly after a successful login; this action creates a complete dynamic PPPoE subscriber interface before the interface is torn down

PPPoE Subscriber Session Lockout Period

The lockout period is the time during which the router temporarily prevents (locks out) a failed or short-lived PPPoE subscriber session identified by a unique MAC source address from reconnecting to the router. You can use the default lockout time range of 1 through 300 seconds (5 minutes), or you can override the default lockout period by configuring a nondefault lockout time in the range 1 through 86,400 seconds (24 hours).

PPPoE Subscriber Session Lockout and Duplicate Protection

Duplicate protection, which is disabled on the router by default, prevents the activation of another PPPoE subscriber session on the same PPPoE underlying interface when a PPPoE subscriber session with the same media access control (MAC) address is already active on that interface. When you configure PPPoE subscriber session lockout, we recommend that you enable duplicate protection to ensure that the MAC source address for each active PPPoE session is unique on the underlying interface.

With PPPoE subscriber session lockout configured, the router identifies subscriber sessions by their unique MAC source address. If the router detects a short-lived (short-cycle) subscriber session, it applies the default or configured lockout period to that MAC source address to temporarily prevent reconnection. If the MAC source address is not unique on the underlying interface, multiple PPPoE subscriber sessions with the same MAC source address might also be affected by the lockout.

PPPoE Subscriber Session Lockout and Automatic Removal of Dynamic Subscriber VLANs

You can configure automatic removal of subscriber VLANs that have no PPPoE client sessions by issuing the remove-when-no-subscribers statement at the [edit interfaces interface-name auto-configure] hierarchy level. If PPPoE subscriber session lockout is also configured, the router does not remove the unused subscriber VLAN until the lockout time has expired for each PPPoE client undergoing lockout on the underlying interface.