About Configuring ATM for Dynamic Interfaces

To create dynamic interfaces over ATM, you create the static layers of the interface first, and then configure them to support a dynamic interface by means of autodetection. Figure 24 shows an example of the interface stacking of a dynamic IP over ATM 1483 interface and identifies the CLI commands you typically use.

Figure 24: Configuring an ATM 1483 Interface to Support Dynamic Interfaces

On receipt of a packet, all dynamic layers above the ATM 1483 layer are created, starting with the lowest dynamic layer. For example, in the case of a dynamic PPPoE interface, the PPPoE interface is created first, then the PPP interface, and then the IP interface.

If a failure occurs when any layer of the dynamic portion of the interface column is created, then the interface creation fails and the connection is denied. When a dynamic interface is destroyed, all dynamic layers above the ATM 1483 subinterface are destroyed, starting with the highest dynamic layer.

When you configure a dynamic interface, you must assign (or create and assign) a profile to the interface. Profile creation and assignment topics are discussed in depth in Configuring a Dynamic Interface from a Profile.

auto-configure Command

The auto-configure command is used to configure an ATM 1483 subinterface to support a dynamic interface. Once configured, the ATM 1483 subinterface performs autodetection to identify the encapsulation, resulting in the dynamic creation of the higher protocol layers. This command specifies the type(s) of next upper dynamic encapsulations that are accepted or detected by the static ATM 1483 interfaces. Dynamic encapsulations can be bridged Ethernet, IP, PPP, or PPPoE.

Encapsulation Type Lockout

You can configure E-series routers to support dynamic encapsulation type lockout. This feature allows you to temporarily prevent an upper-layer encapsulation type from autodetecting, accepting, and creating dynamic interface columns for a configurable time period. Encapsulation type lockout is the default behavior for IPoA and bridged Ethernet encapsulation types.

NOTE: Encapsulation type lockout for PPP and PPPoE encapsulation types will be available in a future release.

Benefits

Using dynamic encapsulation type lockout provides the following benefits:

• Enables autodetection of other encapsulation types when a dynamic interface for a specified encapsulation type cannot be created.

For example, when running a PPPoE client, DSL modems may transmit bridged Ethernet frames among the PPPoE frames. When bridged Ethernet and PPPoE encapsulation types are configured for autodetection with the auto-configure command, and a subscriber is configured for the bridged Ethernet encapsulation type, RADIUS sends a deny response after the router attempts to authenticate a received bridged Ethernet frame. Receiving an authentication denial from RADIUS causes the router to lock out bridged Ethernet. By locking out bridged Ethernet frames, the router can receive PPPoE frames unimpeded, allowing rapid creation of dynamic PPPoE interfaces.

• Reduces loading on the RADIUS server.

In some cases, IP and bridged Ethernet interfaces configured with a local subscriber do not have a corresponding subscriber entry in the RADIUS database. This can occur inadvertently due to misconfiguration of the E-series router or RADIUS server, or intentionally as a way to prevent creation of dynamic IPoA or bridged Ethernet interfaces.

In previous releases, when the ATM 1483 interface received a deny response from RADIUS due to the missing subscriber entry, it performed continuous authentication retries every few seconds, which caused significant loading on the RADIUS server. Locking out autodetection of the IP or bridged Ethernet encapsulation type for a configurable time period prevents detection of dynamic IPoA or bridged Ethernet interfaces and reduces loading on the RADIUS server.

• Reduces loading on line modules.

Excessive loading on line modules is caused by the repeated creation of multiple short-cycle dynamic interfaces. A short-cycle dynamic interface is one that is detected, partially or completely created, and torn down within a period of 60 seconds.

Events that can cause short-cycle dynamic interfaces include:

• Authentication denials from RADIUS due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts
• Misconfiguration within a dynamic interface profile or RADIUS record
• Insufficient memory resources to create a dynamic interface column
• Protocol failure or error that occurs within a dynamic interface column
• Client logout shortly after a successful login; this action creates a complete dynamic interface column before the column is torn down

How Encapsulation Type Lockout Works

For a given encapsulation type, such as bridged Ethernet, lockout occurs when a dynamic interface of this type cannot be created. For example, an authentication denial from RADIUS causes a lockout. When lockout occurs, the router applies the lockout time range. If you do not configure a lockout-time range, the router uses the default time range.

Encapsulation type lockout is performed by default. You can configure the lockout time range by issuing the auto-configure command with the optional lockout-time keyword.

The following guidelines describe lockout behavior:

• Any encapsulation type that you do not configure for autodetection with the auto-configure command is automatically locked out.
• You can permanently lock out a specified encapsulation type from autodetection and prevent dynamic interface creation by issuing a no auto-configure command for the specified encapsulation type, if previously configured.
• When an encapsulation type is locked out, the router continues to autodetect the remaining encapsulation types and create the dynamic interfaces.

For the IP and bridged Ethernet encapsulation types, temporary lockout occurs automatically on receipt of an authentication deny response from RADIUS when you attempt to create and configure a dynamic IPoA or dynamic bridged Ethernet interface.

Two values make up the lockout time range: a minimum lockout time and a maximum lockout time. The initial lockout time begins with the minimum lockout time. From this point, the lockout time increases exponentially for every successive lockout event within the greater of 15 minutes or the maximum configured lockout time. The lockout time never exceeds the maximum value of the time range.

For example, using the default lockout time range of 1-300 seconds, the increasing lockout time sequence would be: 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds, 128 seconds, 256 seconds, and finally, 300 seconds (5 minutes).

atm pvc Command

The atm pvc command is used to define the underlying circuit supporting an ATM 1483 subinterface. When you define a circuit with this command by using the aal5autoconfig option, it causes the ATM 1483 encapsulation (LLC/SNAP encapsulation or VC multiplexed) to be autodetected. Alternatively, if you use the aal5snap or aal5mux ip option, the ATM 1483 encapsulation becomes fixed, but allows higher layers to be dynamic.

For example, the following command configures a circuit for autodetection of the ATM 1483 encapsulation and all higher layers.

host1(config-subif)#atm pvc 100 0 100 aal5autoconfig 0 0 0

You can also include the atm pvc command in a base profile assigned to a dynamic ATM 1483 interface to apply encapsulation and traffic-shaping parameters to a bulk-configured range of PVCs. For information, see Configuring ATM 1483 Dynamic Subinterfaces.