short-cycle-protection (DHCP Local Server and Relay Agent)
Syntax
short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>;
Hierarchy Level
[edit forwarding-options dhcp-relay dhcpv6],
[edit forwarding-options dhcp-relay dhcpv6 group group-name],
[edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name],
[edit forwarding-options dhcp-relay group group-name],
[edit forwarding-options dhcp-relay group group-name interface interface-name],
[edit logical-systems name forwarding-options dhcp-relay ...],
[edit logical-systems name routing-instances name forwarding-options dhcp-relay ...],
[edit routing-instances name forwarding-options dhcp-relay ...],
[edit logical-systems name routing-instances name system services dhcp-local-server dhcp-local-server...],
[edit system services dhcp-local-server dhcpv6],
[edit system services dhcp-local-server dhcpv6 group group-name],
[edit system services dhcp-local-server dhcpv6 group group-name interface interface-name],
[edit system services dhcp-local-server dual-stack-group dual-stack-group-name],
[edit system services dhcp-local-server group group-name],
[edit system services dhcp-local-server group group-name interface interface-name]
Release Information
Statement introduced in Junos OS Release 18.2R1.
Description
Enable DHCP short-cycle protection to reduce resource
usage associated with connection and authentication processing in
highly scaled networks. You must configure both the minimum duration
and the maximum duration for the lockout period.
The router detects short-lived client sessions and clients that
repeatedly fail session negotiation, then locks them out from access
by dropping subsequent DHCP discover or solicit messages from the
client. The clients are tracked by the client identifier (client key),
which can be a MAC address or some other unique value for DHCPv4 clients
or the DUID for DHCPv6 clients. Locked-out clients are entered in
the lockout database. If a locked-out client attempts another session
before the grace time threshold is reached, it is locked out again.
Each successive lockout period is increased exponentially up to the
maximum lockout period. The grace time threshold is automatically
set at whichever value is larger, 900 seconds or the configured maximum
value.
Options
lockout-max-time seconds—Maximum length of any lockout period;
the upper bound of the lockout range.
lockout-min-time seconds—Minimum length of any lockout period;
the lower bound of the lockout period. The minimum value is the length
of the first lockout period for a client. It cannot be greater than
the maximum value. If you set it to the same value as the maximum,
then the lockout period is fixed and does not increase for a client’s
subsequent lockouts.
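The following Python sketch is an added example, not Junos code or part of the original page; it models the lockout schedule that results from a given lockout-min-time and lockout-max-time. It assumes that "exponentially" means doubling and that the grace time is measured from the end of the previous lockout, neither of which the page states; the class and function names are hypothetical.

```python
from dataclasses import dataclass

GRACE_FLOOR = 900  # seconds; the floor for the grace time stated in the description

@dataclass
class LockoutEntry:
    period: int        # length of the most recent lockout, in seconds
    locked_until: int  # time at which that lockout ends

class ShortCycleModel:
    """Simplified model of the lockout database (not Junos code)."""

    def __init__(self, lockout_min_time, lockout_max_time):
        if lockout_min_time > lockout_max_time:
            raise ValueError("lockout-min-time cannot exceed lockout-max-time")
        self.min, self.max = lockout_min_time, lockout_max_time
        self.grace = max(GRACE_FLOOR, lockout_max_time)  # larger of 900 s and max
        self.db = {}  # client key (MAC address or DUID) -> LockoutEntry

    def accepts(self, key, now):
        """True if a discover/solicit from this client is processed at time now."""
        entry = self.db.get(key)
        return entry is None or now >= entry.locked_until

    def report_short_cycle(self, key, now):
        """Record a short-lived or failed session and return the lockout length."""
        entry = self.db.get(key)
        # Assumption: grace time is measured from the end of the last lockout.
        if entry is None or now - entry.locked_until >= self.grace:
            period = self.min  # first lockout, or client stayed quiet long enough
        else:
            # Assumption: "exponentially" is modelled as doubling, capped at max.
            period = min(entry.period * 2, self.max)
        self.db[key] = LockoutEntry(period, now + period)
        return period

def schedule(lockout_min_time, lockout_max_time, offences):
    """Lockout lengths for a constructed client that fails again as each lockout ends."""
    model = ShortCycleModel(lockout_min_time, lockout_max_time)
    key, now, periods = "00:11:22:33:44:55", 0, []  # constructed client key
    for _ in range(offences):
        periods.append(model.report_short_cycle(key, now))
        now += periods[-1]
    return periods

if __name__ == "__main__":
    print(schedule(60, 600, 6))   # growing lockouts, capped at lockout-max-time
    print(schedule(300, 300, 3))  # min equal to max: fixed lockout period
```

Running the model with candidate values before committing them shows how many repeated failures it takes for a misbehaving client to reach the maximum lockout.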
Required Privilege Level
interface