Dynamic Encapsulation Type Lockout

How Encapsulation Type Lockout Works

For a given encapsulation type, such as bridged Ethernet, lockout occurs when a dynamic interface of this type cannot be created. For example, an authentication denial from RADIUS causes a lockout. When lockout occurs, the router applies the lockout time range. If you do not configure a lockout-time range, the router uses the default time range.

Encapsulation type lockout is performed by default. You can configure the lockout time range by issuing the auto-configure command with the optional lockout-time keyword.

The following guidelines describe lockout behavior:

• Any encapsulation type that you do not configure for autodetection with the auto-configure command is automatically locked out.
• You can permanently lock out a specified encapsulation type from autodetection and prevent dynamic interface creation by issuing a no auto-configure command for the specified encapsulation type, if previously configured.
• When an encapsulation type is locked out, the router continues to autodetect the remaining encapsulation types and create the dynamic interfaces.

For the IP and bridged Ethernet encapsulation types, temporary lockout occurs automatically on receipt of an authentication deny response from RADIUS when you attempt to create and configure a dynamic IPoA or dynamic bridged Ethernet interface.

The lockout time range comprises two values: a minimum lockout time and a maximum lockout time. The initial lockout time begins with the minimum lockout time. From this point, the lockout time increases exponentially for every successive lockout event within the greater of 15 minutes or the maximum configured lockout time. The lockout time never exceeds the maximum value of the time range.

For example, using the default lockout time range of 1–300 seconds, the increasing lockout time sequence is: 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds, 128 seconds, 256 seconds, and finally, 300 seconds (5 minutes).

Benefits of Encapsulation Type Lockout

Using dynamic encapsulation type lockout provides the following benefits:

• Enables autodetection of other encapsulation types when a dynamic interface for a specified encapsulation type cannot be created.

  For example, when running a PPPoE client, digital subscriber line (DSL) modems might transmit bridged Ethernet frames among the PPPoE frames. When bridged Ethernet and PPPoE encapsulation types are configured for autodetection with the auto-configure command, and a subscriber is configured for the bridged Ethernet encapsulation type, RADIUS sends a deny response after the router attempts to authenticate a received bridged Ethernet frame. Receiving an authentication denial from RADIUS causes the router to lock out bridged Ethernet. By locking out bridged Ethernet frames, the router can receive PPPoE frames unimpeded, facilitating rapid creation of dynamic PPPoE interfaces.

• Reduces loading on the RADIUS server.

  In some cases, IP and bridged Ethernet interfaces configured with a local subscriber do not have a corresponding subscriber entry in the RADIUS database. This can occur inadvertently due to misconfiguration of the E Series router or RADIUS server, or intentionally as a way to prevent creation of dynamic IPoA or bridged Ethernet interfaces.

  In previous releases, when the ATM 1483 interface received a deny response from RADIUS due to the missing subscriber entry, it performed continuous authentication retries every few seconds, which caused significant loading on the RADIUS server. Locking out autodetection of the IP or bridged Ethernet encapsulation type for a configurable time period prevents detection of dynamic IPoA or bridged Ethernet interfaces and reduces loading on the RADIUS server.

  For PPP and PPPoE encapsulation types, incorrect logins coupled with clients configured to perform frequent authentication retries results in significant loading on the RADIUS server. When an incorrect login occurs, the process of autodetecting, creating partial dynamic interface columns, and tearing down the columns due to authentication failures consumes router bandwidth. Enabling temporary lockout of PPP and PPPoE encapsulation types reduces loading on the RADIUS server caused by incorrect logins and auto-retry clients.

• Reduces loading on line modules.

  The repeated creation of multiple short-cycle dynamic interfaces causes excessive loading on line modules. A short-cycle dynamic interface is one that is detected, partially or completely created, and torn down within 60 seconds.

  Events that can cause short-cycle dynamic interfaces include:

  • Authentication denials from RADIUS due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts
  • Misconfiguration within a dynamic interface profile or RADIUS record
  • Insufficient memory resources to create a dynamic interface column
  • Protocol failure or error that occurs within a dynamic interface column
  • Client logout shortly after a successful login; this action creates a complete dynamic interface column before the column is torn down

Encapsulation Type Lockout Based on DSL Forum VSAs for IWF PPPoE Sessions

JunosE Software supports the dynamic encapsulation type lockout functionality for PPPoE sessions that contain the IWF-Session DSL Forum vendor-specific attribute (VSA) (26-254) in the PPPoE active discovery request (PADR) packets. For interworking function (IWF) sessions that involve a set of functions to be processed to interconnect two networks of different technologies (such as PPPoE over ATM to PPPoE), the encapsulation type lockout for the PPPoE clients associated with the dynamic PPPoE subinterface column on the PPPoE major interface is determined using a combination of the Agent-Circuit-Id (26-1) and Agent-Remote-Id (26-2) DSL Forum VSAs, in addition to the media access control (MAC) address.

The DSL Forum VSAs used in the encapsulation type lockout process for IWF PPPoE sessions comprise Agent-Circuit-Id (26-1) and Agent-Remote-Id (26-2). The Agent-Circuit-Id VSA is the identifier for the subscriber agent circuit that corresponds to the digital subscriber line access multiplexer (DSLAM) interface from which subscriber requests are initiated. The Agent-Remote-Id VSA is the unique identifier for the subscriber associated with the DSLAM interface from which requests are initiated. For PPPoE sessions with the IWF-Session VSA, if you configured the pppoe auto-configure lockout-time command in Interface Configuration mode or Subinterface Configuration mode, the MAC address, Agent-Circuit-Id, and Agent-Remote-Id values are used together to identify a subscriber to implement PPPoE lockout.

If subscriber PPP sessions are transported on PPPoE, the PPPoE intermediate agent on the DSLAM adds the Agent-Circuit-Id and Agent-Remote-Id VSAs to the PPPoE PADI and PADR packets. The PPPoE implementation technique captures both the Agent-Circuit-Id and the Agent-Remote-Id sub-options from every PADR packet for every PPPoE session. Dynamic encapsulation type lockout is enabled by default for all IWF PPPoE sessions.

Guidelines for Configuring Encapsulation Type Lockout for PPPoE Sessions

The following rules apply when you configure the lockout time for dynamic encapsulation type lockout:

• The lockout time value is defined as

  (minimum lockout time) * (2 ^ n-1)

  where n represents the number of consecutive lockout events.

• The router increments the value of n when the time between lockout events is either within 15 minutes or the maximum lockout time, whichever is greater.
• When the time between lockout events is greater than either 15 minutes or the maximum lockout time, the value of n reverts to 1. This condition is referred to as a grace period.
• The lockout time never exceeds the maximum configured lockout time. For example, for a configured lockout time in the range 20–120 seconds, the increasing lockout time sequence is 20 seconds, 40 seconds, 80 seconds, and finally, 120 seconds.
• A short-cycle event is a dynamic interface that is created and torn down within 60 seconds. The router tracks the time between short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event.

  Note: When the calculated lockout time is equal to or exceeds the maximum lockout time, the router uses the maximum lockout time value until the time to the next event exceeds the greater of 15 minutes or the maximum lockout time value. At that point, the lockout time reverts to the minimum lockout time value.

• The minimum lockout time value cannot exceed the maximum lockout time value. When the minimum and maximum values are equal, the encapsulation type lockout time becomes fixed.

Guidelines for Configuring Encapsulation Type Lockout for IWF PPPoE Sessions

Keep the following points in mind while configuring dynamic encapsulation type lockout for IWF PPPoE sessions:

• If the DSLAM network does not add the DSL Forum VSAs (Agent-Circuit-Id and Agent-Remote-Id) that are required to accurately and uniquely identify the subscriber access loop, dynamic encapsulation type lockout for PPPoE clients is performed using MAC address as the only criterion to identify subscribers.

  In such conditions, the mode of working of encapsulation type lockout for PPPoE clients is the same as the behavior that existed when lockout of PPPoE clients was performed using the MAC address of the client as the only matching parameter.

• If the Agent-Circuit-Id DSL Forum VSA (26-1) is not contained in the PADR packet sent from the PPPoE client or is not unique for each IWF PPPoE session that originates from the client, the Agent-Remote-Id DSL VSA (26-2) is used along with the MAC address as the filter criteria to uniquely identify the subscriber session that needs to be locked out.
• When you enter the pppoe auto-configure lockout-time command in Interface Configuration mode or Subinterface Configuration mode to configure dynamic encapsulation type lockout, even if PPPoE sessions associated with a particular MAC address are locked out, other PPPoE sessions that originated with the same MAC address are not terminated (continue to remain logged in) if they are IWF sessions from different access loops (PPPoE clients) and this information is available to the B-RAS application.

Encapsulation Type Lockout for IWF PPPoE Sessions Overview

Consider a sample configuration scenario in which subscriber access loops are connected using ATM links to a digital subscriber line access multiplexer (DSLAM) device. Figure 1 shows a topology in which one DSLAM is connected one PPPoE access concentrator. The ATM traffic is forwarded using an Ethernet circuit from the DSLAM device to the PPPoE access concentrator. The PPPoE over ATM or PPP over ATM (PPPoA) traffic is converted to PPPoE by the DSLAM device, which is connected to an ATM access loop on one side and an Ethernet aggregate network on the other side. The interworking function (IWF) describes the set of mechanisms used to convert a PPPoE over ATM or PPPoA session to a PPPoE session.

Figure 1: Single DSLAM Connected to a PPPoE Access Concentrator

The conversion of PPP, PPPoE, Ethernet, ATM 1483, or ATM connections at the DSLAM access loop interface to PPP, PPPoE, or Ethernet connections at the DSLAM aggregate network interface signifies that the MAC addresses of all such IWF sessions are translated to be the MAC address of the DSLAM Ethernet interface connected to the aggregate network. Therefore, you cannot uniquely identify a subscriber using the media access control (MAC) address only. If the MAC address alone is used to identify a particular subscriber, a single erroneous IWF session can cause other IWF sessions to be locked out.

In this setup, if the PPPoE session contains the IWF-Session DSL Forum VSA (26-254) in the PPPoE active discovery request (PADR) packet that is sent from the PPPoE client, the Agent-Circuit-Id DSL Forum VSA (26-1) is used in addition to the MAC address to identify the PPPoE session to be locked out. This method enables backward compatibility with all non-IWF topologies. The Agent-Circuit-Id is of the format, DSLAM name Slot/Port VPI: VCI, which enables unique identification of the subscriber that has initiated the session. This feature of encapsulation type lockout based on the Agent-Circuit-Id, in addition to the MAC address retrieved from the client, is enabled by default only for IWF sessions.