Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


short-cycle-protection (DHCP Local Server and Relay Agent)


Hierarchy Level


Enable DHCP short-cycle protection to reduce resource usage associated with connection and authentication processing in highly scaled networks. You must configure both the minimum duration and the maximum duration for the lockout period.

The router detects short-lived client sessions and clients that repeatedly fail session negotiation, then locks them out from access by dropping subsequent DHCP discover or solicit messages from the client. The clients are tracked by the client identifier (client key), which can be a MAC address or some other unique value for DHCPv4 clients or the DUID for DHCPv6 clients. Locked-out clients are entered in the lockout database. If a locked-out client attempts another session before the grace time threshold is reached, it is locked out again. Each successive lockout period is increased exponentially up to the maximum lockout period. The grace time threshold is automatically set at whichever value is larger, 900 seconds or the configured maximum value.


lockout-max-time seconds

Maximum length of any lockout period; the upper bound of the lockout range.

  • Range: 1 through 86400

lockout-min-time seconds

Minimum length of any lockout period; the lower bound of the lockout period. The minimum value is the length of the first lockout period for a client. It cannot be greater than the maximum value. If you set it to the same value as the maximum, then the lockout period is fixed and does not increase for a client’s subsequent lockouts.

  • Range: 1 through 86400

Required Privilege Level


Release Information

Statement introduced in Junos OS Release 18.2R1.