Configuring Lockout of PPPoE Subscriber Sessions
You can configure the router to temporarily lock out a failed or short-lived PPPoE subscriber session from reconnecting for a period of time. The PPPoE subscriber session can reside on a VLAN, VLAN demux, or PPPoE-over-ATM underlying interface.
Before you begin:
Configure the PPPoE underlying interface.
To configure the underlying interface for use with a PPPoE dynamic profile, see Configuring an Underlying Interface for Dynamic PPPoE Subscriber Interfaces.
To configure the PPPoE family for an underlying interface, see Configuring the PPPoE Family for an Underlying Interface.
To configure temporary lockout of PPPoE subscriber sessions:
- Specify that you want to configure PPPoE-specific options on the underlying interface:
For a PPPoE family in a dynamic profile for a VLAN demultiplexing (demux) logical interface:
[edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number]
user@host# edit family pppoe
For a PPPoE family in a dynamic profile:
[edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number]
user@host# edit family pppoe
For a PPPoE underlying interface in a dynamic profile:
[edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number]
user@host# edit pppoe-underlying-options
For a PPPoE family on an underlying interface:
[edit interfaces interface-name unit logical-unit-number]
user@host# edit family pppoe
For an underlying interface with PPPoE encapsulation:
[edit interfaces interface-name unit logical-unit-number]
user@host# edit pppoe-underlying-options
For a PPPoE family in a dynamic profile for a PPPoE-over-ATM logical interface:
[edit dynamic-profiles profile-name interfaces at-fpc/pic/port unit logical-unit-number]
user@host# edit family pppoe
For a PPPoE family on an underlying ATM logical interface:
[edit interfaces at-fpc/pic/port unit logical-unit-number]
user@host# edit family pppoe
- Enable duplicate protection to prevent negotiation of a dynamic or static PPPoE client session on the same underlying interface when a PPPoE client session with the same media access control (MAC) source address is already active on that interface.
[edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
user@host# set duplicate-protection
Best Practice: When you configure PPPoE subscriber session lockout, we recommend that you enable duplicate protection to ensure that the MAC source address for each PPPoE session is unique on the underlying interface.
- Enable PPPoE subscriber session lockout using one of the following filtering mechanisms to identify the subscriber sessions for lockout:
Media access control (MAC)-address based subscriber session lockout (default)
To configure MAC-based subscriber session lockout with the default lockout period of 1 through 300 seconds:
[edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
user@host# set short-cycle-protection
To configure MAC-based subscriber session lockout with a nondefault lockout period:
[edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
user@host# set short-cycle-protection lockout-time-min minimum-seconds lockout-time-max maximum-seconds
Agent circuit identifier (ACI)-based subscriber session lockout
To configure ACI-based subscriber session lockout with the default lockout period:
[edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
user@host# set short-cycle-protection filter aci
For example, the following statement configures temporary lockout based on ACI information for subscriber sessions on a dynamic VLAN demux underlying interface. It uses the default lockout time range of 1 through 300 seconds.
[edit dynamic-profiles my-demux-vlan-profile interfaces demux0 unit "$junos-interface-unit" family pppoe]
user@host# set short-cycle-protection filter aci
To configure ACI-based subscriber session lockout with a nondefault lockout period:
[edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
user@host# set short-cycle-protection lockout-time-min minimum-seconds lockout-time-max maximum-seconds filter aci
For example, the following statement configures temporary lockout based on ACI information for subscriber sessions on a dynamic VLAN underlying interface. It specifies a nondefault lockout time in the range 20 through 120 seconds.
[edit dynamic-profiles my-vlan-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" pppoe-underlying-options]
user@host# set short-cycle-protection lockout-time-min 20 lockout-time-max 120 filter aci
Note: If the ACI value is not present in the PPPoE attributes when you configure ACI-based subscriber session lockout, the router uses MAC-based lockout by default. With ACI-based encapsulation type lockout, PPPoE clients without an ACI attribute are also locked out.
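The following audit script is an added example, not Juniper code. It reads a configuration exported in set form (for example with `show configuration | display set`) and reports, for each unit that enables lockout, the filter in use, the effective lockout range, and whether the duplicate-protection best practice above is followed. The interface names in the sample are constructed, and treating a minimum greater than the maximum as a misconfiguration is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in set form; interface names and values are made up.
SAMPLE_CONFIG = """\
set interfaces ge-1/0/0 unit 100 pppoe-underlying-options duplicate-protection
set interfaces ge-1/0/0 unit 100 pppoe-underlying-options short-cycle-protection lockout-time-min 20 lockout-time-max 120 filter aci
set interfaces ge-1/0/1 unit 200 family pppoe short-cycle-protection
set interfaces ge-1/0/2 unit 300 pppoe-underlying-options short-cycle-protection lockout-time-min 120 lockout-time-max 20
set interfaces ge-1/0/2 unit 300 pppoe-underlying-options duplicate-protection
"""

# Hierarchy levels at which the page places the lockout statements.
LEVEL = re.compile(r"^set (.+? unit \S+ (?:family pppoe|pppoe-underlying-options)) (.+)$")
DEFAULT_RANGE = (1, 300)  # default lockout period stated on the page, in seconds


def audit_lockout(config_text):
    """Return {hierarchy: {"filter", "range", "findings"}} per lockout-enabled unit."""
    stmts = defaultdict(list)
    for line in config_text.splitlines():
        m = LEVEL.match(line.strip())
        if m:
            stmts[m.group(1)].append(m.group(2))
    report = {}
    for level, items in stmts.items():
        scp = [s for s in items if s.startswith("short-cycle-protection")]
        if not scp:
            continue  # lockout not enabled at this hierarchy level
        text = " ".join(scp)
        lo = re.search(r"lockout-time-min (\d+)", text)
        hi = re.search(r"lockout-time-max (\d+)", text)
        rng = (int(lo.group(1)) if lo else DEFAULT_RANGE[0],
               int(hi.group(1)) if hi else DEFAULT_RANGE[1])
        findings = []
        if "duplicate-protection" not in items:
            findings.append("short-cycle-protection without duplicate-protection")
        if rng[0] > rng[1]:  # assumption: flagged as a misconfiguration
            findings.append("lockout-time-min exceeds lockout-time-max")
        # MAC-based filtering is the default when "filter aci" is absent.
        report[level] = {"filter": "aci" if "filter aci" in text else "mac",
                         "range": rng, "findings": findings}
    return report


if __name__ == "__main__":
    for level, info in audit_lockout(SAMPLE_CONFIG).items():
        print(level, info)
```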