Configuring Lockout of PPPoE Subscriber Sessions

You can configure the router to temporarily lock out a failed or short-lived PPPoE subscriber session from reconnecting for a period of time. The PPPoE subscriber session can reside on a VLAN or VLAN demux underlying interface.

Before you begin:

Configure the PPPoE underlying interface.

To configure the underlying interface for use with a PPPoE dynamic profile, see Configuring an Underlying Interface for Dynamic PPPoE Subscriber Interfaces.

To configure the PPPoE family for an underlying interface, see Configuring the PPPoE Family for an Underlying Interface.

To configure temporary lockout of PPPoE subscriber sessions:

Specify that you want to configure PPPoE-specific options on the underlying interface:

For a PPPoE family in a dynamic profile for a VLAN demultiplexing (demux) logical interface:

For a PPPoE family in a dynamic profile:

For a PPPoE underlying interface in a dynamic profile:

For a PPPoE family on an underlying interface:

For an underlying interface with PPPoE encapsulation:

Enable duplicate protection to prevent negotiation of a dynamic or static PPPoE client session on the same underlying interface when a PPPoE client session with the same media access control (MAC) source address is already active on that interface.
Best Practice:
When you configure PPPoE subscriber session lockout, we recommend that you enable duplicate protection to ensure that the MAC source address for each PPPoE session is unique on the underlying interface.
Enable PPPoE subscriber session lockout using one of the following filtering mechanisms to identify the subscriber sessions for lockout:
- Media access control (MAC)-address based subscriber session lockout (default)
  - To configure MAC-based subscriber session lockout with the default lockout period of 1 through 300 seconds:
  - To configure MAC-based subscriber session lockout with a nondefault lockout period:
- Agent circuit identifier (ACI)-based subscriber session lockout
  - To configure ACI-based subscriber session lockout with the default lockout period:
    For example, the following statement configures temporary lockout based on ACI information for subscriber sessions on a dynamic VLAN demux underlying interface. It uses the default lockout time range 1 through 300 seconds.
  - To configure ACI-based subscriber session lockout with a nondefault lockout period:
    For example, the following statement configures temporary lockout based on ACI information for subscriber sessions on a dynamic VLAN underlying interface. It specifies a nondefault lockout time in the range 20 through 120 seconds.
  Note:
  If the ACI value is not present in the PPPoE attributes when you configure ACI-based subscriber session lockout, the router uses MAC-based lockout by default. With ACI-based encapsulation type lockout, PPPoE clients without an ACI attribute are also locked out.

Configuring Lockout of PPPoE Subscriber Sessions

Related Documentation