Juniper JUNOSE SOFTWARE 11.0.X - LINK LAYER CONFIGURATION GUIDE 4-1-2010 Configuration Manual page 506

JUNOSe 11.0.x Link Layer Configuration Guide
How Encapsulation Type Lockout Works
For a given encapsulation type, such as bridged Ethernet, lockout occurs when a
dynamic interface of this type cannot be created. For example, an authentication
denial from RADIUS causes a lockout. When lockout occurs, the router applies the
lockout time range. If you do not configure a lockout-time range, the router uses the
default time range.
476
About Configuring Dynamic Interfaces over Static ATM
a received bridged Ethernet frame. Receiving an authentication denial from
RADIUS causes the router to lock out bridged Ethernet. By locking out bridged
Ethernet frames, the router can receive PPPoE frames unimpeded, facilitating
rapid creation of dynamic PPPoE interfaces.
Reduces loading on the RADIUS server.
In some cases, IP and bridged Ethernet interfaces configured with a local
subscriber do not have a corresponding subscriber entry in the RADIUS database.
This can occur inadvertently due to misconfiguration of the E Series router or
RADIUS server, or intentionally as a way to prevent creation of dynamic IPoA
or bridged Ethernet interfaces.
In previous releases, when the ATM 1483 interface received a deny response
from RADIUS due to the missing subscriber entry, it performed continuous
authentication retries every few seconds, which caused significant loading on
the RADIUS server. Locking out autodetection of the IP or bridged Ethernet
encapsulation type for a configurable time period prevents detection of dynamic
IPoA or bridged Ethernet interfaces and reduces loading on the RADIUS server.
For PPP and PPPoE encapsulation types, incorrect logins coupled with clients
configured to perform frequent authentication retries results in significant loading
on the RADIUS server. When an incorrect login occurs, the process of
autodetecting, creating partial dynamic interface columns, and tearing down the
columns due to authentication failures consumes router bandwidth. Enabling
temporary lockout of PPP and PPPoE encapsulation types reduces loading on
the RADIUS server caused by incorrect logins and auto-retry clients.
Reduces loading on line modules.
The repeated creation of multiple short-cycle dynamic interfaces causes excessive
loading on line modules. A short-cycle dynamic interface is one that is detected,
partially or completely created, and torn down within 60 seconds.
Events that can cause short-cycle dynamic interfaces include:
Authentication denials from RADIUS due to the absence of a corresponding
entry in the RADIUS database or due to improper login attempts
Misconfiguration within a dynamic interface profile or RADIUS record
Insufficient memory resources to create a dynamic interface column
Protocol failure or error that occurs within a dynamic interface column
Client logout shortly after a successful login; this action creates a complete
dynamic interface column before the column is torn down