Juniper JUNOSE SOFTWARE 11.2.X - LINK LAYER CONFIGURATION GUIDE 7-7-2010 Configuration Manual page 554

JunosE 11.2.x Link Layer Configuration Guide
522
For PPP and PPPoE encapsulation types, incorrect logins coupled with clients configured
to perform frequent authentication retries results in significant loading on the RADIUS
server. When an incorrect login occurs, the process of autodetecting, creating partial
dynamic interface columns, and tearing down the columns due to authentication
failures consumes router bandwidth. Enabling temporary lockout of PPP and PPPoE
encapsulation types reduces loading on the RADIUS server caused by incorrect logins
and auto-retry clients.
Reduces loading on line modules.
The repeated creation of multiple short-cycle dynamic interfaces causes excessive
loading on line modules. A short-cycle dynamic interface is one that is detected, partially
or completely created, and torn down within 60 seconds.
Events that can cause short-cycle dynamic interfaces include:
Authentication denials from RADIUS due to the absence of a corresponding entry in
the RADIUS database or due to improper login attempts
Misconfiguration within a dynamic interface profile or RADIUS record
Insufficient memory resources to create a dynamic interface column
Protocol failure or error that occurs within a dynamic interface column
Client logout shortly after a successful login; this action creates a complete dynamic
interface column before the column is torn down
How Encapsulation Type Lockout Works
For a given encapsulation type, such as bridged Ethernet, lockout occurs when a dynamic
interface of this type cannot be created. For example, an authentication denial from
RADIUS causes a lockout. When lockout occurs, the router applies the lockout time range.
If you do not configure a lockout-time range, the router uses the default time range.
Encapsulation type lockout is performed by default. You can configure the lockout time
range by issuing the auto-configure command with the optional lockout-time keyword.
The following guidelines describe lockout behavior:
Any encapsulation type that you do not configure for autodetection with the
auto-configure command is automatically locked out.
You can permanently lock out a specified encapsulation type from autodetection and
prevent dynamic interface creation by issuing a no auto-configure command for the
specified encapsulation type, if previously configured.
When an encapsulation type is locked out, the router continues to autodetect the
remaining encapsulation types and create the dynamic interfaces.
For the IP and bridged Ethernet encapsulation types, temporary lockout occurs
automatically on receipt of an authentication deny response from RADIUS when you
attempt to create and configure a dynamic IPoA or dynamic bridged Ethernet interface.
Copyright © 2010, Juniper Networks, Inc.