Configuring EXEC and Absolute Timeouts
Its always good practice to inactivity timeouts on users logged into devices for mgmt purposes. This lab will discuss and demonstrate the configuration and verification of EXEC and absolute timeouts.
Real World Application
It is common to have a session time in a corporate security policy. In a simple way of putting it, the exec-timeout will terminate an exec session after the session has been idle for the configured exec-timeout time. The default is 10 minutes.
An absolute timeout however is a the maximum amount of time a single session can remain established. So if you have an absolute timeout of 12 minutes than even if the user is active, the session will be disconnected at after 12 minutes.
An absolute-timeout is sometimes used on access-servers to force and exec session to terminate regardless if the state is idle after the specified time.
Lab Prerequisites
- If you are using GNS3 than load the Free CCNA Workbook GNS3 topology than start devices; R1.
- Establish a console session with devices R1 than configure the devices respected hostname(s).
- Create a Loopback interface on R1 and assign it the IP address 10.1.1.1/32
- Create a username and password with level 15 privileges and set the VTY lines to authenticate locally.
Lab Objectives
- Configure a one minute exec-timeout on vty lines 0 through 4 of R1 than verify your configuration by establishing a telnet session to the Loopback0 interface IP address. Once authenticated wait one minute.
- Remove the previously configured exec-timeout configuration on R1’s vty lines than configure a two minute absolute timeout on the VTY lines. Afterwards verify your configuration by establishing a telnet session to the Loopback0 interface IP address and waiting two minutes. If configured correctly you will be automatically disconnected after 120 seconds.
Lab Instruction
Step 1. – Configure a 1 minute exec-timeout on vty lines 0 through 4 of R1 and verify your configuration by telnet’ing to the Loopback0 ip address, authenticating and then idling for 1 minute.
R1 con0 is now available Press RETURN to get started. R1>enable R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#line vty 0 4 R1(config-line)#exec-timeout 2 R1(config-line)#end R1#telnet 10.1.1.1 Trying 10.1.1.1 ... Open User Access Verification Username: tom Password: R1# [Connection to 10.1.1.1 closed by foreign host] R1#
Step 2. – Remove the previously configured exec-timeout configuration on R1’s vty lines than configure a two minute absolute timeout on the VTY lines. Afterwards verify your configuration by establishing a telnet session to the Loopback0 interface IP address and waiting two minutes. If configured correctly you will be automatically disconnected after 120 seconds.
R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#line vty 0 4 R1(config-line)#no exec-timeout R1(config-line)#absolute-timeout 2 R1(config-line)#end R1#telnet 10.1.1.1 Trying 10.1.1.1 ... Open User Access Verification Username: tom Password: R1# * * * Line timeout expired * [Connection to 10.1.1.1 closed by foreign host] R1#
