Setting Up Cisco Device Timeouts

By Edward Tetz from Cisco Networking All-in-One For Dummies

Without setting up timeout settings for Cisco Device Privileged EXEC Mode, your sessions stay open indefinitely. This is especially dangerous of the console port. Without timeout parameters enabled, if the administrator doesn't log out an intruder has access and no issues getting elevated permissions.

To avoid this potentially dangerous situation, you need only type a command in each of your configuration line interfaces. The command’s format is exec-timeout <minutes> [seconds]. The default setting disables sessions after ten minutes; exec-timeout 0 disables the timeout altogether.

Router1#enable
Password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line con 0
Router1(config)# exec-timeout 5
Router1(config)#line vty 0 4
Router1(config)# exec-timeout 5
Router1(config)#end

In addition to setting a timeout on these settings, you can force vty sessions to be encrypted via SSH. This is easy to implement with the following code example:

Router1#enable
Password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config)# transport input ssh
Router1(config)#end

However, if you do not need to have remote terminal access to these devices, the better option is transport input none, which disables all vty access. In addition to this inbound access, you can create management SSH sessions from one device to another. So by connecting to one device, you can then launch a connection from that device to connect to another device.

Limiting this connection may be accomplished with transport output ssh, which limits you to an outgoing SSH session, whereas transport output none can prevent all outbound connections.