Enabling Absolute Timeouts on VTY Lines

Problem

You want to enable absolute timeouts on your VTY lines.

Solution

To enable absolute VTY timeouts, use the following set of configuration commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#absolute-timeout 5
Router1(config-line)#logout-warning 30
Router1(config-line)#exit
Router1(config)#end
Router1#

Discussion

To prevent users from indefinitely tying up valuable router VTY lines, you can implement absolute timers. Absolute timers differ from the inactivity timers discussed in Recipe 3.9 because they will terminate a session whether it is active or not. Although absolute timers are rarely used, there are times when they can be quite useful. For example, in classroom and lab situations, the absolute timeout can help to ensure that nobody uses more than their fair share of login time.

The prospect of having a session terminated in the middle of troubleshooting a problem in a production network is not appealing to most administrators. So, if you do choose to implement an absolute timer, we recommend setting the timer to a reasonable amount of time (no less than 10 minutes). In addition, you should enable a logout warning to ensure that the user has plenty of notice to save their work. The following is an example of a logout-warning banner:

Router1>
*
*
* Line timeout expired
*
*
Router1>Connection closed by foreign host.
Freebsd%

Note that the argument for the absolute-timeout command is a time value in minutes, whereas the logout-warning command uses seconds. In the example, we set the absolute timeout to 5 minutes and the warning message to 30 seconds. A 30-second warning may be too aggressive in a production environment.
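
The following is an added example, not part of the original recipe: a short Python audit that reads a saved configuration, finds each "line vty" block, and checks the two timers against the guidance above, converting minutes to seconds before comparing them. The sample configuration is constructed, the function names are hypothetical, and the check that the warning is shorter than the timeout is an assumption added for illustration.

```python
import re

MIN_ABSOLUTE_MINUTES = 10  # floor recommended in the discussion above
# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
line vty 0 4
 absolute-timeout 5
 logout-warning 30
 login
line vty 5 15
 exec-timeout 5 0
 login
!
"""

def parse_vty_blocks(config):
    """Map each 'vty N M' block to the timer values found under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if re.match(r"^line vty \d+(?: \d+)?\s*$", line):
            current = blocks.setdefault(line.strip()[5:], {})
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the block
        elif current is not None:
            m = re.match(r"^\s+(absolute-timeout|logout-warning) (\d+)\s*$", line)
            if m:
                current[m.group(1)] = int(m.group(2))
    return blocks

def audit_vty(config, min_minutes=MIN_ABSOLUTE_MINUTES):
    """Return (block, message) findings for the VTY absolute timers."""
    findings = []
    for name, opts in parse_vty_blocks(config).items():
        absolute = opts.get("absolute-timeout")  # minutes
        warning = opts.get("logout-warning")     # seconds
        if absolute is None:
            findings.append((name, "no absolute-timeout configured"))
            continue
        if absolute < min_minutes:
            findings.append((name, f"absolute-timeout {absolute} min is below {min_minutes} min"))
        if warning is None:
            findings.append((name, "no logout-warning configured"))
        elif warning >= absolute * 60:  # compare in seconds
            findings.append((name, f"logout-warning {warning} s covers the whole {absolute} min session"))
    return findings

if __name__ == "__main__":
    for name, message in audit_vty(SAMPLE_CONFIG):
        print(f"line {name}: {message}")
```

Run against the constructed sample, it reports the 5-minute timeout on lines 0 through 4 as below the 10-minute floor and the missing absolute timeout on lines 5 through 15.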

See Also

Recipe 3.9
