Idle EXEC sessions are not terminated by default. It is a critical security risk, and it is vulnerable to exploitation. Therefore, the Cisco ‘exec-timeout’ command and the ‘absolute-timeout’ command are utilized to prevent possible security risks brought by the issue.
Cisco exec-timeout Command
The Cisco ‘exec-timeout‘ command sets a specific time to disconnect idle EXEC sessions. The default value for the EXEC timeout is 10 minutes. We can also specify a certain time by indicating how many minutes and seconds the idle EXEC session would run before it will timeout. If there is no user input within the indicated time, then the session will be closed. The command is entered in the line configuration mode. So first, enter the global configuration mode and then access the line configuration mode.
Router>enable Router#configure terminal Router(config)#line con 0 Router(config-line)# exec-timeout 3 30 Router(config-line)# exit Router(config)#line vty 0 4 Router(config-line)#exec-timeout 4 0
In the example configuration above, exec-timeout is set with 3 minutes and 30 seconds of inactivity using the console port or line. With the virtual terminal lines (vty), the timeout value was set to 4 minutes. We can do a ‘show run‘ on the privileged EXEC mode to view the set EXEC timeout values.
line con 0 exec-timeout 5 0 ! line vty 0 4 exec-timeout 2 30 login !
To disable the EXEC timeout, either of the following commands are used:
Router(config-line)#exec-timeout 0 0 Router(config-line)#no exec-timeout
Cisco absolute-timeout Command
The absolute timeout terminates the EXEC session even if it is still active and is used during the set timeout period. To enable absolute timeout, in the command terminal, enter configuration commands ‘absolute-timeout‘ and then specify the timeout value in minutes.
An additional command, ‘logout-warning‘, is also recommended to be used to display a line termination warning to the users regarding the upcoming forced absolute timeout. The logout warning value is in seconds.
Router(config)#line vty 0 4 Router(config-line)#exec-timeout 4 0 Router(config-line)#absolute-timeout 5 Router(config-line)#logout-warning 30
The absolute timeout value is set to 5 minutes in the configuration example above. Therefore, the EXEC session will be terminated even if it is still active and the user is still using it. A logout warning will appear 30 seconds before the absolute timeout.
Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.
We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training:
