Chapter 11
Access Policies
Setting the usernames won't do any good until you set the login local
command on a line. If you want users to be prompted for a username on
certain lines, make sure you set the login local command on those lines.
Do not set login local and then forget to set the usernames and passwords,
or you will be locked out of your router! The only way to recover is to
reload or reboot the router, and this will work only if you didn't save the
new configuration. You will have to perform a password recovery technique
if you did save the configuration.
Here is an example of setting the login local on the console and Telnet
lines:
line con 0
login local
line vty 0 4
login local
exit
Session Time-Outs
It is important to not leave open Telnet or console sessions running when
you are not at your workstation. It is very easy to forget to log out, so setting
the time-outs will provide an additional level of security for an unattended
console.
For an IOS-based router, use the exec-timeout command under the line
command. The exec-timeout 0 0 command sets the time-out for the console
EXEC session to zero, or to never time out. To set the line to time out
after 10 minutes, use exec-timeout 10.
Here is an example of how to configure the exec-timeout command on
the console and Telnet lines:
Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
<cr>
Router(config-line)#line vty 0 4
Router(config-line)#exec-timeout 10
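The two pitfalls described above (login local with no usernames defined, and exec-timeout 0 0 on a line) can be checked in a saved configuration before it is loaded. The following is an added example, not code from the book; the function name audit_lines and the sample configuration are constructed for illustration, and it assumes the input uses the show running-config layout, where line sub-commands are indented by a space.

```python
import re

# Constructed sample in "show running-config" layout (not from the book):
# no username is defined and the console is set to never time out.
SAMPLE_CONFIG = """\
hostname Router
!
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 exec-timeout 10 0
 login local
!
end
"""

LOCKOUT = "login local is set but no username is defined (lockout risk)"
NEVER = "exec-timeout 0 0: EXEC session never times out"

def audit_lines(config):
    """Return (line_name, finding) tuples for an IOS configuration text."""
    has_user = False
    lines = {}       # "line con 0" -> list of its sub-commands
    current = None   # line block currently being read, if any
    for raw in config.splitlines():
        text = raw.strip().lower()
        if raw.startswith(" "):
            if current:
                lines[current].append(text)
            continue
        # Unindented text is a global command and ends any line block.
        current = None
        if re.match(r"username\s+\S+", text):
            has_user = True
        elif re.match(r"line\s+\S+", text):
            current = " ".join(text.split())
            lines[current] = []
    findings = []
    for name, cmds in lines.items():
        if "login local" in cmds and not has_user:
            findings.append((name, LOCKOUT))
        for cmd in cmds:
            m = re.fullmatch(r"exec-timeout\s+(\d+)(?:\s+(\d+))?", cmd)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append((name, NEVER))
    return findings

if __name__ == "__main__":
    for name, finding in audit_lines(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
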
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com