Overview

Cisco Catalyst IR8140 Heavy Duty Series routers

The Cisco Catalyst IR8140 Heavy Duty Router (IR8140H) is a next-generation, modular, IP66/67-rated industrial router that is designed for outdoor use.

The IR8140H router is available in two models:

  • IR8140H-P-K9: Supports Power over Ethernet (PoE).

  • IR8140H-K9: Does not support PoE.

Key points to consider

Consider these points before using this guide:

  • The terms IR8140H, IR8100, and router are used throughout this document in text and CLI examples to refer to the Cisco Catalyst IR8140 Heavy Duty Series Router, unless otherwise noted.

  • The documentation set for this product strives to use bias-free language. For this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality.

  • Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.

Supported modules

The IR8140H Series features four external module slots plus two onboard WAN ports and supports:

  • 60W PSU,

  • GNSS onboard transceiver,

  • 900MHz WPAN – OFDM/FSK,

  • 4G/LTE IRMH modules, mSATA module,

  • 1x 1GbE SFP WAN and 1x 1GbE Cu WAN,

  • PoE (15W) – Supported only on the IR8140H-P-K9 PID,

  • 12VDC_OUT port (Only available when PoE is not in use),

  • Battery Backup Units (BBUs) – Up to 3,

  • 2x Alarm ports (Digital IO).

Access CLI using a router console

Cisco IR8140H routers have an RJ45 RS232 serial console port located on the CPU module. The default baud rate is 9600. You can use any RJ45 console cable that is available in the market.

On a device fresh from the factory, the System Configuration Dialog is displayed. If the router was ordered for use with Cisco PnP Connect services for centralized provisioning, the router skips the initial dialog.


Note


Autoinstall will terminate if any input is detected on console.


Procedure


Step 1

Connect the RJ45 console cable to the router's RS232 serial console port on the CPU module.

Step 2

Open a terminal emulator on your computer and configure it to use 9600 baud rate.

Step 3

Power on the router and observe the console output.

The System Configuration Dialog details are displayed as given in the example.

Example:

--- System Configuration Dialog ---
                        Would you like to enter the initial configuration dialog? [yes/no]:
                        WARNING: ** NOTICE ** This is the final IOS XE release to provide support for the H.323 protocol. Consider switching to SIP for multimedia applications before upgrading to 17.6.1.
                        *Jan 27 23:51:55.579: %TAMPER_ALARM-0-TAMPER_ALARM_ASSERT: Tamper alarm slot (Tamper alarm slot 2) asserted
                        *Jan 27 23:51:55.579: %TAMPER_ALARM-0-TAMPER_ALARM_ASSERT: Tamper alarm slot (Tamper alarm slot 3) asserted
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0,GigabitEthernet0/0/1
                        Autoinstall trying DHCPv4 on GigabitEthernet0/0/0,GigabitEthernet0/0/1
                        AUTO IP is starting!!!!
                        start Autoip process
                        Acquired IPv4 address 192.168.0.202 on Interface GigabitEthernet0/0/0
                        Received following DHCPv4 options:
                        dns-server-ip : 192.168.0.2
                        si-addr : 192.168.0.2
                        hostname : Router
                        stop Autoip process
                        Press RETURN to get started!
                        *Jan 27 23:53:08.903: %SYS-5-USERLOG_NOTICE: Message from tty0(user id: ): Device in day0 workflow, some non user-configured options may be enabled by default
                        *Jan 27 23:53:08.920: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        OK to enter CLI now...
                        pnp-discovery can be monitored without entering enable mode
                        Entering enable mode will stop pnp-discovery
                        *Jan 27 23:53:08.921: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server (https://devicehelper.cisco.com.:443/pnp/HELLO)
                        *Jan 27 23:53:09.788: AUTOINSTALL: Obtain siaddr 192.168.0.2 (as config server)
                        *Jan 27 23:53:09.788: AUTOINSTALL: Setting hostname Router from DHCP reply
                        *Jan 27 23:53:10.899: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
                        *Jan 27 23:53:11.899: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
                        *Jan 27 23:53:29.880: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server (https://devicehelper.cisco.com.:443/pnp/HELLO)
                        *Jan 27 23:53:29.883: %PNP-6-PNP_PROFILE_CREATED: PnP profile (pnp_cco_profile) created (1/3) by (pid=656, pname=PnP Agent Discovery, time=23:53:29 UTC Wed Jan 27 2021)
                        *Jan 27 23:53:30.893: %PNP-6-PNP_SUDI_UPDATE: Device SUDI [PID:IR8140H-P-K9,SN:FDO2438J8UN] identified
                        *Jan 27 23:53:30.893: %PNP-6-PNP_RELOAD_INFO_ENCODED: Reload reason (PnP Service Info 2408-Unknown reason) encoded (1/3) by (pid=656, pname=PnP Agent Discovery)
                        *Jan 27 23:53:30.894: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:53:35.635: %PNP-6-PNP_RELOAD_INFO_STOPPED: Reload reason (PnP Service Info 2408-Unknown reason) stopped by (profile=pnp_cco_profile, host=devicehelper.cisco.com., port=443)
                        *Jan 27 23:53:56.755: %PNP-6-PNP_BACKOFF_NOW: PnP Backoff now for (60) seconds requested (1/3) by (profile=pnp_cco_profile, host=devicehelper.cisco.com., port=443)
                        *Jan 27 23:54:07.900: %PNP-3-PNP_CCO_PROFILE_UNCONFIGURED: CCO Server profile (pnp_cco_profile) unconfigured (1/10) by (pid=656, pname=PnP Agent Discovery, time=23:54:07 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:07.900: %PNP-6-PNP_PROFILE_DELETED: PnP profile (pnp_cco_profile) deleted (1/3) by (pid=656, pname=PnP Agent Discovery, time=23:54:07 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:07.901: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:54:07.909: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:54:13.907: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (4/10) on (GigabitEthernet0/0/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:13 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:13.907: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (5/10) on (WPAN0/1/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:13 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:29.911: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (6/10) on (GigabitEthernet0/0/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:29 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:29.911: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (7/10) on (WPAN0/1/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:29 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:37.911: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (8/10) on (GigabitEthernet0/0/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:37 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:37.911: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (9/10) on (WPAN0/1/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:37 UTC Wed Jan 27 2021)
                        *Jan 27 23:54:53.914: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (10/10) on (GigabitEthernet0/0/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:53 UTC Wed Jan 27 2021)
                        *Jan 27 23:55:20.100: %PNP-6-PNP_CCO_SERVER_IP_RESOLVED: CCO server (devicehelper.cisco.com.) resolved to ip (18.205.166.131) by (pid=656, pname=PnP Agent Discovery, time=23:55:20 UTC Wed Jan 27 2021)
                        *Jan 27 23:55:20.100: %PNP-6-PNP_PROFILE_CREATED: PnP profile (pnp_cco_profile) created (2/3) by (pid=656, pname=PnP Agent Discovery, time=23:55:20 UTC Wed Jan 27 2021)
                        *Jan 27 23:55:21.107: %PNP-6-PNP_RELOAD_INFO_ENCODED: Reload reason (PnP Service Info 2408-Unknown reason) encoded (2/3) by (pid=656, pname=PnP Agent Discovery)
                        *Jan 27 23:55:21.108: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:55:32.751: %PNP-6-PNP_BACKOFF_NOW: PnP Backoff now for (60) seconds requested (2/3) by (profile=pnp_cco_profile, host=devicehelper.cisco.com., port=443)
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        *Jan 27 23:55:43.108: %PNP-3-PNP_CCO_PROFILE_UNCONFIGURED: CCO Server profile (pnp_cco_profile) unconfigured (2/10) by (pid=656, pname=PnP Agent Discovery, time=23:55:43 UTC Wed Jan 27 2021)
                        *Jan 27 23:55:43.108: %PNP-6-PNP_PROFILE_DELETED: PnP profile (pnp_cco_profile) deleted (2/3) by (pid=656, pname=PnP Agent Discovery, time=23:55:43 UTC Wed Jan 27 2021)
                        *Jan 27 23:55:43.109: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:55:43.113: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        *Jan 27 23:56:55.316: %PNP-6-PNP_PROFILE_CREATED: PnP profile (pnp_cco_profile) created (3/3) by (pid=656, pname=PnP Agent Discovery, time=23:56:55 UTC Wed Jan 27 2021)
                        *Jan 27 23:56:56.323: %PNP-6-PNP_RELOAD_INFO_ENCODED: Reload reason (PnP Service Info 2408-Unknown reason) encoded (3/3) by (pid=656, pname=PnP Agent Discovery)
                        *Jan 27 23:56:56.324: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        Autoinstall trying DHCPv6 on GigabitEthernet0/0/0
                        *Jan 27 23:57:09.810: AUTOINSTALL: script execution not successful for Gi0/0/0.
                        *Jan 27 23:57:10.829: %SYS-5-CONFIG_P: Configured programmatically by process DHCP Autoinstall from console as vty0
                        *Jan 27 23:58:10.003: %PNP-6-PNP_BACKOFF_NOW: PnP Backoff now for (60) seconds requested (3/3) by (profile=pnp_cco_profile, host=devicehelper.cisco.com., port=443)
                        *Jan 27 23:58:21.323: %PNP-3-PNP_CCO_PROFILE_UNCONFIGURED: CCO Server profile (pnp_cco_profile) unconfigured (3/10) by (pid=656, pname=PnP Agent Discovery, time=23:58:21 UTC Wed Jan 27 2021)
                        *Jan 27 23:58:21.323: %PNP-6-PNP_PROFILE_DELETED: PnP profile (pnp_cco_profile) deleted (3/3) by (pid=656, pname=PnP Agent Discovery, time=23:58:21 UTC Wed Jan 27 2021)
                        *Jan 27 23:58:21.324: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:58:21.327: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:59:34.507: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:59:59.507: %PNP-3-PNP_CCO_PROFILE_UNCONFIGURED: CCO Server profile (pnp_cco_profile) unconfigured (4/10) by (pid=656, pname=PnP Agent Discovery, time=23:59:59 UTC Wed Jan 27 2021)
                        *Jan 27 23:59:59.508: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 27 23:59:59.511: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 28 00:01:12.715: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 28 00:02:22.715: %PNP-3-PNP_CCO_PROFILE_UNCONFIGURED: CCO Server profile (pnp_cco_profile) unconfigured (5/10) by (pid=656, pname=PnP Agent Discovery, time=00:02:22 UTC Thu Jan 28 2021)
                        *Jan 28 00:02:22.716: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 28 00:02:22.719: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        Router>en
                        Router#sh ip in
                        *Jan 28 00:02:42.724: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as console
                        *Jan 28 00:02:42.724: %PNP-6-PNP_SAVING_TECH_SUMMARY: Saving PnP tech summary (/pnp-tech/pnp-tech-discovery-summary)... Please wait. Do not interrupt.t b
                        *Jan 28 00:02:42.877: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 28 00:02:42.924: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 28 00:02:43.394: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
                        *Jan 28 00:02:43.494: %PNP-6-PNP_TECH_SUMMARY_SAVED_OK: PnP tech summary (/pnp-tech/pnp-tech-discovery-summary) saved successfully (elapsed time: 1 seconds).
                        *Jan 28 00:02:43.494: %PNP-6-PNP_DISCOVERY_STOPPED: PnP Discovery stopped (Config Wizard)
                        Interface IP-Address OK? Method Status Protocol
                        GigabitEthernet0/0/0 192.168.0.202 YES DHCP up up
                        GigabitEthernet0/0/1 unassigned YES unset administratively down down
                        WPAN0/1/0 unassigned YES unset up up
                        Router#

Step 4

Press RETURN key to get started and access the CLI prompt.


The device now has a basic configuration that you can build upon.
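An added example, not part of the Cisco guide: a Python script that reads a captured Day-0 console log like the one above and reports which PnP server the device contacted, the SUDI it presented, the DHCP-supplied config server, and any severity 0 to 3 messages such as the tamper alarms. The sample lines are copied from the console example; the function names and the allowlist of expected PnP hosts are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Lines copied from the console example above (timestamps kept as printed).
SAMPLE_LOG = """\
*Jan 27 23:51:55.579: %TAMPER_ALARM-0-TAMPER_ALARM_ASSERT: Tamper alarm slot (Tamper alarm slot 2) asserted
*Jan 27 23:53:08.921: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server (https://devicehelper.cisco.com.:443/pnp/HELLO)
*Jan 27 23:53:09.788: AUTOINSTALL: Obtain siaddr 192.168.0.2 (as config server)
*Jan 27 23:53:29.880: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server (https://devicehelper.cisco.com.:443/pnp/HELLO)
*Jan 27 23:53:30.893: %PNP-6-PNP_SUDI_UPDATE: Device SUDI [PID:IR8140H-P-K9,SN:FDO2438J8UN] identified
*Jan 27 23:54:13.907: %PNP-3-PNP_DOMAIN_NAME_NOT_FOUND: Domain name not found (4/10) on (GigabitEthernet0/0/0) by (pid=656, pname=PnP Agent Discovery, time=23:54:13 UTC Wed Jan 27 2021)
"""

# %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)")
URL_RE = re.compile(r"PnP server \((\S+)\)")
SUDI_RE = re.compile(r"Device SUDI \[PID:([^,\]]+),SN:([^\]]+)\]")
SIADDR_RE = re.compile(r"AUTOINSTALL: Obtain siaddr (\S+)")


def summarize_day0(log):
    """Collect the provisioning facts a reviewer would check after first boot."""
    summary = {"pnp_servers": set(), "sudi": None,
               "config_servers": [], "severe": Counter()}
    for line in log.splitlines():
        line = line.strip()
        # AUTOINSTALL lines carry no %FACILITY prefix, so match them first.
        siaddr = SIADDR_RE.search(line)
        if siaddr:
            summary["config_servers"].append(siaddr.group(1))
        msg = MSG_RE.search(line)
        if not msg:
            continue
        facility, severity, mnemonic, text = msg.groups()
        if int(severity) <= 3:  # emergency (0) through error (3)
            summary["severe"][f"{facility}-{severity}-{mnemonic}"] += 1
        if facility == "PNP" and mnemonic in ("HTTP_CONNECTING", "HTTP_CONNECTED"):
            url = URL_RE.search(text)
            if url:
                parts = urlsplit(url.group(1))
                # The log prints the host as a rooted name; drop the trailing dot.
                host = (parts.hostname or "").rstrip(".")
                summary["pnp_servers"].add((parts.scheme, host, parts.port))
        sudi = SUDI_RE.search(text)
        if sudi:
            summary["sudi"] = sudi.groups()
    return summary


def unexpected_pnp_servers(summary, allowed_hosts):
    """Return contacted PnP hosts that are not HTTPS or not on the allowlist."""
    return sorted(host for scheme, host, _port in summary["pnp_servers"]
                  if scheme != "https" or host not in allowed_hosts)


if __name__ == "__main__":
    result = summarize_day0(SAMPLE_LOG)
    print("PnP servers:", sorted(result["pnp_servers"]))
    print("SUDI (PID, SN):", result["sudi"])
    print("DHCP config servers:", result["config_servers"])
    print("Severity 0-3 messages:", dict(result["severe"]))
    # Hypothetical allowlist: the host this deployment expects to provision from.
    print("Unexpected:", unexpected_pnp_servers(result, {"devicehelper.cisco.com"}))
```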

Access the router using the console interface

Procedure


Step 1

Use the enable command to enable the router.

Example:

Router> enable

Step 2

(Go to Step 3 if the enable password has not been configured.) Enter your system password when prompted for the password.

Example:

Password: enablepass

Once your password is accepted, the privileged EXEC mode prompt is displayed.

Example:

Router#
					

You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your desired tasks.

Step 3

Enter the quit command to exit the console session.

Example:

Router> quit

Initial bootup security

This section contains these topics:

Change the default password

When the device is first booted after a factory reset or when it is new, you will receive a prompt on the console to enter the initial configuration dialog. Cisco recommends using the enable secret command instead of the enable password command for improved encryption.

Procedure


Step 1

Enter your response to the initial configuration dialog prompt on the console.

Example:


            Would you like to enter the initial configuration dialog? [yes/no]: 
            no
          

If you choose no, the device will proceed with auto-install attempts and then prompt you to set the enable secret password.

Step 2

Use the enable secret command to enter a new password when prompted to set the password.

Example:


            The enable secret is a password used to protect
            access to privileged EXEC and configuration modes.
            This password, after entered, becomes encrypted in
            the configuration.
            -------------------------------------------------
            secret should be of minimum 10 characters with
            at least 1 upper case, 1 lower case, 1 digit and
            should not contain [cisco]
            -------------------------------------------------
            Enter enable secret: 
            **********
            Confirm enable secret: 
            **********
          

Note

 
  • The initial dialog forces you to set a new enable password using the enable secret command.

  • The password must be at least 10 characters, include upper and lower case letters, at least one digit, and must not contain the word "cisco". If a weak password is entered, you will be prompted again until a strong password is provided.

  • You must enter the password twice for confirmation.

Step 3

Save the configuration and complete the setup process.

Example:


            The following configuration command script was created:
            enable secret 9 $9$rDzH3rLqjlFhek$G9UDZE7moWqsKJEZfJAH2yO.SPhKZeKJsEe./CPEzl.
            !
            end
            [0] Go to the IOS command prompt without saving this config.
            [1] Return back to the setup without saving this config.
            [2] Save this configuration to nvram and exit.
            Enter your selection [2]: 
            2
            Building configuration...
            [OK]
            Use the enabled mode 'configure' command to modify this configuration.
            Press RETURN to get started!
            *Feb 12 00:14:14.305: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
            *Feb 12 00:14:14.308: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
            *Feb 12 00:14:15.306: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
            Router>
            *Feb 12 00:14:15.653: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: SLA-TrustPoint created succesfully
            *Feb 12 00:14:15.657: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM[OK]
            Router>
            Router>
            en
            Password:
            *Feb 12 00:14:18.878: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
            *Feb 12 00:14:18.910: %CALL_HOME-6-CALL_HOME_ENABLED: Call-home is enabled by Smart Agent for Licensing.
            Router#
            sh run | inc sec
            *Feb 12 00:14:26.299: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0ret
            enable secret 9 $9$rDzH3rLqjlFhek$G9UDZE7moWqsKJEZfJAH2yO.SPhKZeKJsEe./CPEzl.
            Router#
          

Note

 

After you save the configuration, you can access privileged EXEC mode using the new enable secret password. When you enter the password, it is masked, and the configuration will be encrypted and saved to NVRAM.


The device is now secured with a strong enable secret password, and the configuration is saved. You can proceed to further configure the device as needed.

Telnet and HTTP protocols

As of release 17.5.1, the default boot configuration for Telnet and HTTP has changed. On devices that are new from the factory or have been factory reset, these defaults apply:

  • Telnet is disabled.

  • The HTTP server is disabled.

  • The HTTP client works.

  • SSH is enabled.

  • The HTTPS server is enabled.

Remote console CLI access methods

The CLI of the IR8100H can be accessed remotely using Telnet or SSH.

  • Remote access is available via Telnet or SSH.

  • Telnet is disabled by default for security reasons.

  • SSH is the preferred and more secure method for remote CLI access.

Router console connections

To access the router remotely using Telnet from a TCP/IP network, you can configure the router to support virtual terminal lines using the line vty global configuration command. You can configure the virtual terminal lines to require users to log in and specify a password.

See the Cisco IOS-XE Device hardening guide at https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html for details.

Configuring the diagnostic and wait banners is optional, but recommended. The banners are especially useful as indicators to users about the status of their Telnet or SSH attempts.

See the Cisco IOS Terminal Services Command Reference document for more information about the line vty global configuration command.

To prevent disabling login on a line, specify a password with the password command when you configure the login command.

If you are using authentication, authorization, and accounting (AAA), configure the login authentication command. To prevent disabling login on a line for AAA authentication when you configure a list with the login authentication command, you must also configure that list using the aaa authentication login global configuration command.

For more information about AAA services, see the Cisco IOS XE Security Configuration Guide: Secure Connectivity and the Cisco IOS Security Command Reference documents. For more information about the login line-configuration command, see the Cisco IOS Terminal Services Command Reference document.

In addition, before you make a Telnet connection to the router, you must have a valid hostname for the router or have an IP address configured on the router. For more information about the requirements for connecting to the router using Telnet, information about customizing your Telnet services, and using Telnet key sequences, see the Cisco IOS Configuration Fundamentals Configuration Guide.


Set up the IR8140H to run SSH

To set up your device to run SSH, follow this procedure.

Before you begin

Configure user authentication for local or remote access. This step is required.

Procedure


Step 1

Use the configure terminal command to enter the global configuration mode.

Example:


Router# configure terminal

Step 2

Use the hostname hostname command to configure a hostname and IP domain name for your device.

Example:


Router(config)# hostname your_hostname

Note

 

You can follow this procedure only if you are configuring the device as an SSH server.

Step 3

Use the ip domain-name domain_name command to configure a host domain for your device.

Example:


Router(config)# ip domain-name your_domain_name

Step 4

Use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server for local and remote authentication on the device.

Example:


Router(config)# crypto key generate rsa

Note

 
  • You must follow this procedure only if you are configuring the device as an SSH server.

  • Generating an RSA key pair for the device automatically enables SSH.

  • A minimum modulus size of 1024 bits is recommended.

    When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.

Step 5

Use the end command to exit to privileged EXEC mode.

Example:


Router(config)# end

Access a console interface using telnet

Procedure


Step 1

Enter one of these commands, from your terminal or PC.

  • connect host [ port ] [ keyword ]

  • telnet host [ port ] [ keyword ]

Example:


unix_host% telnet router
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
unix_host% connect

The example shows you how to use the telnet command to connect to a router named router.

Note

 

In this command, host is the router hostname or IP address, port is a decimal port number with 23 being the default value, and keyword is a supported keyword. For more information about these commands, see the Cisco IOS Terminal Services Command Reference document.

Step 2

Enter the password when prompted.

Example:

User Access Verification
Password: mypassword

Note

 

If no password is configured, then press Return.

Step 3

Enter the enable command to enable the router from the user EXEC mode.

Example:


Router> enable

Step 4

Enter your system password at the password prompt.

Example:

Password: enablepass

Step 5

The privileged EXEC mode prompt is displayed once the enable password is accepted.

Example:

Router# 

Step 6

Enter the necessary commands to complete specific tasks using the CLI access in privileged EXEC mode.

Step 7

Use the exit or logout command to exit the Telnet session.

Example:

 Router# logout

CLI session

CLI session management is a set of mechanisms that control user access, protect system resources, and prevent conflicts during command-line interface sessions.

  • An inactivity timeout can be configured and enforced to automatically end idle sessions.

  • Session locking prevents two users from overwriting each other's changes.

  • Spare capacity is reserved for CLI session access to ensure users can connect even when the system is under load.

Change CLI session timeout

Procedure


Step 1

Use the configure terminal command to enter the global configuration mode.

Step 2

Use the line console 0 command to access the configuration mode for the console line of the router.

Step 3

Use the session-timeout [minutes] command to set the session timeout.

The value of minutes sets the amount of time that the CLI waits before timing out. Setting the CLI session timeout increases the security of a CLI session. Specify a value of 0 for minutes to disable session timeout.

Step 4

Use the show line console 0 command to verify the value to which the session timeout has been set, which is shown as the value for idle session.
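An added example, not part of the Cisco guide: a Python check that reads a saved running-config and flags the settings this guide treats as security-relevant (enable password in place of enable secret, the HTTP server, Telnet accepted on vty lines, login disabled on a line, and a missing or zero session timeout). The sample configuration, finding codes and function names are constructed for illustration; a vty line with no explicit transport input is assumed to follow the default and is not flagged.

```python
import re

# Constructed running-config fragment for illustration (not from a real device).
SAMPLE_CONFIG = """\
enable password Example12345
ip http server
ip http secure-server
!
line con 0
 session-timeout 10
 lockable
line vty 0 4
 password Example12345
 login
 transport input telnet ssh
line vty 5 15
 no login
 transport input ssh
 session-timeout 0
"""


def parse_sections(config):
    """Split IOS-style config into global commands and per-line sub-commands."""
    global_lines, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" "):
            # Indented command: keep it only if it belongs to a "line" block.
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        current = None
        if re.match(r"line (con|console|vty)\b", raw):
            current = raw.strip()
            line_blocks[current] = []
        else:
            global_lines.append(raw.strip())
    return global_lines, line_blocks


def audit(config):
    """Return a list of (scope, finding_code) tuples in config order."""
    findings = []
    global_lines, line_blocks = parse_sections(config)
    if any(c.startswith("enable password ") for c in global_lines):
        findings.append(("global", "enable-password"))
    if not any(c.startswith("enable secret ") for c in global_lines):
        findings.append(("global", "no-enable-secret"))
    if "ip http server" in global_lines:  # "no ip http server" does not match
        findings.append(("global", "http-server"))
    for header, cmds in line_blocks.items():
        if header.startswith("line vty"):
            for cmd in cmds:
                if cmd.startswith("transport input "):
                    protocols = cmd.split()[2:]
                    if "telnet" in protocols or "all" in protocols:
                        findings.append((header, "telnet"))
            if "no login" in cmds:
                findings.append((header, "login-disabled"))
        # session-timeout 0 disables the timeout, same as leaving it unset.
        timeouts = [int(m.group(1)) for m in
                    (re.match(r"session-timeout (\d+)", c) for c in cmds) if m]
        if not timeouts or timeouts[-1] == 0:
            findings.append((header, "no-session-timeout"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(SAMPLE_CONFIG):
        print(f"{scope}: {code}")
```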


Lock a CLI session

Before you begin

To configure a temporary password on a CLI session, use the lock command in EXEC mode. Before you can use the lock command, you need to configure the line using the lockable command. In this example the line is configured as lockable, and then the lock command is used and a temporary password is assigned.

Procedure


Step 1

Use the configure terminal command to enter the global configuration mode.

Example:

Router# configure terminal

Step 2

Enter the line upon which you want to be able to use the lock command.

Example:

Router(config)# line console 0

Step 3

Use the lockable command to enable the line to be locked.

Example:

Router(config)# lockable

Step 4

Use the exit command to exit the configuration mode.

Example:

Router(config)# exit

Step 5

Use the lock command to lock the CLI session.

Example:

Router# lock
The system prompts you for a password, which you must enter twice.
Password: <password>
Again: <password>
Locked