How to configure Cisco IOS Banners

Cisco IOS devices support a number of banners that are presented to users when they use the console line or when they connect remotely using telnet or SSH. They are often used to inform users about their legal rights. It might be a good idea to present a banner to users who are trying to connect to your device. Here are some items you might want to think about:

  • To show that only authorized users are allowed to connect.
  • That all traffic will be monitored.
  • That there is no expectation of privacy.
  • Don’t use anything that says “welcome”.
  • Don’t add any contact information or information about the router in the banner.

Here’s a good example on the website of the California Technology Agency that gives you more information about what a good banner should contain and some sample texts. Before you implement any banners, make sure to check with your legal counsel first. Having said that, let’s look at the different banners…

Different Banners

Cisco IOS routers support a number of banners. Here they are:

  • MOTD banner: the “message of the day” banner is presented to everyone that connects to the router.
  • Login banner: this one is displayed just before the authentication prompt.
  • Exec banner: displayed before the user sees the exec prompt.
  • Incoming banner: used for users that connect through reverse telnet.

We’ll take a look at how to configure these different banners now.

MOTD Banner

We’ll start with the message of the day banner that will be presented to anyone accessing the router:

R1(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Authorized users only, violaters will be shot on sight! #

The # symbol is a start and stop character. You can use any other character if you want. This is what the MOTD banner looks like:

R1#exit

R1 con0 is now available

Press RETURN to get started.

Authorized users only, violaters will be shot on sight!

A nice and welcome banner that everyone will see…let’s move on to the login banner now.

Login Banner

The login banner is presented to users that access the router remotely using telnet or SSH:

R1(config)#banner login $ Authenticate yourself! $

Let’s try it out:

R1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open

Authorized users only, violaters will be shot on sight!  Authenticate yourself!

Above you see that the login banner is displayed after the MOTD banner, on the same line. It would have been better if I had added some empty lines so that the login banner would show up below the MOTD banner.
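One way to check a saved configuration against the checklist at the top of this lesson, as an added example (not code from the original lesson): it reads each `banner` command up to its closing delimiter, including the `^C` form that `show running-config` prints, and audits the motd and login banners. The sample config, the function names and the keyword list are assumptions made for the illustration.

```python
import re

# Constructed sample config for illustration (not taken from the lesson).
SAMPLE_CONFIG = """\
hostname R1
banner motd #
Welcome to R1! Contact the NOC for access.
#
banner login ^C Authorized users only. All activity is monitored. ^C
"""

# The delimiter is any single character, or "^C" as printed by "show running-config".
BANNER_RE = re.compile(r"^banner\s+(\S+)\s+(\^C|\S)(.*)$")
REQUIRED = ("authorized", "monitor", "privacy")  # assumed keywords for the checklist items

def parse_banners(config):
    """Return {banner type: text}, reading each banner up to its closing delimiter."""
    banners, lines, i = {}, config.splitlines(), 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i])
        i += 1
        if not m:
            continue
        kind, delim, rest = m.groups()
        parts = []
        while delim not in rest and i < len(lines):  # banner continues on the next line
            parts.append(rest)
            rest, i = lines[i], i + 1
        parts.append(rest.split(delim, 1)[0])
        banners[kind] = "\n".join(parts).strip()
    return banners

def audit_banners(config):
    """Check the pre-login banners (motd, login) and return a list of findings."""
    banners = parse_banners(config)
    shown = {k: banners[k] for k in ("motd", "login") if k in banners}
    if not shown:
        return ["no motd or login banner configured"]
    host = re.search(r"^hostname\s+(\S+)", config, re.M)
    findings = []
    for kind, text in shown.items():
        if "welcome" in text.lower():
            findings.append(f"{kind}: contains 'welcome'")
        if host and re.search(rf"\b{re.escape(host.group(1))}\b", text, re.I):
            findings.append(f"{kind}: names the device ({host.group(1)})")
    combined = " ".join(shown.values()).lower()
    findings += [f"missing statement: {w}" for w in REQUIRED if w not in combined]
    return findings

print("\n".join(audit_banners(SAMPLE_CONFIG)))
```

The required statements are checked across both banners together, because a user connecting remotely sees the MOTD and login banners one after the other.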

Exec Banner

The exec banner is shown just before the exec prompt:

R1(config)#banner exec #
Enter TEXT message.  End with the character '#'.
You are connected to line $(line) at router $(hostname)
#

This time I added an extra line in the banner and I also used some tokens like $(line) and $(hostname), which the router replaces with the line number and its hostname. Let’s see what that looks like:

  • Content created by Rene Molenaar (CCIE #41726)

535 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Hi Rene,
    I can’t understand the reverse telnet that you have described in the last section. Why do we need it, what are its uses and how does it work? Where do we get the IP (1.1.1.1) and port (6097) from? Thx

    br//
    zaman

  2. Hello Mohammad

    In order to save space Rene didn’t explain extensively how to configure reverse telnet, but just showed how to configure a banner for it. A nice piece of information about reverse telnet can be found at this Cisco support forum article, but I can tell you a little about it here.

    It basically gives you the ability to telnet into a network connected device (say a router) and then connect to a neighbouring device via its console connection. In essence, this gives you the opportunity to remotely connect to the console connection of a device. This

    ...

  3. Hi Rene,

    I am confused about the cable connection between the two devices. Which type of cable has to be used on the AUX port end and the console end if I don’t have an NM16-A or NM32-A module or a Cisco 2511-RJ? Please help me to understand. Thx

    br/zaman

  4. Hi Laz,
    I have tried the way you described but can’t connect. My setup is:
    I have an online router (named DHAKA) whose loopback is reachable from the internet. I connected this router’s (DHAKA) AUX port to another router’s (named KHULNA) console port using a straight-through (T568B) cable, telnetted to the loopback of the DHAKA router and configured the AUX port like this:

    DHAKA#config t
    DHAKA(config)#line aux 0
    DHAKA(config-line)#modem InOut
    DHAKA(config-line)#transport input all
    DHAKA(config-line)#speed 19200
    DHAKA(config-line)#exit
    and check the line of Aux port ....
    DHAKA# sh line
    ...

  5. Hi Zaman,

    It should work like this. First, check the AUX line:

    R1#show line
       Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
    *     0    0 CTY              -    -      -    -    -     0      0    0/0      -
          1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
        514  514 VTY              -    -      -    -    -     0      0    0/0      -
        515  515 VTY              -    -      -    -    -     0      0    0/0      -
        516  516 VTY              -    -      -    -    -     0      0    0/0      -
        51
    ...
