Banners
A very good reason for having a banner is to give any and all who dare attempt to telnet or sneak into your internetwork a little security notice. And they’re very cool because you can create and customize them so that they’ll greet anyone who shows up on the router with exactly the information you want them to have!
Here are the three types of banners you need to be sure you’re familiar with:
Exec process creation banner
Login banner
Message of the day banner
And you can see them all illustrated in the following code:
tod (config)# banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
Message of the day (MOTD) banners are the most widely used banners because they give a message to anyone connecting to the router via Telnet or an auxiliary port or even through a console port as seen here:
tod (config)# banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
tod (config)# banner motd #
Enter TEXT message. End with the character '#'.
$ Acme.com network, then you must disconnect immediately.
#
tod (config)# ^Z (Press the control key + z keys to return to privileged mode)
tod # exit
con0 is now available
Press RETURN to get started.
If you are not authorized to be in Acme.com network, then you
must disconnect immediately.
tod #
This MOTD banner essentially tells anyone connecting to the device to get lost if they’re not on the guest list. The part to focus upon here is the delimiting character, which is what informs the router the message is done. You can use any character you want as the delimiter, but that character can’t then appear in the message itself. Once the message is complete, press Enter, then the delimiting character, and then press Enter again. Everything will still work if you don’t follow this routine unless you have more than one banner. If that’s the case, make sure you do follow it or your banners will all be combined into one message and put on a single line!
You can set a banner on one line like this:
tod (config)# banner motd x Unauthorized access prohibited! x
Let’s take a minute to go into more detail about the other two types of banners I mentioned:
Exec banner: You can configure a line-activation (exec) banner to be displayed when EXEC processes such as a line activation or an incoming connection to a VTY line have been created. Simply initiating a user exec session through a console port will activate the exec banner.
Login banner: You can configure a login banner for display on all connected terminals. It will show up after the MOTD banner but before the login prompts. This login banner can’t be disabled on a per-line basis, so to globally disable it you’ve got to delete it with the no banner login command.
Here’s what a login banner output looks like:
!
banner login ^C
Cisco Router and Security Device Manager (SDM) is installed on
this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password
have a privilege level of 15.
Please change these publicly known initial credentials using
SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and
password you want to use.
For more information about SDM please follow the instructions
in the QUICK START GUIDE for your router
^C
!
The previous login banner should look pretty familiar to anyone who’s ever logged into an ISR router because it’s the banner Cisco has in the default configuration for its ISR routers.
Remember that the login banner is displayed before the login prompts and after the MOTD banner.
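A check for saved configurations, as an added example that is not part of the original text or of any Cisco tool: this Python script pulls the banner blocks out of a configuration using the delimiter rule described above, then flags a banner that talks about passwords (like the default SDM login banner), a leftover default "cisco" account, and a delimiter that also occurs inside the message. The sample configuration is constructed, and the function names and the policy that both a MOTD and a login banner should exist are assumptions made for the example.

```python
import re

# Banner keywords as listed by "banner ?" on the page.
BANNER_RE = re.compile(r"^banner\s+(exec|incoming|login|motd|prompt-timeout|slip-ppp)\s+(.+)$")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
hostname tod
username cisco privilege 15 secret 5 <constructed-hash>
banner login ^C
This feature requires the one-time use of the username "cisco"
with the password "cisco".
^C
banner exec c Authorized access only c
"""

def parse_banners(config):
    """Return {type: (text, leftover)}; leftover is any text after the closing delimiter."""
    banners, lines, i = {}, config.splitlines(), 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i].strip())
        i += 1
        if not m:
            continue
        kind, rest = m.groups()
        # Saved configs show the delimiter as the two characters ^C; typed ones use one character.
        delim = "^C" if rest.startswith("^C") else rest[0]
        buf = rest[len(delim):]
        while delim not in buf and i < len(lines):  # multi-line banner: read to the delimiter
            buf += "\n" + lines[i]
            i += 1
        text, _, leftover = buf.partition(delim)  # the first delimiter ends the message
        banners[kind] = (text.strip(), leftover.strip())
    return banners

def audit(config):
    """Return a list of findings for one device configuration (assumed policy, see lead-in)."""
    banners, findings = parse_banners(config), []
    for kind in ("motd", "login"):
        if kind not in banners:
            findings.append(f"no {kind} banner configured")
    for kind, (text, leftover) in banners.items():
        if re.search(r"password", text, re.I):
            findings.append(f"{kind} banner mentions a password")
        if leftover:
            findings.append(f"{kind} banner: text after closing delimiter: {leftover!r}")
    if re.search(r"^username cisco\b", config, re.M):
        findings.append("default account 'cisco' is still defined")
    return findings
```

Calling audit(SAMPLE) reports the missing MOTD banner, the login banner that mentions a password, the exec banner cut short at the first "c" of "access", and the default account.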