Add a login banner to your Cisco router

A login banner is displayed whenever someone connects to the router by telnet or console connections.


The syntax for the banner command is:

banner motd {char} {banner text} {char}

where {char} is a special delimiter character that does not exist in the {banner text}. Everything contained between the first and second {char} characters, including carriage returns, is interpreted as the banner message. For example,

config t
banner motd #
******************************************
* Unauthorized access prohibited
******************************************
#

See the comments below for additional, amazing uses for this feature.

 

About Quinn McHenry

Quinn was one of the original co-founders of Tech-Recipes. He is currently crafting iOS applications as a senior developer at Small Planet Digital in Brooklyn, New York.


15 Responses to “Add a login banner to your Cisco router”

  1. June 23, 2009 at 3:20 pm, renso said:

    thanks

    Reply

  2. August 03, 2009 at 2:42 pm, Anonymous said:

    you can also use variables like:

    |=================================================================|
    Hostname $(hostname)
    Domain $(domain)
    Line $(line)
    |=================================================================|

    Reply

    • October 10, 2010 at 5:30 pm, VladisLuck said:

      Thank you very much.

      Reply

      • October 11, 2010 at 1:17 am, Anonymous said:

        Thank you very much for your message. I am currently on vacation and have only limited access to my e-mail inbox. I will be back in the office from Monday, 11 Oct 2010.

        In urgent cases, you can contact Mr. Damian Keller (061 260 77 29) for network matters and Mr. Christian Halm (061 260 66 33) for client/server matters.

        Of course, our on-call service is available to you around the clock. Please contact us on 061 260 66 66 or on the service hotline noted in your maintenance contract!

        Your message will not be forwarded!

        Samuel Heinrich
        Network Engineer CCNA
        IT & TelCom

        Reply

    • May 05, 2013 at 3:33 pm, jojo said:

      > you probably don’t want to use these variables in your banner. If I was a hacker and saw these variables in the banner, it would give me great information to use. Don’t put anything about your topology in the banner, unless it’s your home lab and you don’t have to worry about intruders

      Hostname $(hostname)
      Domain $(domain)
      Line $(line)

      Reply

      • February 09, 2014 at 5:33 pm, Drive By said:

        > true enough, but if you do it this way you’re only giving information (DNS and login info at that) to those that managed to login, no recon info gained otherwise:

        banner exec ^C
        Login Successful: $(hostname).$(domain) on line $(line)
        ^C
        banner login ^C
        ******************************************
        * Unauthorized access prohibited
        * All activity is logged and abuses
        * will be reported.
        ******************************************
        ^C

        with the added benefit that some scripts that log in automatically can parse this and log it (in case of “stuck” lines, for example).

        Reply
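An added example (not part of the original post or its comments): a small Python audit that applies the article's delimiter rule to pull the banner blocks out of a saved configuration, then reports any $(hostname), $(domain) or $(line) tokens in banners shown before login, which is the exposure discussed in the thread above. The sample configuration and the names parse_banners and audit are constructed for illustration.

```python
import re

PRE_AUTH = {"motd", "login"}   # banners shown before the login prompt
TOKEN = re.compile(r"\$\((?:hostname|domain|line)\)")
# "banner <type> <delim>": the delimiter is one character, or the two-character
# "^C" form used in the thread's example.
HEAD = re.compile(r"^[ \t]*banner[ \t]+(\S+)[ \t]+(\^C|\S)", re.M)

def parse_banners(config):
    """Return {banner_type: text}. Text runs from the first delimiter to its
    next occurrence, newlines included."""
    banners, pos = {}, 0
    while True:
        m = HEAD.search(config, pos)
        if not m:
            return banners
        kind, delim = m.group(1), m.group(2)
        end = config.find(delim, m.end())
        if end == -1:              # unterminated banner: take the rest of the file
            end = len(config)
        banners[kind] = config[m.end():end].strip("\r\n")
        pos = end + len(delim)     # resume after the closing delimiter

def audit(config):
    """Return sorted (banner_type, token) pairs visible before authentication."""
    findings = set()
    for kind, text in parse_banners(config).items():
        if kind in PRE_AUTH:
            findings.update((kind, tok) for tok in TOKEN.findall(text))
    return sorted(findings)

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
hostname edge-rtr-01
banner motd #
Hostname $(hostname)
Domain $(domain)
Line $(line)
#
banner login ^C
* Unauthorized access prohibited
^C
banner exec ^C
Login Successful: $(hostname).$(domain) on line $(line)
^C
"""

if __name__ == "__main__":
    for kind, tok in audit(SAMPLE):
        print(f"banner {kind}: {tok} is expanded before authentication")
```

The exec banner in the sample uses the same tokens but is not reported, because it is only displayed after a successful login.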

  3. September 23, 2009 at 11:43 am, Anonymous said:

    thanks a lot

    so easy!

    Reply

  4. March 04, 2010 at 11:50 am, Anonymous said:

    Thanks a lot, I forgot, I was trying and trying and this refreshed my memory. And this isn’t a big command after all, shame on me…..

    Reply

  5. May 26, 2010 at 11:39 am, najam said:

    Can you please tell me how I can mention a particular level for banner

    Reply

  6. October 10, 2010 at 5:29 pm, jyrki said:

    This is not LOGIN banner. It’s MOTD banner. It’s frustrating to try to find information about why someone would use login banner instead of MOTD banner, as every Google result that comes up directs to answers or directions where somebody asks about login banner and another one answers with MOTD banner.

    FYI all. There are several levels of banners in IOS. And for most of you it is enough to know that you should use MOTD banner.
    But I’m looking for thorough information about use of LOGIN banner.

    Reply

    • October 11, 2010 at 9:25 pm, CCENT said:

      Banner -> Typical Use

      Message of the Day (MOTD) -> Shown before the login prompt. For temporary messages that may change from time to time, such as “Router1 down for maintenance at midnight.”

      Login -> Shown before the login prompt but after the MOTD banner. For permanent messages such as “Unauthorized Access Prohibited.”

      Exec -> Shown after the login prompt. Used to supply information that should be hidden from unauthorized users.

      Reply

  7. January 05, 2011 at 8:24 am, Mohd_arbi said:

    hey thanks dear for help

    Reply

  8. May 28, 2012 at 8:30 pm, Akbar said:

    Thanks for valued information on banner creation on Cisco router and switch

    Reply

  9. November 07, 2012 at 3:11 pm, Cachinho said:

    If you’d like to add a logo for that banner, use some image-to-ASCII generator … pretty cool.

    Reply

  10. April 18, 2014 at 5:27 pm, Paul said:

    The documentation for Cisco banner exec is a bit confusing, possibly even contradictory. Page 37 of the v15 “Cisco IOS Configuration Fundamentals Command Reference.pdf” states “This command specifies a message to be displayed when a EXEC process is created (a line is activated, or an incoming connection is made to a vty).”

    The very next paragraph states “When a user connects to a router, the message-of-the-day (MOTD) banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.”

    A “reverse telnet” connection is an in-band, or VTY connection, whereas serial connections are via the aux or console ports. Both statements can’t be true since they directly contradict each other: “…connection made to a vty” and “the Exec banner or incoming banner… depending… reverse Telnet login, the incoming banner… For all other connections,… the Exec banner.”

    I’m confused.

    Reply
