CCIE Pursuit Blog

December 22, 2008

Lab Tip: Choosing The Correct Banner

Banners!!!!  Arg.  Cisco IOS lets you present different messages depending on which method is being used to access the device.  Without spending time searching the Cisco documentation (and often even after searching it), it’s hard to determine which banner type should be used to fulfill a certain task.  You’ll see tasks like this:

A banner message should be displayed to all users that telnet into the router that says “Stay out of my router haXors!!!”

Here are our banner choices:

Rack1R5(config)#banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

[Note: This is not a comprehensive list as there are banners like ‘aaa authentication banner’, but these are the ones you’re likely to use for the Routing and Switching lab (although ‘slip-ppp’ is unlikely)]

So which one to use?

Configure them all and see which ones appear:

Rack1R5(config)#banner #no option#
Rack1R5(config)#banner exec #exec#
Rack1R5(config)#banner incoming #incoming#
Rack1R5(config)#banner login #login#
Rack1R5(config)#banner motd #motd#
Rack1R5(config)#banner prompt-timeout #prompt-timeout#
Rack1R5(config)#banner slip-ppp #slip-ppp#

Now telnet into the router:

Rack1R1#telnet 150.1.5.5
Trying 150.1.5.5 … Open
motdlogin

User Access Verification

Password:
exec
Rack1R5>en
Password:
Rack1R5#

We can see that both the MOTD and ‘login’ banners are displayed before logging into the router, with the MOTD being displayed first, and the ‘exec’ banner is displayed after successfully logging in.  [Note: R5 has ‘login’ configured under the vty lines in this example]  At this point the task becomes an “Ask the proctor” task to determine if you should use the MOTD or the ‘login’ banner.  🙂

If we remove the ‘login’ option from R5’s vty line then we do not see the ‘login’ banner displayed:

Rack1R5(config)#do sh run | sec line vt
line vty 0 4
 password cisco
 login
Rack1R5(config)#line vty 0 4
Rack1R5(config-line)#no login

Rack1R1#telnet 150.1.5.5
Trying 150.1.5.5 … Open
motdexec
Rack1R5>

But now we see the MOTD and ‘exec’ banners when we telnet to the device, because without ‘login’ on the vty line we are placed directly into exec mode (user exec mode in this case).
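
The two tests above can be turned into a quick configuration check. The Python below is an added example, not from the original post or from Cisco: it reads configuration text and reports which banners a telnet user would see, modelling only the behaviour observed in this post. The function names and the sample configurations are constructed for illustration.

```python
import re

# Banner keywords taken from the post's `banner ?` output.
KINDS = "exec|incoming|login|motd|prompt-timeout|slip-ppp"
# 'banner <kind> c text c': the delimiter is one character, or ^C as shown by `show run`.
BANNER_RE = re.compile(rf"^banner ({KINDS}) (\^C|\S)(.*?)\2", re.M | re.S)

def parse_banners(config):
    """Map banner keyword -> text for each banner command in the config."""
    return {kind: text for kind, _delim, text in BANNER_RE.findall(config)}

def vty_requires_login(config):
    """True if any 'line vty' section contains a 'login' subcommand."""
    in_vty = False
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command: new section
            in_vty = line.startswith("line vty")
        elif in_vty and line.split()[:1] == ["login"]:
            return True                         # ' no login' starts with 'no', so it is skipped
    return False

def telnet_banners(config):
    """Return (banners shown to a telnet user in order, configured banners not shown)."""
    banners = parse_banners(config)
    # Order observed in the post: motd, then login (only with 'login' on the vty), then exec.
    order = ["motd", "login", "exec"] if vty_requires_login(config) else ["motd", "exec"]
    shown = [(kind, banners[kind]) for kind in order if kind in banners]
    not_shown = sorted(set(banners) - set(order))
    return shown, not_shown

# Constructed sample configs mirroring the post's two tests (not captured output).
BASE = """banner exec #exec#
banner incoming #incoming#
banner login #login#
banner motd #motd#
line vty 0 4
 password cisco
"""
WITH_LOGIN = BASE + " login\n"
WITHOUT_LOGIN = BASE + " no login\n"

if __name__ == "__main__":
    for name, cfg in (("login", WITH_LOGIN), ("no login", WITHOUT_LOGIN)):
        shown, not_shown = telnet_banners(cfg)
        print(f"vty '{name}': shown {[k for k, _ in shown]}, not shown {not_shown}")
```

Run against a saved configuration, this flags the case from the second test, where a warning placed only in the ‘login’ banner is never displayed because the vty lines do not have ‘login’ configured.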

Read more about configuring banners at Enabling Terminal Banners


2 Comments »

  1. Great post dude. Thank you.

    Comment by D Y — December 22, 2008 @ 5:56 pm | Reply

  2. Great illustration.

    Comment by Paul Stewart — December 22, 2008 @ 6:04 pm | Reply

