Banners and MOTD
Lab Objectives
- Configure a Message of the Day (MOTD) banner on a router to present an informational/legal notice to users before they log in.
- Configure a login banner to display a pre-login warning for administrative access.
- Verify banner configuration and troubleshoot common banner mistakes.
Topology (from the lab diagram):
- Internet: 203.0.113.1
- R1 (Gateway): Gi0/0 10.10.10.1, Gi0/1 10.10.20.1, Gi0/2 10.10.30.1
- R2: Gi0/0 10.10.10.2, Gi0/1 10.10.40.1
- R3
- R4: Gi0/0 10.10.30.2
- Switches: S1, S2, S3
- Hosts: PC1, PC2, PC3, PC4, PC5
IP SCHEME (for reference)
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Tip: In production, banners are used for legal notices and to provide contact/identification information. Think of a banner like a sign posted on a door — it tells you who is responsible and warns unauthorized people not to enter.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Task 1: Configure MOTD on R1
Create a Message of the Day banner on R1 that displays:
- Organization: NHPREP
- Hostname: R1
- Contact: admin@lab.nhprep.com
- A short legal notice "Authorized use only"
(Do not include the commands here — just plan the text and delimiter.)
Task 2: Configure login banner on R2
Create a login (pre-login) banner on R2 to warn users with the text:
- "WARNING: Authorized Access Only — All activity is logged."
Task 3: Verify banners on S1
On switch S1, verify the MOTD banner and login banner configured on R1 and R2 by displaying their running configurations (from S1, use appropriate access to display the router configs via console or show output where possible). For this lab, assume you can inspect each device's running config locally.
Think About It: Why would you use a login banner in addition to an MOTD? Consider when each is displayed and legal implications.
Lab Solution
Task 1 Solution: Configure MOTD on R1
What we are doing: Configure the Message of the Day (MOTD) banner on R1 so anyone who connects (before authentication) sees an informational/legal message identifying the organization and contact.
R1# configure terminal
R1(config)# banner motd #
Enter TEXT message. End with the character '#'.
*** Welcome to NHPREP Router R1 ***
Contact: admin@lab.nhprep.com
Authorized use only.
#
R1(config)# end
R1#
What just happened:
- configure terminal: enters global configuration mode to change device configuration.
- banner motd #: begins MOTD banner configuration. The # is a delimiter character; text continues until the same # is entered again, here on a line by itself. Using a delimiter avoids needing special quoting.
- The lines between the delimiters are the message that will display to users upon connection (before or after login depending on device/connection type).
- end: exits configuration mode back to privileged EXEC.
Why it matters: The MOTD displays a general message to everyone who connects. In many jurisdictions, a clear pre-login message can be important for legal protection and user awareness. In large networks it's also used to direct engineers to the correct contact address (here admin@lab.nhprep.com).
Verify:
R1# show running-config | section banner
banner motd #
*** Welcome to NHPREP Router R1 ***
Contact: admin@lab.nhprep.com
Authorized use only.
#
- The show running-config | section banner command displays the banner stanza exactly as stored in the running configuration. You should see the MOTD message enclosed by your chosen delimiter.
Task 2 Solution: Configure login banner on R2
What we are doing: Configure a login banner so a pre-login warning is presented to anyone attempting to log in on R2 (this is typically shown before the username/password prompt).
R2# configure terminal
R2(config)# banner login $
Enter TEXT message. End with the character '$'.
WARNING: Authorized Access Only — All activity is logged.
$
R2(config)# end
R2#
What just happened:
- banner login $: starts configuration of the login banner. The $ delimiter marks the end of the banner text. The banner is displayed prior to authentication prompts on many connection types (vty/console).
- The text warns users that access is restricted and monitoring is active, which can have legal importance.
Why it matters: The login banner is often used for formal warnings or consent notices that are displayed before authentication. This can be required for legal compliance or to deter unauthorized attempts.
Verify:
R2# show running-config | section banner
banner login $
WARNING: Authorized Access Only — All activity is logged.
$
Task 3 Solution: Verify banners on S1
What we are doing: Confirm from S1 (or locally on each device) that R1 and R2 banners are configured as expected. On a real device you would show running-config locally; in multi-device labs you inspect each device.
S1# show running-config | include banner
banner motd #
banner login $
What just happened:
- On S1, show running-config | include banner shows banner statements if configured on that switch. If S1 was not configured with a banner, the output might be empty.
- To verify R1 and R2 specifically, connect to those devices and run show running-config | section banner as shown in the Task 1 and Task 2 verify blocks.
Verify (R1 sample again):
R1# show running-config | section banner
banner motd #
*** Welcome to NHPREP Router R1 ***
Contact: admin@lab.nhprep.com
Authorized use only.
#
Verify (R2 sample again):
R2# show running-config | section banner
banner login $
WARNING: Authorized Access Only — All activity is logged.
$
Real-world note: For remote access (SSH), some platforms show the MOTD after authentication and the login banner before authentication. Always test your specific platform and connection type.
Troubleshooting Scenario
Scenario: Banner text never ends and device appears stuck in config mode
Symptom: After entering the banner, the CLI does not return to the prompt and continues accepting lines. Attempting Ctrl+C or Ctrl+Z does not exit, and the banner is never saved.
Your task: Find and fix the issue.
Hint: Check the delimiter you used to start the banner and ensure you type the exact same delimiter on a new line to finish the banner.
Solution: If you started the banner with a delimiter (for example #), you must end it by entering that same delimiter on a line by itself. Example fix:
R1(config)# banner motd #
Enter TEXT message. End with the character '#'.
This is a test
#
R1(config)#
If you forgot to enter the trailing #, the device will still be in the "entering banner" state. Enter the delimiter to finish. If the delimiter appears in the message, choose a different delimiter (e.g., @, $, !) that does not appear in the message text.
Verification Checklist
- R1 has a MOTD banner containing "NHPREP" and contact admin@lab.nhprep.com
- R2 has a login banner warning "Authorized Access Only"
- show running-config | section banner on each device shows the configured banner block
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| CLI never returns after starting banner | Did not enter the ending delimiter character on its own line | Enter the same delimiter character on a new line to finish banner (e.g., # or $) |
| Banner not displayed over SSH | MOTD vs login banner timing; some platforms show MOTD after auth | Use both banners as needed and test via SSH/console to see exact behavior |
| Banner delimiter character appears inside message, prematurely ending banner | Using a delimiter that exists in the message | Reconfigure using a unique delimiter character not present in the message |
Warning: Avoid including sensitive passwords or private keys in banner text. Banners are visible to anyone who can connect to the device.
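The checklist, the delimiter-collision mistake and the warning above can be checked offline against saved show running-config output. The following is an added example, not part of the original lab: the function names, the candidate delimiter list and the credential keyword pattern are assumptions, and the parser assumes a single-character delimiter as shown in the lab's verify output.

```python
import re

CANDIDATES = "#$@%~"  # delimiters to try, in order (assumed list)

def pick_delimiter(message, candidates=CANDIDATES):
    """Return the first candidate that never occurs in the banner text."""
    for ch in candidates:
        if ch not in message:
            return ch
    raise ValueError("every candidate delimiter occurs in the message")

def parse_banners(config):
    """Map banner type -> text from 'show running-config | section banner' output."""
    banners, lines, i = {}, config.splitlines(), 0
    while i < len(lines):
        m = re.match(r"banner (\S+) (\S)(.*)", lines[i])
        i += 1
        if not m:
            continue
        kind, delim, rest = m.groups()
        body = []
        # The banner ends at the next delimiter, even in the middle of a line.
        while delim not in rest:
            body.append(rest)
            if i == len(lines):
                raise ValueError(f"banner {kind}: closing {delim!r} never entered")
            rest, i = lines[i], i + 1
        body.append(rest.split(delim, 1)[0])
        banners[kind] = "\n".join(body).strip("\n")
    return banners

def audit(config, kind, required):
    """Return a list of problems for one device's banner of the given type."""
    text = parse_banners(config).get(kind)
    if text is None:
        return [f"no banner {kind} configured"]
    problems = [f"missing text: {s}" for s in required if s not in text]
    if re.search(r"password|secret|PRIVATE KEY", text, re.I):
        problems.append("banner text mentions credentials or key material")
    return problems

# Constructed samples, copied from the lab's expected verify output.
R1_CFG = """banner motd #
*** Welcome to NHPREP Router R1 ***
Contact: admin@lab.nhprep.com
Authorized use only.
#"""
R2_CFG = "banner login $\nWARNING: Authorized Access Only — All activity is logged.\n$"

if __name__ == "__main__":
    print(audit(R1_CFG, "motd", ["NHPREP", "admin@lab.nhprep.com"]))
    print(audit(R2_CFG, "login", ["Authorized Access Only"]))
```

An empty list means the device passes its checklist line; a ValueError from parse_banners corresponds to the troubleshooting scenario where the closing delimiter was never entered.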
Challenge Task
Configure a rotating set of banners on R3 and R4:
- R3: MOTD should include device name and emergency contact: "R3 — Emergency: +1-555-0100"
- R4: Login banner must require acknowledgement: "By continuing you acknowledge monitoring and authorized use policy for NHPREP — visit lab.nhprep.com/policy"
Do this without step-by-step instructions. Verify the banners with show running-config | section banner. Consider delimiter selection if your message contains punctuation.
Key Takeaways
- MOTD and login banners are simple but important tools for legal notices and identification.
- Always choose a delimiter not present in your message when using banner motd <delim> or banner login <delim>.
- Verify banners with show running-config | section banner. In production, test banner behavior for each access method (console, Telnet, SSH) because display timing may differ.