Hostname, Password, and Banner Configuration (Cisco IOS)
In this lab, you will learn how to configure essential identification and security features on Cisco routers and switches. These configurations are considered basic but mandatory for any real-world network deployment. Before diving in, make sure you are comfortable with the basics of networking and the OSI model — understanding Layer 2 and Layer 3 will help you follow why these configurations matter.
Cisco IOS Quick Tips
You can use the Tab key after typing a few letters to automatically complete the full command in Cisco IOS.
Cisco IOS allows abbreviated commands as long as they are unique. See the cheat sheet below for the most common shortcuts used throughout these labs.
Show Commands (Most Used)
| Full Command | Shortcut |
|---|---|
| show version | sho ver |
| show interfaces | sho int |
| show interfaces status | sho int status |
| show ip route | sho ip route |
| show ip protocols | sho ip prot |
| show running-config | sho run |
| show startup-config | sho start |
| show vlan brief | sho vlan bri |
| show mac address-table | sho mac add |
| show cdp neighbors | sho cdp nei |
| show cdp neighbors detail | sho cdp nei det |
| show lldp neighbors | sho lldp nei |
| show arp | sho arp |
| show clock | sho clock |
Configuration Mode Commands
| Full Command | Shortcut |
|---|---|
| configure terminal | conf t |
| interface fastEthernet0/1 | int fa0/1 |
| interface gigabitEthernet0/1 | int gi0/1 |
| router ospf 1 | rou ospf 1 |
| router rip | rou rip |
| router eigrp 10 | rou eig 10 |
| exit | ex |
| end | end |
Interface Configuration
| Full Command | Shortcut |
|---|---|
| ip address 192.168.1.1 255.255.255.0 | ip add 192.168.1.1 255.255.255.0 |
| no shutdown | no shut |
| shutdown | shut |
| description Link to SW1 | desc Link to SW1 |
| switchport mode access | sw mo acc |
| switchport mode trunk | sw mo tru |
VLAN Commands
| Full Command | Shortcut |
|---|---|
| vlan 10 | vlan 10 |
| name SALES | name SALES |
| show vlan | sho vlan |
| show vlan brief | sho vlan bri |
See also: VLAN Creation and Management Lab
Save & Reload
| Full Command | Shortcut |
|---|---|
| copy running-config startup-config | copy run start |
| write memory | wr mem |
| reload | rel |
See also: Saving and Managing Cisco Configurations
Troubleshooting / Testing
| Full Command | Shortcut |
|---|---|
| ping 192.168.1.1 | ping 192.168.1.1 |
| traceroute 8.8.8.8 | trace 8.8.8.8 |
| show logging | sho log |
| show processes cpu | sho proc cpu |
For deeper troubleshooting techniques, see Understanding Ping, Traceroute Explained, and Show Logging.
Very Important Note (Exam + Real Devices)
Cisco IOS does not require the full command word — only enough characters to make it unique.
- show → sho
- configure → conf
- interface → int

But ❗ If the shortcut becomes ambiguous, IOS will reject the command with a "% Ambiguous command" error.
1. Hostname Configuration
Explanation
The hostname is the logical name assigned to a Cisco router or switch. It helps administrators easily identify devices, especially in environments with multiple routers and switches. The hostname also becomes part of the device's CLI prompt, making it immediately visible during any session.
By default, Cisco devices use generic names such as Router or Switch. Changing the hostname is a basic and essential configuration step — and it is also required before you can enable SSH, since the RSA key name is derived from the hostname and domain name. See Cisco IOS Modes for a full overview of the CLI prompt and privilege levels.
Cisco Prompt Commands
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname NetsTuts_SW1
NetsTuts_SW1(config)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
2. Enable Password vs Enable Secret
Explanation
Cisco devices use enable password and enable secret to protect access to Privileged EXEC mode (the # prompt). Without one of these, anyone who connects to the device can immediately enter privileged mode by typing enable — giving them full control over the device. This is covered in depth in Login Authentication Methods. See also Cisco IOS Modes for an explanation of User EXEC vs Privileged EXEC vs Global Configuration mode.
| Feature | Enable Password | Enable Secret |
|---|---|---|
| Encryption | Weak / Reversible (Type 7) | Strong MD5 Hash (Type 5) |
| Stored in config as | Plain text (unless service password-encryption enabled) | Hashed — never recoverable |
| Security Level | Low | High |
| Recommendation | ❌ Not Recommended | ✅ Always Use This |
Configuring Enable Password (Legacy)
NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#enable password cisco@123
NetsTuts_SW1(config)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Verify with show running-config command:
hostname NetsTuts_SW1
!
enable password cisco@123
Enter the created password (the password you type will be invisible):
NetsTuts_SW1>en
Password:
Remove the password using the no enable password command:
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#no enable password
NetsTuts_SW1(config)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

NetsTuts_SW1>en
NetsTuts_SW1#
Configuring Enable Secret (Recommended)
NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#enable secret cisco@123
NetsTuts_SW1(config)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Verify with show running-config command:
hostname NetsTuts_SW1
!
enable secret 5 $1$mERr$6O7HXbIpaOLamSXRNemy0.
3. MOTD (Message of the Day) Banner
Explanation
The MOTD banner displays a warning or informational message before the login prompt appears. In enterprise environments, MOTD banners serve a legal purpose — they notify users that the system is monitored and that unauthorized access is prohibited. Without a proper banner, legal action against unauthorized users can be harder to pursue.
- Displays legal warnings to deter unauthorized access
- Required for security compliance in many organizations
- Appears on console, VTY (SSH/Telnet), and AUX connections
- Shown before the login prompt — visible even to unauthenticated users
Configuring MOTD Banner
# as the delimiter:

NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#banner motd #
Enter TEXT message. End with the character '#'.
***Unauthorized access is strictly prohibited.***
***Disconnect immediately if you are not an authorized user.***
#
NetsTuts_SW1(config)#exit
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Note: The # character is used as a delimiter — it marks where the banner text starts and ends. Choose any character that does not appear inside your banner text.
Expected behavior during login:
Press RETURN to get started.
***Unauthorized access is strictly prohibited.***
***Disconnect immediately if you are not an authorized user.***
NetsTuts_SW1>
4. Console Line Password
Explanation
The console line is the physical port used for direct, out-of-band access to a Cisco device (typically via a rollover cable and terminal emulator such as PuTTY or SecureCRT). By default, the console line requires no password — anyone with physical access can enter the device immediately. Securing the console line is a mandatory step in any real-world deployment. For a full deep-dive into console and VTY line security options, see Console & VTY Line Configuration.
- Applies to direct cable connections only — not remote SSH or Telnet
- Should always be secured, even in lab environments
- Use login to enforce a line password, or login local to require a username + password from the local database
- Always add exec-timeout to automatically log out idle sessions
Configuring Console Line Password
NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#line console 0
NetsTuts_SW1(config-line)#password Console@123
NetsTuts_SW1(config-line)#login
NetsTuts_SW1(config-line)#exec-timeout 5 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

exec-timeout 5 0 automatically disconnects idle sessions after 5 minutes. logging synchronous prevents log messages from interrupting your typing mid-command.
Verify with show running-config | section line con:
NetsTuts_SW1#show running-config | section line con
line con 0
 exec-timeout 5 0
 password Console@123
 logging synchronous
 login
Expected behavior — console now requires a password on next connection:
Press RETURN to get started.
***Unauthorized access is strictly prohibited.***
***Disconnect immediately if you are not an authorized user.***
User Access Verification
Password:
NetsTuts_SW1>
Remove the console password:
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#line console 0
NetsTuts_SW1(config-line)#no password
NetsTuts_SW1(config-line)#no login
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
5. VTY Line Password (Telnet / SSH)
Explanation
VTY (Virtual Terminal) lines control remote access to a Cisco device via Telnet or SSH. Most Cisco devices have VTY lines 0–4 (5 simultaneous sessions), and some support up to 0–15. Unlike the console line, VTY access travels over the network — making it critical to both secure and encrypt these connections. For the complete VTY security guide including ACL restrictions, see Console & VTY Line Configuration.
| Feature | Telnet | SSH |
|---|---|---|
| Encryption | ❌ None (plain text) | ✅ Fully Encrypted |
| Port | TCP 23 | TCP 22 |
| Use in production | ❌ Never | ✅ Always |
| Credential exposure | Passwords visible in packet capture | Fully encrypted session |
Configuring VTY Password (Telnet — Lab Only)
NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#password VtyPass@123
NetsTuts_SW1(config-line)#login
NetsTuts_SW1(config-line)#exec-timeout 10 0
NetsTuts_SW1(config-line)#transport input telnet
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Configuring VTY for SSH (Recommended)
To enable SSH, the device needs a hostname (already done in Section 1), a domain name, and an RSA key pair. For a full step-by-step SSH configuration lab, see SSH Configuration. For a full explanation of SSH security, see Login Authentication Methods and SSH vs Telnet Security.
NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#ip domain-name netstuts.com
NetsTuts_SW1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: NetsTuts_SW1.netstuts.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
NetsTuts_SW1(config)#ip ssh version 2
NetsTuts_SW1(config)#username admin privilege 15 secret Admin@123
NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#transport input ssh
NetsTuts_SW1(config-line)#exec-timeout 10 0
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

login local requires both username and password from the local database. transport input ssh disables Telnet and allows SSH only — the correct setting for all production devices.
Verify SSH is enabled and running version 2:
NetsTuts_SW1#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Verify VTY configuration:
NetsTuts_SW1#show running-config | section line vty
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
6. Service Password-Encryption
Explanation
By default, passwords configured with password (not secret) are stored in plain text in the running configuration. The service password-encryption command applies a Type 7 (reversible) encoding to all plain-text passwords in the config, preventing casual shoulder-surfing when someone reads the screen.

secret (MD5/Type 5 or scrypt/Type 9) for real password security. Use service password-encryption as an additional layer only.

See Login Authentication Methods for the full security picture. For enterprise-grade centralized authentication, see AAA with RADIUS and AAA with TACACS+.
Enabling Service Password-Encryption
NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NetsTuts_SW1(config)#service password-encryption
NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Compare the running-config before and after enabling the command:
! ── BEFORE service password-encryption ───────────────────
line con 0
 password Console@123            ← plain text, anyone can read this
! ── AFTER service password-encryption ────────────────────
line con 0
 password 7 0822455D0A16544541   ← Type 7 encoded (not plain text)
Disable service password-encryption:
NetsTuts_SW1(config)#no service password-encryption
7. Full Secure Baseline Configuration
Explanation
In real network deployments, all of the above configurations are applied together as part of a device hardening checklist. The following is a complete reference baseline combining everything from this lab — hostname, passwords, banners, console/VTY security, and SSH — applied in the correct order. This same approach applies to both routers and switches. For additional hardening including brute-force protection and login rate limiting, see Login Security and Brute-Force Protection.
wr or copy run start. See Saving and Managing Cisco Configurations for full details on configuration management.
! ══════════════════════════════════════════════════════════
! NetsTuts Full Device Hardening Baseline
! Device: NetsTuts_SW1
! ══════════════════════════════════════════════════════════
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
! ── Step 1: Hostname ──────────────────────────────────────
Switch(config)#hostname NetsTuts_SW1
! ── Step 2: Domain name (required for SSH) ───────────────
NetsTuts_SW1(config)#ip domain-name netstuts.com
! ── Step 3: Enable Secret (privileged EXEC protection) ───
NetsTuts_SW1(config)#enable secret Admin@Secure1!
! ── Step 4: Local user account ───────────────────────────
NetsTuts_SW1(config)#username admin privilege 15 secret Admin@123
! ── Step 5: MOTD Banner ──────────────────────────────────
NetsTuts_SW1(config)#banner motd #
Enter TEXT message. End with the character '#'.
***Unauthorized access is strictly prohibited.***
***Disconnect immediately if you are not an authorized user.***
***All activity is monitored and logged.***
#
! ── Step 6: Console line ─────────────────────────────────
NetsTuts_SW1(config)#line console 0
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#exec-timeout 5 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#exit
! ── Step 7: Generate RSA key for SSH ─────────────────────
NetsTuts_SW1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: NetsTuts_SW1.netstuts.com
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
! ── Step 8: SSH version 2 ────────────────────────────────
NetsTuts_SW1(config)#ip ssh version 2
NetsTuts_SW1(config)#ip ssh authentication-retries 3
NetsTuts_SW1(config)#ip ssh time-out 60
! ── Step 9: VTY lines (SSH only) ─────────────────────────
NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#transport input ssh
NetsTuts_SW1(config-line)#exec-timeout 10 0
NetsTuts_SW1(config-line)#exit
! ── Step 10: Encrypt plain-text passwords ────────────────
NetsTuts_SW1(config)#service password-encryption
! ── Step 11: Save ────────────────────────────────────────
NetsTuts_SW1(config)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
8. Verifying Your Configuration
After completing the lab, use the following commands to verify everything is correctly applied. Compare your output to the examples below. These are the same show commands used in real production environments.
show running-config (Full Output)
NetsTuts_SW1#show running-config
Building configuration...
Current configuration : 1842 bytes
!
version 15.0
service password-encryption
!
hostname NetsTuts_SW1
!
enable secret 5 $1$mERr$6O7HXbIpaOLamSXRNemy0.
!
username admin privilege 15 secret 5 $1$ABC/$HashValueHere.
!
ip domain-name netstuts.com
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
!
banner motd ^C
***Unauthorized access is strictly prohibited.***
***Disconnect immediately if you are not an authorized user.***
***All activity is monitored and logged.***
^C
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login local
!
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
!
end
Verification Commands Quick Reference
| Command | What to Verify | Expected Result |
|---|---|---|
| show running-config | Full configuration including all passwords and lines | Hostname set, enable secret hashed, passwords encoded, lines secured |
| show running-config \| section line | Console and VTY line settings only | login local, transport input ssh, exec-timeout configured |
| show ip ssh | SSH enabled and version | SSH Enabled - version 2.0 |
| show users | Currently logged-in users and which line they are on | Shows your active console or VTY session |
| show version | Device hostname shown in IOS version output | NetsTuts_SW1 appears in the version output header |
Full Verification Run
NetsTuts_SW1#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
NetsTuts_SW1#show users
Line User Host(s) Idle Location
* 0 con 0 admin idle 00:00:00
NetsTuts_SW1#show running-config | section line
line con 0
exec-timeout 5 0
logging synchronous
login local
line vty 0 4
exec-timeout 10 0
login local
transport input ssh
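
The checks from this lab can also be run offline against a saved show running-config. The following is an added example, not part of the original lab: the function names, finding strings and WEAK_SAMPLE config are constructed for illustration.

```python
# Added example: offline audit of a saved "show running-config" against this lab's baseline.
WEAK_SAMPLE = """\
hostname Switch
enable password cisco@123
line con 0
 password 7 0822455D0A16544541
 login
line vty 0 4
 exec-timeout 0 0
 password VtyPass@123
 login
 transport input telnet
end
"""  # constructed sample built from the lab's legacy and Telnet variants


def parse(config):
    """Split a config into global commands and per-line ('line con 0') sub-commands."""
    global_cmds, lines, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = lines.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:  # '!' separators and global commands close the current line section
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, lines


def audit(config):
    """Return a list of findings; an empty list means every baseline check passed."""
    g, lines = parse(config)

    def has(prefix):
        return any(c.startswith(prefix) for c in g)

    findings = []
    hostname = next((c.split()[1] for c in g if c.startswith("hostname ")), None)
    if hostname in (None, "Router", "Switch"):
        findings.append("global: hostname is default or missing")
    if not has("enable secret "):
        findings.append("global: no enable secret")
    if has("enable password "):
        findings.append("global: legacy enable password present")
    if not has("ip domain-name "):
        findings.append("global: no ip domain-name (needed for the SSH key)")
    if "ip ssh version 2" not in g:
        findings.append("global: ip ssh version 2 not set")
    if not has("banner motd"):
        findings.append("global: no MOTD banner")
    for header, cmds in lines.items():
        if "login local" not in cmds:
            findings.append(f"{header}: not using login local")
        for c in cmds:
            if c.startswith("password 7 "):
                findings.append(f"{header}: Type 7 line password (reversible)")
            elif c.startswith("password "):
                findings.append(f"{header}: plain-text line password")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{header}: idle timeout disabled")
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{header}: VTY not restricted to SSH")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_SAMPLE):
        print(finding)
```

Running it on the hardened running-config shown in this section returns no findings; the constructed weak sample produces one finding per deviation.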
9. Troubleshooting Common Issues
Use show logging and debug commands alongside the fixes below to diagnose authentication and access issues.
| Problem | Likely Cause | Fix |
|---|---|---|
| Locked out of privileged EXEC mode | Forgot enable secret password | Perform password recovery — see ROMMON Password Recovery to boot into ROMMON and set config-register to 0x2142 to bypass startup-config on next boot |
| SSH connection refused | RSA key not generated, or ip ssh version 2 not set | Run crypto key generate rsa modulus 2048 and confirm with show ip ssh. See SSH Configuration for the full setup. |
| Cannot SSH — "% No hostname specified" | Hostname is still the default (Router or Switch) | Set hostname first: hostname NetsTuts_SW1, then regenerate RSA key. See SSH Configuration. |
| VTY login fails with correct password | Method mismatch — login used but no line password set, or login local used but no local user exists | Check show running-config \| section line vty and match the login method to how credentials are stored. See Authentication Methods and Console & VTY Line Configuration. |
| MOTD banner not appearing | Delimiter character appears inside the banner text, ending it prematurely | Choose a delimiter not used in your banner text (e.g., #, @, or ^) |
| Log messages interrupting typing | logging synchronous not configured on the line | Add logging synchronous under line con 0 and line vty 0 4. See Show Logging. |
10. Key Points & Exam Tips
- Always use enable secret — never enable password alone. If both are set, enable secret takes priority and the enable password is completely ignored. See Login Authentication Methods.
- secret stores an MD5 hash (Type 5) — it cannot be reversed. password stores plain text unless service password-encryption is also enabled.
- service password-encryption applies Type 7 encoding — it hides passwords from casual reading but is not cryptographically secure and can be decoded instantly. For enterprise-grade security, use RADIUS or TACACS+.
- The console line (line con 0) secures physical access. VTY lines (line vty 0 4) secure remote access. Both must be secured independently. See Console & VTY Line Configuration for advanced options including ACL restrictions.
- login uses the single password set under the line. login local requires a username and password from the local database — always prefer login local.
- SSH requires four things: a hostname, a domain name (ip domain-name), an RSA key pair (crypto key generate rsa modulus 2048), and ip ssh version 2. Full lab: SSH Configuration.
- Always use transport input ssh on VTY lines in production — never leave transport input all or transport input telnet active. See SSH vs Telnet Security.
- exec-timeout format is minutes seconds. exec-timeout 5 0 = 5 minutes. exec-timeout 0 0 = never timeout — avoid this in production. For brute-force protection, see Login Security.
- The MOTD banner appears before the login prompt — visible to all connecting users. The delimiter character ends the banner text, so never use it inside the message.
- Always save with wr or copy run start after every change. The running-config lives in RAM and is lost on reload if not saved. See Saving and Managing Cisco Configurations.
TEST WHAT YOU LEARNED
What is the primary purpose of configuring a hostname on a Cisco device?
A network engineer SSHs into a device and sees the prompt Switch#. What does this most likely indicate?
An engineer configures both enable password cisco and enable secret strong@pass on the same device. What happens when a user types enable?
A junior engineer reads the running-config and sees: enable secret 5 $1$mERr$6O7HXbIpaOLamSXRNemy0. What does the "5" indicate?
Which command shows whether service password-encryption is active and displays the current enable secret?
show running-config displays the active configuration in RAM, including whether service password-encryption is enabled and how passwords are stored.
A user connects to a Cisco switch and sees a warning message before being prompted for a password. What type of banner is this?
An engineer configures banner motd # Welcome to NetsTuts_SW1 # End #. What problem will occur?
# inside the text terminates the banner early — only "Welcome to NetsTuts_SW1 " would appear. Choose a delimiter that does not appear in your message.
What is the key security difference between service password-encryption and enable secret?
After configuring SSH, an engineer runs show ip ssh and sees "SSH Disabled". What is the most likely cause?
crypto key generate rsa modulus 2048 to generate the keys. Also ensure a hostname and domain name are set, as the key name is derived from both. See SSH Configuration for the complete setup procedure.
An engineer configures exec-timeout 0 0 on the VTY lines. What is the risk?
exec-timeout 0 0 disables the idle timeout entirely — sessions remain open indefinitely. This is a security risk in production: an unattended open session could be used by an unauthorized person. Always set a reasonable timeout such as exec-timeout 10 0 (10 minutes). See Console & VTY Line Configuration and Login Security for more session protection measures.