Security · Global Config

login delay [secs]

Configures a delay in seconds before the next login attempt after a failed login, used to slow down brute-force attacks on the console or VTY lines.

Syntax · Global Config
login delay [secs]

When to Use This Command

  • Prevent rapid brute-force password guessing on the console port of a router in a data center.
  • Throttle login attempts on VTY lines for remote SSH access to a branch office router.
  • Comply with security policies requiring a delay between failed login attempts on network devices.
  • Reduce the risk of dictionary attacks on management interfaces of critical infrastructure.

Command Examples

Setting a 5-second login delay globally

Router(config)# login delay 5
Router(config)#

No output is displayed upon successful configuration. The command sets a 5-second delay between failed login attempts on all lines that use the global login delay.

Verifying login delay configuration

Router# show running-config | include login delay
login delay 5

The output shows the configured login delay of 5 seconds. If the command is not present, no delay is configured (default is 0).

Understanding the Output

The 'login delay' command does not produce any output when configured. To verify, use 'show running-config | include login delay' which will display the configured delay in seconds. If no delay is set, the line will not appear. The delay applies after each failed login attempt on console, aux, and VTY lines when using local authentication. A value of 0 means no delay. Typical production values range from 1 to 10 seconds. Watch for missing configuration on devices that require brute-force protection.
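The check described above can be run across saved running-configs to find devices with no delay configured. The following is an added example, not part of the original page: the hostnames, the sample configs and the 10-second ceiling (taken from the typical range above) are assumptions. It matches only a line that begins with the command, so text that merely contains the words "login delay", such as an interface description, is not counted.

```python
import re

# A global-mode command starts in column 0 of a saved running-config;
# indented lines belong to a sub-mode (line, interface, ...).
LOGIN_DELAY_RE = re.compile(r"^login delay (\d+)\s*$")

def login_delay_seconds(running_config):
    """Return the global login delay in seconds; 0 when the line is absent."""
    delay = 0
    for line in running_config.splitlines():
        match = LOGIN_DELAY_RE.match(line)
        if match:
            delay = int(match.group(1))
    return delay

def audit(configs, max_secs=10):
    """Map hostname -> (delay, status). max_secs is an assumed policy ceiling."""
    report = {}
    for host, text in configs.items():
        delay = login_delay_seconds(text)
        if delay == 0:
            status = "MISSING"      # no throttling between failed logins
        elif delay > max_secs:
            status = "TOO_HIGH"     # above the assumed policy ceiling
        else:
            status = "OK"
        report[host] = (delay, status)
    return report

# Constructed sample configs (hostnames and contents are made up).
SAMPLE_CONFIGS = {
    "dc-rtr1": "hostname dc-rtr1\nlogin delay 5\nline vty 0 4\n transport input ssh\n",
    "branch-rtr2": "hostname branch-rtr2\ninterface GigabitEthernet0/0\n"
                   " description test login delay 5\nline con 0\n",
    "core-rtr3": "hostname core-rtr3\nlogin delay 60\n",
}

if __name__ == "__main__":
    for host, (delay, status) in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host:12} login delay={delay:<3} {status}")
```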

CCNA Exam Tips

1. The CCNA exam may ask: 'Which command slows down brute-force attacks on the console line?' Answer: 'login delay'.

2. Remember that 'login delay' is a global command; it applies to all lines unless overridden by line-specific 'login delay'.

3. The default delay is 0 seconds; you must explicitly configure a delay to enable throttling.

4. This command works with both console and VTY lines; it is not limited to a specific line type.

Common Mistakes

Mistake: Configuring 'login delay' under line configuration mode instead of global config. Consequence: The command is rejected or has no effect.

Mistake: Setting a very high delay (e.g., 60 seconds) causing user frustration. Consequence: Legitimate users may be locked out for too long after a single mistake.

Mistake: Forgetting to apply 'login delay' globally and only configuring it on one line. Consequence: Other lines remain unprotected.
