NETWORK
• Relates to: CCNA | CCNP
Now you've done it. You can't remember the password for your Cisco Router or
Catalyst Switch. Or maybe you never even knew it - say, this is a used router or
switch and its former owner can't be found, isn't talking . . . Whatever.
This isn't good.
Not that it won't run. After all, a router doesn't require a password to
function (Imagine if it did. All those users on the network that need to get
from one end of the network to the other - a nightmare). So, sure, it'll boot
just fine, it'll run just fine. But Heaven help you if you want to reconfigure
the thing. Without the router/switch password, you will enable or disable
nothing.
So let's say it's time to reconfigure and, try as you might, you simply
cannot recall the password or you never knew it. Luckily, this is router/switch
configuration, not rocket science. Losing the password is a problem. The
solution is called password recovery, though I cannot explain to you why because
recovering the password isn't the only option.
Now, this article may make it look cut and dry - and, for the most part it is
- but bear in mind there is a certain lack of uniformity for password recovery
from platform to platform. There are almost as many ways to effect password
recovery as there are Cisco routers and catalyst switches. Recovery procedures
will vary and will depend, in large part, on the platform and IOS version. On
most of these platforms, you can do password recovery without changing hardware
jumpers but you will be required to reboot the router.
This article assumes you are familiar with decimal to hexadecimal conversion.
I'm also assuming you know how the configuration register applies that hex
number to its 2-byte numbering scheme. If this is still a mystery to you, click
here to read another Cramsession on Hex.
And remember this: Password recovery can be done ONLY from a console port
physically attached to the router. You will not be able to dial into the router
or switch to do password recovery.
All that said, there are some general rules and guidelines. For instance,
there are three ways to restore access to a router's configuration:
- You can VIEW the password.
- CHANGE the password
- ERASE the router/switch's configuration and start from scratch
Each of the above described procedure follows these basic steps:
- Change the configuration register to tell bootstrap program to ignore the
current NVRAM file at bootup. This often is called placing the router in "test
system mode."
- Reboot the system.
- Access enable mode (this can be done without a password so long as you're in
test system mode).
- Decide whether to VIEW the password, CHANGE the password or ERASE the
configuration and start from square 1.
- Reset the register back to its original status so the router/switch will
boot up and read the NVRAM as it does normally.
- Reboot.
Simple, right? Well, it can be. Sometimes it isn't. Here's more of a
breakdown.
One step that trips up many a tech is the "break signal." Some platforms,
while running password recovery, require a terminal to issue a Break signal.
Whether you'll need to do this will depend on how your terminal or PC terminal
emulator issues this signal. Typically, the break key sequence will be Ctrl+C.
However, the key sequence can be very different. For example, in ProComm, the
keys Alt-B will, by default, generate a Break signal. In Windows 2000, the
sequence is Ctrl+Break. In Apple's Z Terminal, it's Command+B. The break key
sequence interrupts the regular boot process and the ROM monitor prompt will
appear.
What you do at this point will vary but, generally, you will enter "0" and
press the Enter key to view the routers present register settings. The sixth
register bit should be disabled. This is where you'll take the next step. The
sixth register bit controls whether the bootstrap will ignore or use the NVRAM
configuration file. If it's set to ignore the NVRAM configuration file, then
NVRAM will not load.
Enable the sixth register bit to ignore NVRAM by issuing o/r 0x2142 at the
prompt.
Now you've done it (just kidding). You'll get a warning message from the
router telling you that the NVRAM is missing or invalid, possibly due to a write
erase. This will not concern you because you will remember what you've just done
with that sixth bit. You also will suddenly find yourself logged into the router
without a password. Kewl.
At the prompt, type "i" to initialize the router.
On bootup, bypass type "no" in the initial configuration dialog prompt to
bypass it. This will bring up the default prompts (router>) and you need to
enter privileged exec mode by typing "enable" at that prompt.
You've made it this far. Now, reload the original startup-configuration file
into memory by issuing, in privileged mode, the "copy startup-config
running-config: command. It's here that you'll have the option to recover the
password.
Let's make it just a hair more complicated and say you've enabled the process
to recover via the enable secret password. This one will remain encrypted, which
means you won't be able to read it. What to do next will vary but, in general,
the steps you take are:
- Issue the "enable secret password" command to redefine the current secret
password configuration.
- Return the register settings to their original configuration and, from
global configuration mode, key "config-register 0x2102."
- Watch the values reset.
- Key in "copy running-config startup-config" to save the current
configuration and apply the above changes.
Having said all the above, please recall your experience will vary depending
on a number of factors, especially the make and model of the router or switch.
So here's a link to Cisco with a complete list of all Cisco routers and catalyst
switches and their corresponding password recovery procedures. Just look up your
device and read the specific instructions. Good luck.
|
Email this Article
Print this Article
