Friday, March 31, 2006

Password Recovery Procedures For 2500 Routers - And For The CCNA Exam And The Job!

Performing password recovery on a Cisco router makes people nervous, especially if they haven’t done it before. That includes me! Since this is often a network engineer’s first time working with the configuration register, it's understandable to be a little nervous - but as always, prior preparation gets rid of those nerves.

One myth about Cisco password recovery is that there’s one way to do it on all routers and switches. This simply is not the case. On the CCNA exam, you may see some questions referring to the 2500 series password recovery procedure, which we’ll be reviewing in just a moment. I want to share a very important Cisco website with you:

This webpage lists almost every router and switch Cisco’s ever made, and the link for each device goes to the password recovery procedure for that model. It’s a very handy list that I suggest you bookmark. It's also the first match in a Google search for “cisco password recovery”.

Since we’re on this topic, let’s review the password recovery procedure for the 2500 family. Remember, don’t practice this or any other Cisco procedure on a production network. That’s what CCNA / CCNP home labs and rack rentals are for! :)

It's true that setting the configuration register to the wrong value can damage the router, but if you do the proper research before starting the password recovery process, you'll be fine.

Despite what some books say, there is no "one size fits all" approach to Cisco password recovery. What works on a 2500 router may not work on other routers and switches. The following procedure describes how to recover from a lost password on a Cisco 2500 router.

The router must first be rebooted and a “break” performed within the first 60 seconds of the boot process. This break sequence can also vary depending on what program is used to access the router, but is the usual key combination. Some versions of Hyperterminal have a real problem sending a break signal. Use your favorite search engine to find alternate key combinations for your particular terminal emulator.

The router will now be in ROM Monitor mode. From the ROM Monitor prompt, change the default configuration register of 0x2102 to 0x2142 with the o/r 0x2142 command. Reload the router with the letter i. (As you can see, ROM Monitor mode is very different from working with the IOS!)

This particular config register setting will cause the router to ignore the contents of NVRAM. Your startup configuration is still there, but it will be ignored on reload.

When the router reloads, you’ll be prompted to enter Setup mode. Answer “N”, and type enable at the router> prompt.

Be careful here. Type configure memory or copy start run. Do NOT type write memory or copy run start!

Enter the command show running-config. You’ll see the passwords in either their encrypted or unencrypted format.

Type config t, then use the appropriate command to set a new enable secret or enable password.

Don’t forget to change the configuration register setting back to the original value! The command config-register 0x2102 will do the job. If you forget to set the configuration register back, the router will ignore NVRAM on the next reload and will prompt whoever reboots it to go into setup mode when they are not expecting it. Save this change with write memory or copy run start, and then run reload one more time to restart the router.
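The whole procedure hinges on one bit of the configuration register: 0x2102 and 0x2142 differ only in bit 6, the "ignore NVRAM" flag. The script below is an added example, not part of the original post, that decodes a register value into its documented fields and audits the last line of show version (which IOS prints as "Configuration register is 0x2142 (will be 0x2102 at next reload)" while a change is pending) so you can catch a router that was left on 0x2142 after a recovery. The show version samples are constructed for the example; the function names are my own.

```python
"""Decode a Cisco configuration register and audit `show version` output.

Added example, not code from the original post. Bit meanings are the
documented configuration-register fields for IOS routers such as the 2500:
bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 console break disabled,
bit 13 boot default ROM software if a network boot fails.
"""
import re

IGNORE_NVRAM = 0x0040       # bit 6: skip startup-config on boot (set in 0x2142)
BREAK_DISABLED = 0x0100     # bit 8: ignore a console break once IOS is up
BOOT_ROM_FALLBACK = 0x2000  # bit 13: fall back to ROM if a network boot fails
BOOT_FIELD_MASK = 0x000F    # bits 0-3: where to boot from


def decode_register(value):
    """Return a dict describing the flags set in a configuration register."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0:
        boot = "rom-monitor"
    elif boot_field == 1:
        boot = "boot-rom"
    else:
        boot = "ios (boot system commands / first image in flash)"
    return {
        "value": value,
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & BOOT_ROM_FALLBACK),
    }


def register_diff(a, b):
    """List the bit positions that differ between two register values."""
    changed = a ^ b
    return [bit for bit in range(16) if changed & (1 << bit)]


# Matches the last line of `show version`, with or without a pending change.
_REG_RE = re.compile(r"Configuration register is 0x([0-9A-Fa-f]+)"
                     r"(?: \(will be 0x([0-9A-Fa-f]+) at next reload\))?")


def audit_show_version(text):
    """Parse the register line of `show version` and flag recovery leftovers.

    Returns (current, next_reload, warnings); next_reload equals current
    when IOS shows no pending change.
    """
    m = _REG_RE.search(text)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    warnings = []
    if pending & IGNORE_NVRAM:
        warnings.append("register at next reload still ignores NVRAM: "
                        "run 'config-register 0x2102' and save")
    elif current & IGNORE_NVRAM:
        warnings.append("running on an ignore-NVRAM register; "
                        "fix takes effect at the next reload")
    return current, pending, warnings


# Constructed sample output (not captured from a real router).
SAMPLE_MID_RECOVERY = (
    "Cisco 2500 (68030) processor with 14336K/2048K bytes of memory.\n"
    "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
)
SAMPLE_FORGOTTEN = "Configuration register is 0x2142\n"
SAMPLE_CLEAN = "Configuration register is 0x2102\n"

if __name__ == "__main__":
    print(decode_register(0x2102))
    print(decode_register(0x2142))
    print("bits differing between 0x2102 and 0x2142:",
          register_diff(0x2102, 0x2142))
    for name, sample in [("mid-recovery", SAMPLE_MID_RECOVERY),
                         ("forgotten", SAMPLE_FORGOTTEN),
                         ("clean", SAMPLE_CLEAN)]:
        print(name, audit_show_version(sample))
```

Run it after the final reload in your lab and paste the show version output into audit_show_version; an empty warnings list means the register is back to 0x2102 and the startup config will be honored on the next boot.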

This process sounds hard, but it's really not. You just have to be careful, particularly when you're copying the startup config over the running config. You don't want to get that backwards! So take your time, check the online Cisco documentation before starting, get some practice with this procedure with lab equipment, and you'll be ready for success on the CCNA exam and in your production network!

To your Cisco success,

Chris Bryant
CCIE #12933
