Friday, March 31, 2006

Password Recovery Procedures For 2500 Routers - And For The CCNA Exam And The Job!

Performing password recovery on a Cisco router makes people nervous, especially if they haven’t done it before. That includes me! Since this is often a network engineer’s first time working with the configuration register, it's understandable to be a little nervous - but as always, prior preparation gets rid of those nerves.

One myth about Cisco password recovery is that there’s one way to do it on all routers and switches. This simply is not the case. On the CCNA exam, you may see some questions referring to the 2500 series password recovery procedure, which we’ll be reviewing in just a moment. I want to share a very important Cisco website with you:

http://www.cisco.com/warp/public/474/

This webpage lists almost every router and switch Cisco’s ever made, and the link for each device goes to the password recovery procedure for that device. It’s a very handy list that I suggest you bookmark. This is also the first match in a Google search for “cisco password recovery”.

Since we’re on this topic, let’s review the password recovery procedure for the 2500 family. Remember, don’t practice this or any other Cisco procedure on a production network. That’s what CCNA / CCNP home labs and rack rentals are for! :)


It's true that setting the configuration register to the wrong value can damage the router, but if you do the proper research before starting the password recovery process, you'll be fine.

Despite what some books say, there is no "one size fits all" approach to Cisco password recovery. What works on a 2500 router may not work on other routers and switches. The following procedure describes the process of recovering from a lost password on a Cisco 2500 router.

The router must first be rebooted and a “break” performed within the first 60 seconds of the boot process. This break sequence can also vary depending on what program is used to access the router, but is the usual key combination. Some versions of Hyperterminal have a real problem sending a break signal. Use your favorite search engine to find alternate key combinations for your particular terminal emulator.

The router will now be in ROM Monitor mode. From the ROM Monitor prompt, change the default configuration register of 0x2102 to 0x2142 with the o/r 0x2142 command. Reload the router with the letter i. (As you can see, ROM Monitor mode is a lot different from working with the IOS!)

This particular config register setting will cause the router to ignore the contents of NVRAM. Your startup configuration is still there, but it will be ignored on reload.

When the router reloads, you’ll be prompted to enter Setup mode. Answer “N”, and type enable at the router> prompt.

Be careful here. Type configure memory or copy start run. Do NOT type write memory or copy run start!

Enter the command show running-config. You’ll see the passwords in either their encrypted or unencrypted format.

Type config t, then use the appropriate command to set a new enable secret or enable password.

Don’t forget to change the configuration register setting back to the original value! The command config-register 0x2102 will do the job. If you forget to set the configuration register back, the router will ignore NVRAM on the next reload and will prompt the user to go into setup mode when they were not expecting that. Save this change with write memory or copy run start, and then run reload one more time to restart the router.
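As an added example (my own, not from the original post or from Cisco), here is a small Python audit that decodes the configuration register from collected show version output and flags routers left at 0x2142, or set to stop in ROM Monitor on the next reload. The sample lines are constructed; the bit meanings are the documented ones for the 2500 family.

```python
import re

# Configuration-register bits for the 2500 family (documented Cisco values).
IGNORE_NVRAM   = 0x0040  # bit 6: boot ignoring the startup-config in NVRAM (0x2102 -> 0x2142)
BREAK_DISABLED = 0x0100  # bit 8: console break is ignored once the IOS is running
BOOT_FIELD     = 0x000F  # bits 0-3: 0x0 = ROM monitor, 0x1 = boot ROM image, 0x2-0xF = normal boot

# The line as "show version" prints it; the "(will be ...)" part appears once
# config-register has been changed but the router has not yet reloaded.
_REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                     r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def decode_register(value: int) -> dict:
    """Split a config-register value into the fields that matter for password recovery."""
    return {"boot_field": value & BOOT_FIELD,
            "ignore_nvram": bool(value & IGNORE_NVRAM),
            "break_disabled": bool(value & BREAK_DISABLED)}

def audit_show_version(hostname: str, output: str) -> list:
    """Findings for one router whose 'show version' output was collected (e.g. by a nightly job)."""
    m = _REG_RE.search(output)
    if not m:
        return [f"{hostname}: configuration register not found in output"]
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    now, nxt = decode_register(current), decode_register(pending)
    findings = []
    if now["ignore_nvram"]:
        findings.append(f"{hostname}: running with NVRAM ignored (0x{current:04x}); recovery in progress or left unfinished")
    if nxt["ignore_nvram"]:
        findings.append(f"{hostname}: next reload will ignore startup-config (0x{pending:04x}); set config-register 0x2102 and save")
    if nxt["boot_field"] == 0x0:
        findings.append(f"{hostname}: next reload will stop in ROM monitor (boot field 0x0)")
    return findings

# Constructed sample lines, not output captured from real routers.
SAMPLE_OK = "Configuration register is 0x2102\n"
SAMPLE_MID_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
SAMPLE_FORGOTTEN = "Configuration register is 0x2142\n"

if __name__ == "__main__":
    for name, text in [("R1", SAMPLE_OK), ("R2", SAMPLE_MID_RECOVERY), ("R3", SAMPLE_FORGOTTEN)]:
        for line in audit_show_version(name, text) or [f"{name}: OK"]:
            print(line)
```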

This process sounds hard, but it's really not. You just have to be careful, particularly when you're copying the startup config over the running config. You don't want to get that backwards! So take your time, check the online Cisco documentation before starting, get some practice with this procedure with lab equipment, and you'll be ready for success on the CCNA exam and in your production network!

To your Cisco success,

Chris Bryant
CCIE #12933


I'll be posting three new Cisco certification practice questions per day - one for the CCNA, BSCI, and BCMSN exams. Answers will be posted tomorrow, along with three new questions!

Today's CCNA question:

What term describes the amount of bandwidth that will be available to a frame relay provider's customer?

A. BA

B. DE

C. DC

D. CIR

E. BE

F. BC

Today's BSCI question:

Cisco OSPF design guidelines state that a router should be in no more than how many areas?

A. Two

B. Three

C. Four

D. Five


Today's BCMSN Question:

Which of the following switches will become the root bridge?

A. Switch A, with a BID of 24768:aa-aa-aa-aa-aa-aa

B. Switch B, with a BID of 24768:bb-bb-bb-bb-bb-bb

C. Switch C, with a BID of 24768:cc-cc-cc-cc-cc-cc

D. Switch D, with a BID of 32768:dd-dd-dd-dd-dd-dd


Answers will be posted on Saturday, along with three new questions!

Thursday, March 30, 2006

I always swore that when I got to the top of the Cisco Certification mountain, I'd never turn into one of those guys who act like they know everything and were born that way. Part of that promise to myself included remembering what it's like to see a technology for the first time, or to wonder "why would anyone use that?"

I definitely remember thinking that the first time I learned about Trivial File Transfer Protocol, or TFTP. Sure, I memorized the port number in my Intro studies (as you probably did), but I didn't really understand why anyone would use it. Why would you ever use TFTP instead of FTP? As someone once said to me, "When I transfer files, there's nothing trivial about it!"

Of course, the major drawback of TFTP is that it has no security features, and this includes a lack of password capabilities. Those of you who know your ISDN and have ever read one of my tutorials on that subject know that I warn you against using Password Authentication Protocol (PAP), since PAP sends a clear-text password across an ISDN link. So if I warn you against using PAP in the real world, why would I tell you to know TFTP?

TFTP is used in the Cisco world to perform IOS upgrades and to save configs to a TFTP Server. Cisco routers can themselves serve as TFTP servers, or you can use a workstation to fill that role.

If you needed to copy an IOS image to a router, for example, you could do so easily by connecting your PC to the router’s console port (via a rollover cable, right?). Your PC would need to run TFTP server software. There are quite a few free TFTP server software programs that work quite well – just enter “free tftp server” into Google or your favorite search engine and you’ll see what I mean.

Using TFTP in this fashion is a great way to have backup copies of IOS images or router configs right on your laptop. And take it from me, when the day comes that you need those backups, you’ll be glad you did!

The copy command tends to be a little confusing when you first start using it. Remember that when using the copy command, you first indicate where you’re copying from, then where you’re copying to:

R1#copy flash tftp
Source filename []? Example
Address or name of remote host []?

When performing such a copy, you’ll need to name the file you’re copying, as well as the IP address of the device you’re copying to. IOS filenames can be a little long, so be careful when entering them.
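The "no security features" point is visible in the packet format itself. The Python below is an added example, not part of the original post: it parses RFC 1350 request packets (opcode, filename, mode, and nothing else) and flags config or image transfers from clients outside an allow list, since the source address is all a TFTP server can check. The packets, addresses and image name are constructed.

```python
import struct

# RFC 1350 opcodes. A request carries only a filename and a transfer mode;
# the protocol has no field for a username or password.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def parse_tftp(payload: bytes) -> dict:
    """Decode the UDP payload of a TFTP packet (requests fully, other types by opcode)."""
    if len(payload) < 2:
        raise ValueError("truncated TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    kind = OPCODES.get(opcode)
    if kind is None:
        raise ValueError(f"unknown opcode {opcode}")
    if kind in ("RRQ", "WRQ"):
        fields = payload[2:].split(b"\x00")   # filename NUL mode NUL -> [name, mode, b""]
        if len(fields) < 3:
            raise ValueError("malformed request")
        return {"type": kind, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if kind in ("DATA", "ACK"):
        (block,) = struct.unpack("!H", payload[2:4])
        return {"type": kind, "block": block}
    return {"type": kind}

def flag_transfers(packets, allowed_clients):
    """Flag requests for IOS images or configs from clients not on the allow list.
    Since TFTP cannot authenticate, the source address is the only control point."""
    alerts = []
    for src, payload in packets:
        pkt = parse_tftp(payload)
        if pkt["type"] not in ("RRQ", "WRQ"):
            continue
        name = pkt["filename"].lower()
        if src not in allowed_clients and (name.endswith(".bin") or "confg" in name):
            alerts.append(f"{src} {pkt['type']} {pkt['filename']}")
    return alerts

def request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build an RRQ (1) or WRQ (2) payload; used here only to construct sample packets."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

# Constructed (source IP, UDP payload) pairs, not a real capture; "<host>-confg" is the
# default name IOS proposes for "copy run tftp", and the image name is a placeholder.
SAMPLE_PACKETS = [
    ("10.1.1.5", request(2, "R1-confg")),               # R1 backing up its config
    ("10.1.1.5", request(1, "c2500-image.bin")),        # R1 pulling an IOS image
    ("192.0.2.77", request(1, "R1-confg")),             # unexpected client reading a config
    ("10.1.1.5", struct.pack("!HH", 4, 1)),             # ACK for block 1
]
```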

Using TFTP to perform IOS upgrades takes a little getting used to, especially the syntax of the copy command. But knowing that syntax and how to use TFTP will indeed get you one step closer to the CCNA!

To your Cisco success,

Chris Bryant
CCIE #12933

Wednesday, March 29, 2006

Cisco CCNP / BSCI Exam Tutorial: Configuring EIGRP Packet Authentication

Configuring RIPv2 and EIGRP authentication with key chains can be tricky at first, and the syntax isn't exactly easy to remember. But for BSCI and CCNP exam success, we've got to be able to perform this task.

In a previous tutorial, we saw how to configure RIPv2 packet authentication, with both clear-text and MD5 authentication schemes. EIGRP authentication is much the same, and has the text and MD5 authentication options as well. But EIGRP being EIGRP, the command just has to be a little more detailed!

As with RIPv2, the authentication mode must be agreed upon by the EIGRP neighbors. If one router's interface is configured for MD5 authentication and the remote router's interface is configured for text authentication, the adjacency will fail even if the two interfaces in question are configured to use the same password.

We'll now configure link authentication on the adjacency over an Ethernet segment. Below, you'll see how to configure a key chain called EIGRP on both routers, use key number 1, and use the key-string BSCI. Run show key chain on a router to see all key chains.

R2(config)#key chain EIGRP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string BSCI


R2#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]


R3(config)#key chain EIGRP
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string BSCI


R3#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]


The EIGRP command to apply the key chain is a bit of a pain to remember, because the protocol and AS number are identified in the middle of the command, not the beginning. Also note that two commands are needed - one to name the key chain, another to define the authentication mode in use.

R2(config)#interface ethernet0
R2(config-if)#ip authentication key-chain eigrp 100 EIGRP
R2(config-if)#ip authentication mode eigrp 100 md5


5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.3 (Ethernet0) is down: keychain changed

R3(config)#interface ethernet0
R3(config-if)#ip authentication key-chain eigrp 100 EIGRP
R3(config-if)#ip authentication mode eigrp 100 md5


5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.2 (Ethernet0) is up

As with RIPv2, the existing adjacency was torn down when one side was configured with authentication. If the key chain is correctly defined and applied on both sides, the adjacency will come back up. Always run show ip eigrp neighbor to make sure the adjacency is present.
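As an added example, not from this tutorial or from Cisco, the Python model below captures the rules just described: a key chain with key ids, key-strings and accept/send lifetimes, and a neighbor check that fails on a mode mismatch even when the key-string is identical. The keyed-MD5 digest and the Hello payload are simplified placeholders, not Cisco's actual EIGRP packet format.

```python
import hashlib
from dataclasses import dataclass, field
# Model of IOS key chains as "show key chain" displays them: key id, key-string and
# accept/send lifetimes ((None, None) = "always valid"). The digest is a simplified
# keyed MD5 for illustration, not Cisco's exact EIGRP authentication TLV layout.

@dataclass
class Key:
    key_id: int
    key_string: str
    send: tuple = (None, None)       # (start, end) as epoch seconds; None = unbounded
    accept: tuple = (None, None)
@dataclass
class Router:
    name: str
    mode: str = None                 # None (no authentication), "text" or "md5"
    chain: list = field(default_factory=list)

def in_lifetime(window, now):
    return (window[0] is None or window[0] <= now) and (window[1] is None or now <= window[1])

def digest(payload: bytes, key: Key) -> bytes:
    return hashlib.md5(payload + key.key_string.encode()).digest()

def build_auth(sender: Router, payload: bytes, now):
    """Authentication data a Hello would carry: mode, key id, and digest or clear-text key."""
    keys = sorted((k for k in sender.chain if in_lifetime(k.send, now)), key=lambda k: k.key_id)
    if sender.mode is None or not keys:
        return {"mode": sender.mode, "key_id": None, "auth": None}
    k = keys[0]   # the model sends with the lowest-numbered key whose send lifetime is valid
    return {"mode": sender.mode, "key_id": k.key_id,
            "auth": k.key_string if sender.mode == "text" else digest(payload, k)}

def accept_hello(receiver: Router, payload: bytes, msg: dict, now):
    """Decide as the receiving router would; returns (accepted, reason)."""
    if receiver.mode != msg["mode"]:
        return False, "authentication mode mismatch"
    if receiver.mode is None:
        return True, "no authentication configured"
    k = next((k for k in receiver.chain if k.key_id == msg["key_id"]), None)
    if k is None or not in_lifetime(k.accept, now):
        return False, f"no valid accept key with id {msg['key_id']}"
    expected = k.key_string if receiver.mode == "text" else digest(payload, k)
    return expected == msg["auth"], ("key-string match" if expected == msg["auth"] else "key-string mismatch")
# Constructed scenario from the tutorial: key chain EIGRP, key 1, key-string BSCI.
HELLO = b"EIGRP hello AS 100 from 172.12.23.2"   # placeholder payload, not a real packet
R2 = Router("R2", "md5", [Key(1, "BSCI")])
R3 = Router("R3", "md5", [Key(1, "BSCI")])
R3_TEXT = Router("R3", "text", [Key(1, "BSCI")])   # same key-string, different mode
R3_WRONG = Router("R3", "md5", [Key(1, "bsci")])   # key-strings are case-sensitive
```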

Learn the details of EIGRP key chains by configuring them on your home lab equipment, and you'll be more than ready for BSCI exam success!

Chris Bryant
CCIE #12933

Welcome to The Bryant Advantage blog! I'll be posting my newest Cisco Certification tutorials and articles here on a daily basis, as well as certification program updates, IT news, and who knows what else! Enjoy!
