Friday, April 16, 2010

"Wait, I thought you knew the password..."

"My voice is my passport. Verify me."

So, there you are, with a Cisco 2800 series router that you need to reconfigure. And you're all set to take some downtime, reconfigure it, and drop back into service.

Only you don't have the password for it. The password is lost, or forgotten, or was typo'd initially. Something like that. Which makes any further configuration tasks kind of difficult.

Password recovery on the Cisco 2800 is pretty trivial. You don't even have to do a full wipe to factory defaults, so no configuration data is lost. You need to be able to power cycle the router, so you need to have either physical access or the ability to remotely control whatever outlet is feeding your router. If you've got that, then it just takes a console connection and about 10 minutes of downtime. Non-enable exec access to the unprivileged command line interface is helpful, but not required.

First, make sure you know how to send a "break" signal with whatever you're using to connect to the console - whether directly to the console from a serial port on your computer, or via some kind of remote console server.

Connect to your router's console port. If you've got the CLI access, run the command "sh ver | inc register". Your output should be something like:
Configuration register is 0x2102

Make a note of that hexadecimal number. If you don't have CLI access, just assume it's 0x2102, because that's almost certainly what it is.

This is the configuration register, which tells the router important things at boot time, like "Should I load IOS? Should I load the config that's in my NVRAM?" What you need to do is tell it that, in fact, it should not load the NVRAM config on boot. This is done by modifying the config register. To do that, you need to get into "rommon" mode.

Power cycle your router, and then send the "break" sequence within the first 60 seconds of power-on.

It should display a message "System received an abort due to break key", and then a bit more text, and then the "rommon 1>" prompt. If it starts to self-decompress its IOS image, you've missed your opportunity and you'll need to power cycle the router and try sending the break sequence again.

Change the value for the configuration register with the command
confreg 0x2142

Reset the router with the "reset" command. At this point, the router should go through its normal boot sequence, decompressing the IOS image and starting up IOS. But since it's not loading the configuration from NVRAM, it will ask you if you want to go through the initial configuration dialog, just as if it were a new router out of the box. You don't want the guided setup, so you can answer "n" to the question:

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Hit return a few times to get to the "Router>" prompt, and then go into enable mode -- you will not be prompted for a password -- and then tell the router to load the "startup-config" configuration from NVRAM into running memory.

Router#copy startup-config running-config
Destination filename [running-config]?

You should then see messages about interfaces coming up and other normal messages as the router processes your config information. Once it's done with that, you should have a prompt for the configured hostname of your router. At this point, you can change the passwords and enable secrets as normal, enable your live interfaces, and then save the config to NVRAM to save your changes.

MyPetRouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
MyPetRouter(config)# (stuff to bring your interfaces up)
MyPetRouter(config)#ena sec Y0ullNeverGuess
MyPetRouter(config)#line con 0
MyPetRouter(config-line)#pass ThisIsMyPW
! "login" is needed here; without it the console password is never asked for
MyPetRouter(config-line)#login
MyPetRouter(config-line)#line vty 0 15
MyPetRouter(config-line)#pass ThisIsMyPW
MyPetRouter(config-line)#end
MyPetRouter#
09:22:00: %SYS-5-CONFIG_I: Configured from console by console
MyPetRouter#wr m
Building configuration...
[OK]

Take a look at the configuration, and the interfaces, and verify that the router looks like you want it to -- that interfaces are up and happy. You don't want to be accidentally saving a config that has all your interfaces in "shutdown" mode. Since "no shut" is the default state, the config you loaded won't include the "no shut" commands explicitly. So make sure all your active interfaces are up.

Now, you need to reset the configuration register to the previous value so that the next time the router reboots, it will read the NVRAM config.

MyPetRouter(config)#config-register 0x2102
MyPetRouter(config)#end
MyPetRouter#
09:29:00: %SYS-5-CONFIG_I: Configured from console by console

Do a "sh ver" to make sure the configuration register reads "0x2102". If you have the spare time in your downtime window and you want to be extra sure, do a clean reload on the router and make sure it comes up happily. Because nothing sucks like being locked out of a router because of something you did in an attempt to not be locked out of a router.
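As an added example (not from the original post), a small Python helper that decodes the two register values used above from the "sh ver" output and flags a router that will still ignore NVRAM on its next reload. The bit meanings follow Cisco's documented register layout; the sample output lines are constructed, and the function names are mine.

```python
import re

# Configuration-register bits relevant to this procedure (Cisco's documented
# layout). Bits not listed (console baud rate, broadcast and diagnostic
# options) are left alone by the recovery steps.
IGNORE_NVRAM = 0x0040              # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100            # bit 8: console break ignored once IOS is up
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13
BOOT_FIELD_MASK = 0x000F           # bits 0-3: 0x0 rommon, 0x1 first flash image

# Matches both the plain line and the "(will be ... at next reload)" form
# that IOS prints after config-register has been changed.
REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_register(show_version_output):
    """Return (current, next_reload) from 'show version' text.
    next_reload equals current when no pending change is shown."""
    m = REGISTER_RE.search(show_version_output)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def describe(register):
    """Break a register value into the fields this procedure cares about."""
    boot = register & BOOT_FIELD_MASK
    return {
        "boot_field": {0: "rommon", 1: "first image in flash"}.get(boot, "boot system / flash"),
        "ignore_nvram": bool(register & IGNORE_NVRAM),
        "break_disabled": bool(register & BREAK_DISABLED),
        "boot_rom_on_netboot_fail": bool(register & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def recovery_left_open(show_version_output):
    """True when the value that takes effect at next reload still ignores NVRAM,
    i.e. the router would come back unconfigured and passwordless after a reboot."""
    _, pending = parse_register(show_version_output)
    return bool(pending & IGNORE_NVRAM)


# Constructed sample lines in the format IOS prints
SAMPLE_NORMAL = "Configuration register is 0x2102"
SAMPLE_RESTORED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
SAMPLE_FORGOTTEN = "Configuration register is 0x2142"
```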


About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.