Managing Configuration Register

All Cisco routers have a 16-bit software register that's written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. In the following sections, I will discuss the configuration register settings and how to use these settings to provide password recovery on your routers.

Understanding the Configuration Register Bits

The 16 bits (2 bytes) of the configuration register are read from 15 to 0, from left to right. The default configuration setting on Cisco routers is 0x2102. This means that bits 13, 8, and 1 are on, as shown in Table 5.2. Notice that each set of 4 bits (called a nibble) is read in binary with a value of 8, 4, 2, 1.

TABLE 5.2 The configuration register bit numbers


Add the prefix 0x to the configuration register address. The 0x means that the digits that follow are in hexadecimal.

Table 5.3 lists the software configuration bit meanings. Notice that bit 6 can be used to ignore the NVRAM contents. This bit is used for password recovery—something I'll go over with you in the section “Recovering Passwords” later in this chapter.

Remember that in hex, the scheme is 0–9 and A–F (A = 10, B = 11, C = 12, D = 13, E = 14, and F = 15). This means that in a 210F setting for the configuration register, the last digit is actually 15, or 1111 in binary.

TABLE 5.3 Software configuration meanings


The boot field, which consists of bits 0–3 in the configuration register, controls the router boot sequence. Table 5.4 describes the boot field bits.

TABLE 5.4 The boot field (configuration register bits 00–03)


Checking the Current Configuration Register Value

You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as demonstrated here:

Router>sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version
    12.4(12), RELEASE SOFTWARE (fc1)
[output cut]
Configuration register is 0x2102

The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence.

Notice that the show version command also provides the IOS version, and in the preceding example, it shows the IOS version as 12.4(12).

The show version command will display system hardware configuration information, software version, and the names of the boot images on a router.

Changing the Configuration Register

You can change the configuration register value to modify how the router boots and runs, as well as perform password recovery. These are the main reasons you would want to change the configuration register:

  • To force the system into the ROM monitor mode
  • To select a boot source
  • To enable or disable the Break function
  • To control broadcast addresses
  • To set the console terminal baud rate
  • To load operating software from ROM
  • To enable booting from a Trivial File Transfer Protocol (TFTP) server

Before you change the configuration register, make sure you know the current configuration register value. Use the show version command to get this information.

You can change the configuration register by using the config-register command. Here's an example. The following commands tell the router to boot a small IOS from ROM and then show the current configuration register value:

Router(config)#config-register 0x2101
Router(config)#^Z
Router#sh ver
[output cut]
Configuration register is 0x2102 (will be 0x2101 at next
  reload)

Notice that the show version command displays the current configuration register value and also what that value will be when the router reboots. Any change to the configuration register won't take effect until the router is reloaded. The 0x2101 will load the IOS from ROM the next time the router is rebooted. You may see it listed as 0x101—that's basically the same thing, and it can be written either way.

Here is my router after setting the configuration register to 0x2101 and reloading:

Router(boot)#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version
  12.4(12), RELEASE SOFTWARE (fc1)
[output cut]

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Router uptime is 3 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advsecurityk9-mz.124-12.bin"
[output cut]

Configuration register is 0x2101

At this point, if you typed show flash, you'd still see the IOS in flash memory ready to go. But I told the router to load from ROM, which is why the hostname shows up with (boot).

Router(boot)#sh flash
-#- -length- ---date/time--- path
1     21710744 Jan 2 2007 22:41:14 +00:00 c2800nm-advsecurityk9-mz.124-12.bin
2         1823 Dec 5 2006 14:46:26 +00:00 sdmconfig-2811.cfg
3      4734464 Dec 5 2006 14:47:12 +00:00 sdm.tar
4       833024 Dec 5 2006 14:47:38 +00:00 es.tar
5      1052160 Dec 5 2006 14:48:10 +00:00 common.tar
6         1038 Dec 5 2006 14:48:32 +00:00 home.shtml
7       102400 Dec 5 2006 14:48:54 +00:00 home.tar
8       491213 Dec 5 2006 14:49:22 +00:00 128MB.sdf
9      1684577 Dec 5 2006 14:50:04 +00:00 securedesktop-ios-3.1.1.27-k9.pkg
10      398305 Dec 5 2006 14:50:34 +00:00 sslclient-win-1.1.0.154.pkg

32989184 bytes available (31027200 bytes used)

So, even though I have the full IOS in flash, I changed the default loading of the router's software by changing the configuration register. If you want to set the configuration register back to the default, just type this:

Router(boot)#config t
Router(boot)(config)#config-register 0x2102
Router(boot)(config)#^Z
Router(boot)#reload

In the next section, I'll show you how to load the router into ROM monitor mode so you can perform password recovery.

Recovering Passwords

If you're locked out of a router because you forgot the password, you can change the configuration register to help you get back on your feet. As I said earlier, bit 6 in the configuration register is used to tell the router whether to use the contents of NVRAM to load a router configuration.

The default configuration register value is 0x2102, meaning that bit 6 is off. With the default setting, the router will look for and load a router configuration stored in NVRAM (startup-config). To recover a password, you need to turn on bit 6. Doing this will tell the router to ignore the NVRAM contents. The configuration register value to turn on bit 6 is 0x2142.

Here are the main steps to password recovery:

  1. Boot the router and interrupt the boot sequence by performing a break, which will take the router into ROM monitor mode.
  2. Change the configuration register to turn on bit 6 (with the value 0x2142).
  3. Reload the router.
  4. Enter privileged mode.
  5. Copy the startup-config file to running-config.
  6. Change the password.
  7. Reset the configuration register to the default value.
  8. Save the router configuration.
  9. Reload the router (optional).

I'll cover these steps in more detail in the following sections. I'll also show you the commands to restore access to ISR, 2600, and even 2500 series routers. (You can still use 2500s for labs, and you never know when you might need this information!)

As I said, you can enter ROM monitor mode by pressing Ctrl+Break during router bootup. But if the IOS is corrupt or missing, if there's no network connectivity available to find a TFTP host, or if the mini-IOS from ROM doesn't load (meaning the default router fallback failed), the router will enter ROM monitor mode by default.

Interrupting the Router Boot Sequence

Your first step is to boot the router and perform a break. This is usually done by pressing the Ctrl+Break key combination when using HyperTerminal (personally, I use SecureCRT or PuTTY) while the router first reboots.

After you've performed a break, you should see something like this for a 2600 series router (it is pretty much the same output for the ISR series):

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2600 platform with 32768 Kbytes of main memory
PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374
monitor: command “boot” aborted due to user interrupt
rommon 1 >

Notice the line monitor: command “boot” aborted due to user interrupt. At this point, you will be at the rommon 1> prompt, which is called the ROM monitor mode.

Changing the Configuration Register

As I explained earlier, you can change the configuration register from within the IOS by using the config-register command. To turn on bit 6, use the configuration register value 0x2142.

Remember that if you change the configuration register to 0x2142, the startup-config will be bypassed, and the router will load into setup mode.

Cisco ISR/2600 Series Commands

To change the bit value on a Cisco ISR/2600 series router, you just enter the confreg command at the rommon 1> prompt.

rommon 1 >confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 >reset

Cisco 2500 Series Commands

To change the configuration register on a 2500 series router, type o after creating a break sequence on the router. This brings up a menu of configuration register option settings. To change the configuration register, enter the command o/r, followed by the new register value. Here's an example of turning on bit 6 on a 2501 router:

System Bootstrap, Version 11.0(10c), SOFTWARE
Copyright (c) 1986-1996 by cisco Systems
2500 processor with 14336 Kbytes of main memory
Abort at 0x1098FEC (PC)
>o
Configuration register = 0x2102 at last boot
Bit#    Configuration register option settings:
15      Diagnostic mode disabled
14      IP broadcasts do not have network numbers
13      Boot default ROM software if network boot fails
12-11   Console speed is 9600 baud
10      IP broadcasts with ones
08      Break disabled
07      OEM disabled
06      Ignore configuration disabled
03-00   Boot file is cisco2-2500 (or 'boot system' command)
>o/r 0x2142

Notice that the last entry in the router output is 03-00. This tells the router what the IOS boot file is. By default, the router will use the first file found in the flash memory, so if you want to boot a different filename, you can use the boot system flash:ios_name command. (I'll show you the boot system command in a minute.)

Reloading the Router and Entering Privileged Mode

At this point, you need to reset the router like this:

  • From the ISR/2600 series router, type I (for initialize) or reset.
  • From the 2500 series router, type I.

The router will reload and ask if you want to use setup mode (because no startup-config is used). Answer no to entering setup mode, press Enter to go into user mode, and then type enable to go into privileged mode.

Viewing and Changing the Configuration

Now you're past the point where you would need to enter the user-mode and privileged-mode passwords in a router. Copy the startup-config file to the running-config file:

copy startup-config running-config

or use this shortcut:

copy start run

The configuration is now running in random access memory (RAM), and you're in privileged mode, meaning that you can now view and change the configuration. But you can't view the enable secret setting for the password since it is encrypted. To change the password, do this:

config t
enable secret todd

Resetting the Configuration Register and Reloading the Router

After you're finished changing passwords, set the configuration register back to the default value with the config-register command.

config t
config-register 0x2102

Finally, save the new configuration with a copy running-config startup-config and reload the router with reload.

If you save your configuration and reload the router and it comes up in setup mode, the configuration register setting is probably incorrect.
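
The bit layout from "Understanding the Configuration Register Bits" and the register line of show version can be checked mechanically, for example to catch a router left at 0x2142 after password recovery. The following Python sketch is an added example, not part of the original chapter; the function names decode and audit are hypothetical, and the sample inputs are constructed from register values that appear on this page.

```python
import re

# Matches the register line of "show version", including the wrapped
# "(will be 0x.... at next reload)" suffix shown earlier on this page.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next\s+reload\))?")

def decode(value):
    """Split a register value into the fields this chapter discusses."""
    boot = value & 0xF  # bits 0-3: boot field
    source = {0: "ROM monitor", 1: "mini-IOS in ROM"}.get(
        boot, "boot system commands, then flash")
    return {
        "hex": f"0x{value:04X}",
        "bits_on": [b for b in range(15, -1, -1) if (value >> b) & 1],
        "boot_source": source,
        "ignore_nvram": bool(value & (1 << 6)),    # bit 6
        "break_disabled": bool(value & (1 << 8)),  # bit 8
    }

def audit(show_version_text):
    """Return (current, pending, findings) for one router's output."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    to_check = [("current", current)]
    if pending != current:
        to_check.append(("next reload", pending))
    findings = []
    for label, value in to_check:
        d = decode(value)
        if d["ignore_nvram"]:
            findings.append(f"{label} {d['hex']}: bit 6 on, startup-config is bypassed")
        if (value & 0xF) < 2:
            findings.append(f"{label} {d['hex']}: boots to {d['boot_source']}")
        if not d["break_disabled"]:
            findings.append(f"{label} {d['hex']}: bit 8 off, console Break is honored")
    return current, pending, findings

# Constructed inputs built from register values that appear on this page.
SAMPLES = {
    "default": "Configuration register is 0x2102",
    "pending": "Configuration register is 0x2102 (will be 0x2101 at next\n  reload)",
    "left-in-recovery": "Configuration register is 0x2142",
}
if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text)[2])
```

A router that reports a finding for bit 6 will come up without its startup-config, and therefore without its passwords, on the next reload.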

Boot System Commands

Did you know that you can configure your router to boot another IOS if the flash is corrupted? Well, you can. In fact, you just might want all your routers to boot from a TFTP host each time anyway because that way, you'll never have to upgrade each router individually. This may be a smooth way to go because it allows you to just change one file on a TFTP host to perform an upgrade.

There are some boot commands you can play with that will help you manage the way your router boots the Cisco IOS—but remember, I'm talking about the router's IOS here, not the router's configuration!

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#boot ?
  bootstrap  Bootstrap image file
  config     Configuration file
  host       Router-specific config file
  network    Network-wide config file
  system     System image file

The boot command truly gives you a wealth of options, but first, I'll show you the typical settings that Cisco recommends. So, let's get started—the boot system command will allow you to tell the router which file to boot from flash memory. Remember that the router, by default, boots the first file found in flash. You can change that with the following commands:

Router(config)#boot system ?
  WORD  TFTP filename or URL
  flash Boot from flash memory
  ftp   Boot from a server via ftp
  mop   Boot from a Decnet MOP server
  rcp   Boot from a server via rcp
  rom   Boot from rom
  tftp  Boot from a tftp server
Router(config)#boot system flash c2800nm-advsecurityk9-mz.124-12.bin

The preceding command configures the router to boot the IOS listed in it. This is a helpful command for when you load a new IOS into flash and want to test it or even when you want to totally change which IOS is loading by default.

The next command is considered a fallback routine, but as I said, you can make it a permanent way to have your routers boot from a TFTP host. Personally, I wouldn't necessarily recommend doing this (single point of failure); I'm just showing you that it's possible.

Router(config)#boot system tftp ?
  WORD System image filename
Router(config)#boot system tftp c2800nm-advsecurityk9-mz.124-12.bin ?
  Hostname or A.B.C.D Address from which to download the file
  <cr>
Router(config)#boot system tftp c2800nm-advsecurityk9-mz.124-12.bin 1.1.1.2
Router(config)#

As your last recommended fallback option—the one to go to if the IOS in flash doesn't load and the TFTP host does not produce the IOS—load the mini-IOS from ROM like this:

Router(config)#boot system rom
Router(config)#do show run | include boot system
boot system flash c2800nm-advsecurityk9-mz.124-12.bin
boot system tftp c2800nm-advsecurityk9-mz.124-12.bin 1.1.1.2
boot system rom
Router(config)#

To sum this up, I now have Cisco's suggested IOS backup routine configured on my router: flash, TFTP host, ROM.
