All Cisco routers have a 16-bit software register that's written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. In the following sections, I will discuss the configuration register settings and how to use these settings to provide password recovery on your routers.
The 16 bits (2 bytes) of the configuration register are read from 15 to 0, from left to right. The default configuration setting on Cisco routers is 0x2102. This means that bits 13, 8, and 1 are on, as shown in Table 5.2. Notice that each set of 4 bits (called a nibble) is read in binary with a value of 8, 4, 2, 1.
Add the prefix 0x to the configuration register address. The 0x means that the digits that follow are in hexadecimal.
Table 5.3 lists the software configuration bit meanings. Notice that bit 6 can be used to ignore the NVRAM contents. This bit is used for password recovery—something I'll go over with you in the section “Recovering Passwords” later in this chapter.
Remember that in hex, the scheme is 0–9 and A–F (A = 10, B = 11, C = 12, D = 13, E = 14, and F = 15). This means that a 210F setting for the configuration register is actually 210(15), or 1111 in binary.
The boot field, which consists of bits 0–3 in the configuration register, controls the router boot sequence. Table 5.4 describes the boot field bits.
You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as demonstrated here:
Router>sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
[output cut]
Configuration register is 0x2102
The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence.
Notice that the show version command also provides the IOS version, and in the preceding example, it shows the IOS version as 12.4(12).
The show version command will display system hardware configuration information, software version, and the names of the boot images on a router.
You can change the configuration register value to modify how the router boots and runs, as well as perform password recovery. These are the main reasons you would want to change the configuration register:
Before you change the configuration register, make sure you know the current configuration register value. Use the show version command to get this information.
You can change the configuration register by using the config-register command. Here's an example. The following commands tell the router to boot a small IOS from ROM and then show the current configuration register value:
Router(config)#config-register 0x2101
Router(config)#^Z
Router#sh ver
[output cut]
Configuration register is 0x2102 (will be 0x2101 at next reload)
Notice that the show version command displays the current configuration register value and also what that value will be when the router reboots. Any change to the configuration register won't take effect until the router is reloaded. The 0x2101 will load the IOS from ROM the next time the router is rebooted. You may see it listed as 0x101—that's basically the same thing, and it can be written either way.
Here is my router after setting the configuration register to 0x2101 and reloading:
Router(boot)#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
[output cut]
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Router uptime is 3 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advsecurityk9-mz.124-12.bin"
[output cut]
Configuration register is 0x2101
At this point, if you typed show flash, you'd still see the IOS in flash memory ready to go. But I told the router to load from ROM, which is why the hostname shows up with (boot).
Router(boot)#sh flash
-#- -length- ---date/time--- path
1 21710744 Jan 2 2007 22:41:14 +00:00 c2800nm-advsecurityk9-mz.124-12.bin
2 1823 Dec 5 2006 14:46:26 +00:00 sdmconfig-2811.cfg
3 4734464 Dec 5 2006 14:47:12 +00:00 sdm.tar
4 833024 Dec 5 2006 14:47:38 +00:00 es.tar
5 1052160 Dec 5 2006 14:48:10 +00:00 common.tar
6 1038 Dec 5 2006 14:48:32 +00:00 home.shtml
7 102400 Dec 5 2006 14:48:54 +00:00 home.tar
8 491213 Dec 5 2006 14:49:22 +00:00 128MB.sdf
9 1684577 Dec 5 2006 14:50:04 +00:00 securedesktop-ios-3.1.1.27-k9.pkg
10 398305 Dec 5 2006 14:50:34 +00:00 sslclient-win-1.1.0.154.pkg
32989184 bytes available (31027200 bytes used)
So, even though I have the full IOS in flash, I changed the default loading of the router's software by changing the configuration register. If you want to set the configuration register back to the default, just type this:
Router(boot)#config t
Router(boot)(config)#config-register 0x2102
Router(boot)(config)#^Z
Router(boot)#reload
In the next section, I'll show you how to load the router into ROM monitor mode so you can perform password recovery.
If you're locked out of a router because you forgot the password, you can change the configuration register to help you get back on your feet. As I said earlier, bit 6 in the configuration register is used to tell the router whether to use the contents of NVRAM to load a router configuration.
The default configuration register value is 0x2102, meaning that bit 6 is off. With the default setting, the router will look for and load a router configuration stored in NVRAM (startup-config). To recover a password, you need to turn on bit 6. Doing this will tell the router to ignore the NVRAM contents. The configuration register value to turn on bit 6 is 0x2142.
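As an added example that is not from this chapter, here is a small Python helper that decodes a configuration register value into the bit meanings given above (the boot field from Table 5.4, bit 6 ignore NVRAM, bit 8 Break, bit 13 and bit 15 from Table 5.3), turns on bit 6 to show how 0x2102 becomes 0x2142, and audits show version output for a register that is not the default or that ignores NVRAM, which is what you would look for when checking whether someone has staged a startup-config bypass on a router. The function names and the sample output are my own; the bit names are the chapter's.

```python
import re

# Bit meanings as this chapter gives them (Table 5.3 and the 2500 "o" menu)
BOOT_FIELD = {0x0: "ROM monitor mode", 0x1: "boot mini-IOS from ROM"}
FLAG_BITS = {6: "ignore NVRAM contents (startup-config bypassed)",
             8: "Break disabled",
             13: "boot default ROM software if network boot fails",
             15: "diagnostic mode enabled"}
DEFAULT_REGISTER = 0x2102

def decode_register(value):
    """Describe a 16-bit configuration register value (bits read 15..0)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is 16 bits")
    boot = value & 0xF  # bits 3-0 are the boot field (Table 5.4)
    return {"boot_field": boot,
            "boot_meaning": BOOT_FIELD.get(boot, "boot from flash / boot system list"),
            "set_bits": [b for b in range(16) if value >> b & 1],
            "flags": [FLAG_BITS[b] for b in sorted(FLAG_BITS) if value >> b & 1]}

def ignore_nvram(value):
    """True when bit 6 is on, so the router skips startup-config at boot."""
    return bool(value >> 6 & 1)

def set_ignore_nvram(value):
    """Turn on bit 6: 0x2102 becomes 0x2142."""
    return value | 1 << 6

# Last line of 'show version', with or without the pending value
_REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                     r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def audit_show_version(text):
    """Return (current, next_reload, findings), or None if no register line."""
    m = _REG_RE.search(text)
    if not m:
        return None
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else current
    findings = []
    for label, v in (("current", current), ("next reload", nxt)):
        if ignore_nvram(v):
            findings.append(f"{label} register {v:#06x} ignores NVRAM (bit 6 on)")
        elif v != DEFAULT_REGISTER:
            findings.append(f"{label} register {v:#06x} is not the default 0x2102")
    return current, nxt, findings

# Constructed sample: the chapter's output with a staged change to 0x2142
SAMPLE = ("Router#sh ver\n[output cut]\n"
          "Configuration register is 0x2102 (will be 0x2142 at next reload)\n")
```

Running audit_show_version over show version output collected from each router flags a pending 0x2142 before the reload that would bypass the startup-config.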
Here are the main steps to password recovery:
1. Boot the router and interrupt the boot sequence by performing a break.
2. Change the configuration register to turn on bit 6 (with the value 0x2142).
3. Reload the router and enter privileged mode.
4. View and change the configuration.
5. Reset the configuration register to the default setting.
6. Save the new configuration.
7. Reload the router.
I'll cover these steps in more detail in the following sections. I'll also show you the commands to restore access to ISR, 2600, and even 2500 series routers. (You can still use 2500s for labs, and you never know when you might need this information!)
As I said, you can enter ROM monitor mode by pressing Ctrl+Break during router bootup. But if the IOS is corrupt or missing, if there's no network connectivity available to find a TFTP host, or if the mini-IOS from ROM doesn't load (meaning the default router fallback failed), the router will enter ROM monitor mode by default.
Your first step is to boot the router and perform a break. This is usually done by pressing the Ctrl+Break key combination when using HyperTerminal (personally, I use SecureCRT or PuTTY) while the router first reboots.
After you've performed a break, you should see something like this for a 2600 series router (it is pretty much the same output for the ISR series):
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2600 platform with 32768 Kbytes of main memory
PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374
monitor: command "boot" aborted due to user interrupt
rommon 1 >
Notice the line monitor: command “boot” aborted due to user interrupt. At this point, you will be at the rommon 1> prompt, which is called the ROM monitor mode.
As I explained earlier, you can change the configuration register from within the IOS by using the config-register command. To turn on bit 6, use the configuration register value 0x2142.
Remember that if you change the configuration register to 0x2142, the startup-config will be bypassed, and the router will load into setup mode.
To change the bit value on a Cisco ISR/2600 series router, you just enter the confreg command at the rommon 1> prompt.
rommon 1 >confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 >reset
To change the configuration register on a 2500 series router, type o after creating a break sequence on the router. This brings up a menu of configuration register option settings. To change the configuration register, enter the command o/r, followed by the new register value. Here's an example of turning on bit 6 on a 2501 router:
System Bootstrap, Version 11.0(10c), SOFTWARE
Copyright (c) 1986-1996 by cisco Systems
2500 processor with 14336 Kbytes of main memory
Abort at 0x1098FEC (PC)
>o
Configuration register = 0x2102 at last boot
Bit# Configuration register option settings:
15 Diagnostic mode disabled
14 IP broadcasts do not have network numbers
13 Boot default ROM software if network boot fails
12-11 Console speed is 9600 baud
10 IP broadcasts with ones
08 Break disabled
07 OEM disabled
06 Ignore configuration disabled
03-00 Boot file is cisco2-2500 (or "boot system" command)
>o/r 0x2142
Notice that the last entry in the router output is 03-00. This tells the router what the IOS boot file is. By default, the router will use the first file found in the flash memory, so if you want to boot a different filename, you can use the boot system flash:ios_name command. (I'll show you the boot system command in a minute.)
At this point, you need to reset the router like this:
The router will reload and ask if you want to use setup mode (because no startup-config is used). Answer no to entering setup mode, press Enter to go into user mode, and then type enable to go into privileged mode.
Now you're past the point where you would need to enter the user-mode and privileged-mode passwords in a router. Copy the startup-config file to the running-config file:
copy startup-config running-config
or use this shortcut:
copy start run
The configuration is now running in random access memory (RAM), and you're in privileged mode, meaning that you can now view and change the configuration. But you can't view the enable secret setting for the password since it is encrypted. To change the password, do this:
config t
enable secret todd
After you're finished changing passwords, set the configuration register back to the default value with the config-register command.
config t
config-register 0x2102
Finally, save the new configuration with a copy running-config startup-config and reload the router with reload.
If you save your configuration and reload the router and it comes up in setup mode, the configuration register setting is probably incorrect.
Did you know that you can configure your router to boot another IOS if the flash is corrupted? Well, you can. In fact, you just might want all your routers to boot from a TFTP host each time anyway because that way, you'll never have to upgrade each router individually. This may be a smooth way to go because it allows you to just change one file on a TFTP host to perform an upgrade.
There are some boot commands you can play with that will help you manage the way your router boots the Cisco IOS—but remember, I'm talking about the router's IOS here, not the router's configuration!
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#boot ?
bootstrap Bootstrap image file
config Configuration file
host Router-specific config file
network Network-wide config file
system System image file
The boot command truly gives you a wealth of options, but first, I'll show you the typical settings that Cisco recommends. So, let's get started—the boot system command will allow you to tell the router which file to boot from flash memory. Remember that the router, by default, boots the first file found in flash. You can change that with the following commands:
Router(config)#boot system ?
WORD TFTP filename or URL
flash Boot from flash memory
ftp Boot from a server via ftp
mop Boot from a Decnet MOP server
rcp Boot from a server via rcp
rom Boot from rom
tftp Boot from a tftp server
Router(config)#boot system flash c2800nm-advsecurityk9-mz.124-12.bin
The preceding command configures the router to boot the IOS listed in it. This is a helpful command for when you load a new IOS into flash and want to test it or even when you want to totally change which IOS is loading by default.
The next command is considered a fallback routine, but as I said, you can make it a permanent way to have your routers boot from a TFTP host. Personally, I wouldn't necessarily recommend doing this (single point of failure); I'm just showing you that it's possible.
Router(config)#boot system tftp ?
WORD System image filename
Router(config)#boot system tftp c2800nm-advsecurityk9-mz.124-12.bin ?
Hostname or A.B.C.D Address from which to download the file
<cr>
Router(config)#boot system tftp c2800nm-advsecurityk9-mz.124-12.bin 1.1.1.2
Router(config)#
As your last recommended fallback option—the one to go to if the IOS in flash doesn't load and the TFTP host does not produce the IOS—load the mini-IOS from ROM like this:
Router(config)#boot system rom
Router(config)#do show run | include boot system
boot system flash c2800nm-advsecurityk9-mz.124-12.bin
boot system tftp c2800nm-advsecurityk9-mz.124-12.bin 1.1.1.2
boot system rom
Router(config)#
To sum this up, I now have Cisco's suggested IOS backup routine configured on my router: flash, TFTP host, ROM.