Password Recovery on Routers and Switches


• Relates to: CCNA | CCNP

Now you've done it. You can't remember the password for your Cisco Router or Catalyst Switch. Or maybe you never even knew it - say, this is a used router or switch and its former owner can't be found, isn't talking . . . Whatever.

This isn't good.

Not that it won't run. After all, a router doesn't require a password to function (Imagine if it did. All those users on the network that need to get from one end of the network to the other - a nightmare). So, sure, it'll boot just fine, it'll run just fine. But Heaven help you if you want to reconfigure the thing. Without the router/switch password, you will enable or disable nothing.

So let's say it's time to reconfigure and, try as you might, you simply cannot recall the password or you never knew it. Luckily, this is router/switch configuration, not rocket science. Losing the password is a problem. The solution is called password recovery, though I cannot explain to you why because recovering the password isn't the only option.

Now, this article may make it look cut and dried - and, for the most part, it is - but bear in mind there is a certain lack of uniformity in password recovery from platform to platform. There are almost as many ways to effect password recovery as there are Cisco routers and Catalyst switches. Recovery procedures vary and depend, in large part, on the platform and IOS version. On most of these platforms, you can do password recovery without changing hardware jumpers, but you will be required to reboot the router.

This article assumes you are familiar with decimal to hexadecimal conversion. I'm also assuming you know how the configuration register applies that hex number to its 2-byte numbering scheme. If this is still a mystery to you, read the Cramsession on Hex first.

And remember this: Password recovery can be done ONLY from a console port physically attached to the router. You will not be able to dial into the router or switch to do password recovery.

All that said, there are some general rules and guidelines. For instance, there are three ways to restore access to a router's configuration:

  1. VIEW the password.
  2. CHANGE the password.
  3. ERASE the router/switch's configuration and start from scratch.

Each of the procedures described above follows these basic steps:

  1. Change the configuration register to tell the bootstrap program to ignore the current NVRAM file at bootup. This is often called placing the router in "test system mode."
  2. Reboot the system.
  3. Access enable mode (this can be done without a password so long as you're in test system mode).
  4. Decide whether to VIEW the password, CHANGE the password or ERASE the configuration and start from square 1.
  5. Reset the register back to its original status so the router/switch will boot up and read the NVRAM as it does normally.
  6. Reboot.

Simple, right? Well, it can be. Sometimes it isn't. Here's more of a breakdown.

One step that trips up many a tech is the "break signal." Some platforms, while running password recovery, require a terminal to issue a Break signal. Whether you'll need to do this will depend on how your terminal or PC terminal emulator issues this signal. Typically, the break key sequence will be Ctrl+C. However, the key sequence can be very different. For example, in ProComm, the keys Alt-B will, by default, generate a Break signal. In Windows 2000, the sequence is Ctrl+Break. In Apple's Z Terminal, it's Command+B. The break key sequence interrupts the regular boot process and the ROM monitor prompt will appear.

What you do at this point will vary but, generally, you will enter "0" and press the Enter key to view the router's present register settings. The sixth register bit should be disabled. This is where you'll take the next step. The sixth register bit controls whether the bootstrap will ignore or use the NVRAM configuration file. If it's set to ignore the NVRAM configuration file, then NVRAM will not load.

Enable the sixth register bit to ignore NVRAM by issuing o/r 0x2142 at the prompt.
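The register change above and the later "reset the register" step can be checked from a device's `show version` output. The following is an added example, not part of the original article: it decodes a register value and flags a device whose register still has bit 6 set. It assumes 0x2102 as the normal value (the article does not name one), the usual `Configuration register is ...` line format, and constructed sample lines.

```python
import re

# Configuration-register bit masks used below.
IGNORE_NVRAM = 0x0040    # bit 6: bootstrap ignores the NVRAM configuration file
BREAK_DISABLED = 0x0100  # bit 8: Break disabled
BOOT_FIELD = 0x000F      # bits 0-3: boot field

# Register line as printed at the end of "show version"; the pending value
# appears only when the register was changed since the last boot.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Break a register value into the fields relevant to password recovery."""
    return {
        "value": f"0x{value:04X}",
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_field": value & BOOT_FIELD,
    }

def audit(show_version_text):
    """Return (current, pending, findings) for one device's show version text."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if current & IGNORE_NVRAM:
        findings.append("booted with NVRAM ignored (recovery mode)")
    if pending & IGNORE_NVRAM:
        findings.append("next reload will skip the saved configuration")
    return decode(current), decode(pending), findings

# Constructed sample lines, not captured from a real device.
SAMPLES = {
    "mid-recovery": "Configuration register is 0x2142",
    "register reset, reboot pending":
        "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "normal": "Configuration register is 0x2102",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        current, pending, findings = audit(text)
        print(label, current["value"], "->", pending["value"], findings or "ok")
```

A device that reports the second finding will come up unconfigured, and therefore without passwords, on its next reload, which is why the register reset step matters.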

Now you've done it (just kidding). You'll get a warning message from the router telling you that the NVRAM is missing or invalid, possibly due to a write erase. This will not concern you because you will remember what you've just done with that sixth bit. You also will suddenly find yourself logged into the router without a password. Kewl.

At the prompt, type "i" to initialize the router.

On bootup, type "no" at the initial configuration dialog prompt to bypass it. This will bring up the default prompt (router>) and you need to enter privileged exec mode by typing...

© 1999 - 2010 CramSession. All Rights Reserved.