Cisco Training 200-125 CCNA v3.0. Day 32: Password Recovery, XMODEM/TFTPDNLD, and Cisco License Activation

Today we will talk about recovering passwords for routers and switches, updating, reinstalling and restoring IOS, and the Cisco licensing system for the IOSv15 operating system. These are very important topics regarding network device management.


How can I recover my password? You may ask why this might be necessary. Suppose you configured the device and set all the necessary passwords: on VTY, on the console, on privileged mode, on the Telnet and SSH connection, and then forgot these passwords. It is possible that the employee of the company who installed them left and did not give you the records, or you bought a router on eBay and do not know the passwords that the previous owner set, so you cannot access the device.

In such situations, "hacker" techniques should be used. You hack a Cisco device and reset passwords, but it's not real hacking if the device is yours. This requires three things: a Break Sequence, a configuration register, and a system reboot.

You use the power switch to turn the router off and then back on so that it starts rebooting; Cisco people call this "bouncing". While the IOS image is being unpacked, you need to interrupt the boot, that is, connect to the device through the console port and send the Break Sequence. The key combination that sends the Break Sequence depends on the terminal emulation program you are using: HyperTerminal uses one combination, SecureCRT another. Below this video I provide a link, www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/12818-61.html, where you can find the key combinations for different terminal emulators, different compatibility and different operating systems.

When using boot interrupt, the router will start in ROMmon mode. ROMmon is similar to the BIOS of a computer, it is an elementary base OS that allows you to execute basic service commands. In this mode, you can use the configuration register. As you know, during the boot process, the system checks for the presence of boot settings, and if they are not there, it boots with the default settings.

Normally, the value of the router configuration register is 0x2102, which means that the startup configuration is loaded at boot. If you change this value to 0x2142 after the Break Sequence, the startup configuration will be ignored, since the system will not pay attention to the contents of the non-volatile memory (NVRAM), and the default configuration will be loaded, corresponding to the settings of the router out of the box.

Thus, to boot with default settings, you need to change the value of the configuration register to 0x2142, which literally tells the device: "please ignore the boot configuration at any boot!". Since this configuration contains all passwords, by booting with the default settings, you get free access to privileged mode. In this mode, you can reset your passwords, save your changes, reboot your system, and take full control of your device.

Now I will launch Packet Tracer and show what I just talked about. You see the network topology, consisting of a router in which you need to reset the passwords, a switch and a laptop. In all the video tutorials, I clicked on the device icon in Packet Tracer, went to the CLI console tab and configured the device. Now I want to do it differently and show how this is done on a real device.

I will connect the laptop's RS-232 serial port to the console port of the router with a console cable; in the program this is a blue cable. I don't need to configure any IP addresses because they are not needed to communicate with the router's console port.


On the laptop, I go to the Terminal tab and check the settings: 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control. Then I press the OK button, which gives me access to the router console. If we compare the information in both windows, the CLI of the R0 router and the screen of the Laptop0 laptop, it will be exactly the same.


Packet Tracer allows you to do these things, but in practice we will not use the CLI console window of the router, but will work only through the computer terminal.

So, we have a router on which we need to reset the password. You go to the laptop terminal, check the parameters, go to the router settings panel and see that access is blocked by a password! How to get there?

I go to the router, to the tab that shows it as a physical device, flip the power switch, and immediately turn it back on. You can see that a message about the self-extraction of the OS image has appeared in the terminal window. At this point, you should press Ctrl+C, which is the key combination used to switch to ROMmon mode in Packet Tracer. If you are connected via HyperTerminal, then you need to press Ctrl+Break.

You see that a line with the title rommon 1 has appeared on the screen, and if you enter a question mark, then the system will then give a number of hints about which commands can be used in this mode.


The boot option starts the internal boot process, and confreg starts the configuration register utility; this is the command we are interested in. I type confreg 0x2142 in the terminal. This means that on reboot, the information stored in NVRAM will be ignored and the router will boot with default settings as a completely new device. If I typed the confreg 0x2102 command, then the router would use the last saved boot parameters.

Next, with the reset command, I reboot the system. As you can see, after loading it, instead of prompting me to enter a password, like last time, the system simply asks if I intend to continue the setup dialog. Now we have a router with default settings, without any user configuration.


I type no followed by Enter and change from user mode to privileged mode. Since I want to view the startup configuration, I use the show startup-config command. You see the NwKing router hostname, the welcome banner, and the console password, which is the word "console". Now I know this password and I can copy it so as not to forget it, or I can change it to another one.

What I need first of all is to load the startup configuration into the current (running) router configuration. To do this, I use the copy startup-config running-config command. Now our current configuration is the previous router configuration. You can see that after that, the name of the router on the command line has changed from Router to NwKingRouter. Using the show run command, you can view the current configuration of the device, where you can see that the password for the console is the word "console"; we did not use enable password, this is correct. You need to remember that the restore "kills" the privileged mode and you are back in the user mode of the command line.

We can still make changes to the configuration register, and if the password had been set with enable secret, you obviously would not be able to decrypt it, because it is stored as a hash. So you return to global configuration mode with the config t command and set a new password. To do this, I type the enable secret enable command, or I can use any other word as a password. If you type show run, you will see that enable secret is set and the password no longer looks like the word "enable" but like a string of hashed characters, so you need not worry about security, because you have just set and protected a new password yourself.
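The difference between the readable console password and the hashed enable secret can be checked across a saved configuration. The following is an added example, not part of the original lesson: it classifies each stored credential by its IOS type digit, which goes slightly beyond the two cases shown above. The sample configuration and its hash-like strings are constructed.

```python
import re

# The digit after the keyword tells how IOS stored the value.
# No digit means the value is stored exactly as it was typed.
STORAGE = {
    "0": "cleartext",
    "7": "reversible obfuscation (service password-encryption)",
    "4": "unsalted SHA-256 (deprecated)",
    "5": "MD5-based hash",
    "8": "PBKDF2-SHA256 hash",
    "9": "scrypt hash",
}
READABLE = {"0", "7"}  # recoverable by anyone who can read the config

CRED = re.compile(
    r"^\s*(?P<kind>enable secret|enable password|password|"
    r"username \S+ (?:privilege \d+ )?(?:secret|password))"
    r"(?: (?P<type>\d))? (?P<value>\S+)\s*$"
)

def audit_config(text):
    """Return one finding per stored credential, without echoing its value."""
    findings = []
    context = "global"
    for line in text.splitlines():
        if line and not line.startswith(" "):
            # A new top-level statement: remember it if it opens a line section.
            context = line.strip() if line.startswith("line ") else "global"
        m = CRED.match(line)
        if m is None:
            continue
        ctype = m.group("type") or "0"
        findings.append({
            "context": context,
            "kind": m.group("kind"),
            "type": ctype,
            "storage": STORAGE.get(ctype, "unknown type"),
            "readable": ctype in READABLE,
        })
    return findings

# Constructed sample in the style of the lesson's router configuration.
SAMPLE_CONFIG = """\
hostname NwKingRouter
!
enable secret 5 $1$XXXX$CONSTRUCTEDHASHVALUE000000
!
line con 0
 password console
 login
line vty 0 4
 password 7 CONSTRUCTED07
 login
!
end
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "READABLE" if f["readable"] else "ok"
        print(f'{flag:8} {f["context"]:12} {f["kind"]:14} {f["storage"]}')
```

Every credential flagged as readable is exposed to anyone who can boot the device past its startup configuration as described in this lesson.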


Here is how you can reset your router password. One important thing to note is that if you enter the show version command, you will see that the value of the configuration register is 0x2142. This means that even if I use the copy running to startup command and reboot the router, the system will load the default settings again, that is, the router will return to the factory settings. We do not need this at all, because we have reset the password, gained control of the device and want to use it in production mode.

Therefore, you need to enter the Router(config)# global configuration mode and enter the config-register 0x2102 command, and only after that use the copy run start command to copy the current configuration to the startup configuration. You can also copy the current settings to the startup configuration using the write command. If you now type show version, you will see that the current configuration register value is 0x2102, and the system reports that the changes will take effect the next time the router is rebooted.

Therefore, we initiate a reboot with the reload command, the system reboots, and now we have all the configuration files, all the settings and we know all the passwords. This is how the router passwords are recovered.
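A router left at 0x2142 comes up unconfigured, and therefore without passwords, after every reload. As an added example (not part of the original lesson), this check decodes the configuration register line of show version and reports which state a device is in. The sample output lines are constructed and the status labels are this example's own names.

```python
import re

IGNORE_NVRAM = 0x0040    # bit 6: skip the startup configuration in NVRAM
BREAK_DISABLED = 0x0100  # bit 8: Break is ignored once the system is running
BOOT_FIELD = 0x000F      # bits 0-3: 0 = stay in ROMmon, 2-F = normal boot

REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Split a register value into the fields this lesson relies on."""
    return {
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_field": value & BOOT_FIELD,
    }

def audit(show_version_text):
    """Classify a device from the register line of its show version output."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        return {"status": "unknown", "current": None, "next": None}
    current = int(m.group(1), 16)
    # Without a "will be" clause the next boot uses the current value.
    nxt = int(m.group(2), 16) if m.group(2) else current
    if decode(nxt)["ignore_nvram"]:
        status = "ignores-nvram-next-boot"   # will boot with no passwords
    elif decode(nxt)["boot_field"] == 0:
        status = "stops-in-rommon"
    elif decode(current)["ignore_nvram"]:
        status = "pending-reload"            # fixed, but not yet rebooted
    else:
        status = "ok"
    return {"status": status, "current": hex(current), "next": hex(nxt)}

# Constructed samples: the three states the recovery procedure passes through.
LEFT_IN_RECOVERY = "Configuration register is 0x2142"
FIXED_NOT_RELOADED = (
    "Configuration register is 0x2142 (will be 0x2102 at next reload)"
)
NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    for sample in (LEFT_IN_RECOVERY, FIXED_NOT_RELOADED, NORMAL):
        print(audit(sample))
```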

Let's look at how to implement the same procedure for a switch. The router has a power switch that allows you to turn the power off and on again, but the Cisco switch does not have one. We must connect to the console port with a console cable, then disconnect the power cable from the back of the switch, after 10-15 seconds, insert it back and immediately press and hold the MODE button for 3 seconds. This will automatically put the switch into ROMmon mode. In this mode, you must initialize the flash file system and rename the config.text file to, for example, config.text.old. If you simply delete it, then the switch will "forget" not only passwords, but also all previous settings. After that, you reboot the system.


What happens to the switch when you do this? At the time of reboot, it accesses the config.text configuration file. If it does not find this file in the flash memory of the device, then it loads the IOS with default settings. This is the difference: in the router you have to change the register setting, and in the switch you just need to change the name of the boot settings file. Let's see how this happens in the Packet Tracer program. This time I connect the laptop with a console cable to the console port of the switch.

We do not use the switch CLI console, but simulate a situation where the switch settings can only be accessed using a laptop. I use the same laptop terminal settings as in the case of the router, and by pressing "Enter" I connect to the console port of the switch.

In Packet Tracer, I can't unplug and plug the power cable like I can with a physical device. If I had a password for the console, I could reboot the switch, so I enter the enable password enable command to assign a local access password to the privileged console mode.

Now if I go to the settings, I will see that the system is asking for a password that I do not know. So, you need to initiate a system reboot. As you can see, the system does not accept the reload command that came from the user's device in user mode, so I have to use privileged mode. As I said, in real life, I would just unplug the switch's power cable for a few seconds to force a reboot, but since this is not possible in the program, I have to remove the password and reboot right from here. You understand why I'm doing this, right?


So, I switch from the CLI tab to the Physical Device tab, and when the device starts rebooting, I hold the virtual MODE button for 3 seconds and enter ROMmon mode. You can see that the information in the CLI window of the switch is the same as in the window on the laptop screen. I go to the laptop, which displays the switch's ROMmon mode, and enter the flash_init command. This command initializes the flash filesystem, after which I issue the dir_flash command to view the contents of the flash.

There are two files here - the IOS operating system file with the .bin extension and the config.text file, which we must rename. To do this, I use the rename flash:config.text flash:config.old command. If we now use the dir_flash command, we can see that the config.text file has been renamed to config.old.


Now I enter the reset command, the switch reboots and after the system boots it goes to the default settings. This is evidenced by the device name on the command line changing from NwKingSwitch to simply Switch. There is a rename command in the real device, but it cannot be used in Packet Tracer. Therefore, I use show running conf, where you can see that the switch uses all the default settings, and then enter the more flash:config.old command. Here's the hack: you just have to copy the device configuration displayed on the screen, go into global configuration mode, and paste the copied information. Ideally, we copy absolutely all the settings, and you see that the device name has changed and the switch has switched to normal operation.

Now it remains to copy the current configuration to the boot configuration, that is, create a new config.text file. The easiest way is to simply rename the old file back to config.text, i.e. copy the contents of config.old to the current config and then save it as config.text. This is how the switch password is recovered.

We will now look at how to back up and restore the Cisco IOS operating system. Backup consists of copying the IOS image to a TFTP server. Next, I will explain how to transfer the system image file from this server to your device. The third topic is System Restore in ROMmon mode. This may be necessary if your colleague accidentally deleted IOS and the system stopped booting.


We will look at how to get a system file from a TFTP server in ROMmon mode. There are 2 ways to do this, one of them is xmodem. Packet Tracer doesn't support xmodem, so I'll briefly explain what it is and then use Packet Tracer to show you how to use the second method, System Restore via TFTP.

The diagram shows Router0, which has an IP address of 10.1.1.1. This router is connected to the server with IP address 10.1.1.10. I forgot to assign an address to the router, so I'll do it quickly now. Our router is not connected to the laptop, so the program does not allow you to use the CLI console, and I will have to fix this.

I connect the laptop to the router with a console cable, the system asks for a password on the console, and I use the word console. In global configuration mode, I give interface f0/0 the correct IP address and subnet mask 255.255.255.0 and add the no shutdown command.

Next, I type the show flash command and see that there are 3 files in memory. File number 3 is the most important, this is the IOS file of the router. Now I need to configure the TFTP server, so I click on the Server0 device icon and open the SERVICES tab. We see that the TFTP server is enabled and it contains files from many Cisco operating systems, including IOS for our c1841 router - this is the third file in the list. I need to remove it from the server because I'm going to copy another IOS file here from our router Router0. To do this, I select the file and click Remove file, and then go to the laptop console tab.


From the console of the router, I type copy flash tftp <source filename> <destination address/hostname>, then copy and paste the operating system filename.


Next, in the command, you need to specify the address or name of the remote host to which you want to copy this file. Just like when saving the boot configuration of the router, you need to be careful here. If you mistakenly copy not the current configuration to the boot configuration, but vice versa, the boot configuration to the current one, then after rebooting the device you will lose all the settings you have made. Similarly, in this case, the source and destination should not be confused. So, first we specify the name of the file to be copied to the server, and then the IP address of this server is 10.1.1.10.


You see that the file transfer has begun, and if you look at the list of TFTP files, you can see that instead of the deleted file, a new IOS file of our router has appeared here. This is how IOS is copied to the server.

Now we return to the router settings window on the laptop screen and enter the copy tftp flash command, specify the remote host address 10.1.1.10 and the source filename (Source filename), that is, the IOS that needs to be copied to the router's flash: c1841-ipbase-mz.123-14.T7.bin. Next, the destination filename (Destination filename) is specified, which in our case will be exactly the same as the source name. After that, I press Enter and the new IOS file is copied to the flash memory of the router. You can see that we now have two operating system files: the new one at number 3 and the previous original one at number 4.


In the IOS designation, the version is important for us - in the first file at number 3 it is 124, and in the second at number 4 it is 123, that is, an older version. In addition, advipservicesk9 indicates that this version of the system is more functional than ipbase, as it allows the use of MPLS and the like.

Another possibility is that you deleted flash by mistake - I type delete flash and specify the name of the IOS file to be deleted.

But before that, I want to say that now, by default, during boot, the system file number 3 will be used, that is, c1841-advipservicesk9-mz.124-15.T1.bin. Suppose, for some reason, I want file number 4, c1841-ipbase-mz.123-14.T7.bin, to be used the next time the system boots. To do this, I enter the global configuration mode and type the boot system flash command: c1841-ipbase-mz.123-14.T7.bin.

Now, at the next boot, this file will be used as the default OS, even if we have two operating systems stored in the flash.

Let's go back to deleting the OS and type the delete flash command: c1841-ipbase-mz.123-14.T7.bin. After that, we will also delete the second OS with the delete flash command: c1841-advipservicesk9-mz.124-15.T1.bin, so that the router will lose both operating systems.

If we now type show flash, we can see that now we don't have any OS at all. What happens if I give the command to reboot? You can see that after entering the reload command, the device immediately goes into ROMmon mode. As I said, when booting, the device looks for an OS file, and if it is missing, it jumps to the rommon base OS.

There are no xmodem commands in Packet Tracer that can be used on an actual physical device. There you enter xmodem and add the necessary options regarding booting the OS. If you are using a SecureCRT terminal, you can click on the file, select the option that does the transfer, and then select xmodem. Once you have selected xmodem, you select the operating system file. Let's assume this file is on your laptop, then you type xmodem, point to this file, and send it. However, xmodem is a very, very slow thing, and the transfer process can take 1-2 hours depending on the file size.

The TFTP server is much faster. As I said, there are no xmodem commands in Packet Tracer, so we will download over TFTP with the tftpdnld command, after which the system will give hints on how to restore the system image through the TFTP server. You see the various options that you will need to specify in order to load the OS file. Why are these parameters needed? They must be used because in ROMmon mode this router does not have the functionality of a device with a full IOS. Therefore, we must first manually specify the IP address of our router using the IP_ADDRESS=10.1.1.1 parameter, then the subnet mask IP_SUBNET_MASK=255.255.255.0, the default gateway DEFAULT_GATEWAY=10.1.1.10, the server TFTP_SERVER=10.1.1.10 and the file TFTP_FILE=c1841-advipservicesk9-mz.124-15.T1.bin.

After I have done this, I run the tftpdnld command, and the system asks me to confirm this action, because all the data existing in the flash will be lost. If I answer "Yes", you will see that the color of the router-server connection ports has changed to green, that is, the process of copying the operating system from the server is in progress.


After the file download is complete, I use the boot command, after which the unpacking of the system image begins. You can see that after that, the router goes into a working state, since the operating system is returned to the device. This is how a device that has lost its operating system is restored to working order.

Now let's talk a little about Cisco IOS licensing.


Before version 15 there were earlier versions of IOS, for example 12, after which version 15 was released immediately; do not ask where the numbers 13 and 14 have gone. So, when you bought a Cisco device with the basic functionality of IOS IP Base, it cost, say, $1000. This was the minimum price of hardware with the basic configuration operating system installed.

Let's say your friend wanted his device to have the advanced Advanced IP Services functionality, then the price was, say, $10. I'm giving random numbers just so you get the idea. When you both have the same hardware, the difference is only in the installed software. Nothing could stop you from asking a friend for a copy of his software, installing it on your hardware, and thereby saving $9. Even if you do not have such a friend, with the modern development of the Internet, you can download and install a pirated copy of the software. It's illegal and I don't recommend you do it, but people often do it. That is why Cisco decided to implement a mechanism that prevents such fraud, and developed IOS version 15, which provides for licensing.

In previous versions of IOS, for example, 12.4, the very name of the system indicated its functionality, so when you went into the device settings, you could identify the feature set by the name of the OS file. In fact, there were several operating systems of the same version, in the way that Windows Home, Windows Professional, Windows Enterprise, etc. exist.

In version 15, there is only one universal operating system - Cisco IOSv15, which has several levels of licensing. The system image contains all the functions, but they are locked and divided into packages.

The IP Base is active by default, has a lifetime validity, and is available to anyone who purchases a Cisco device. The other three packages, Data, Unified Communication and Security, can only be activated with a license. If you need a Data package, you can go to the company's website, pay a certain amount, and Cisco will send a license file to your email. You copy this file to your device's flash memory using TFTP or another method, after which all functions of the Data package are automatically available. If you need advanced security features such as encryption, IPSec, VPN, firewall, etc., you purchase a license for the Security package.

Now, with the help of Packet Tracer, I'll show you what it looks like. I go to the CLI tab of the router settings and enter the show version command. You can see that we are running OS version 15.1, this is a universal OS that contains all the functionality. If you scroll down the window, you can see the license information.


This means that the ipbase package is permanent and available every time the device boots, while the security and data packages are not available because the system does not currently have the appropriate licenses.

You can use the show license all command to view detailed license information. In addition, you can view the details of the current license using the show license detail command. The license features can be viewed using the show license features command. This is a summary of the Cisco licensing system. You go to the company's website, buy the required license, and insert the license file into the system. This can be done in the global settings configuration mode using the license install command.



Source: habr.com
