Category: 2800

Recovering from disabled password recovery might not be possible

IOS release 12.3T (and 12.4) introduced a great security feature: the ability to disable password recovery (using the well-known break key sequence) with the no service password-recovery global configuration command. However, once you configure this feature on some routers, you might have no way whatsoever to regain control of them if you forget the password.

The IOS documentation states that you should be able to erase NVRAM (thus losing the config, but protecting the password integrity) if you press the break key a few seconds after the Image text-base: 0x........, data-base: 0x........ message appears. Unfortunately, that does not work on the router I've been doing my tests on (2811 with c2800nm-advipservicesk9-mz.124-6.T.bin and ROMMON Version 12.4(1r)). There was simply no way to erase NVRAM, so the router would remain locked up if I had really forgotten the enable password.

Note: After my tests, I was told that pressing the break key as soon as the router is powered up might work.

Moral of the story: test whether you can recover the router with your particular combination of IOS/ROMMON versions before disabling password recovery (and forgetting the password).
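
One way to apply that check across saved device output, as an added example that is not part of the original post: the script extracts the IOS and ROMMON versions from show version text and flags any router where password recovery is disabled on a version pair that has not been lab-tested. The sample output is constructed, and the VERIFIED set, status names and function names are assumptions made for this example.

```python
import re

# Constructed sample output for the platform named in the post (not a real capture).
SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(1r), RELEASE SOFTWARE (fc1)
System image file is "flash:c2800nm-advipservicesk9-mz.124-6.T.bin"
"""
RUNNING_CONFIG = """\
service password-encryption
no service password-recovery
hostname lab-2811
"""

# Assumption: (IOS, ROMMON) pairs on which you have personally confirmed in the
# lab that the break-key NVRAM erase works. Empty until you have tested some.
VERIFIED = set()


def parse_versions(show_version):
    """Return (ios_version, rommon_version); None for anything not found."""
    ios = re.search(r"^Cisco IOS Software.*?Version ([^,\s]+)", show_version, re.M)
    rom = re.search(r"^ROM: .*?Version ([^,\s\[]+)", show_version, re.M)
    return (ios.group(1) if ios else None, rom.group(1) if rom else None)


def recovery_disabled(config):
    """True only if the global command is present as a whole config line."""
    return any(l.strip() == "no service password-recovery" for l in config.splitlines())


def audit(show_version, config, verified=VERIFIED):
    """Classify one router by recovery setting and tested version pair."""
    ios, rom = parse_versions(show_version)
    disabled = recovery_disabled(config)
    if ios is None or rom is None:
        status = "UNKNOWN_VERSION"        # cannot match against the tested list
    elif not disabled:
        status = "RECOVERY_ENABLED"       # break-key recovery still available
    elif (ios, rom) in verified:
        status = "DISABLED_VERIFIED"      # lockout fallback was lab-tested
    else:
        status = "DISABLED_UNVERIFIED"    # a forgotten password may be unrecoverable
    return {"ios": ios, "rommon": rom, "disabled": disabled, "status": status}


if __name__ == "__main__":
    print(audit(SHOW_VERSION, RUNNING_CONFIG))
```

Treat any DISABLED_UNVERIFIED result as a reason to test the recovery procedure on a spare unit with the same version pair before the setting goes into production.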

Boot a 2800 router with a USB image

If you would like to boot an ISR router (for example, a 2800) from USB flash but cannot upgrade the ROMMON, all is not lost. You can specify the USB-based image with the boot system configuration command (for example, boot system usbflash1:c2800nm-advipservicesk9-mz.124-11.T1.bin), but the boot process will take significantly longer. The same applies to any other scenario where the ROMMON cannot get the image specified in the boot system command:
  • When the router is reloaded, ROMMON reads the router configuration and tries to start the required image
  • If ROMMON cannot load the image specified in the boot system command, it starts the default image (usually whatever is stored in on-board flash)
  • When the first IOS image loads (after being copied and decompressed in most cases), it discovers that it's not the correct image
  • The now-operational IOS image loads the new image into RAM (in our case from usbflash1:), decompresses it and transfers control to it

Upgrade 2800 series router to support USB boot

A while ago we were faced with a 2800-series router with no software on its CF card. As all 2800-series routers have USB slots, I started investigating whether you could boot the IOS image from a USB flash token. The product documentation states you can't, but as always, reality changes quicker than documentation in Ciscosphere.

To support IOS boot from a USB token, you need a newer version of the 2800-series ROMMON, which you'll get from the ROMMON download page (registered CCO users only). You need ROMMON release 12.4(13r)T (description: C2800 ROMMON Upgrade; adds boot from usb flash drive capability).

