Managing Device Configuration Files. Cisco Password Recovery Procedure

What we’re calling your attention to is this thing called the merge behavior inside of Cisco IOS. Just like when you’re learning how to drive, merging onto a freeway is one of the more challenging things. If you’re dealing with Cisco configs, Cisco config management, you have to be mindful of this, okay. What this means is when you are putting something into your running-config, when you type in a command, let’s say I’m putting in the IP address command on an interface in the router. Is that configuration merged in the running-config?

It’s copied into that running-config and the rest of the config is still there.

 

So when we type in commands, we expect this merge behavior. We don’t know it’s merging, we don’t think of it as merging. You would be pretty weird if you would thought, “Oh, I’m merging this command with the pre-existing command in the running config.” But that is, in fact, what’s going on. And we have to think to ourselves now running-config. That is different than all of the other locations out there. What makes it different is it’s not a file anymore. Startup-config is a file in NVRAM, our operating system, those are files stored here and there. File on a TFTP server by it’s very name is a file. But the running-config is not a file. It’s this workspace stored in Random Access Memory. And so we need to think of it’s very nature is going to influence how it behaves. Now, entering commands and getting the merge behavior is not the reason why we’re here, is it?

Managing Device Configuration Files

When we are copying from NVRAM into RAM or copying from a TFTP server into RAM, that can cause some significant problems for us. When we are at the console or we’ve Telnetted in and we’re just typing those individual commands, it’s not a big deal, we’re in total control of what is happening. But when you start importing configs from NVRAM or TFTP into RAM, there are a lot of commands being brought in. And so you lose control at that point, and when we lose control, things can happen that we don’t want to happen.

And what you have on your hands is a zombie config if you are not mindful of this. Let’s show you, in fact, because the better way to talk about it is to see it in effect.

The code in a sample running-config file is as follows:

interface GigabitEthernet0/0
    ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
    ip address 10.2.2.2 255.255.255.0
!
interface Serial10/0/0
    no ip address

The code in a sample TFTP server file called saved.config is as follows:

interface GigabitEthernet0/1
    ip address 172.16.1.1 255.255.255.0
!
interface Serial10/0/0
    ip address 192.168.1.1 255.255.255.0

When these files are merged at the Router prompt using the command copy tftp run, the running.config file is created. The contents of this file are as follows:

interface GigabitEthernet0/0
    ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
    ip address 172.16.1.1 255.255.255.0
!
interface Serial10/0/0
    ip address 192.168.1.1 255.255.255.0

So in this example, we have our current running-config, so what is running right now on our device, and we’re going to copy a configuration that we have stored on a TFTP server. So what happens? We get our Frankenstein configuration in the running-config. Can you see it here folks? When we copy the config from the TFTP server, is that the config we want? Yeah, that’s why we’re copying it. But look at the result, is that what we received?

I want to do some simple math with you. How many IP addresses are in the running-config, in the source running-config up in upper left?

I see two.

Okay, and then how many IP addresses do I have on the TFTP server?

I see two.

So, what’s two plus two?

Four.

Wrong, it’s three as we can see here. So in any case, you can see this merge behavior. How come I don’t have four IP addresses total in the configuration down below?

Well let’s think about it for a second. We’ll look at Gigabit Ethernet 0/1. I see that on the TFTP server, I see that in the running-config. The IP address for Gigabit Ethernet 0/1 has been replaced by the IP address for the TFTP server, that’s perfect, that’s the type of behavior I expect. Same thing with serial 0/0/0. But notice it had no IP address, now it has an IP address. So that’s great. But on the TFTP server, there was no config for Gigabit Ethernet 0/0. For example, it had no IP address. But look at the running-config right now, we still have the IP address associated with Gigabit Ethernet 0/0 when it shouldn’t have one. That is the problem and we’re just looking at it from a small example. But as we said, think about your configuration file that would be on that TFTP server or the configuration file that’s in NVRAM, it contains everything. This is just one thing that’s out of sorts. Imagine many configurations that are different, that just wreck havoc now, and we have this Frankenstein running configuration, not good for us at all.

Now I’ll tell you what, next time you’re doing a lab, do a copy anything question mark like copy tftp ?. You’re going to see that they’re now telling us, I don’t think that they used to do this, in fact. So do a copy tftp? and you’ll see “Hey, if your destination is running-config, you’ll get this”, which is pretty cool stuff.

So let me ask you folks, copy running-config tftp, copy source destination, is that a merge? Is that a merge? I copy from my running-config to TFTP?

It’s all about the destination. If the destination is your running-config, then you get the merge. So the answer there, TFTP is the destination. No merge behavior there.

Password recovery – Step-by-Step guide

I forget my password, what do I do? Help. Is there a way we can recover our password? Well folks, let’s put it this way, it’s called password recovery. But will the device, specifically, tell me my password? Yes and no. If passwords are being stored on the device in plain text, I could find out the password. But if we are using the security mechanisms that we’re supposed to be using by hashing passwords, encrypting passwords, then we won’t be able to see them directly. So we really have to have a way to, essentially, reset our password here.

So here’s how to do it. This is a really good walk through and it generally works for all routers, okay. It’s a real router chassis, it’s going to work for you.

First thing you got to do, get yourself near to the chassis itself. You must be able console into it. Step one, move yourself to the device itself. So we’re not secure shelling, we’re not Telnetting, we’re consoling. Get that rollover cable prepared, get your laptop, you’re probably using a laptop at this point. Then I want you to familiarize yourself with the terminal program that you’re using because you’re going to have to send a break key sequence through the terminal to the device.

Now if we look at the keyboard, as I’m doing right now, looking at my keyboard, this is equivalent to control pause break right? We press control pause break (Ctrl + Pause Break). But not all terminal programs will even supply that, not all terminal programs will send that. So sometimes, you’ll actually have to trigger a terminal feature to send the break sequence through the rollover cable. So we’ve prepared you now to then embark on this step-by-step process. So, I’m consoled in, I know how to send the break sequence in my terminal program whether that’s Putty or Poderosa. And I’m ready as I know that I have about a five-second window to send that break sequence. Otherwise, I’ve to start the whole thing over again, if I miss that window of opportunity. What then do I do to execute password recovery?

We have to change the configuration register. What’s our default value? It’s 2102. We have to change it so that way there, it’s going to load slightly different. Why? Well what do we want to do? We want to ensure that we don’t load our configuration file from NVRAM. Why? What does the configuration file in NVRAM contain? It contains the passwords! And if that loads, then when I access the device, it’s going to ask me for a password. So what are we trying to do here? We are changing the configuration register value to tell the device not to load the contents from NVRAM, and we do that by specifying 0x2142. Notice the boot field is the same, it’s still 2. So we don’t affect the IOS image, but I do want to affect the loading of the config file from NVRAM. So the 4 says, don’t load the configuration file from NVRAM.

rommon 1>confreg 0x2142

rommon 1>reset

Router>enable

Okay, so long story short, turn on my router, press pause break, that gets us into this ROM monitor, or ROMMON, mode that you’re in. You do this and then you say reset because that basically, says power off. It’s like pressing the reset button on the router. Don’t look for reset button though because there isn’t one. Okay, so I’ve seen a lot of people buy eBayed equipment, by the way that’s questionably legal, just make yourself aware of that. But they buy like an eBayed 2811 and the person who sold it left it this way, they left it as confreg 2142. So don’t be too shocked if your devices are not loading the startup-config and it doesn’t mean that they’re broken. In fact, there is pretty darned rare for NVRAM to ever be truly broken. So your assumption should be, “Oh, they messed with the confreg value.” Do a show version, you see 2142. Go into global config, reset it to 0x2102, reload the chassis, and your startup-config is working.

So, we’ve reset it, we typed in enable to get to the privileged EXEC mode. But wait, we would have been prompted with the system configuration dialog, why? Because configuration file was not loaded from NVRAM. What do we say? We say no, no, no, don’t use, I don’t want to use that.

Router#copy startup-config running-config

Router#configure terminal

So as you can see what’s our hostname – Router. What are we doing now? We’re copying the startup-config to running-config, why? Because the running-config is the default running-config right now, right bare bones and basics. What we want to do is, we want to take that startup-config and bring it into the config now, which is, what type of process is that, a merge? Yes, and this is problematic right now because since it’s a merge, even though the startup-config has IP addresses on interfaces and the interfaces were up in that startup-config, now when I merge it back over, think about all those interfaces that it would have to default no shutdown command specified.

And by the way that happens in a few other circumstances as well when you’re copying configs to your chassis. So don’t be super shocked if you’ve recovered a config and your interfaces are still down. Now once you’ve done that merge behavior, you’ve got a problem on your hands that you need to address. You just reloaded the password you forgot, it’s now working. So don’t exit out and disable yourself and do a re-enable because you don’t know how to get back in right now, you don’t. So you want to rewrite, overwrite the existing enable secret password and then you’re in a better place. Oh, by the way, don’t forget to change your config reg back to the default also because you will perpetually bypass the startup-config. You will perpetually do this if you don’t do that.

Router(config)#enable secret newpassword

Router(config)#config-register 0x2102

Router#copy running-config startup-config

Because right now we’re set to 2142, which means don’t load the config from NVRAM. So change it back to loading the config from NVRAM, so 0x2102 default, set it back to that. And then lastly, don’t forget, probably, the most important step and what is that? Copy running-config to startup-config, because what is in the startup-config right now? The old configuration that has the old password that you forgot. The running-config has the new password, copy it over.

You know this is a really cool thing we taught you how to do. It’s very cool. You’re now at a place where you can recover other people’s passwords, you inherit these devices that you don’t know how to get yourself into. Now you do, that is truly powerful and it’s an elegant config. Well that’s kind of a weird word to apply to this. But when you can do this and can keep it all straight in your head, you now have gotten to that next step where you’ve gained a lot of confidence. This is a confidence builder we’re teaching you right here, so I think it’s great that we’re exposing it to you.

Our Recommended Premium CCNA Training Resources

These are the best CCNA training resources online:

Click Here to get the Cisco CCNA Gold Bootcamp, the most comprehensive and highest rated CCNA course online with a 4.8 star rating from over 30,000 public reviews. I recommend this as your primary study source to learn all the topics on the exam. Cisco CCNA Gold Bootcamp
Want to take your practice tests to the next level? AlphaPreps purpose-built Cisco test engine has the largest question bank, adaptive questions, and advanced reporting which tells you exactly when you are ready to pass the real exam. Click here for your free trial. Cisco CCNA Gold Bootcamp