Thursday, June 08, 2006

Cisco CCNA Exam Tutorial: Password Recovery Procedures

by: Chris Bryant, CCIE #12933

It might happen on your CCNA exam, it might happen on your production network - but sooner or later, you're going to have to perform password recovery on a Cisco router or switch. This involves manipulating the router's configuration register, and that is enough to make some CCNA candidates and network administrators really nervous!

It's true that setting the configuration register to the wrong value can damage the router, but if you do the proper research before starting the password recovery process, you'll be fine.

Despite what some books say, there is no "one size fits all" approach to Cisco password recovery. What works on a 2500 router may not work on other routers and switches. There is a great master Cisco document out on the Web that you should bookmark today. Just put "cisco password recovery" in your favorite search engine and you should find it quickly.

The following procedure describes the process in recovering from a lost password on a Cisco 2500 router. As always, don't practice this at home. It is a good idea to get some practice with this technique in your CCNA / CCNP home lab, though!

The password recovery method examined here is for 2500 routers.

An engineer who finds themselves locked out of a router can view and change the password by changing the configuration register.

The router must first be rebooted and a “break” performed within the first 60 seconds of the boot process. This break sequence can also vary depending on what program is used to access the router, but is the usual key combination.

The router will now be in ROM Monitor mode. From the rom monitor prompt, change the default configuration register of 0x2102 to 0x2142 with the o/r 0x2142 command. Reload the router with the letter i. (As you can see, ROM Monitor mode is a lot different than working with the IOS!)

This particular config register setting will cause the router to ignore the contents of NVRAM. Your startup configuration is still there, but it will be ignored on reload.

When the router reloads, you’ll be prompted to enter Setup mode. Answer “N”, and type enable at the router> prompt.

Be careful here. Type configure memory or copy start run. Do NOT type write memory or copy run start!

Enter the command show running-config. You’ll see the passwords in either their encrypted or unencrypted format.

Type config t, then use the appropriate command to set a new enable secret or enable password.

Don’t forget to change the configuration register setting back to the original value! The command config-register 0x2102 will do the job. Save this change with write memory or copy run start, and then run reload one more time to restart the router.

This process sounds hard, but it's really not. You just have to be careful, particularly when you're copying the startup config over the running config. You don't want to get that backwards! So take your time, check the online Cisco documentation before starting, get some practice with this procedure with lab equipment, and you'll be ready for success on the CCNA exam and in your production network!

About The Author

Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage (www.thebryantadvantage.com), home of free CCNA and CCNP tutorials! For my FREE "How To Pass The CCNA" or "CCNP" ebook, visit the website and download your copies. Pass your CCNA exam with The Bryant Advantage!

chris@thebryantadvantage.com

Sunday, June 04, 2006

Cisco CCNP / BCMSN Exam Tutorial: Changing Root Bridge Election Results

by: Chris Bryant, CCIE #12933

Your BCMSN and CCNP studies will include mastering the details of Spanning Tree Protocol (STP). While you learned some of these details in your CCNA studies, quite a bit of it may be new to you. Before going on to the intermediate and advanced STP features, let's review the root bridge election process and learn how to change these results.

Each switch will have a Bridge ID Priority value, more commonly referred to as a BID. This BID is a combination of a default priority value and the switch's MAC address, with the priority value listed first. For example, if a Cisco switch has the default priority value of 32,768 and a MAC address of 11-22-33-44-55-66, the BID would be 32768:11-22-33-44-55-66. Therefore, if the switch priority is left at the default, the MAC address is the deciding factor.

Switches are a lot like people - when they first arrive, they announce that they are the center of the universe! Unlike some people, the switches will soon get over it. BPDUs will be exchanged until one switch is elected Root Bridge, and it's the switch with the lowest BPDU that will end up being the Root Bridge.

If STP is left totally alone, a single switch is going to be the root bridge for every single VLAN in your network. Worse, that single switch is going to be selected because it has a lower MAC address than every other switch, which isn't exactly the criteria you want to use to select a single root bridge.

The time will definitely come when you want to determine a particular switch to be the root bridge for your VLANs, or when you will want to spread the root bridge workload. For instance, if you have 50 VLANs and five switches, you may want each switch to act as the root bridge for 10 VLANs each. You can make this happen with the spanning-tree vlan root command.

SW1(config)#spanning-tree vlan 1 ?

forward-time Set the forward delay for the spanning tree

hello-time Set the hello interval for the spanning tree

max-age Set the max age interval for the spanning tree

priority Set the bridge priority for the spanning tree

root Configure switch as root

In this example, we've got two switches, and SW1 has been elected the root bridge for VLANs 10, 20, and 30. We'll use the spanning-tree vlan root command on SW2 to make it the root bridge for VLANs 20 and 30.

SW2(config)#spanning-tree vlan 20 root primary

SW2(config)#spanning-tree vlan 30 root primary

SW2#show spanning vlan 20

VLAN0020

Spanning tree enabled protocol ieee

Root ID Priority 24596

Address 000f.90e2.1300

This bridge is the root

SW2#show spanning vlan 30

VLAN0030

Spanning tree enabled protocol ieee

Root ID Priority 24606

Address 000f.90e2.1300

This bridge is the root

SW 2 is now the root bridge for both VLAN 20 and 30. Notice that the priority value has changed from the default of 32768.

In the next CCNP / BCMSN tutorial, we'll take a look at more STP features.

About The Author

Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage (www.thebryantadvantage.com), home of free CCNP and CCNA tutorials! For my FREE "How To Pass The CCNA" or "CCNP" ebook, visit the website and download your copies. Pass your CCNP exam with The Bryant Advantage!