Showing posts with label 2800. Show all posts

Recovering from disabled password recovery might not be possible

IOS release 12.3T (and 12.4) introduced a great security feature: the ability to disable password recovery (using the well-known break key sequence) with the no service password-recovery global configuration command. However, once you configure this feature on some routers, you might have no way whatsoever to regain control of the box if you forget the password.

The IOS documentation states that you should be able to erase NVRAM (thus losing the config, but protecting the password integrity) if you press the break key a few seconds after the Image text-base: 0x........, data-base: 0x........ message appears. Unfortunately, that does not work on the router I've been doing my tests on (2811 with c2800nm-advipservicesk9-mz.124-6.T.bin and ROMMON Version 12.4(1r)). There was simply no way to erase NVRAM, so the router would remain locked up if I had really forgotten the enable password.

Note: After my tests, I was told that pressing the break key as soon as the router is powered up might work.

Moral of the story: test whether you can recover the router with your particular combination of IOS/ROMMON versions before disabling password recovery (and forgetting the password).

USB usability in ISR routers

In his USB Usability Q&A article, Scott Morris states that ISR routers (1800, 2800, 3800) use the USB port for security keys. While that's definitely true, the usability of the USB ports goes way beyond that. Once you insert a USB token into the port (and IOS release 12.4 recognizes tokens up to at least 1GB), you get a generic storage device (usbflash0: and/or usbflash1:) that can be used to:

Boot a 2800-router with a USB image

If you would like to boot an ISR router (for example, a 2800) from USB flash but cannot upgrade the ROMMON, all is not lost: you can specify the USB-based image with the boot system configuration command (for example, boot system usbflash1:c2800nm-advipservicesk9-mz.124-11.T1.bin), but the boot process will take significantly longer, because the image is effectively loaded twice (this also applies to any other scenario where the ROMMON cannot get the image specified in the boot system command):

  • When the router is reloaded, ROMMON reads the router configuration and tries to start the required image
  • If ROMMON cannot load the image specified in the boot system command, it starts the default image (usually whatever is stored in on-board flash)
  • When the first IOS image loads (after being copied and decompressed in most cases), it discovers that it's not the correct image
  • The now-operational IOS image loads the new image in RAM (in our case from usbflash1:), decompresses it and transfers the control to it

Upgrade 2800 series router to support USB boot

A while ago we were faced with a 2800-series router with no software on its CF card. As all 2800-series routers have USB slots, I started investigating whether you could boot the IOS image from a USB flash token. The product documentation states you can't, but as always, reality changes quicker than documentation in the Ciscosphere. To support IOS boot from a USB token, you need a newer version of the 2800-series ROMMON, which you'll get from the ROMMON download page (registered CCO users only). You need ROMMON release 12.4(13r)T (description: C2800 ROMMON Upgrade; adds boot from usb flash drive capability).

After you've downloaded the file onto a USB token, upgrade the router ROMMON with the upgrade rom-monitor file usbflash0:C2800NM_RM2.srec.124-13r.T command (requires router reboot).

Test the upgraded ROMMON with the dev command. You should see the USB flash devices:

rommon 1 > dev
Devices in device table:
id name
flash: compact flash
bootflash: boot flash
usbflash0: usbflash0
usbflash1: usbflash1
eprom: eprom

You can use USB token-resident IOS releases in two ways:
  • As an emergency boot mechanism when you have problems with the CF card. Remove the CF card, insert the USB token, restart the router and use the ROMMON boot command, for example boot usbflash0:c2800nm-advipservicesk9-mz.124-11.T1.bin.

  • As a regular boot image. Use the boot system global configuration command to specify the USB token image to use, for example boot system usbflash0:c2800nm-advipservicesk9-mz.124-11.T1.bin. The router will not boot off the USB token without the boot system command ... and, obviously, you should never remove the USB token from the router.
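Both the password-recovery post and the USB boot posts above describe settings that are easy to forget about until the router is already in trouble: a box with no service password-recovery configured, or a boot system entry that points at a removable token. The following Python script is an added example (not part of the original posts) that audits saved running-configs for exactly these two things. The hostnames and config texts are constructed for illustration; the image filenames are the ones mentioned in the posts, and the usbflash0:/usbflash1: device names match the ROMMON dev output shown earlier.

```python
"""Audit Cisco IOS running-configs for disabled password recovery and
for boot images that live on removable USB media.

Added example, not part of the original blog posts. The sample configs
and hostnames below are constructed for illustration only.
"""
import re

# Constructed sample configs (not real devices).  Image filenames are the
# ones from the posts above; boot-start-marker / boot-end-marker are the
# normal IOS delimiters around boot system statements.
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
no service password-recovery
boot-start-marker
boot system usbflash0:c2800nm-advipservicesk9-mz.124-11.T1.bin
boot-end-marker
""",
    "edge-rtr-2": """\
hostname edge-rtr-2
boot-start-marker
boot system usbflash1:c2800nm-advipservicesk9-mz.124-11.T1.bin
boot system flash:c2800nm-advipservicesk9-mz.124-6.T.bin
boot-end-marker
""",
    "edge-rtr-3": """\
hostname edge-rtr-3
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-6.T.bin
boot-end-marker
""",
}

# Exact line match so that the default "service password-recovery"
# (if it ever appears) is not mistaken for the disabling form.
PW_RECOVERY_DISABLED = re.compile(r"^no service password-recovery\s*$", re.MULTILINE)
BOOT_SYSTEM = re.compile(r"^boot system\s+(\S+)", re.MULTILINE)

# Device name prefixes that denote removable USB storage on the ISRs.
REMOVABLE_PREFIXES = ("usbflash",)


def boot_images(config):
    """Return the boot system targets in the order IOS tries them."""
    return BOOT_SYSTEM.findall(config)


def audit(config):
    """Return a list of finding identifiers for one running-config."""
    findings = []
    if PW_RECOVERY_DISABLED.search(config):
        findings.append("password-recovery-disabled")

    images = boot_images(config)
    on_usb = [img for img in images if img.lower().startswith(REMOVABLE_PREFIXES)]
    if on_usb:
        findings.append("boot-image-on-usb")
        # Every boot system entry points at a USB token: if the token is
        # missing, ROMMON falls back to whatever default image it finds in
        # on-board flash, so the running image is not what the config says.
        if all(img.lower().startswith(REMOVABLE_PREFIXES) for img in images):
            findings.append("no-onboard-boot-fallback")
    return findings


def audit_fleet(configs):
    """Audit a {hostname: config_text} mapping and return findings per host."""
    return {name: audit(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

A router flagged with password-recovery-disabled is one where, as the first post describes, you want to verify the NVRAM-erase procedure works for your IOS/ROMMON combination before anyone relies on it. The boot findings are operational rather than security findings, but they point at the routers that should never have their USB token pulled.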