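Introduction
This document describes the password recovery procedure for Cisco IOS® and Cisco IOS® XE routers.
Prerequisites
Requirements
- This document applies to Cisco routers from the ISRG2, ISR4000, ASR1000 and ISR1000 series.
For routers that run a different Cisco IOS or Cisco IOS XE series, the procedure can differ.
- To perform password recovery, you must have a console connection to the device.
Caution: The password recovery procedure cannot be performed over a remote connection to the device (SSH or Telnet). If a terminal server is used for the console connection, the procedure does not work. A direct console connection is recommended.
- You must have physical access to the device, or be able to remotely manage the power of the affected device.
- A terminal emulator is required in order to send the Break sequence.
Note: Some PC keyboards have a Break key that can be used to send the signal.
Components Used
The information in this document is based on these software and hardware versions:
- ISR4331 router that runs Cisco IOS XE 16.12.4
- Putty terminal session version 0.71
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
This procedure can be used to recover username and password credentials as well as the enable password.
Depending on the current device configuration, the password can either be extracted or simply replaced with a new one.
Cisco IOS and Cisco IOS XE routers store their configuration in the startup-config and the running-config.
By default, the startup configuration file is stored in NVRAM, and the running configuration (the actual device configuration) is stored in DRAM.
The main purpose of the password recovery procedure is to boot the device with the default configuration and, once you have access to the device, load the current configuration and change the credentials.
Note: If the router is configured with the no service password-recovery feature, password recovery is not possible. This configuration can be identified when the device boots. You can review this document for more details about the no service password-recovery feature.
Password Recovery in Cisco IOS and Cisco IOS XE Routers
Step 1. Reboot the device. You need to power-cycle the device from the power supply/switch, because you do not have command-line access to the device.
Step 2. While the device boots, you must send the break sequence.
In Putty, navigate to the Special Command > Break option, as shown in the image.
- You must send the break signal multiple times. The break signal is recognized after POST passes and immediately before Cisco IOS finishes booting: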
Initializing Hardware ...
Checking for PCIe device presence...done
System integrity status: 0x610
Rom image verified correctly
System Bootstrap, Version 16.12(2r), RELEASE SOFTWARE
Copyright (c) 1994-2019 by cisco Systems, Inc.
Current image running: Boot ROM1
Last reset cause: LocalSoft
ISR4331/K9 platform with 4194304 Kbytes of main memory
........
Located isr4300-universalk9.16.12.04.SPA.bin
################################################################################
Failed to boot file bootflash:isr4300-universalk9.16.12.04.SPA.bin
.......
rommon 1 >
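Step 3. Log in to the device. In rommon mode, you must set the configuration register to 0x2142 so that the device boots with the default configuration on the next reload.
You can use the reset command to reload. You must let the device boot normally.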
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset
Resetting .......
Initializing Hardware ...
Checking for PCIe device presence...done
System integrity status: 0x610
Rom image verified correctly
System Bootstrap, Version 16.12(2r), RELEASE SOFTWARE
Copyright (c) 1994-2019 by cisco Systems, Inc.
Current image running: Boot ROM1
Last reset cause: LocalSoft
ISR4331/K9 platform with 4194304 Kbytes of main memory
........
Located isr4300-universalk9.16.12.04.SPA.bin
################################################################################
Package header rev 3 structure detected
IsoSize = 609173504
Calculating SHA-1 hash...Validate package: SHA-1 hash:
calculated 9E1353EB:8A02B6C4:C7B841DC:7A78BA24:5D48AA9B
expected 9E1353EB:8A02B6C4:C7B841DC:7A78BA24:5D48AA9B
RSA Signed RELEASE Image Signature Verification Successful.
Image validated
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Thu 09-Jul-20 21:44 by mcpre
This software version supports only Smart Licensing as the software licensing mechanism.
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
LICENSE KEY PROVIDED FOR ANY CISCO SOFTWARE PRODUCT, PRODUCT FEATURE,
AND/OR SUBSEQUENTLY PROVIDED SOFTWARE FEATURES (COLLECTIVELY, THE
"SOFTWARE"), AND/OR USING SUCH SOFTWARE CONSTITUTES YOUR FULL
ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU
ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN.
Your use of the Software is subject to the Cisco End User License Agreement
(EULA) and any relevant supplemental terms (SEULA) found at
http://www.cisco.com/c/en/us/about/legal/cloud-and-software/software-terms.html.
You hereby acknowledge and agree that certain Software and/or features are
licensed for a particular term, that the license to such Software and/or
features is valid only for the applicable term and that such Software and/or
features may be shut down or otherwise terminated by Cisco after expiration
of the applicable license term (for example, 90-day trial period). Cisco reserves
the right to terminate any such Software feature electronically or by any
other means available. While Cisco may provide alerts, it is your sole
responsibility to monitor your usage of any such term Software feature to
ensure that your systems and networks are prepared for a shutdown of the
Software feature.
All TCP AO KDF Tests Pass
cisco ISR4331/K9 (1RU) processor with 1694893K/3071K bytes of memory.
Processor board ID FLM1922W1BZ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Press RETURN to get started!
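Step 4. At this point, the router has the default configuration. You must load the saved configuration into the running configuration; use the configuration stored in the startup-config file or in another file. To use the startup-config file, you must copy the file to the running-config in global mode.
- Once the backup is loaded, you can enter configuration mode and change/check the credentials.
- The configuration register must be changed to 0x2102. After that, you can save the changes and reload the device.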
Router#copy startup-config running-config
Destination filename [running-config]?
% Please write mem and reload
% The config will take effect on next reboot
2793 bytes copied in 0.363 secs (7694 bytes/sec)
Router#show running-config | sec password
enable password cisco
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password cisco123
Router(config)#config-register 0x2102
Router(config)#exit
Router#show running-config | sec password
enable password cisco123
Router#write
Building configuration...
[OK]
Router#reload
Step 5. To confirm that the configuration register was modified correctly, run the show version command and check the last line of the show version output.
Router#show version
Cisco IOS XE Software, Version 16.12.04
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Thu 09-Jul-20 21:44 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2020 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: 16.12(2r)
Router uptime is 19 minutes
Uptime for this control processor is 22 minutes
System returned to ROM by Reload Command at 21:14:19 UTC Tue Apr 13 2021
System image file is "bootflash:isr4300-universalk9.16.12.04.SPA.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None Smart License None
securityk9
appxk9
AdvUCSuiteK9 None Smart License None
uck9
cme-srst
cube
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 appxk9 Smart License appxk9
uck9 uck9 Smart License uck9
securityk9 None Smart License None
ipbase ipbasek9 Smart License ipbasek9
The current throughput level is 300000 kbps
Smart Licensing Status: UNREGISTERED/EVAL MODE
cisco ISR4331/K9 (1RU) processor with 1694893K/3071K bytes of memory.
Processor board ID FLM1922W1BZ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2142 (will be 0x2102 at next reload)
Caution: Different configuration registers can cause unexpected behavior.
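A check for step 5, as an added example that is not part of the original Cisco document: it reads the last line of show version and reports when the register that applies at the next reload still has bit 6 (0x0040, ignore startup-config) set, which is the difference between 0x2142 and 0x2102. The function name, the finding texts and the sample captures are assumptions made for the illustration.

```python
import re

IGNORE_STARTUP_CONFIG = 0x0040  # bit 6: boot without loading startup-config
EXPECTED_REGISTER = 0x2102      # value that step 4 of the procedure restores

# Matches the last line of `show version`, with or without a pending value.
REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def check_config_register(show_version_output, expected=EXPECTED_REGISTER):
    """Return (current, next_reload, findings) for one `show version` capture."""
    matches = REGISTER_LINE.findall(show_version_output)
    if not matches:
        raise ValueError("no 'Configuration register' line in the output")
    current_hex, pending_hex = matches[-1]
    current = int(current_hex, 16)
    # Without a "will be" clause the register keeps its value across reloads.
    next_reload = int(pending_hex, 16) if pending_hex else current
    findings = []
    if next_reload & IGNORE_STARTUP_CONFIG:
        findings.append(
            f"next reload uses {next_reload:#06x}: startup-config is ignored, "
            "so the router boots with the default configuration"
        )
    elif next_reload != expected:
        findings.append(f"next reload uses {next_reload:#06x}, expected {expected:#06x}")
    if current & IGNORE_STARTUP_CONFIG and not findings:
        findings.append(
            f"running with {current:#06x} until the next reload; "
            "confirm the startup-config was copied into the running-config"
        )
    return current, next_reload, findings


# Constructed captures: the first is the register line shown in step 5,
# the other two are made-up variants of that same line.
SAMPLES = {
    "recovery-in-progress": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "register-never-restored": "Configuration register is 0x2142",
    "normal": "Configuration register is 0x2102",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_config_register(text))
```

Run it against a capture taken after the final reload as well: a router that still reports 0x2142 with no pending value starts with the default configuration, and therefore without its credentials, every time it restarts.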
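Simulate the Break Signal
The default serial/console configuration can be seen in the Putty configuration, as shown in the image.
If the router does not recognize the break signal correctly, you can simulate the signal with Putty in order to enter rommon mode.
Step 1. To simulate the Break signal, you must set the serial/console configuration as follows:
- Speed: 1200.
- Data bits: 8.
- Stop bits: 1.
- Parity: None.
- Flow control: None.
This serial configuration is shown in the image.
After you connect to the device with the previous configuration, you no longer see any output from the console. This is expected behavior.
Step 2. You must power-cycle the device and then press the space bar for 10-15 seconds in order to generate the break signal in the router.
After that, the router is in rommon mode, but the rommon prompt is not visible.
Step 3. Open a Putty session with the default values and try to connect to the console again. The rommon prompt is displayed.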