Linux Systems Articles for better insights

Reset enable pass without config loss on 6500 Cataylist Series Routers

Cataylist 65xx (6509, 6506, 6513) Password Recovery


These are cute big routers. They're actually switches that have a customized IOS for routing + dedicated 'fabric' for processing. If you're here to reset the enable and vty passwords without config loss, you've found the right article.

An absolute beginner will want to plan for 30 minutes of downtime, but might tell their boss 1 hour for Scotty Principle overhead. The biggest concern is the switch comes back online with all ports administrative DOWN. Plan in advance! You have to no shutdown every production interface before your maintenance window is over. All other configurations are preserved.

The other introductory note is that the 6500 series has multiple 'ROMmon' modes. There is a SP (Switching Processor) and RP (Routing Processor) mode. While breaking in, many switches crash when a break sequence happens after the Routing Processor starts, this is expected behavior.

Connect your console/serial cable

You're going to want to plug a console to the supervisor (SUP-2-2GE/SUP720-3B) so you can manage the switch directly. Be sure to use these settings:

9600 baud rate 
No parity 
8 data bits 
1 stop bit 
No flow control

Get the current config register

The configuration register is what tells the switch/router which behavior to boot into, it is a hexadecimal pointer to control the load point of configuration. This controls htings like:

  • How the router boots (into ROMmon, NetBoot)
  • Options while booting (ignore configuration, disable boot messages)
  • Console speed (baud rate for a terminal emulation session)

The configuration register can be set from configuration mode using the config-register command. From ROMmon, use the confreg command. Issue the show version command to view the current setting of the configuration register:

Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) 2500 Software (C2500-JS-L), Version 12.1(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 25-Oct-00 05:18 by cmong
Image text-base: 0x03071DB0, data-base: 0x00001000
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a),
Router uptime is 7 minutes
System returned to ROM by reload
System image file is "flash:c2500-js-l_121-5.bin"
cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 03867477, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Token Ring/IEEE 802.5 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102

The factory-default setting for the configuration register is 0x2102. If you don't know or can't run show version you can assume register 0x2102.

Pull the plug on the router.

Your router will begin to reboot, and should be ready for action within 30-60 seconds.

Break once the routing processor starts

The ROMmon boots into SP (switch processor) first, on some systems it will boot to Rommon 1> and you need to type boot. The system will boot into RP next (routing processor) which is your sign to BREAK SEQUENCE over to ROMmon.

Start pressing the BREAK sequence as soon as RP gains control:

00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

DO NOT INTERRUPT UNTIL AFTER THIS MESSAGE. You may have to issue BREAK a few times.

Pro Tip: Ctrl-A + F sends break sequence using Minicom on Linux.

Pro Tip: Command + B sends break sequence using Z-Terminal on Mac.

Pro Tip: Ctrl + BREAK sends break sequence using Hyperterminal on Windows.

Change the configuration register to boot ROM (ignore NVRAM)

If your break sequence worked, you should see a RomMon 1> prompt.

Immediately type confreg 0x2142 and press enter. This is important because after 10 seconds the router has a tendecy to crash and reboot, so it's important you change config register before it does. If it crashes, simply wait and it will reboot into the proper config mode.

Here is what the 'software forced crash' looks like:

rommon 1 > 
 00:00:41: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure co. 
00:00:41: %SYS-SP-2-INTSCHED: 't_idle' at level 7 
 -Process= "SCP Download Process", ipl= 7, pid= 57 
 -Traceback= 4013991C 401232B4 402827F4 40282994 40283010 405CB010 402A9858 4013C 
 00:00:41: %SYS-SP-2-INTSCHED: 't_idle' at level 7 
 -Process= "SCP Download Process", ipl= 7, pid= 57 
 -Traceback= 4013991C 401232B4 402827F4 40282994 40283010 405CB010 402A9858 4013C 
 00:00:41: %SYS-SP-2-INTSCHED: 't_idle' at level 7 
 -Process= "SCP Download Process", ipl= 7, pid= 57 
 -Traceback= 4013991C 401232B4 402827F4 40282994 40283010 405CB010 402A9858 4013C 
 00:00:41: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor

*** System received a Software forced crash *** 
 signal= 0x17, code= 0x24, context= 0x4269f6f4 
 PC = 0x401370d8, Cause = 0x3020, Status Reg = 0x34008002

The router will reboot and ignore NVRAM configuration because of config register 0x2142. If you see that the router configuration is still present (still previous hostname), it indicates that the configuration register was not changed to 0x2142 in time prior to the crash.

Cancel the 'initial switch configuration'

Unless you want to lose your configurations, please say 'no' when it asks to run first-time configuration.

Enable yourself to administrator!

Type enable at the Router> prompt. You are in enable mode with no password. The Router# prompt is displayed.

Copy NVRAM config into running memory.

configure memory or copy start running will copy NVRAM to RAM. Do not issue configure terminal yet!

Check your config

Run write terminal or show running These commands show the configuration of the router. In this configuration, you see the shutdown command under all the interfaces.

Conf t

Issue the configure terminal command to enter global configuration mode and make the changes. The prompt is now hostname(config)#.

Change enable password

Issue the enable secret < password > in global configuration mode to change the enable password.

Set config-register 0x2102 again.

Issue the config-register 0x2102 command, or the hexadecimal value you recorded in Step 2 in global configuration mode.

Change vty passwords, if present.

Router(config)#line vty 0 4
Router(config-line)#password cisco

Bring up interfaces

Issue the no shutdown command on every interface that is normally in use. Issue a show ip interface brief command to see a list of interfaces and their current status.

Exit conf t mode

CTL-Z or end should leave configuration mode, and write memory or copy running startup will write the changes to NVRAM.

Reload / Restart Router

Now bring the router back up by running reset or power cycle the device and ensure everything comes back online!