Hello everyone. If you have just finished studying for and passing the CCNA, or have even passed the CCNP using ready-made dumps, your knowledge will have big gaps once you start working. For example, if you have just joined a company's IT team and your boss hands you a router whose password has been lost, or asks you to upgrade its software, I think the CCNA/CCNP certificates won't help much at that point. So the best approach is to keep practical procedures on hand just in case. I bought this document from an English-language site; its instructions are simple and very easy to understand, and after reading it I could carry out the procedures correctly right away. This is a document well worth downloading and keeping for anyone working in IT or network administration.
THE DOCUMENT INCLUDES: A GUIDE TO ROUTER PASSWORD RECOVERY AND IOS UPGRADES

Cisco IOS Router Password Recovery

It happens to the best of us: you are doing some labs and forgot what password you set for enable mode… Perhaps another student was working on the router before and you have no idea what password he picked. Maybe you need to reset the password of a router you didn’t configure… Whatever the reason, let me show you how to reset the password of your Cisco router. This only applies to routers; if you need to reset the password for a switch then you need another tutorial. Let’s take a look:

Router>enable
Password:
Password:
Password:
% Bad secrets

Ouch… "bad secrets" means we didn’t type the correct password. To fix this problem you need to connect to your router through the console port; you can’t do this remotely through telnet or SSH. Reboot the router (just hit the power switch) and send the BREAK signal. This tells the router to skip loading the IOS (Cisco’s operating system). If you are using Windows and PuTTY you can probably use the CTRL-BREAK combination to send a break signal. If this doesn’t work you can try some of the other methods that are described here.

When the router accepts your BREAK it will head into ROMMON mode. ROMMON is like a mini operating system that helps to initialize the hardware and boots the Cisco IOS. Here’s what it looks like:

Readonly ROMMON initialized
rommon >

This tells us that we are in ROMMON mode. We can only configure a couple of items here; one of the things we can do is tell the router to ignore its startup-configuration when booting the IOS image. This is exactly what we want because it means it will also not load the password that we configured (and forgot). Here’s how to do it:

rommon > confreg 0x2142
You must reset or power cycle for new config to take effect

We set the configuration register to 0x2142 with the confreg command. This tells the router to ignore the startup-configuration when booting. The router is nice enough to tell us we should reboot, so
let’s follow its advice:

rommon > reset
c2811 platform with 786432 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0x38bbd64
Self decompressing the image : #######################

The router will boot and load its IOS image. Once it’s ready you will see the following wizard:

--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no

Because the router is not loading its startup-configuration, it shows the wizard that appears when there is no configuration. Just type no and you will end up at the command line. We will now go to enable mode:

Router>enable
Router#

Great! We now have full access to the router and it didn’t prompt for a password. We will now copy the startup-configuration to the running-configuration ourselves. By doing this your configuration will be active, but we will still be in privileged mode, which allows us to change the password:

Router#copy startup-config running-config
Destination filename [running-config]?
1831 bytes copied in 1.012 secs (1809 bytes/sec)

Your configuration is now active. Let's see what the password that we forgot about looks like:

Router#show run | include enable
enable secret $1$aAHw$ZUJuS7oxPrVfap1ev8YaU

This router has an "enable secret", which is a hash of our password. There's no way to tell what the original password was, but I can change it to something else. If you used the "enable password" command you will be able to retrieve it because it's clear-text. However, saving clear-text passwords in your configuration is not a good idea.

To change the password we need to go to configuration mode first:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Now I can set a new password. I'll call mine "mypassword". We should also not forget to set the configuration register back to the default value. If you forget this, the router will ignore the startup-configuration again next time you boot:

Router(config)#enable secret mypassword
Router(config)#config-register 0x2102

Now you can exit configuration mode:

Router(config)#end
Router#

Don't forget to save your configuration:

Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration

How to upgrade Cisco IOS Image

Cisco IOS devices typically use their flash memory to store the IOS image. On most routers, this flash memory can be easily replaced. On some switches, it is integrated in the device and can’t be replaced. In this lesson, I’ll show you some different options for copying a new IOS image to your Cisco IOS router or switch. I will use a Cisco 2800 IOS router in these examples.

Filename:

Above you can see the file name and MD5 checksum. The checksum can be used to check whether the file that you downloaded is the same or has changed. I’ll show you this later.

Once you have downloaded the IOS image, check if you have enough space left on your flash memory:

R1#show flash:
-#- length -date/time path
1119 Sep 29 2015 11:11:52 +00:00 r1-r2-r3.cfg
1184 Dec 2014 15:14:06 +00:00 R1-R2-ASA1-ASA2.cfg
1125 Dec 23 2014 13:41:32 +00:00 ASA1-R1-R2-R3.cfg
76 Jul 17 2014 12:09:10 +00:00 System Volume Information/IndexerVolumeGuid
1060 Aug 11 2015 12:53:50 +00:00 mpls-pe-ce-basicaddressing.cfg
1213 Sep 30 2015 15:05:02 +00:00 router-on-a-stick.cfg
67926080 Apr 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
3862364160 bytes available (137428992 bytes used)

On my flash memory, there are a bunch of configuration files and the current IOS image. There are 3862364160 bytes available (3862 MB) so we have plenty of space.

When we want to copy something to or from this router, we have to use the copy command:

R1#copy ?
/erase            Erase destination file system
/error            Allow to copy error file
/noverify         Don't verify image signature before reload
/verify           Verify image signature before reload
archive:          Copy from archive: file system
cns:              Copy from cns: file system
flash:            Copy from flash: file system
ftp:              Copy from ftp: file system
http:             Copy from http: file system
https:            Copy from https: file system
null:             Copy from null: file system
nvram:            Copy from nvram: file system
pram:             Copy from pram: file system
rcp:              Copy from rcp: file system
running-config    Copy from current system configuration
scp:              Copy from scp: file system
startup-config    Copy from startup configuration
system:           Copy from system: file system
tar:              Copy from tar: file system
tftp:             Copy from tftp: file system
tmpsys:           Copy from tmpsys: file system
xmodem:           Copy from xmodem: file system
ymodem:           Copy from ymodem: file system

We have a lot of options. The most common options for copying an IOS image are TFTP, FTP and SCP. I will explain all three options to you. Newer routers also support copying from USB sticks. This will show up as usbflash: in the filesystem overview.

TFTP

TFTP (Trivial File Transfer Protocol) is similar to FTP but much simpler, like a lightweight version. It doesn’t support authentication or encryption and uses UDP for transmission. I will use the following topology:

We need a TFTP server application; a great choice here is TFTPD32. You can download it for free and it’s an executable, so there is no need to install anything. Once you have downloaded TFTPD32, start it:

And you will see the main screen:

Make sure you select the correct directory where you downloaded your IOS image and, if you have multiple network interfaces, select the correct interface.

The copy command works in both directions: I can copy to and from the TFTP server. Here’s how to copy the current IOS image to the TFTP server:

R1#copy flash: tftp:
Source filename []? c2800nm-adventerprisek9-mz.151-4.M10.bin
Address or name of remote host []?
Destination filename [c2800nm-adventerprisek9-mz.151-4.M10.bin]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
67926080 bytes copied in 312.508 secs (217358 bytes/sec)

When you use the copy flash: tftp: command, it will ask you for the IP address and filename. When you see something between [] (brackets), you can just hit the enter button. For example, since I specified the source name, the router assumes I want to use the same file name for the destination. Don’t type “y” or “yes” here or that will become the destination filename.

If you are unable to connect to the TFTPD32 server, check your Windows firewall. We can see the transfer on our router or you can see it in TFTPD32:

We now have a backup of our current IOS image. Let’s copy the new image to the router:

R1#copy tftp: flash:
Address or name of remote host []?
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing tftp://
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from (via FastEthernet0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 67929600 bytes]
67929600 bytes copied in 316.628 secs (214541 bytes/sec)

The transfer has completed. Let’s take a look at our flash memory:

R1#show flash: | include bin
67926080 Apr 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25 67929600 Nov 2016 12:11:22 +00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Above we can see the new IOS image. The copy command also allows you to enter parameters like the IP address of the TFTP server and filenames. Here is an example:

R1#copy tftp:// flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?

Above you can see that I already entered the IP address and filename. Once I hit enter, it will only ask me for the destination filename (which I also could have entered). If you have to upgrade the IOS image on multiple devices, this is more convenient as you can just copy/paste the above line on all devices.

FTP

Copying to or from an FTP server is also no problem; we can do this with the same copy command. One thing you might have to deal with is authentication. Most FTP servers will require a username and password. Here is the topology I will use:

There are two things we can do to supply a username and password. Here is option one:

R1(config)#ip ftp username admin
R1(config)#ip ftp password cisco

We can globally configure the username and password that we want to use for the FTP server. When you use the copy command, Cisco IOS will use these values for authentication. Personally, I don’t like leaving this information in the running configuration. It’s also possible to supply a username and password with the copy command. Here is an example:

R1#copy ftp://admin:cisco@ flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing ftp://*****:*****@
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from (via FastEthernet0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 67929600 bytes]
67929600 bytes copied in 884.704 secs (76782 bytes/sec)

Above you can see I embedded the username “admin”, the password “cisco” and the IP address of my FTP server. This way is also easier: you can copy/paste this line on all devices that require an IOS image upgrade.

SCP

Last but not least, we have SCP (Secure Copy), which uses SSH. This is a great method for two reasons: it allows you to use your router/switch as an SCP server, and it uses encryption. You probably already have SSH configured on your router or switch. I will show you how to configure your router as an SCP server and how to copy files to/from it. I’m going to use two routers for this:

R1 Configuration

First, we have to configure SSH:

R1(config)#ip domain-name NETWORKLESSONS.LOCAL
R1(config)#line vty
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config)#crypto key generate rsa
The name for the keys will be: R1.NETWORKLESSONS.LOCAL
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable
[OK] (elapsed time was seconds)
R1(config)#ip ssh version

Now we only need two additional commands for SCP. The first one is to enable the SCP server:

R1(config)#ip scp server enable

And we need a user that has full access to the router:

R1(config)#username admin privilege 15 password cisco

Let’s continue with R2, our SCP client.

R2 Configuration

R2 will be our SCP client. Let’s try the copy command:

R2#copy scp: flash:
Address or name of remote host []?
Source username []? admin
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Password:
!!!!!!!!!!!
67929600 bytes copied in 884.704 secs (76782 bytes/sec)

The copy command will ask for the remote IP address, username, password, and filename.

MD5 Verification

So far we copied a couple of files, but how do we know that these files are valid? When we downloaded the Cisco IOS image, I showed you the MD5 checksum that Cisco publishes on their website. We can verify this checksum on our router:

R1#verify /md5 flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
Done!
verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin) = fcdaeb55b292534e97ecc29a394d35aa

This MD5 checksum is the same as the one we found on the Cisco website. This tells us that we have the same file as Cisco published and that the file has not been tampered with. If the checksum fails, maybe someone has added something nasty to the image.

Boot System

Our router currently has two IOS images:

R1#show flash: | include bin
67926080 Apr 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25 67929600 Nov 2016 12:11:22 +00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Which IOS image will it select when the router boots? Deleting the old IOS image is one option, but there is another way. Most routers will select the first filename that they find on the flash memory, so in our case it would boot the older IOS image. We can change this with the boot system command:

R1(config)#boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin

Let’s reload the router:

R1#reload
System configuration has been modified. Save?
[yes/no]: yes
Building configuration
[OK]

Once the router has reloaded, verify that we are running the new IOS image:

R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
R1 uptime is 14 minutes
System returned to ROM by reload at 14:01:00 UTC Fri Nov 2016
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin"

Above we can see we booted the new Cisco IOS image.

Conclusion

You have now learned how to upgrade your Cisco IOS image through TFTP, FTP and SCP. You have seen how this can be done from your computer to your router/switch or between two routers. We also checked how to verify the integrity of the file with the MD5 checksum and how to configure your router to boot the new IOS image.
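A post-change check for the password recovery and FTP/SCP sections above, as an added example that is not part of the original tutorial: it flags a configuration register that still ignores the startup-configuration and credentials stored with `password` instead of `secret`. The function names and the sample `show version` and running-config text are constructed for illustration.

```python
import re

IGNORE_NVRAM = 0x0040  # config-register bit 6: skip startup-config at boot
REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")
# Each rule: (pattern matched against one config line, finding text)
RULES = [
    (re.compile(r"^enable password\b"),
     "enable password is recoverable from the config; use 'enable secret'"),
    (re.compile(r"^username \S+ .*\bpassword\b"),
     "local user stored with 'password'; use 'secret'"),
    (re.compile(r"^ip ftp password\b"),
     "FTP credential left in the configuration"),
]

def register_findings(show_version):
    """Flag a register value that makes the next boot skip startup-config."""
    m = REG_RE.search(show_version)
    if not m:
        return ["configuration register not found in input"]
    effective = m.group(2) or m.group(1)  # pending value wins if present
    if int(effective, 16) & IGNORE_NVRAM:
        return [f"register {effective}: next boot ignores startup-config"]
    return []

def config_findings(running_config):
    """Return one finding per config line that stores a weak credential."""
    out = []
    for n, line in enumerate(running_config.splitlines(), 1):
        for rx, text in RULES:
            if rx.search(line.strip()):
                out.append(f"line {n}: {text}")
    return out

# Constructed sample input (not captured from a real device).
SAMPLE_VERSION_PENDING = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
SAMPLE_VERSION_STUCK = "Configuration register is 0x2142"
SAMPLE_CONFIG = """\
enable secret 5 $1$aAHw$ZUJuS7oxPrVfap1ev8YaU
username admin privilege 15 password 0 cisco
ip ftp username admin
ip ftp password cisco
"""

if __name__ == "__main__":
    for finding in register_findings(SAMPLE_VERSION_STUCK) + config_findings(SAMPLE_CONFIG):
        print(finding)
```

A router left at 0x2142 comes up after the next power cycle with no enable secret and no line passwords loaded, so this check belongs at the end of every recovery.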
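For the MD5 Verification and Boot System sections, an added example (not from the original tutorial) that compares three things before `boot system` is changed: the published checksum, the file staged on the transfer server, and the router's `verify /md5` result, including the filename on flash. The function names are hypothetical; `PAGE_OUTPUT` is the output line shown in the tutorial.

```python
import hashlib
import hmac
import os
import re

# Shape of the router's reply, as shown in the tutorial's "verify /md5" output.
VERIFY_RE = re.compile(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})")

def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks so a 60+ MB image is never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_router_verify(output):
    """Return (flash_path, md5) from router output, or None if absent."""
    m = VERIFY_RE.search(output)
    return (m.group(1), m.group(2).lower()) if m else None

def check_image(published_md5, local_path, router_output):
    """Compare vendor value, staged file and router copy; return mismatches."""
    problems = []
    published = published_md5.strip().lower()
    if not hmac.compare_digest(file_digest(local_path), published):
        problems.append("staged file does not match published checksum")
    parsed = parse_router_verify(router_output)
    if parsed is None:
        return problems + ["no 'verify /md5' result in router output"]
    flash_path, router_md5 = parsed
    if not hmac.compare_digest(router_md5, published):
        problems.append("image on flash does not match published checksum")
    # A mistyped name still hashes correctly but breaks 'boot system'.
    if flash_path.split(":", 1)[-1] != os.path.basename(local_path):
        problems.append(f"flash filename differs: {flash_path}")
    return problems

# Output line copied from the tutorial's router session.
PAGE_OUTPUT = ("verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin)"
               " = fcdaeb55b292534e97ecc29a394d35aa")

if __name__ == "__main__":
    print(parse_router_verify(PAGE_OUTPUT))
```

MD5 is not collision resistant, so a match is strongest as a corruption check; where a SHA-512 value is published for the image (an assumption here), `file_digest(path, "sha512")` gives the stronger comparison for the staged file.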