Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Device Operations Intermediate

Password Recovery & Configuration Register

How to recover access to a Cisco router or switch when you've lost the enable password. Covers the configuration register, ROMMON, the standard CCNA recovery procedure, and the security implications of physical access.

TL;DR
  • If you have physical/console access to a Cisco device, you can recover the password by changing the configuration register to ignore the startup-config on boot.
  • Standard register `0x2102` = boot normally. `0x2142` = boot but skip startup-config (give yourself a clean device, copy old config in, change password).
  • This is why **physical security matters** — anyone at the console can own the device. Console passwords and `no service password-recovery` are the mitigations.

Mental model

You inherit a router. No one knows the enable password. The previous engineer left. Telnet/SSH won’t help — you can’t get past login. You need physical console access plus a power cycle.

The trick: tell the device to skip loading its startup-config when it boots. The device boots with no config (no passwords either), you log in, look at the existing startup-config (still safe in NVRAM), copy it into running-config, set a new password, save.

The setting that controls boot-time behavior is the configuration register — a 16-bit value stored in NVRAM that the bootloader (ROMMON) reads at power-on.

The configuration register — what each value means

0x2102   ← default. Normal boot. Load IOS from flash, load startup-config.
0x2142   ← password recovery. Boot but IGNORE startup-config in NVRAM.
0x2120   ← boot into ROMMON instead of IOS.
0x0000   ← boot into ROMMON (same intent, different bits).

The hex bits aren’t random — each bit toggles a behavior (console speed, boot source, etc.) but for CCNA you memorize the two important values.

The password-recovery procedure — Cisco router

  1. Console in. Cable plugged into the console port, terminal at 9600/8/N/1.
  2. Power-cycle the router.
  3. During the first 60 seconds, hit Ctrl-Break (or Ctrl-] then break, terminal-specific). This drops you into ROMMON.
rommon 1 >
  1. Set the config-register to ignore startup-config:
rommon 1 > confreg 0x2142
rommon 2 > reset
  1. Device reboots, comes up with empty running-config. No passwords. You’re at the user prompt.
Router>
Router> enable     ← no password asked
Router#
  1. Copy the saved startup-config into running-config (NOT the other way around — don’t overwrite NVRAM yet):
Router# copy startup-config running-config

You now have the previous engineer’s config running — interfaces, OSPF, ACLs, everything — but with privileged access.

  1. Change the password and reset the config-register:
Router# configure terminal
Router(config)# enable secret NewStrongPassword!
Router(config)# config-register 0x2102
Router(config)# end
Router# copy running-config startup-config
Router# reload

Device reboots normally. You now have the working config plus the password you set.

Password recovery — Cisco switch (Catalyst)

Slightly different. Switches don’t use the config-register the same way:

  1. Console in. Power-cycle.
  2. Hold the Mode button on the front panel while plugging in power.
  3. Switch boots into a special menu / switch: prompt.
  4. Run:
switch: flash_init
switch: dir flash:
switch: rename flash:config.text flash:config.text.old
switch: boot
  1. Switch boots with no config. Press n on initial setup wizard.
  2. Restore the config:
Switch> enable
Switch# rename flash:config.text.old flash:config.text
Switch# copy flash:config.text running-config
  1. Change password, write to startup-config:
Switch# configure terminal
Switch(config)# enable secret NewPassword!
Switch(config)# end
Switch# write memory

The security implication

If someone has physical console access, they can take over the device. Period. Password recovery is a designed feature of Cisco IOS.

Mitigations:

1. Disable password recovery

Router(config)# no service password-recovery

Now if someone enters ROMMON, they cannot bypass startup-config. The device boot prompt warns:

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED.

If you forget the password on a device with this set, your only option is to wipe the device and start fresh — losing the saved config. Use this only in high-security environments where you keep the config backed up externally.

2. Physical security

Locked racks. Camera coverage. Console cable not left plugged in. Standard datacenter discipline.

3. Strong console-line authentication

Console login should require AAA (RADIUS/TACACS+), so even if someone gets to the console, they need real credentials. Combined with no service password-recovery, you’ve raised the bar significantly.

Verifying current register value

Router# show version
...
Configuration register is 0x2102

Router# show version | include register

After changing in config mode, the change takes effect on next reloadshow version shows the live value plus “(will be 0x2142 at next reload)”.

Common mistakes

  1. Skipping the copy startup-config running-config step. You set 0x2142, rebooted, set a new password — but you skipped loading the old config. You now have a working blank device and you’ve lost OSPF, interfaces, ACLs, everything. (NVRAM still has the old startup-config — copy startup-config running-config rescues you.)

  2. Forgetting to reset 0x2142 back to 0x2102. Device works fine for now, but on the next reboot it skips startup-config again — the next person sees an unconfigured device.

  3. Not writing the new password to startup-config. enable secret only changes running-config. copy running-config startup-config makes it persist across reboots.

  4. Wrong break key. PuTTY: Ctrl-Break. macOS Terminal/iTerm: Ctrl-A then Ctrl-B, or send a BREAK signal via the menu. Linux screen: Ctrl-A then Ctrl-B. Look up your terminal’s BREAK key beforehand.

  5. Trying password recovery remotely. You can’t. Console + physical access is required.

  6. Using no service password-recovery without an offline config backup. If you ever forget the password, you have to factory-reset and rebuild. Backup the config first.

Real-world scenario

You’re a new hire at a hospital network team. The previous network engineer left abruptly. There’s an old 2911 router in a wiring closet that no one has the password for, but it’s running OSPF and the radiology VLAN is depending on it.

Wrong move: factory-reset it. Radiology goes down.

Right move: schedule a maintenance window, console in, password-recover. The OSPF config and interfaces stay intact because you copy startup-config → running-config before reloading. You change the enable secret to something documented in your password vault.

This is exactly the scenario this procedure is designed for.

Lab to try tonight

  1. In CML or Packet Tracer, build a router with an OSPF config and an enable secret SecretPassword!.
  2. write memory, then reload.
  3. As it boots, hit Ctrl-Break to enter ROMMON.
  4. confreg 0x2142, reset.
  5. Verify the router comes up with empty config. Type enable — no password asked.
  6. show startup-config — your old config is still there.
  7. copy startup-config running-config — old config comes back live.
  8. configure terminalenable secret NewSecret!config-register 0x2102endwrite memoryreload.
  9. Login with the new password. Confirm OSPF + interfaces survived.
  10. Bonus: enable no service password-recovery. Reboot. Try the ROMMON trick — see the device refuse to bypass startup-config.

Cheat strip

ConceptPlain English
Config register16-bit value in NVRAM controlling boot behavior
0x2102Default — normal boot
0x2142Boot but skip startup-config (password recovery)
ROMMONThe bootloader. rommon> prompt. Reached via Ctrl-Break during boot
confreg 0x2142 in ROMMONSet register for password recovery
config-register 0x2102 in IOSSet register from configure mode
Copy startup → runningCritical step — restores original config before you change password
Switch recoveryMode button + power, then rename config.text instead of using confreg
no service password-recoveryDisables this — but locks you out if you ever lose the password
Why it mattersPhysical console = root access by design. Lock your wiring closets.
← Previous topic

Cisco AnyConnect / Remote Access VPN

How a remote user's laptop gets put 'on the corporate LAN' over the internet. Covers AnyConnect client, SSL/TLS vs IKEv2, split tunneling, authentication options, and where it fits alongside ZTNA in 2026.
Next topic →

NTP Authentication & Security

How to harden NTP — authentication keys, peer/client/server roles done right, ACL restrictions, and why a bad clock breaks Kerberos, TLS, logs, and forensics.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

Security Fundamentals

AAA · RADIUS & TACACS+

Authentication, Authorization, Accounting — centralize who can log in, what they can do, and what they did. Covers RADIUS vs TACACS+, method lists, and why every network with more than 5 devices uses centralized auth.

 Network Access

Catalyst Boot Process

What happens between powering on a Cisco device and the prompt appearing. Covers POST, ROMMON, IOS image selection, config register, boot variables, and password recovery.

 Device Operations

Cisco IOS Device Management

How you actually log into and configure a Cisco device. Covers console / SSH / Telnet access, command modes (user / privileged / config), saving config, banners, the password types, and modern best practices for line security.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages