cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
233
Views
1
Helpful
5
Replies

Password reset on BGP Routers - Some Q&A before we proceed

mattredz101
Level 1
Level 1

Hi All

I have to do a password reset on two routers currently providing internet access for a large organisation.  The customer access to these devices some time ago and isn't sure of the username/password. I've done some work with them in the lab to reset another device that they did no have the password for and the only hiccup we had was having to go back in and reset the counter value in rommon and set a new user name also as this was overlooked.

I have been told that the routers are configured in a failover mode, I plan to disconnect one of them and perform the password reset along with a new user (backing up the configuration at the same time). Then reconnect the router to the network and failover to it by unplugging the active. Perform the same actions then reconnect. 

Can anyone see an issue with this?
I'm assuming the Active and Standby don't have identical configurations?
In the case of doing a password reset and creating a new user on one I wont put the other out of sync?
Is there anything I should be aware of?

Basic topology is bellow, not much I know but I won't be able to see the running-config until I reset via the 0x2142

Many thanks in advance

Cisco ASR Router BGP.png

5 Replies 5

I dont have exact answer but 

One side is bgp other is hsrp?

If yes you need to disconnect both sides hsrp and bgp otherwise you will make packet drop since l2 SW send packet to active hsrp peer.

MHM

hichamfolk
Level 1
Level 1

If you re using hsrp, try first with 'show hsrp brief' to confirm that hsrp state is ok on ASR.

Also check the advertised route to ISP, it should be the same list of prefixes.

Last thing, check that defaut route of firewall has virtual ip of asr as gateway 

Hope it helps

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @mattredz101 ,

>> In the case of doing a password reset and creating a new user on one I wont put the other out of sync?

No, because Cisco routers do not implement an HA pair like Firewalls as others have suggested likely HSRP or VRRP is used on tjhe LAN side and you need to check this on the internal Firewall.

You should check the arp entry for the next-hop of default static route on the firewall this will tell you if HSRP or VRRP is used the MAC address will be one that can be recognized.

Once you are sure that the FW is using an HSRP or VRRP VIP as next-hop you can perform your proposed procedure.

Hope to help

Giuseppe

 

The OP asks several questions. Here are my responses:

"I'm assuming the Active and Standby don't have identical configurations?" That is a correct assumption. The config of both devices will be similar but there will be some differences. A few things that come to mind are that the IP addressing should be in the same subnet but will have different IP.  It is not clear exactly what the "failover mode" really is. For connection to inside network it is likely to be HSRP (but could be something else) and there might be some differences in HSRP parameters (perhaps different priorities). For connection to ISP failover is likely to be use of BGP (but there might be a different approach) and for BGP there might be differences in config between the routers (things like local-preference or weight to establish a preferred path to the ISP). So save copies of configs from both routers and compare them. But you certainly would not use a single config for both routers.

"In the case of doing a password reset and creating a new user on one I wont put the other out of sync?" Since we do not know how the routers are configured we do not know what kind of sync exists between them. Assuming that sync on the inside is based on HSRP when one peer stops working the surviving peer should take over just fine. When the first router is configured and brought back into service the routers will exchange HSRP packets and should resume their cooperative relationship. Assuming that sync on the outside is based on BGP when one peer stops working the surviving peer should take over just fine. When the first router is configured and brought back into service the routers will resume their BGP roles.

"Is there anything I should be aware of?" I would suggest these things about recovering the routers

- when you do password recovery setting the register to x2142 the router boots and ignores the startup config and runs with essentially an empty config (it is not empty because many parameters are there with their default value). You need to configure new user and password. You might want to configure a new enable password.

- you should make a copy of the existing startup config which would be what had been running. Make sure that the config copy is in a place and in a form that you can access. 

- Look through the copy of the startup config, focusing especially on how the router is configured to interact with its peers (both inside and outside and each other). 

- copy startup config to running config. This will restore the router to its previous state. The router will now have both the username that you just configured and the original user name(s). You probably want to remove the old user name(s). The router will also now have its original enable password. You probably want to update it to the new one you created in recovery. After the router has run for a bit and things are stable you will want to copy running config to startup config.

HTH

Rick

johnlloyd_13
Level 9
Level 9

hi,

if customer's organization is large, they should've a centralized AAA either via RADIUS or TACACS+. 

does their IT know or can SSH using their login account (not local username)?

if the cisco ASR internet edge router is considered a "black" box/device, then it's prudent to perform the password reset in a scheduled maintenance window, "break" to the secondary ASR (if there's a label at least), re-configure ALL passwords, i.e. local username, enable, console and VTY lines. 

then once you're able to login, do the same in the other ASR. 

Review Cisco Networking for a $25 gift card