Enabling ROMmon security to prevent a person with physical access to the router from viewing the configuration file (no service password-recovery command)


Wed, 11/18/2009 - 18:25
Jun 18th, 2009

Core Issue

ROM Monitor (ROMmon) security is designed to prevent a person with physical access to the router from viewing the configuration file. ROMmon security disables access to the ROMmon so that a person cannot set the configuration register to ignore the startup configuration. ROMmon security is enabled when the router is configured with the no service password-recovery command.

Note: Because password recovery using ROMmon security involves destroying the configuration, it is recommended that you save the router configuration somewhere off the router, such as on a TFTP server.

If a router is configured with the no service password-recovery command, all access to the ROMmon is disabled. If there is no valid Cisco IOS Software image in the Flash memory of the router, the user cannot use the ROMmon XMODEM command to load a new Flash image. To fix the router, you must get a new Cisco IOS Software image on a Flash SIMM or on a Personal Computer Memory Card International Association (PCMCIA) card (for example, on the 3600 series routers).

In order to minimize this risk, a ROMmon security user should also use dual Flash bank memory and put a backup Cisco IOS Software image in a separate partition.
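The following is an added example, not part of the original document or any Cisco tooling: a small audit that checks a saved configuration for the safeguards described above before ROMmon security is relied on. The sample configuration, hostname, image names, finding codes and the partition-prefixed `boot system flash N:file` form it parses are assumptions; adjust the pattern to your platform's syntax.

```python
import re

# Constructed sample of a saved IOS configuration (illustrative only).
SAMPLE_CONFIG = """\
version 12.4
no service password-recovery
hostname edge-rtr-01
boot system flash 1:primary-image.bin
boot system flash 2:backup-image.bin
end
"""

# Assumed form: "boot system flash [partition:]filename".
BOOT_RE = re.compile(r"^boot system flash (?:(\d+):)?(\S+)$")


def audit(config_text, offbox_copy_exists):
    """Return finding codes for one router's saved configuration.

    offbox_copy_exists: True if a copy of this configuration is stored
    off the router (for example on a TFTP server); this cannot be read
    from the configuration itself, so the caller supplies it.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]

    # Without the command, ROMmon access is still possible, so the
    # lock-out risks checked below do not apply.
    if "no service password-recovery" not in lines:
        return ["ROMMON_OPEN"]

    findings = []
    if not offbox_copy_exists:
        # Recovery destroys the configuration; an off-box copy is needed.
        findings.append("NO_OFFBOX_CONFIG")

    boots = [m for m in map(BOOT_RE.match, lines) if m]
    # Assumption: a missing partition prefix means the first partition.
    partitions = {m.group(1) or "1" for m in boots}
    if len(boots) < 2:
        # A single image that fails cannot be replaced over XMODEM.
        findings.append("NO_BACKUP_IMAGE")
    elif len(partitions) < 2:
        findings.append("SAME_PARTITION")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, offbox_copy_exists=True) or "no findings")
```
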


For more information on the no service password-recovery command, refer to "No service password-recovery" command for Secure ROMMON Configuration Example.

Problem Type

Password recovery

elettromeccanica Fri, 10/02/2009 - 06:05

The no service password-recovery command has been configured on my router, so the break sequence will no longer work in order to get to ROM Monitor (ROMmon) mode to perform a password recovery. I have followed several Cisco documents that explain the procedure to restore the default factory configuration, but none of them works.



The system doesn't react to the receipt of the command "break".

My router is an 877 with IOS 12.4(9)T5 and bootstrap 12.3(8r)Y14.

How can I restore the factory configuration?

Thanks in advance.

