Catalyst 4500 Series Switches with VSS Password Recovery Procedure

Document ID: 116436

Updated: Sep 04, 2013

Contributed by Shashank Singh and Mike Pavlovich, Cisco TAC Engineers.

Introduction

This document describes the password recovery procedure for Cisco Catalyst 4500 Series switches that run in Virtual Switching System (VSS) mode.

Prerequisites

Components Used

The information in this document is based on the Cisco Catalyst 4500 Series switches that run Supervisor Engine 7-E.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Password recovery on Cisco Catalyst 4500 Series switches that run VSS mode requires that you convert the switches to standalone mode, which must be done in order to bypass the startup configuration. If you do not convert the switches, you receive this error message:

********************* CAUTION ************************
*                                                    *
* Switch is booting up in VSS mode but               *
* startup-config is being ignored. Autoboot is       *
* disabled and now dropping into ROMMON.             *
*                                                    *
* Please configure the switch for not ignoring       *
* startup-config if it is needed to work in VSS Mode *
*                  OR                                *
* clear VS_SWITCH_NUMBER rommon variable to boot     *
* the switch in standalone mode.                     *
******************************************************
*Jul 29 12:25:59.403: %RF-5-RF_RELOAD: Self Reload.
 Reason: Startup-config ignore not allowed in VSS mode
*Jul 29 12:25:59.568: %SYS-5-RELOAD:
 Reload requested by Platform redundancy manager. Reload Reason:
 Startup-config ignore not allowed in VSS mode.Please stand by while
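
The condition behind this message can be checked from the ROMMON `set` output before you boot. The following is an added example, not part of the original Cisco document: the function names are hypothetical, the sample text is constructed in the shape of the `set` output shown later in the procedure, and a missing VS_SWITCH_NUMBER is assumed to mean standalone, as the message's "clear VS_SWITCH_NUMBER" wording suggests.

```python
import re

IGNORE_CONFIG_BIT = 0x0040  # config-register bit 6: ignore startup-config at boot

# Constructed sample: config-register already changed, switch still in VSS mode.
SAMPLE_SET_OUTPUT = """\
 PS1=rommon ! >
 RommonVer=15.0(1r)SG1
 VS_SWITCH_NUMBER=1
 ConfigReg=0x2142
"""


def parse_rommon_set(text):
    """Parse NAME=value lines from ROMMON `set` output into a dict."""
    env = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if match:
            env[match.group(1)] = match.group(2).strip()
    return env


def boot_outcome(env):
    """Classify what the next boot will do, given the parsed variables.

    'blocked'  : VSS mode with startup-config ignored; the switch reloads
                 and drops back into ROMMON with the CAUTION banner.
    'recovery' : standalone mode with startup-config ignored (the state
                 the password recovery procedure needs).
    'normal'   : startup-config is honoured.
    'unknown'  : ConfigReg was not found in the output.
    """
    if "ConfigReg" not in env:
        return "unknown"
    ignore_config = bool(int(env["ConfigReg"], 16) & IGNORE_CONFIG_BIT)
    # Assumption: an absent variable is treated the same as VS_SWITCH_NUMBER=0.
    vss_mode = env.get("VS_SWITCH_NUMBER", "0") != "0"
    if ignore_config and vss_mode:
        return "blocked"
    return "recovery" if ignore_config else "normal"


if __name__ == "__main__":
    print(boot_outcome(parse_rommon_set(SAMPLE_SET_OUTPUT)))
```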

Password Recovery Procedure

After you convert the switches to standalone mode, you must perform the password recovery on both switches individually. The procedure described in this document begins with switch 1 in the VSS mode, and must be repeated for switch 2.

In order to perform a password recovery on Cisco Catalyst 4500 Series switches that run VSS mode, complete these steps:

  1. Save the running-config to a TFTP server or an external file.
  2. Reload the switch, and interrupt the boot sequence in order to enter ROMMON:
    4k_vss#reload

    System configuration has been modified. Save? [yes/no]: yes
    Building configuration...
    Compressed configuration from 1587 bytes to 1061 bytes[OK]
    Proceed with reload? [confirm]

    *Jul 29 12:20:28.301: %SYS-5-RELOAD:
     Reload requested by console. Reload Reason: Reload command.
     Please stand by while rebooting the system...
           Restarting system.

     Type control-C to prevent autobooting.
     . .
     Autoboot cancelled......... please wait!!!

    rommon 1 > [interrupt]

    rommon 1 >set
     PS1=rommon ! >
     RommonVer=15.0(1r)SG1
     BOOT=bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin,12;
     ConfigReg=0x2102
     DiagMonitorAction=Normal
     BootedFileName=bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin
     VS_SWITCH_NUMBER=1
     ConsecPostPassedCnt=7
     RET_2_RTS=12:20:28 UTC Mon Jul 29 2013
     RET_2_RCALTS=1375100428
    rommon 2 >
  3. Configure the switch in order to ignore the startup configuration:
    rommon 2 >confreg

     Configuration Summary :
     => load rom after netboot fails
     => console baud: 9600
     => autoboot from: commands specified in 'BOOT' environment variable

     do you wish to change the configuration? y/n  [n]:  y
     enable  "diagnostic mode"? y/n  [n]:  n
     enable  "use net in IP bcast address"? y/n  [n]:   
     disable "load rom after netboot fails"? y/n  [n]:  
     enable  "use all zero broadcast"? y/n  [n]:  
     enable  "break/abort has effect"? y/n  [n]:  
     enable  "ignore system config info"? y/n  [n]:  y

     change console baud rate? y/n  [n]:  

     change the boot characteristics? y/n  [n]:  

     Configuration Summary :
     => load rom after netboot fails
     => ignore system config info
     => console baud: 9600
     => autoboot from: commands specified in 'BOOT' environment variable

     do you wish to save this configuration? y/n  [n]:  y
     You must reset or power cycle for new configuration to take effect
  4. Verify that the config-register is changed:
    rommon 3 >set
     PS1=rommon ! >
     RommonVer=15.0(1r)SG1
     BOOT=bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin,12;
     DiagMonitorAction=Normal
     BootedFileName=bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin
     VS_SWITCH_NUMBER=1
     ConsecPostPassedCnt=7
     RET_2_RTS=12:20:28 UTC Mon Jul 29 2013
     RET_2_RCALTS=1375100428
     ConfigReg=0x2142
    rommon 4 >
  5. Set VS_SWITCH_NUMBER=0, which converts the switch to standalone mode:
    rommon 4 >VS_SWITCH_NUMBER=0
    rommon 5 >
    rommon 5 >set
     PS1=rommon ! >
     RommonVer=15.0(1r)SG1
     BOOT=bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin,12;
     DiagMonitorAction=Normal
     BootedFileName=bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin
     BootStatus=Failure
     ConsecPostPassedCnt=8
     ConfigReg=0x2142
     RET_2_RTS=12:25:59 UTC Mon Jul 29 2013
     RET_2_RCALTS=1375100759
     VS_SWITCH_NUMBER=0
  6. Boot the switch with the desired image. The switch ignores the startup configuration, and creates a blank configuration:
    rommon 6 >boot bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin
    loading image

    Checking digital signature
    flash1:/USER/cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin:
     Digitally Signed Release Software with key version A

    Rommon reg: 0x00004F80
    Reset2Reg: 0x00000F00

    Image load status: 0x00000000
    #####
    Snowtrooper 220 controller 0x04328B30..0x0450A0DF Size:0x0057B4C5 Program Done!
    ##############
    Linux version 2.6.24.4.96.70.k10 (susingh@build-lnx-036)
     (gcc version 4.2.1 p7 (Cisco c4.2.1-p7)) #1 SMP Wed Dec 5 03:42:58 PST 2012
    Starting System Services

    diagsk10-post version 5.1.4.0

    Press Enter in order to begin.

  7. Configure a new password for the switch, along with the parameters required to convert the switch back into VSS mode. Change the config-register back to 0x2102 so that the startup configuration is not bypassed again on the next boot:
    Switch#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#username xxxx password xxxx
    Switch(config)#enable secret xxxx
    4k_vss(config)#config-register 0x2102
    4k_vss(config)#      
    4k_vss(config)#switch virtual domain 100
    4k_vss(config-vs-domain)#switch 1     
    4k_vss(config-vs-domain)#end  
    4k_vss#wr
    Building configuration...
    Compressed configuration from 2988 bytes to 1385 bytes
  8. Convert the switch to VSS mode again:
    4k_vss#switch convert mode virtual

    ******************* CAUTION ******************
    * No VSL port is configured or all VSL ports *
    * are put in shutdown state.                 *
    * This may cause Dual-Active mode of VSS.    *
    **********************************************
    This command will convert all interface names
    to naming convention "interface-type switch-number/slot/port",
    save the running config to startup-config and
    reload the switch.
    Do you want to proceed? [yes/no]: yes
    Converting interface names
    Building configuration...
    Compressed configuration from 3113 bytes to 1424 bytes[OK]
    Saving converted configuration to bootflash: ...
    Destination filename [startup-config.converted_vs-20130729-130331]?
    Please stand by while rebooting the system...
  9. Repeat this procedure for the other switch, and configure it to join VSS mode as switch 2.

    Note: For additional information about how to configure switches in VSS mode, reference the Configuring VSS section of the Catalyst 4500 Series Switch Software Configuration Guide, Release IOS XE 3.4.0SG and IOS 15.1(2)SG.

  10. Open the original running-config saved in step 1 in a text editor, and delete the old password from the configuration. Now it is safe to load this modified configuration on the switches. This ensures that the old, lost password is not reconfigured again.
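
Step 10 can be scripted so that no old credential line is missed. The following is an added example, not part of the original Cisco document: the function name and the sample configuration (including its placeholder hashes) are constructed, and it assumes that whole `username` lines carrying a password or secret should be dropped rather than edited.

```python
import re

# Constructed sample of a saved running-config; hashes are placeholders.
SAMPLE_CONFIG = """\
hostname 4k_vss
!
enable secret 5 $1$EXAMPLE$placeholderhash
enable password 7 0000EXAMPLE
!
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhash
username netops password 7 0000EXAMPLE
!
switch virtual domain 100
 switch 1
!
line con 0
 password 7 0000EXAMPLE
 login
line vty 0 4
 login local
!
end
"""

# Lines that carry a stored credential in an IOS configuration file.
CREDENTIAL_PATTERNS = [
    re.compile(r"^enable (secret|password)\b"),             # enable credentials
    re.compile(r"^username \S+ .*\b(secret|password)\b"),   # local user accounts
    re.compile(r"^\s+password\b"),                          # console/vty line passwords
]


def scrub_credentials(config_text):
    """Return (scrubbed_config, removed_lines) for a saved configuration."""
    kept, removed = [], []
    for line in config_text.splitlines():
        if any(pattern.search(line) for pattern in CREDENTIAL_PATTERNS):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    scrubbed, removed = scrub_credentials(SAMPLE_CONFIG)
    print(scrubbed)
    print("Removed %d credential lines" % len(removed))
```

Review the returned list of removed lines before you load the file, since a line that keeps `login` but has lost its password still needs a credential source.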