
Cisco Catalyst 6000 Series Switches

Password Recovery Procedure for Catalyst 6500/6000 Series Switches Running Cisco IOS System Software

Document ID: 14981

Updated: Apr 24, 2009


Introduction

This document describes how to recover a password on Catalyst 6500/6000 Series Switches and Cisco 7600 Series Routers that run Cisco IOS® System Software.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document applies to the Supervisor 1, Supervisor 2, Supervisor 720, and Virtual Switching System (VSS) 1440 based systems. For Supervisor 720 based systems, this document applies when it runs Cisco IOS Software Release 12.2(17)SX or later. If your Supervisor 720 runs a version prior to this, refer to Password Recovery Procedure for the Catalyst 6500 with Supervisor 720 Running Cisco IOS System Software Prior to 12.2(17)SX.

Note: The supported software for Virtual Switching System (VSS) 1440 based systems is Cisco IOS® Software Release 12.2(33)SXH1 or later.

Background

The boot sequence on the Catalyst 6500/6000 and Cisco 7600 that run Cisco IOS System Software differs from that of the Cisco 7200 Series Router because the hardware is different. After you power-cycle the box, the switch processor (SP) boots up first. After a short amount of time (approximately 25 to 60 seconds), it transfers console ownership to the route processor (RP (MSFC)). The RP continues to load the bundled software image. It is crucial that you press Ctrl-brk just after the SP gives over control of the console to the RP. If you send the break sequence too soon, you end up in the ROMMON of the SP, which is not where you should be. Send the break sequence after you see this message on the console:

00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

After this point, the password recovery is the same as a normal router.

Note: From this point onward, the Catalyst 6000 Series Switch that runs Cisco IOS System Software is referred to as a router.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Step-by-Step Procedure

The switch is configured like a router because of the operating system that runs on the switch. The password recovery procedure follows the same steps as a Cisco 7200 Series Router, except that you have to wait approximately 25 to 60 seconds longer before you start the break sequence.

  1. Attach a terminal or PC with terminal emulation to the console port of the router. Use these terminal settings:

    9600 baud rate 
    No parity 
    8 data bits 
    1 stop bit 
    No flow control 

    The required console cable specifications are described in the Cable Specifications document. Instructions on how to connect to the console port are in the Module Installation Guide. The Connecting to the Console Port—Supervisor Engine Only section provides useful information.

  2. If you still have access to the router, issue the show version command, and record the setting of the configuration register. It is usually 0x2102 or 0x102.

  3. If you do not have access to the router (because of a lost login or TACACS password), your configuration register is set to 0x2102.

  4. Turn off the router and then turn it back on with the help of the power switch.

  5. Caution: The break sequence must be initiated only after the RP gains control of the console port.

    Press Break on the terminal keyboard right after the RP gains control of the console port. On the Catalyst 6000 that runs Cisco IOS Software, the SP boots first. After it has booted, it turns control over to the RP. After the RP gains control, initiate the break sequence. The RP gains control of the console port when you see this message. (Do not initiate the break sequence until you see this message):

    00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

    From this point on, the password recovery procedure is the same as for any other router. If the break sequence does not work, refer to the Standard Break Key Sequence Combinations During Password Recovery for other key combinations.

  6. Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.

  7. Type reset at the rommon 2> prompt.

    The router reboots. However, it ignores the saved configuration.

  8. Type no after each setup question or press Ctrl-C to skip the initial setup procedure.

  9. Type enable at the Router> prompt.

    You are in enable mode and see the Router# prompt.

  10. Important: Issue the configure memory or copy start running commands to copy the Nonvolatile RAM (NVRAM) into memory. Do not issue the configure terminal command.

  11. Issue the write terminal or show running command.

    The show running and write terminal commands show the configuration of the router. In this configuration, the shutdown command appears under every interface, which means that all the interfaces are currently shut down. You see the passwords either in encrypted or unencrypted format.

  12. Issue the configure terminal command to enter global configuration mode and make the changes.

    The prompt is now hostname(config)#.

  13. Issue the enable secret < password > command in global configuration mode to change the enable password.

  14. In global configuration mode (Router(config)#), issue the config-register 0x2102 command, or use the value you recorded in Step 2, to set the configuration register back to its original value.

  15. Change the virtual terminal passwords, if present:

    Router(config)#line vty 0 4
    Router(config-line)#password cisco
    Router(config-line)#^Z
    Router#

  16. Issue the no shutdown command on every interface that is normally in use. Issue a show ip interface brief command to see a list of interfaces and their current status. You must be in enable mode (Router#) to execute the show ip interface brief command. Here is an example for one interface:

    Router#show ip interface brief
    Interface                  IP-Address      OK? Method Status                Prol
    Vlan1                      172.17.10.10    YES TFTP   administratively down dow 
    Vlan10                     10.1.1.1        YES TFTP   administratively down dow 
    GigabitEthernet1/1         unassigned      YES unset  administratively down dow 
    GigabitEthernet1/2         unassigned      YES TFTP   administratively down dow 
    GigabitEthernet2/1         unassigned      YES TFTP   administratively down dow 
    GigabitEthernet2/2         unassigned      YES TFTP   administratively down dow 
    FastEthernet3/1            172.16.84.110   YES TFTP   administratively down dow 
    <snip>...
    
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#interface fastEthernet 3/1
    Router(config-if)#no shutdown 
    Router(config-if)#exit
    Router(config)# <do other interfaces as necessary...>

  17. Press Ctrl-z to leave the configuration mode.

    The prompt is now hostname#.

  18. Issue the write memory or copy running startup commands to commit the changes.
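
To confirm that Step 14 took effect before the final reload, the following added example (not part of the original Cisco document) parses the "Configuration register is" line of show version output and flags a register that would still ignore NVRAM at the next boot. The function names and the default expected value of 0x2102 are assumptions; the sample lines are trimmed from the sample output in this document.

```python
import re

# Configuration-register bits that matter for this procedure.
BOOT_FIELD_MASK = 0x000F  # bits 0-3: boot field
IGNORE_NVRAM = 0x0040     # bit 6: boot without loading the startup configuration
BREAK_DISABLED = 0x0100   # bit 8: Break disabled

# show version prints either
#   Configuration register is 0x2142
# or, after config-register has been issued,
#   Configuration register is 0x2142 (will be 0x2102 at next reload)
CONFREG_RE = re.compile(
    r"^Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?\s*$",
    re.MULTILINE,
)


def decode(value):
    """Break a configuration-register value into the fields used here."""
    return {
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_show_version(text, expected=0x2102):
    """Return current and next-reload register values plus any findings.

    expected is the value recorded in Step 2 (assumed to be 0x2102 by default).
    """
    match = CONFREG_RE.search(text)
    if match is None:
        raise ValueError("no 'Configuration register is' line in input")
    current = int(match.group(1), 16)
    next_reload = int(match.group(2), 16) if match.group(2) else current

    findings = []
    if decode(next_reload)["ignore_nvram"]:
        findings.append("next reload ignores startup-config; saved passwords will not apply")
    elif decode(current)["ignore_nvram"]:
        findings.append("running with startup-config ignored; register is restored at next reload")
    if next_reload != expected:
        findings.append("next-reload value 0x%X differs from expected 0x%X"
                        % (next_reload, expected))
    return {"current": current, "next_reload": next_reload, "findings": findings}


# Register lines trimmed from the sample output in this document.
BEFORE_RECOVERY = ("16384K bytes of Flash internal SIMM (Sector size 256K).\n"
                   "Configuration register is 0x2102\n\nRouter#\n")
NOT_RESTORED = ("16384K bytes of Flash internal SIMM (Sector size 256K).\n"
                "Configuration register is 0x2142\n\nRouter#configure terminal\n")
RESTORE_PENDING = ("16384K bytes of Flash internal SIMM (Sector size 256K).\n"
                   "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
                   "Router#\n")

if __name__ == "__main__":
    for name, sample in (("before recovery", BEFORE_RECOVERY),
                         ("register not restored", NOT_RESTORED),
                         ("restore pending", RESTORE_PENDING)):
        result = audit_show_version(sample)
        print("%s: current=0x%X next=0x%X" % (name, result["current"], result["next_reload"]))
        for finding in result["findings"]:
            print("  - " + finding)
```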

Sample Output

The example here shows an actual password recovery procedure. This example is created with the help of a Catalyst 6000 Series switch. Begin with the show version and show module commands to see what components are used in this example.

Press RETURN to get started.

Router>enable
Password: 

Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup1_rp Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, data-base: 0x6165E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(6)E, EARLY DEPLOYMENT RE)

Router uptime is 14 minutes
System returned to ROM by power-on (SP by reload)
System image file is "sup-bootflash:c6sup11-jsv-mz.121-6.E"

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
2 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

Router#
Router#show module
Slot Ports Card Type                                 Model                 Serial Number
---- ----- ----------------------------------------- --------------------- -----------
 1     2   Cat 6000 sup 1 Enhanced QoS (active)      WS-X6K-SUP1A-2GE      SAD043301JS   
 2     2   Cat 6000 sup 1 Enhanced QoS (standby)     WS-X6K-SUP1A-2GE      SAD03510114   
 3    48   48 port 10/100 mb RJ45                    WS-X6348-RJ-45        SAD04230FB6   
 6    24   24 port 10baseFL                          WS-X6024-10FL-MT      SAD03413322   

Slot MAC addresses                      Hw    Fw           Sw
---- ---------------------------------- ----- ------------ ----------
 1   00d0.c0d2.5540 to 00d0.c0d2.5541   3.2   unknown      6.1(0.105)OR
 2   00d0.bcf1.9bb8 to 00d0.bcf1.9bb9   3.2   unknown      6.1(0.105)OR
 3   0002.7ef1.36e0 to 0002.7ef1.370f   1.1   5.3(1) 1999- 6.1(0.105)OR
 6   00d0.9738.5338 to 00d0.9738.534f   0.206 5.3(1) 1999- 6.1(0.105)OR

Router#
Router#reload
Proceed with reload? [confirm]


!--- Here you turn off the power and then turn it back on.
!--- Here it is done with a reload instead of a hard power-cycle.


00:15:28: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging.

00:15:27: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (admin reque)
00:15:28: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (admin reque)
00:15:28: %C6KPWR-SP-4-DISABLED: power to module in slot 6 set off (admin reque)
00:15:28: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor

00:15:28: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure co.

00:15:30: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging.

***
*** --- SHUTDOWN NOW ---
***

00:15:30: %SYS-SP-5-RELOAD: Reload requested
00:15:30: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor


00:15:30: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure co.

00:15:31: %OIR-SP-6-REMCARD: Card removed from slot 1, interfaces disabled


!--- First, the switch processor comes up.


System Bootstrap, Version 5.3(1)
Copyright (c) 1994-1999 by cisco Systems, Inc.
c6k_sup1 processor with 65536 Kbytes of main memory

Autoboot executing command: "boot bootflash:c6sup11-jsv-mz.121-6.E"

Self decompressing the image : ################################################]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           Cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_sp Software (c6sup1_sp-SPV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:52 by eaarmas
Image text-base: 0x60020950, database: 0x605FC000

Start as Primary processor

00:00:03: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging ou.

00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor


!--- The RP now has control of the console.
!--- This is when you send the break sequence.


System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
Copyright (c) 1998 by cisco Systems, Inc.

*** Address Error (Load/Fetch) Exception ***
Access address = 0x5e
PC = 0x5e, Cause = 0x10, Status Reg = 0x3040d003
ROM Monitor Can Not Recover From Exception
A Board Reset Is Issued

*** Software NMI ***
PC = 0xbfc0b6b0, SP = 0x00002a90
Cat6k-MSFC platform with 131072 Kbytes of main memory

Self decompressing the image : ################################################]

*** System received an abort due to Break Key ***
signal= 0x3, code= 0x0, context= 0x6049ed68
PC = 0x601011ac, Cause = 0x20, Status Reg = 0x34008002


!--- You are now in ROMMON mode on the RP. Continue the password
!--- recovery procedure just as on any router. Changing the configuration
!--- register from 0x2102 to 0x2142 causes the router to ignore the existing
!--- configuration. You want it to be ignored because it has passwords that you do not
!--- know.


rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect
rommon 2 > reset 

System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
Copyright (c) 1998 by cisco Systems, Inc.
Cat6k-MSFC platform with 131072 Kbytes of main memory


Self decompressing the image : ################################################]

Attempt to download 'sup-bootflash:c6sup11-jsv-mz.121-6.E' ... okay
Starting download of 'sup-bootflash:c6sup11-jsv-mz.121-6.E': 8722810 bytes!!!!!!
Chksum: Verified!
Self decompressing the image : ################################################]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           Cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_RP Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by Cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, database: 0x6165E000

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
1 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of nonvolatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n


!--- The router ignores the saved configuration and enters   
!--- the initial configuration mode.


Press RETURN to get started!

00:00:03: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure conso.

00:00:04: %C6KPWR-4-PSINSERTED: power supply inserted in slot 1.
00:00:04: %C6KPWR-4-PSOK: power supply 1 turned on.
00:02:08: %SYS-SP-5-RESTART: System restarted --
Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_SP Software (c6sup1_sp-SPV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:52 by eaarmas
00:02:13: L3-MGR: l2 flush entry installed
00:02:13: L3-MGR: l3 flush entry installed
00:02:14: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_RP Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by Cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
00:02:17: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (admin reque)
00:02:18: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
00:02:18: %C6KPWR-SP-4-ENABLED: power to module in slot 6 set on
00:02:28: sm_set_moduleFwVersion:  nonexistent module (1)
00:02:38: %SNMP-5-MODULETRAP: Module 1 [Up] Trap
00:02:38: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
00:02:56: %SNMP-5-MODULETRAP: Module 6 [Up] Trap
00:02:56: %OIR-SP-6-INSCARD: Card inserted in slot 6, interfaces are now online
00:02:59: SP: SENDING INLINE_POWER_DAUGHTERCARD_MSG SCP MSG

00:02:59: %SNMP-5-MODULETRAP: Module 3 [Up] Trap
00:02:59: %OIR-SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
Router>enable
Router#


!--- You go right into privilege mode without needing a password.
!--- At this point, the configuration running-config is a default configuration
!--- with all the ports administratively down (shutdown).


Router#copy startup-config running-config
Destination filename [running-config]? <press enter>


!--- This pulls in the original configuration. Since you are already in privilege
!--- mode, the passwords in this configuration do not affect you.


4864 bytes copied in 2.48 secs (2432 bytes/sec)
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable secret < password > [Choose a strong password with at least one capital letter, one number, and one special character.]


!--- Overwrite the password that you do not know. This is your new enable password.


Router(config)#^Z
Router#
Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Prol
Vlan1                      172.17.10.10    YES TFTP   administratively down dow 
Vlan10                     10.1.1.1        YES TFTP   administratively down dow 
GigabitEthernet1/1         unassigned      YES unset  administratively down dow 
GigabitEthernet1/2         unassigned      YES TFTP   administratively down dow 
GigabitEthernet2/1         unassigned      YES TFTP   administratively down dow 
GigabitEthernet2/2         unassigned      YES TFTP   administratively down dow 
FastEthernet3/1            172.16.84.110   YES TFTP   administratively down dow 
<snip>...


!--- Issue the no shut command on all interfaces that you want to bring up.


Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 3/1
Router(config-if)#no shutdown 
Router(config-if)#exit


!--- Overwrite the virtual terminal passwords. 



Router(config)#line vty 0 4
Router(config-line)#password cisco
Router(config-line)#^Z
Router#


!--- Restore the configuration register to its normal state so that it
!--- no longer ignores the stored configuration file.


Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup1_rp Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, data-base: 0x6165E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(6)E, EARLY DEPLOYMENT RE)

Router uptime is 7 minutes
System returned to ROM by power-on (SP by reload)
System image file is "sup-bootflash:c6sup11-jsv-mz.121-6.E"

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
2 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2142

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#config-register 0x2102
Router(config)#^Z
Router#


!--- Verify that the configuration register is changed for the next reload.


Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup1_rp Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, data-base: 0x6165E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(6)E, EARLY DEPLOYMENT RE)

Router uptime is 8 minutes
System returned to ROM by power-on (SP by reload)
System image file is "sup-bootflash:c6sup11-jsv-mz.121-6.E"

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
2 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2142 (will be 0x2102 at next reload)
Router#
Router#copy running-config startup-config
Destination filename [startup-config]? <press enter>
Building configuration...
[OK]
Router#


!--- Optional: If you want to test that the router 
!--- operates properly and that you have changed 
!--- the passwords, then reload and test.


Router#reload
Proceed with reload? [confirm] <press enter>
