Introduction
This document describes secure data erasure and factory reset operations on Cisco routers running IOS® XR, including the use of the "factory-reset", "zapdisk" and "commit replace" commands, known issues, and recommended alternatives.
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco IOS XR software architecture and operation.
- Platform-specific behaviors of "factory-reset" and "zapdisk" commands in IOS XR environments.
- Procedures for device reimaging and configuration management on Cisco routing platforms.
- Understanding of core dump analysis and troubleshooting in IOS XR.
Components Used
The information in this document is based on these software and hardware versions:
Hardware:
- Cisco NCS 5500/5700 Series Routers
- Cisco NCS 540/560
- Cisco ASR9000/9900
- Cisco Router 8000
Software:
- IOS XR Software Versions:
- Lab environment with default configuration
- Commands executed:
  - "factory-reset shutdown location all"
  - "zapdisk start location all"
  - "commit replace" (the most commonly used command)
  - "hderase" (ROMMON mode)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The Cisco platforms running IOS XR are often used in environments where secure removal of configuration and sensitive data is required, such as during device decommissioning or lab cleanup.
Three primary commands are available for such operations:
- Commit replace: Used to replace the entire running configuration with a new configuration, effectively wiping the existing configuration. It is a powerful command that must be used with caution as it can be service-affecting. Essentially, it acts like a "write erase" followed by loading a new configuration.
- factory-reset shutdown location all: Intended to reset the device to its factory state by erasing configuration and user data across all locations.
- zapdisk start location all: Used to securely erase user data from storage devices on all locations.
- hderase: The Wipe Out Disk Memory feature deletes data permanently from the disk memory of RSPs and line cards. The erased data is not recoverable.
Problem
There can be gaps regarding the correct way to perform a configuration cleanup across the different flavors of XR. Several commands are currently available to perform the configuration cleanup.
The primary challenge addressed in this document involves the safe removal of confidential information from a Cisco NCS 5500 Series router running IOS XR 7.8.1 or 7.8.2. The scenario outlines the observed issues and symptoms:
1: Attempting Factory Reset on All Locations
device# factory-reset shutdown location all
Example Output:
LC/0/1/CPU0:May 27 23:55:49.699 UTC: ssd_enc_server[255]: %OS-SSD_ENC-1-FACTORY_RESET : Factory reset CLI is not supported on this platform. Please use 'zapdisk' instead.
device#
Explanation: The "factory-reset shutdown location all" command is not supported on this platform. The system directs the user to use the "zapdisk" command as an alternative.
2: Executing Zapdisk for Data Erasure
device# zapdisk start location all
Observed Symptom: During execution, a process crash was detected and logged by the system. The following syslog message was generated:
Sep 15 19:29:14.345 UTC: logger[69445]: %OS-SYSLOG-4-LOG_WARNING : PAM detected crash for zapdisk_client on 0_RP0_CPU0. All necessary files for debug have been collected and saved at 0/RP0/CPU0 : harddisk:/cisco_support/PAM-crash-xr_0_RP0_CPU0-zapdisk_client-2024Sep15-192913.tgz (Please copy tgz file out of the router and send to Cisco support. This tgz file will be removed after 14 days.)
Explanation: The "zapdisk" operation triggered a crash of the "zapdisk_client" process, resulting in a core dump being generated. The router remained accessible via SSH, and no immediate hardware unavailability was reported.
3: Core Dump Details
Core location: 0/RP0/CPU0:/misc/disk1
Core for pid = 61085 (zapdisk_client)
Core for process: zapdisk_client_61085.by.11.20240915-192911.xr-vm_node0_RP0_CPU0.dd2cd.core.gz
Core dump time: 2024-09-15 19:29:11.109818050 +0000
Process:
Core was generated by `zapdisk_client -a'.
Explanation: The router created a core dump file for diagnostic purposes. The file is stored locally and is available for analysis or upload to Cisco support if required.
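The two messages above are the ones an operator has to recognize when reviewing the console or syslog capture of a sanitization run: one says the erase never ran, the other says the erase tooling itself crashed. The following Python script is an added example, not Cisco code and not part of the original procedure. It matches the "%OS-SSD_ENC-1-FACTORY_RESET" rejection and the PAM crash report exactly as quoted in this document, extracts the node, process and collected debug archive, and states what each finding means for the erase. The two sample lines are copied from this document; the regular expressions, the Finding structure and the trust decision are assumptions of this example, not a published message format.

```python
"""Triage syslog lines captured during an IOS XR sanitization attempt.

Added example, not Cisco code: classifies the two messages shown in this
document (factory-reset unsupported, PAM crash of zapdisk_client) and tells
the operator whether the erase can be trusted. Message patterns are derived
only from the quoted lines; any other message format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC, e.g. %OS-SYSLOG-4-LOG_WARNING
MNEMONIC = re.compile(r"%([A-Z0-9_]+)-([A-Z0-9_]+)-(\d)-([A-Z0-9_]+)")

# Message 1: the platform rejects factory-reset and points to zapdisk
FACTORY_RESET_UNSUPPORTED = re.compile(
    r"%OS-SSD_ENC-1-FACTORY_RESET\s*:\s*Factory reset CLI is not supported")

# Message 2: PAM crash report; captures process, node and the debug archive
PAM_CRASH = re.compile(
    r"PAM detected crash for (?P<process>\S+) on (?P<node>\S+)\."
    r".*?saved at (?P<location>\S+)\s*:\s*(?P<archive>\S+\.tgz)")

# Constructed sample input: the two lines quoted in this document
SAMPLE_LOG = [
    "LC/0/1/CPU0:May 27 23:55:49.699 UTC: ssd_enc_server[255]: "
    "%OS-SSD_ENC-1-FACTORY_RESET : Factory reset CLI is not supported on this "
    "platform. Please use 'zapdisk' instead.",
    "Sep 15 19:29:14.345 UTC: logger[69445]: %OS-SYSLOG-4-LOG_WARNING : PAM "
    "detected crash for zapdisk_client on 0_RP0_CPU0. All necessary files for "
    "debug have been collected and saved at 0/RP0/CPU0 : harddisk:/cisco_support/"
    "PAM-crash-xr_0_RP0_CPU0-zapdisk_client-2024Sep15-192913.tgz (Please copy "
    "tgz file out of the router and send to Cisco support. This tgz file will "
    "be removed after 14 days.)",
]


@dataclass
class Finding:
    kind: str                       # factory_reset_unsupported | process_crash | other
    severity: Optional[int]         # severity digit from the mnemonic, if present
    node: Optional[str] = None
    process: Optional[str] = None
    artifact: Optional[str] = None  # archive the operator must copy off the router
    advice: str = ""


def triage_line(line: str) -> Finding:
    """Classify one syslog line and attach the action it implies."""
    m = MNEMONIC.search(line)
    severity = int(m.group(3)) if m else None
    if FACTORY_RESET_UNSUPPORTED.search(line):
        # A node prefix such as LC/0/1/CPU0 precedes the timestamp when present
        node = line.split(":", 1)[0] if line.startswith(("LC/", "RP/")) else None
        return Finding("factory_reset_unsupported", severity, node=node,
                       advice="factory-reset is not supported on this platform; "
                              "run 'zapdisk start location all' instead.")
    c = PAM_CRASH.search(line)
    if c:
        return Finding("process_crash", severity, node=c.group("node"),
                       process=c.group("process"), artifact=c.group("archive"),
                       advice=f"{c.group('process')} crashed; verify the erase "
                              "before relying on it. Copy the archive off the "
                              "router (it is removed after 14 days) and check "
                              "ZAPDISK_CARD before pulling the card.")
    return Finding("other", severity)


def triage(lines: List[str]) -> List[Finding]:
    return [triage_line(line) for line in lines]


def erase_can_be_trusted(findings: List[Finding]) -> bool:
    """False when the erase never ran or the zapdisk tooling itself crashed."""
    for f in findings:
        if f.kind == "factory_reset_unsupported":
            return False
        if f.kind == "process_crash" and f.process and f.process.startswith("zapdisk"):
            return False
    return True


def artifacts_to_collect(findings: List[Finding]) -> List[str]:
    """Debug archives that must leave the router before the disk is wiped."""
    return [f.artifact for f in findings if f.artifact]


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"[{f.kind}] node={f.node} process={f.process}\n  -> {f.advice}")
    print("erase can be trusted:", erase_can_be_trusted(findings))
```

Run it against a saved console log instead of SAMPLE_LOG to get a per-line verdict; the archive list is the set of files to copy out before the card is wiped, since a successful zapdisk would erase the core dump along with everything else.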
Solution
The options are presented starting with the one most commonly used across all XR platforms.
1: Commit replace
This command is supported on all Cisco IOS XR platforms and is currently the most widely used. For these reasons, this is the recommended procedure. It replaces or removes the entire running configuration with a new configuration. This operation is considered service-affecting, as it can significantly alter the operational state of the device depending on the new configuration that replaces the existing one.
Example:
RP/0/RP0/CPU0:NCS-540-D#conf t
Thu Aug 7 23:30:45.335 UTC
RP/0/RP0/CPU0:NCS-540-D(config)#commit replace
Thu Aug 7 23:30:50.118 UTC
This commit will replace or remove the entire running configuration. This
operation can be service affecting.
Do you wish to proceed? [no]: y
2: Factory-reset shutdown location all
This command is available only on Cisco 8000 Series Routers.
The factory reset command permanently erases all sensitive data from the router. This is a critical security step to perform before returning the device for an RMA, decommissioning it, or transferring ownership. Data is deleted from these directories:
- /misc/disk1
- /misc/scratch
- /ar/log
- /misc/config
In addition to removing the files, the storage device can be overwritten with random data to make recovery difficult or virtually impossible.
Example:
RP/0/RP1/CPU0:8808-A#factory-reset ?
reload Reload the location after performing factory-reset
shutdown Shutdown the location after performing factory-reset
RP/0/RP1/CPU0:8808-A#factory-reset reload ?
location Specify location
RP/0/RP1/CPU0:8808-A#factory-reset reload location ?
0/1/CPU0 Fully qualified location specification
0/2/CPU0 Fully qualified location specification
0/RP1/CPU0 Fully qualified location specification
WORD Fully qualified location specification
all Show all locations
RP/0/RP1/CPU0:8808-A#factory-reset reload location
3: Zapdisk start location all
The zapdisk feature is available starting with the eXR 6.3.1 image. It is implemented for router factory reset by cleaning up the disk logical volumes and resetting the rommon parameters on all CPU boards on the router. This feature is primarily needed when a card (RSP or LC) is found faulty and must be sent for RMA, which requires the disk and partitions of the card to be cleaned. It is required for ASR9K systems running eXR.
zapdisk operations
- Behavior after enabling: After zapdisk is enabled on a CPU board, the rommon variables on the board can be reset to factory settings and the disk logical volumes on the board cleaned up (including files saved under harddisk:) when the router or board is reimaged.
- Reloading behavior: After zapdisk is enabled on CPU boards, reloading the boards by physical OIR or by CLI commands does not trigger the zapdisk functions.
- Important Note: Do not reload the card on which zapdisk was performed, or the whole chassis, until the card has been removed from the slot. Reloading can cause the card to boot again and refill the disk with the data that was just erased.
- CLI commands:
  - admin zapdisk set: Enable zapdisk on the router.
  - admin zapdisk unset: Disable zapdisk on the router.
- Verification:
- Execute the Calvados shell command on a CPU board to verify the status of zapdisk:
/opt/cisco/calvados/bin/nvram_dump -a
- The output shows:
ZAPDISK_CARD=1 --- zapdisk is set (after admin zapdisk set)
ZAPDISK_CARD=0 --- zapdisk is unset (after admin zapdisk unset)
- Alternatively, you can run /opt/cisco/calvados/bin/nvram_dump -r ZAPDISK_CARD, which outputs 1 if zapdisk is set.
- Enhanced Operations (starting in IOS XR 7.0.1):
- To show all locations where zapdisk can be performed:
show zapdisk locations
- An EXEC CLI to start the action on a designated location:
zapdisk start location <location> (for example, zapdisk start location 0/1, zapdisk start location all)
- If an incorrect location is specified, the system responds with "INCORRECT LOCATION, zapdisk can not be initiated on this node".
- When zapdisk start location all is executed, a syslog message is displayed once the action is completed.
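Because a card that is reloaded before it is pulled can boot and refill the disk, the ZAPDISK_CARD check above is the gate an operator wants to run for every card bound for RMA, not just one. The following Python script is an added example, not Cisco code and not part of the original procedure: it parses captured nvram_dump output for each CPU board, accepts either the full dump or the single value printed by "-r ZAPDISK_CARD", and reports whether every card to be removed is armed. Only the ZAPDISK_CARD=1 and ZAPDISK_CARD=0 lines are documented here; the other KEY=VALUE lines in the constructed sample, the bare-value form of the "-r" output and the location names are assumptions of this example.

```python
"""Confirm zapdisk is armed on every card bound for RMA before it is pulled.

Added example, not Cisco code. Only ZAPDISK_CARD=1 / ZAPDISK_CARD=0 are
documented; the remaining KEY=VALUE lines in SAMPLE_DUMPS and the bare-value
form of 'nvram_dump -r ZAPDISK_CARD' output are assumptions.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

ZAPDISK_KEY = "ZAPDISK_CARD"
KV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

# Constructed sample: nvram_dump output captured per CPU board (format assumed
# apart from the ZAPDISK_CARD line). Locations are hypothetical.
SAMPLE_DUMPS: Dict[str, str] = {
    "0/RSP0/CPU0": "BOOT_DEV=disk0:\nZAPDISK_CARD=1\nCONSOLE_SPEED=9600\n",
    "0/RSP1/CPU0": "BOOT_DEV=disk0:\nZAPDISK_CARD=0\nCONSOLE_SPEED=9600\n",
    "0/1/CPU0": "1\n",               # 'nvram_dump -r ZAPDISK_CARD' style output
    "0/2/CPU0": "BOOT_DEV=disk0:\n",  # variable absent: state cannot be confirmed
}


def parse_nvram_dump(text: str) -> Dict[str, str]:
    """Collect KEY=VALUE lines from 'nvram_dump -a' output; other lines are ignored."""
    variables: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def zapdisk_state(text: str) -> Optional[bool]:
    """True if armed, False if not, None if the value is missing or unreadable."""
    stripped = text.strip()
    if stripped in ("0", "1"):  # '-r ZAPDISK_CARD' prints only the value
        return stripped == "1"
    value = parse_nvram_dump(text).get(ZAPDISK_KEY)
    return None if value is None else value == "1"


def rma_readiness(dumps: Dict[str, str],
                  cards_to_remove: Iterable[str]) -> Tuple[bool, Dict[str, str]]:
    """Ready only when every card slated for removal reports ZAPDISK_CARD=1.

    An unknown state counts as not ready: the operator should re-run
    nvram_dump on that board rather than assume the card was armed.
    """
    labels = {True: "armed", False: "not armed", None: "unknown"}
    report = {loc: labels[zapdisk_state(dumps.get(loc, ""))]
              for loc in cards_to_remove}
    return all(v == "armed" for v in report.values()), report


if __name__ == "__main__":
    ready, report = rma_readiness(SAMPLE_DUMPS, SAMPLE_DUMPS.keys())
    for loc, state in report.items():
        print(f"{loc:14} {state}")
    print("safe to pull all listed cards:", ready)
```

In practice the dumps dictionary is filled from the nvram_dump output collected on each board; the script then gives a single go/no-go before any card is reloaded or removed.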
4: Hderase
This is how the hderase procedure works on IOS XR 64-bit 7.0.x on a Cisco ASR 9000 router:
1. If the router has two RPs, remove one RP. If a single RP is present, no action is required. Connect a console cable to the RP. Once this is done, reload the RP/router:
sysadmin-vm:0_RSP0# hw-module location all reload
Tue Jun 16 04:27:50.284 UTC
Reload hardware module ? [no,yes] yes
result Card graceful reload request on all acknowledged.
sysadmin-vm:0_RSP0#
2. While booting, press CTRL-C:
##########################################################
System Bootstrap, Version 22.24 [ASR9K x86 ROMMON],
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled on Tue 07/16/2019 15:41:43.70
BOARD_TYPE : 0x101014
Rommon : 22.24 (Primary)
Board Revision : 5
PCH EEPROM : 0.0
IPU FPGA(PL) : 0.20.1 (Primary)
IPU INIT(HW_FPD) : 2.5.1
IPU FSBL(BOOT.BIN) : 1.104.0
IPU LINUX(IMAGE.FPD) : 1.104.0
DRAX FPGA : 0.35.1
CBC0 : Part 1=54.10, Part 2=54.8, Act Part=1
Product Number : ASR-9901-RP
Chassis : ASR-9901
Chassis Serial Number : FOC2216NU0J
Slot Number : 0
Pxe Mac Address LAN 0 : b0:26:80:ac:81:a0
Pxe Mac Address LAN 1 : b0:26:80:ac:81:a1
==========================================================
Got EMT Mode as Disk Boot
Got Boot Mode as Disk Boot
Booting IOS-XR 64 bit Boot previously installed image - Press Ctrl-c to stop >>>>>>>>>>>>>>>>>>>>>>>> At this point, press CTRL-C
3. Once you see this BIOS menu, select option 1:
Please select the operating system and the boot device:
1) Boot to ROMMON
2) IOS-XR 64 bit Boot previously installed image
3) IOS-XR 64 bit Mgmt Network boot using DHCP server
4) IOS-XR 64 bit Mgmt Network boot using local settings (iPXE)
(Press 'p' for more option)
Selection [1/2/3/4]: 1
Selected Boot to ROMMON, Continue ? Y/N: Y
Set CBC OS type IOS-XR 32 bit, EMT IOS-XR Boot to CBC
<SNIP>
##########################################################
System Bootstrap, Version 22.24 [ASR9K x86 ROMMON],
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled on Tue 07/16/2019 15:41:43.70
BOARD_TYPE : 0x101014
Rommon : 22.24 (Primary)
Board Revision : 5
PCH EEPROM : 0.0
IPU FPGA(PL) : 0.20.1 (Primary)
IPU INIT(HW_FPD) : 2.5.1
IPU FSBL(BOOT.BIN) : 1.104.0
IPU LINUX(IMAGE.FPD) : 1.104.0
DRAX FPGA : 0.35.1
CBC0 : Part 1=54.10, Part 2=54.8, Act Part=1
==========================================================
DRAM Frequency: 2133 MHz
DRAM Frequency: 2133 MHz
Memory Size: 32768 MB
Valid Flash Device returned -
Device Type 3
Id 1620512, ExtId 0, Size 8, VendorName Micron DeviceName N25Q128A
Memory Size: 32768 MB
MAC Address from cookie: b0:26:80:ac:81:a0
Board Type: 0x00101014
Chassis Type: 0x00ef1015
Slot Number: 00
Chassis Serial: FOC2216NU0J
Cbc uart base address = 3e8
rommon 1 >
rommon 1 >
4. From here, you can see the "hderase" option under the rommon (this was not present prior to XR version 6.6.3):
rommon 1 > priv
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 2 > ?
alias set and display aliases command
dumpcounters Dump RX/Tx marvell switch counters
bpcookie display contents of upper backplane cookie
call call a subroutine at address with converted hex args
cbc0_select Select CBC0 for CPU-CBC communication
<SNIP>
aldrin_init aldrin initialization
aldrin_cmd aldrin command execution
bios_usb_en bios usb stack en/dis
mvinit_strld Initialize Marvell 88E6122 Switch for LC use
hderase Erase all hard drive contents permanently >>>>>>>>>>>>>>>>>>>>>>>>>>>>
rommon 3 >
rommon 4 > hderase
SATA HD(0x4,0x0,0x0):
Model : SMART iSATA SHSLM32GEBCITHD02
Serial No : STP190505VU
Secure Erase Supported
Security State : Disable/Not Locked/Not Frozen
All the contents on this Drive will be Erased
Do you wish to continue?(Y/N)y
Erasing SATA HD(0x4,0x0,0x0)...
Erasing SATA HD(0x4,0x0,0x0) Completed
rommon 5 > reset -h
Starting ASR9k initialization ...
<SNIP>
Booting IOS-XR (32 bit Classic XR) - Press Ctrl-c to stop
Summary
This document outlines procedures and best practices for secure data erasure and factory reset operations on Cisco routers running IOS XR software. It reviews the purpose, use, and limitations of the main commands available for configuration cleanup and data sanitization: commit replace, factory-reset, zapdisk, and hderase.
The document highlights that while commit replace is broadly supported and recommended for clearing configuration across all IOS XR platforms, the factory-reset and zapdisk commands have platform- and version-specific behaviors. Notably, on some platforms (for example, NCS 5500 Series with IOS XR 7.8.x), factory-reset is unsupported, and zapdisk can experience process crashes, though these do not impact device availability and are resolved in later software releases.
All commands and procedures were validated in a lab environment, and Cisco recommends careful review before applying them in production. The document provides guidance on command usage, troubleshooting, and references for further technical support and documentation.