Perform Password Recovery on Catalyst 9000 Series Switches

Available Languages

Download Options

  • PDF     (36.8 KB)
    View with Adobe Reader on a variety of devices
Updated:July 14, 2025
Document ID:223262

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to perform a password recovery on Catalyst 9000 series switches.

    Prerequisites

      

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco IOS® XE software and basic CLI navigation
    • Console access and terminal emulator configuration
    • ROM Monitor mode (ROMMON) operations and configuration register functionality

    Components Used

    The information in this document is based on these software and hardware versions:

    • Catalyst 9200, 9200L (Cisco IOS® XE)
    • Catalyst 9300, 9300L (Cisco IOS® XE)
    • Catalyst 9400 (Cisco IOS® XE)
    • Catalyst 9500 (Cisco IOS® XE)
    • Catalyst 9600 (Cisco IOS® XE)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Password Recovery for Standalone Switches

    Procedure

    1. Power cycle the active switch.
    1. If you see the prompt, press Ctrl-C to enter into ROMMON mode:
    Initializing Hardware...


    Initializing Hardware......


    System Bootstrap, Version 17.12.1r, RELEASE SOFTWARE (P)

    Compiled Mon 04/24/2023 22:21:00.36 by rel


    Current ROMMON image : Primary

    Last reset cause : PowerOn

    C9300-48U platform with 8388608 Kbytes of main memory



    Preparing to autoboot. [Press Ctrl-C to interrupt] 5 (interrupted)
    1. If you do not see this prompt, press the Mode button repeatedly until this prompt appears:
    switch:
    note-icon

    Note: Consult the hardware installation guide for each platform to locate the Mode button.

    1. Use the set  Command to view current ROMMON variables:
    switch:set
    1. Change the SWITCH_IGNORE_STARTUP_CFG  variable to bypass the startup configuration:
    switch:SWITCH_IGNORE_STARTUP_CFG=1
    1. Boot the switch:
    switch:boot
    1. Once the switch finishes booting, access privileged EXEC mode:
    Switch>enable
    1. Copy the startup configuration to the running configuration:
    Switch#copy start run
    1. Set your new password:
    Switch(config)#username admin privilege 15 secret NEWPASSWORD
    1. Reset the variable to ensure the switch retains its configuration on reload:
    Switch#no system ignore startupconfig switch all
    1. Save the configuration:
    Switch#copy run start
    1. Verify that SWITCH_IGNORE_STARTUP_CFG is set to zero:
    Switch#show romvar

    Password Recovery for StackWise Deployments

    Key Notes

    Turn off all the members of the stack and leave only the active switch on. Otherwise, the configuration is transferred to the standby switch, and the password recovery is not successful.

    Procedure

    1. Turn off all switches in the stack.
    2. Power on only the active switch.
    3. Perform the same steps as in the standalone switch recovery:
    • Interrupt the boot process to enter ROMMON (Ctrl-C or use the Mode button).
    • Use set to view the ROMMON variables.
    • Set SWITCH_IGNORE_STARTUP_CFG=1 .
    • Boot the switch.
    • Enter privileged EXEC mode.
    • Copy startup-config to running-config.
    • Set a new password.
    • Reset the ignore variable with no system ignore startupconfig switch all.
    • Save the configuration.
    • Verify the variable is cleared with show romvar.
    1. Once the password recovery process is complete and the configuration is saved, power on the rest of the switches in the stack.

    Password Recovery for StackWise Virtual Deployment

    Key Notes

    • Start by turning off the standby switch.
    • The active switch must be power cycled and accessed via console.
    • StackWise Virtual configuration is retained in ROMMON variables and does not require reconfiguration.

    Procedure

    1. Turn off the standby switch.
    1. Power cycle the active switch.
    1. When prompted during boot, press Ctrl-C to enter ROMMON:
    Initializing Hardware...



    Initializing Hardware......



    System Bootstrap, Version 17.8.1r[FC1], RELEASE SOFTWARE (P)

    Compiled 03-02-2022 12:00:00.09 by rel



    Current ROMMON image : Primary Rommon Image

    Last reset cause: PowerOn

    C9500-32QC platform with 16777216 Kbytes of main memory



    Preparing to autoboot. [Press Ctrl-C to interrupt] 4 (interrupted)

    rommon 1 >
    1. Use the set command to review ROMMON variables:
    rommon 1 > set
    1. Set SWITCH_IGNORE_STARTUP_CFG=1:
    rommon 2 > SWITCH_IGNORE_STARTUP_CFG=1
    1. Boot the switch:
    rommon 3 > boot
    1. Once booted, verify the StackWise Virtual configuration remains:
    Switch# show stackwise-virtual
    1. Copy the startup configuration to the running configuration:
    Switch#copy startup-config running-config
    1. Set a new password:
    Switch(config)#username admin privilege 15 secret NEWPASSWORD
    1. Reset the SWITCH_IGNORE_STARTUP_CFG  variable to zero:
    Switch(config)#no system ignore startupconfig
    1. Save the configuration:
    Switch#copy run start
    1. Verify the ROMMON variable:
    Switch#show romvar
    1. Power on the standby switch.

    Password Recovery on Modular Chassis with Dual Supervisors

    Key Notes

    • Remove the standby Supervisor (SUP) module before proceeding.
    • Console access to the active Supervisor is required.
    • The procedure uses the same steps as for standalone switches.

    Procedure

    1. Power off the chassis and remove the standby SUP.
    1. Power on the chassis with only the active SUP installed.
    1. When prompted during boot, press Ctrl-C to enter ROMMON:
    Initializing Hardware...



    Initializing Hardware......



    System Bootstrap, Version 17.8.1r[FC1], RELEASE SOFTWARE (P)

    Compiled 03-02-2022 12:00:00.09 by rel



    Current ROMMON image : Primary Rommon Image

    Last reset cause: PowerOn

    C9500-32QC platform with 16777216 Kbytes of main memory



    Preparing to autoboot. [Press Ctrl-C to interrupt] 4 (interrupted)

    rommon 1 >
    1. Use the set command to review ROMMON variables:
    rommon 1 > set
    1. Set SWITCH_IGNORE_STARTUP_CFG=1:
    rommon 2 > SWITCH_IGNORE_STARTUP_CFG=1
    1. Boot the active SUP:
    rommon 3 > boot

    7. Once the switch boots, enter EXEC mode:

    Switch>enable
    1. Copy the startup configuration to the running configuration:
    Switch#copy startup-config running-config
    1. Set a new password:
    Switch(config)#username admin privilege 15 secret NEWPASSWORD
    1. Reset the SWITCH_IGNORE_STARTUP_CFG  variable to zero:
    Switch(config)#no system ignore startupconfig
    1. Save the configuration:
    Switch#copy run start
    1. Verify the ROMMON variable:
    Switch#show romvar
    1. Reinsert the standby SUP while the chassis remains powered on.
    2. Verify that redundancy is restored and both supervisors are operational.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    14-Jul-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Cecilia Guerrero
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products