Introduction
This document describes how to perform a password recovery on Catalyst 9000 series switches.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco IOS® XE software and basic CLI navigation
- Console access and terminal emulator configuration
- ROM Monitor mode (ROMMON) operations and configuration register functionality
Components Used
The information in this document is based on these software and hardware versions:
- Catalyst 9200, 9200L (Cisco IOS® XE)
- Catalyst 9300, 9300L (Cisco IOS® XE)
- Catalyst 9400 (Cisco IOS® XE)
- Catalyst 9500 (Cisco IOS® XE)
- Catalyst 9600 (Cisco IOS® XE)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Password Recovery for Standalone Switches
Procedure
- Power cycle the active switch.
- If you see the prompt, press Ctrl-C to enter into ROMMON mode:
Initializing Hardware...
Initializing Hardware......
System Bootstrap, Version 17.12.1r, RELEASE SOFTWARE (P)
Compiled Mon 04/24/2023 22:21:00.36 by rel
Current ROMMON image : Primary
Last reset cause : PowerOn
C9300-48U platform with 8388608 Kbytes of main memory
Preparing to autoboot. [Press Ctrl-C to interrupt] 5 (interrupted)
- If you do not see this prompt, press the Mode button repeatedly until this prompt appears:
switch:
Note: Consult the hardware installation guide for each platform to locate the Mode button.
- Use the set Command to view current ROMMON variables:
switch:set
- Change the SWITCH_IGNORE_STARTUP_CFG variable to bypass the startup configuration:
switch:SWITCH_IGNORE_STARTUP_CFG=1
- Boot the switch:
switch:boot
- Once the switch finishes booting, access privileged EXEC mode:
Switch>enable
- Copy the startup configuration to the running configuration:
Switch#copy start run
- Set your new password:
Switch(config)#username admin privilege 15 secret NEWPASSWORD
- Reset the variable to ensure the switch retains its configuration on reload:
Switch#no system ignore startupconfig switch all
- Save the configuration:
Switch#copy run start
- Verify that
SWITCH_IGNORE_STARTUP_CFG
is set to zero:
Switch#show romvar
Password Recovery for StackWise Deployments
Key Notes
Turn off all the members of the stack and leave only the active switch on. Otherwise, the configuration is transferred to the standby switch, and the password recovery is not successful.
Procedure
- Turn off all switches in the stack.
- Power on only the active switch.
- Perform the same steps as in the standalone switch recovery:
- Interrupt the boot process to enter ROMMON (Ctrl-C or use the Mode button).
- Use
set
to view the ROMMON variables.
- Set
SWITCH_IGNORE_STARTUP_CFG=1
.
- Boot the switch.
- Enter privileged EXEC mode.
- Copy startup-config to running-config.
- Set a new password.
- Reset the ignore variable with
no system ignore startupconfig switch all
.
- Save the configuration.
- Verify the variable is cleared with
show romvar
.
- Once the password recovery process is complete and the configuration is saved, power on the rest of the switches in the stack.
Password Recovery for StackWise Virtual Deployment
Key Notes
- Start by turning off the standby switch.
- The active switch must be power cycled and accessed via console.
- StackWise Virtual configuration is retained in ROMMON variables and does not require reconfiguration.
Procedure
- Turn off the standby switch.
- Power cycle the active switch.
- When prompted during boot, press Ctrl-C to enter ROMMON:
Initializing Hardware...
Initializing Hardware......
System Bootstrap, Version 17.8.1r[FC1], RELEASE SOFTWARE (P)
Compiled 03-02-2022 12:00:00.09 by rel
Current ROMMON image : Primary Rommon Image
Last reset cause: PowerOn
C9500-32QC platform with 16777216 Kbytes of main memory
Preparing to autoboot. [Press Ctrl-C to interrupt] 4 (interrupted)
rommon 1 >
- Use the
set
command to review ROMMON variables:
rommon 1 > set
- Set
SWITCH_IGNORE_STARTUP_CFG=1
:
rommon 2 > SWITCH_IGNORE_STARTUP_CFG=1
- Boot the switch:
rommon 3 > boot
- Once booted, verify the StackWise Virtual configuration remains:
Switch# show stackwise-virtual
- Copy the startup configuration to the running configuration:
Switch#copy startup-config running-config
- Set a new password:
Switch(config)#username admin privilege 15 secret NEWPASSWORD
- Reset the
SWITCH_IGNORE_STARTUP_CFG
variable to zero:
Switch(config)#no system ignore startupconfig
- Save the configuration:
Switch#copy run start
- Verify the ROMMON variable:
Switch#show romvar
- Power on the standby switch.
Password Recovery on Modular Chassis with Dual Supervisors
Key Notes
- Remove the standby Supervisor (SUP) module before proceeding.
- Console access to the active Supervisor is required.
- The procedure uses the same steps as for standalone switches.
Procedure
- Power off the chassis and remove the standby SUP.
- Power on the chassis with only the active SUP installed.
- When prompted during boot, press Ctrl-C to enter ROMMON:
Initializing Hardware...
Initializing Hardware......
System Bootstrap, Version 17.8.1r[FC1], RELEASE SOFTWARE (P)
Compiled 03-02-2022 12:00:00.09 by rel
Current ROMMON image : Primary Rommon Image
Last reset cause: PowerOn
C9500-32QC platform with 16777216 Kbytes of main memory
Preparing to autoboot. [Press Ctrl-C to interrupt] 4 (interrupted)
rommon 1 >
- Use the
set
command to review ROMMON variables:
rommon 1 > set
- Set
SWITCH_IGNORE_STARTUP_CFG=1
:
rommon 2 > SWITCH_IGNORE_STARTUP_CFG=1
- Boot the active SUP:
rommon 3 > boot
7. Once the switch boots, enter EXEC mode:
Switch>enable
- Copy the startup configuration to the running configuration:
Switch#copy startup-config running-config
- Set a new password:
Switch(config)#username admin privilege 15 secret NEWPASSWORD
- Reset the
SWITCH_IGNORE_STARTUP_CFG
variable to zero:
Switch(config)#no system ignore startupconfig
- Save the configuration:
Switch#copy run start
- Verify the ROMMON variable:
Switch#show romvar
- Reinsert the standby SUP while the chassis remains powered on.
- Verify that redundancy is restored and both supervisors are operational.
Related Information