Factory reset

This chapter describes the Factory Reset feature and how it can be used to protect or restore a router to an earlier, fully functional state.

Information about factory reset

Factory Reset is a process of clearing the current running and start-up configuration information on a device, and resetting the device to an earlier, fully functional state.

The factory reset process uses the factory-reset all command to back up the existing configuration and reset the router to an earlier, fully functional state. The duration of the factory reset process depends on the storage size of the router. It varies from 10 to 30 minutes on Cisco 8100 Series Secure Routers.

From Cisco IOS XE 17.18.x release and later, you can use the factory-reset all secure command to reset the router and securely clear the files stored in the bootflash memory.

The device contains several memory components. The following table lists them, using the Cisco 8100 Series Secure Routers as an example.

| Device or Component | Type | Volatility | Purpose | Data Sanitization |
|---|---|---|---|---|
| DDR5 Memory On-board | RAM | Volatile | Running system software | All data is removed from DRAM when power is turned off. |
| TPM | NVRAM | Nonvolatile | Secure boot key and board info | See below. |
| Power Sequencer | NVRAM | Nonvolatile | Power sequencer configuration file | N/A |
| IO MCU | NVRAM | Nonvolatile | IO MCU configuration file | N/A |
| SPI NOR FLASH | PROM | Nonvolatile | Boot ROM (ROMMON) | See below. |
| 0.85 V VRM | NVRAM | Nonvolatile | VRM configuration file | N/A |
| eMMC module | NVRAM | Nonvolatile | Boot OS, OS file system, system configuration | See below. |
| Clock generator | NVRAM | Nonvolatile | Clock generator configuration file | N/A |
| PoE controller (C8161-G2 only) | NVRAM | Nonvolatile | PoE configuration file | N/A |

| Device or Component | C8130-G2 | C8140-G2 | C8151-G2 | C8161-G2 |
|---|---|---|---|---|
| DDR5 Memory On-board | 4GB | 4GB | 8GB | 8GB |
| TPM | N/A | N/A | N/A | N/A |
| Power Sequencer | 256K | 256K | 256K | 256K |
| IO MCU | 256K | 256K | 256K | 256K |
| SPI NOR FLASH | 256Mb | 256Mb | 256Mb | 256Mb |
| 0.85 V VRM | N/A | N/A | N/A | N/A |
| eMMC module | 16GB | 16GB | 16GB | 16GB |
| Clock generator | N/A | N/A | N/A | N/A |
| PoE controller (C8161-G2 only) | N/A | N/A | N/A | N/A |

DDR5 Memory (On-Board)

  • Volatile memory

  • No user data exists on DRAM after power-off.

  • Sanitization measures not required.

SPI NOR Flash

  • Non-volatile memory

  • Holds user data after power-off.

Running the factory-reset all command is the most common method used to erase customer data from the router’s memory resources. Factory reset clears the current running and start-up configuration information.

From Cisco IOS XE 17.18.1a and later, the factory-reset all secure command will also clear the data held in SPI NOR FLASH in the same manner as the factory-reset all command.

From Cisco IOS XE 17.18.1a, the factory-reset all secure command will clear the data held in SPI NOR FLASH including the config-register and ROMMON variables.


factory-reset keep-licensing-info: yes
factory-reset all: yes
factory-reset all secure 3-pass: yes
factory-reset all secure 7-pass: yes
factory-reset all secure: yes

eMMC Boot Flash/NVRAM

  • Non-volatile memory

  • Holds user data after power-off.

A factory reset using the factory-reset all command is the most common method of erasing customer data from the router’s memory resources. Factory reset clears the current running and startup configuration information, thereby resetting the router to a fully functional state as it was shipped from the factory.

From Cisco IOS XE 17.18.1a and later, you can use the factory-reset all secure command to reset the router and securely clear the files stored in the eMMC Boot Flash/NVRAM.

factory-reset keep-licensing-info: yes
factory-reset all: yes
factory-reset all secure 3-pass: yes
factory-reset all secure 7-pass: yes
factory-reset all secure: yes

TPM

  • Non-volatile memory

  • Holds user data after power-off.

From Cisco IOS XE 17.18.1a, the factory-reset all secure command unlinks customer data in the TPM, including the dev keys installed by consent-token, and makes it unreadable by the host. Manufacturing-installed data, such as SUDI and cookies, is kept.


factory-reset keep-licensing-info: no
factory-reset all: no
factory-reset all secure 3-pass: no
factory-reset all secure 7-pass: no
factory-reset all secure: yes, but keeps the manufacturing-installed data

After the factory reset process is complete, the router reboots to ROMMON mode.

Software and hardware support for factory reset

  • The factory reset process is supported on standalone routers as well as on routers configured for high availability.

Prerequisites for performing factory reset

  • Ensure that all the software images, configurations, and personal data are backed up before performing a factory reset.

  • Ensure that there is an uninterrupted power supply while the factory reset is in progress.

  • The factory-reset all secure command erases all files, including the boot image.

Restrictions for performing a factory reset

  • Any software patches that are installed on the router are not restored after the factory reset operation.

  • The CLI command "factory-reset all secure" is supported only on the console, not over a Virtual Teletype (VTY) session.

When to perform factory reset

  • Return Material Authorization (RMA): If a router is returned to Cisco for RMA, it is important that all sensitive information is removed.

  • Router is compromised: If the router data is compromised due to a malicious attack, the router must be reset to factory configuration and then reconfigured for further use.

  • Repurposing: The router needs to be moved from the existing site to a different site, for a new topology or market.

How to perform a factory reset

Procedure


Step 1

Log in to a Cisco 8100 Series Secure Router.

Step 2

This step has two parts (a and b). If you need to retain the licensing information while performing the factory reset, follow step 2.a. If you do not need to retain licensing information and want all the data to be erased, perform step 2.b.

  a. Execute the factory-reset keep-licensing-info command to retain the licensing data.

    The system displays the following message when you use the factory-reset keep-licensing-info command:

    Router#factory-reset keep-licensing-info
    The factory reset operation is irreversible for Keeping license usage. Are you sure? [confirm]
    
    This operation may take 20 minutes or more. Please do not power cycle.
    
    
    *Sep  1 14:40:09.827: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Factory Reset.Sep  1 
    
    
    
    
    in the keep_lic_info_loop 2 3 6
    Sep 01 14:40:39.835: Factory reset operation completed.
    
    
    [BootramDDR v7 RELEASE SOFTWARE (P) compiled 2025-07-16T12:06:41-07:00]
    
    
    Warning: monitor Nvram area is corrupt ... using default values
    Warning: MFG Key Enabled !!!
    
    System Bootstrap, Version 17.18(1r), RELEASE SOFTWARE
    Copyright (c) 1994-2025 by cisco Systems, Inc.
    
    Current image running: Boot ROM0
    
    Last reset cause: LocalSoft
    C8161-G2 platform with 8388608 Kbytes of main memory
    Warning: MFG key enabled, bypassing BIOS protection feature
    rommon 1 >
    
  b. Execute the factory-reset all secure command to securely erase all data.

    Enter confirm to proceed with the factory reset.

    The system displays the following message when you use the factory-reset all secure command:

    Router#factory-reset all secure
    *Sep  1 14:48:45.310: %CMRP-5-CHASSIS_MONITOR_BOOT_TIME_PRINT: R0/0: cmand: Card F0 took 63 secs to boot
    *Sep  1 14:48:45.310: %CMRP-5-CHASSIS_MONITOR_BOOT_TIME_PRINT: R0/0: cmand: Card 0 took 58 secs to boot
    The factory reset operation is irreversible for securely reset all. Are you sure? [confirm]
    *Sep  1 14:48:46.262: %IOXN_APP-6-IOX_START_STOP_REQ: Got IOX DOWN COMPLETE event, invoking registered callback(s)
    
    
    This operation may take hours. Please do not power cycle.
    
    
    *Sep  1 14:48:49.671: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Factory Reset.Sep  1 14
    
    Enabling factory reset for this reload cycle
    
    
    Enabling factory reset for this reload cycle
    
    Sep 01 14:49:04.433: NIST 800 88r1 compliant factory reset starts.
    Sep 01 14:49:04.511: #CISCO DATA SANITIZATION REPORT:# C8161-G2
    Sep 01 14:49:04.593: start to purge non-volatile storage.
    Executing Data Sanitization...
    eMMC Data Sanitization started ...
    !!! Please, wait - Reading EXT_CSD !!!
    !!! Please, wait - Reading EXT_CSD !!!
    !!! Please, wait - Erasing(Secure) /dev/mmcblk0 !!!
    !!! Please, wait - Erasing(Secure) /dev/mmcblk0 !!!
    !!! Please, wait - Erasing(Secure) /dev/mmcblk0 !!!
    !!! Please, wait - Erasing(Secure) /dev/mmcblk0 !!!
    !!! Please, wait - Erasing(Secure) /dev/mmcblk0 !!!
    !!! Please, wait - Sanitizing /dev/mmcblk0 !!!
    !!! Please, wait - Validating Erase for /dev/mmcblk0 !!!
    eMMC Data Sanitization completed ...
    Data Sanitization Success! Exiting...
    Sep 01 14:53:15.065: purge non-volatile storage done.
    ========================
    #CISCO C8100 DATA SANITIZATION REPORT#
    START : 01-09-2025, 14:49:07
      END : 01-09-2025, 14:53:12
    -eMMC-
    MID : SanDisk
    PNM : 'DA6064'
    SN : 0xa0611433
    Status : SUCCESS
    NIST : PURGE
    ========================
    Sep 01 14:53:15.406: start to check bootflash.
    Sep 01 14:57:32.838: bootflash check done.
    Sep 01 14:57:32.894: start to cleanup ROMMON variables.
    Sep 01 14:57:33.805: ROMMON cleanup variables done.
    Sep 01 14:57:33.869: start to cleanup ACT2/AIKIDO/TPM chip
    Sep 01 14:57:35.747: ACT2/AIKIDO/TPM cleanup done.
    Sep 01 14:57:38.152: report save done.
    Sep 01 14:57:38.198: Factory reset operation completed.
    
    
    [BootramDDR v7 RELEASE SOFTWARE (P) compiled 2025-07-16T12:06:41-07:00]
    
    
    Warning: monitor Nvram area is corrupt ... using default values
    Warning: MFG Key Enabled !!!
    
    System Bootstrap, Version 17.18(1r), RELEASE SOFTWARE
    Copyright (c) 1994-2025 by cisco Systems, Inc.
    
    Current image running: Boot ROM0
    
    Last reset cause: LocalSoft
    C8161-G2 platform with 8388608 Kbytes of main memory
    Warning: MFG key enabled, bypassing BIOS protection feature
    rommon 1 >
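
When a router is sanitized before an RMA or repurposing, the console capture of factory-reset all secure is the evidence that every stage finished. The following is an added example, not Cisco code: it checks a captured log for the stage-completion lines and report fields seen in the sample output above, and it assumes a complete run always prints those same lines (the function names are illustrative).

```python
import re

# Abridged from the factory-reset all secure console output on this page.
SAMPLE_LOG = """\
Sep 01 14:49:04.593: start to purge non-volatile storage.
Sep 01 14:53:15.065: purge non-volatile storage done.
#CISCO C8100 DATA SANITIZATION REPORT#
SN : 0xa0611433
Status : SUCCESS
NIST : PURGE
Sep 01 14:57:32.838: bootflash check done.
Sep 01 14:57:33.805: ROMMON cleanup variables done.
Sep 01 14:57:35.747: ACT2/AIKIDO/TPM cleanup done.
Sep 01 14:57:38.152: report save done.
Sep 01 14:57:38.198: Factory reset operation completed.
"""

# Completion lines in the order the sample run prints them (assumed stable).
DONE_MARKERS = [
    "purge non-volatile storage done.",
    "bootflash check done.",
    "ROMMON cleanup variables done.",
    "ACT2/AIKIDO/TPM cleanup done.",
    "report save done.",
    "Factory reset operation completed.",
]

def report_field(log, name):
    """Return the value of a 'Name : value' report line, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}[ \t]*:[ \t]*(\S+)", log, re.M)
    return m.group(1) if m else None

def verify_secure_reset(log):
    """Return a list of problems; an empty list means every stage finished."""
    problems, pos = [], 0
    for marker in DONE_MARKERS:
        found = log.find(marker, pos)  # search forward only, so order matters
        if found < 0:
            problems.append(f"stage not confirmed: {marker}")
        else:
            pos = found + len(marker)
    for name, want in (("Status", "SUCCESS"), ("NIST", "PURGE")):
        got = report_field(log, name)
        if got != want:
            problems.append(f"report field {name} is {got!r}, expected {want!r}")
    return problems

if __name__ == "__main__":
    print(verify_secure_reset(SAMPLE_LOG) or "secure reset log is complete")
```

A capture that was cut short, for example by a power interruption during the reset, fails the check because the later stage lines are missing.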
    

What happens after a factory reset

After the factory reset is successfully completed, the router boots up. However, if the configuration register was set to boot manually from ROMMON before the factory reset process started, the router stops at ROMMON.

After you configure Smart Licensing, execute the show license status command to check whether Smart Licensing is enabled for your instance.


Note


If you had Specific License Reservation enabled before you performed the factory reset, use the same license and enter the same license key that you received from the smart agent.