Password Recovery

Recover a password-protected switch

You may need to reset the password on a Cisco Catalyst IE3x00 series switch. This process bypasses the stored startup configuration that contains the forgotten password so that you can set a new password.

You may be unable to access your Cisco Catalyst IE3x00 switch because of a password. In such cases, you can recover access without erasing your configuration. This process lets you bypass the saved password, set a new one, and restore normal operation. Follow these steps to reset and secure your switch.

Recover a password

You can recover a password with this task.

Perform this procedure to recover the enable password.

You can set an enable password or an enable secret password. Both protect access to privileged EXEC and configuration modes. The enable password can be recovered, but the enable secret password is encrypted and can only be replaced with a new password.

Procedure


Step 1

Attach a terminal or PC with terminal emulation to the console port of the switch. Use these terminal settings:

Example:

9600 baud rate
No parity
8 data bits
1 stop bit

Use the show version command to check the configuration register setting. It is usually 0x2102 or 0x102.

Step 2

Using the power switch, turn off the router and then turn it back on.

To simulate step 2, pull out and then replace the Node Route Processor (NRP) or Node Switch Processor (NSP) card.

Step 3

Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.

If the break sequence doesn't work, see Possible Key Combinations for Break Sequence During Password Recovery for other key combinations.

Step 4

Enter confreg 0x2142 at the prompt to boot from Flash without loading the configuration.

Router Recovery and Access

  1. Enter reset at the rommon 2> prompt. The router reboots but ignores its saved configuration.

    System Bootstrap, Version ...
    [System boots up, configuration register set to ignore startup-config]
  2. Enter enable at the Router> prompt. You'll be in enable mode and see the Router# prompt.

    Switch> enable
    Switch#
  3. Enter configure memory or copy startup-config running-config to copy the nonvolatile RAM (NVRAM) into memory.

    Switch# copy startup-config running-config
    Destination filename [running-config]? 
    Press RETURN to confirm.
    [OK]
  4. Enter write terminal or show running-config to view the configuration of the router. In this configuration, the shutdown command appears under every interface, which means all interfaces are currently shut down. You can also see the passwords (enable password, enable secret, vty, console passwords, and so on) in either encrypted or unencrypted format. The unencrypted passwords can be reused; the encrypted ones must be replaced with new ones.

    Switch# show running-config
    Building configuration...
    Current configuration : N bytes
    !
    version ...
    ...
    interface GigabitEthernet1/1
     shutdown
    ...
    enable secret 5 $1$abcd$Efghijklmnop
    ...

Configuration restoration and finalization

  1. Enter configure terminal and make the changes.

    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)#
  2. Enter enable secret <password> to change the enable secret password.

    Switch(config)# enable secret <password>
    Switch(config)#
  3. Use the no shutdown command on every interface that is used. If you issue a show ip interface brief command, every interface that you want to use should be up up.

    Switch(config)# interface GigabitEthernet1/1
    Switch(config-if)# no shutdown
  4. Enter config-register 0x2102, or the value you recorded in step 2.

    Switch(config)# config-register 0x2102
  5. Press [Ctrl+Z] or End to leave the configuration mode. The prompt is now hostname#.

    Switch#
  6. Enter write memory or copy running-config startup-config to commit the changes.

    Switch# write memory
    Building configuration...
    [OK]

Enter no after each setup question or press [Ctrl+C] to skip the initial setup procedure.
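A post-recovery check, as an added example that is not part of the original procedure: it reads show version and show running-config text and reports a configuration register that still skips the startup configuration (bit 6, the difference between 0x2142 and 0x2102), a recoverable enable password, and interfaces left shut down. The function name audit, the expected_up parameter, and the sample output are assumptions constructed for illustration.

```python
import re

IGNORE_NVRAM = 0x0040  # configuration-register bit 6: skip startup-config at boot

# Constructed sample output, not captured from a real device.
SAMPLE_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$Efghijklmnop
enable password lab-example
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 description spare port
 shutdown
!
"""


def audit(show_version, running_config, expected_up=()):
    """Return findings showing the recovery procedure was not finished cleanly."""
    findings = []
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", show_version)
    if m is None:
        findings.append("configuration register not found in show version output")
    else:
        at_reload = int(m.group(2) or m.group(1), 16)  # value used on next boot
        if at_reload & IGNORE_NVRAM:
            findings.append(f"next reload ignores startup-config (register {at_reload:#06x})")

    iface, has_secret = None, False
    for line in running_config.splitlines():
        if line and not line[0].isspace():
            # A top-level line either opens an interface block or closes one.
            is_iface = line.startswith("interface ")
            iface = line[len("interface "):].strip() if is_iface else None
        if line.startswith("enable secret "):
            has_secret = True
        elif line.startswith("enable password "):
            findings.append("enable password present: recoverable from the config")
        elif line.strip() == "shutdown" and iface in expected_up:
            findings.append(f"{iface} is still shutdown")
    if not has_secret:
        findings.append("no enable secret configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_CONFIG, {"GigabitEthernet1/1"}):
        print(finding)
```
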


Recover forgotten password

You can recover a password-protected switch. Perform these steps to modify a variable in the bootloader prompt to bypass the startup configuration that contains the forgotten password and reset the password.

Before you begin

Procedure


Step 1

Turn on the switch and press and hold the Express Setup button for about 10 seconds.

Step 2

Set this switch variable to boot the switch without any configurations.

Switch: SWITCH_IGNORE_STARTUP_CFG=1 

This bypasses the stored startup configuration.

Step 3

Enter this command to boot your switch.

Switch: boot

After the switch completes the boot process, you can use the current unconfigured switch to recover your startup configuration from the flash file system to retain the previous configuration. After booting, the switch allows you to log in without a password.

Step 4

Once logged in, copy the saved configuration from startup-config to running-config.

Switch# copy startup-config running-config

Step 5

Set a new password.

Switch# configure terminal
Switch(config)# username admin password admin

Step 6

Remove the previously set switch variable from the bootloader.

Switch(config)# no system ignore startupconfig switch all

Step 7

Execute any one of these commands to save the new configuration.

Switch# write memory

OR

Switch# copy run start

The switch loads the saved configuration during future bootups.

Note

If you do not execute the no system ignore startupconfig switch all and write memory commands, the switch boots with no configuration on future reloads.