A common problem with any type of device that has some form of access control to the management interface is the loss of administrative passwords. If you haven't come across a situation where you need to recover a forgotten or lost password, it is just a matter of time before you will be faced with the situation. The password recovery mechanisms for Cisco Catalyst switches vary depending on the specific switch platform. In this scenario, examples of password recovery on CatOS-based switches and the Cisco IOS-based Catalyst 3550 switch are provided. For password recovery details for other switch platforms, see www.cisco.com/warp/public/474.
Password Recovery on CatOS-based Switches
The techniques described in this section apply to all CatOS-based switches, including the Catalyst 2900, 4000, 5000/5500, and 6000/6500 series switches. Password recovery on CatOS-based switches is relatively simple, because CatOS allows you to gain management access to the switch with a blank password and reconfigure passwords for a 30-second period immediately after switch bootup.
Password recovery on CatOS-based switches requires access to the console port of the switch and also the ability to power cycle (power off and then power on again) the switch. The power cycle is required because password recovery on CatOS requires the switch to be rebooted so that the initial blank password period becomes available.
The requirement to cycle the switch normally means you require physical access to the switch. Although you can use the reset system command to reboot the switch, this is a privileged mode command that requires enable mode access. If you are attempting to recover a password and have enable mode access, all you need to do is simply reconfigure the password, as you have the right to do so under privileged configuration mode. If you can't gain access to privileged mode because of a lost password, then the only way to cycle the switch is to manually pull the power plug.
Assuming console access has been established to the switch and the switch has been power cycled, after the switch boots up, the "Enter password:" prompt is presented. As soon as the prompt is presented, the switch allows access using a blank password. During this 30-second period, the switch also allows you to modify switch passwords using the set password and set enablepass privileged configuration commands. After the "Enter password:" prompt has been displayed for 30 seconds or more, you can only gain user mode access and enable mode access using the appropriate passwords configured on the switch. It is also important to understand that even if you gained privileged mode access to the switch during the initial 30-second blank password period, once that period has expired you are not able to configure new passwords unless you know the existing passwords. This is because the set password and set enablepass commands prompt you for the existing password before accepting a new one.
Example 10-47 shows an example of the boot up process, accessing enable mode and then reconfiguring the existing passwords on the switch.
Example 10-47. Password Recovery on CatOS-based Switch
WS-X2948G bootrom version 6.1(4), built on 2001.07.30 14:43:26
H/W Revisions: Fin: 2 Head: 11 Board: 1
Supervisor MAC addresses: 00:30:24:48:d4:00 through 00:30:24:48:d7:ff (1024 addresses)
Installed memory: 64 MB
Testing LEDs.... done!
The system will autoboot in 5 seconds.
Type control-C to prevent autobooting.
rommon 1 >
The system will now begin autobooting.
Autobooting image: "bootflash:cat4000-k8.7-4-2.bin"
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC########################
########
Starting Off-line Diagnostics
Mapping in TempFs
Board type is WS-X2948
DiagBootMode value is "post"
Loading diagnostics...
Power-on-self-test for Module 1: WS-X2948
Status: (. = Pass, F = Fail)
processor: .
cpu sdram: .
eprom: .
nvram: .
flash: .
enet console port: .
switch registers: .
switch sram: .
Module 1 Passed
Exiting Off-line Diagnostics
Cisco Systems, Inc. Console
Enter password: ! (blank password)
Switch-A> enable
Enter password: ! (blank password)
Switch-A> (enable) set password
Enter old password: ! (blank password)
Enter new password: *****
Retype new password: *****
Switch-A> (enable) set enablepass
Enter old password: ! (blank password)
Enter new password: *****
Retype new password: *****
In Example 10-47, notice that blank passwords are accepted to gain access to user mode and enable mode, and that blank passwords are also accepted at the old password prompts when resetting passwords using the set password and set enablepass commands. It is very important to understand that blank passwords for user mode access, enable mode access, the set password command, and the set enablepass command are accepted for only 30 seconds after the initial "Enter password:" prompt is displayed. Example 10-48 demonstrates what happens when, after the 30 seconds have expired, you try to modify the enable password using the set enablepass command with a blank password for the old password.
Example 10-48. Attempting to Reset a Password after 30-second Initial Blank Password Period Expires
Switch-A> (enable) set enablepass
Enter old password: ! (blank password entered)
Sorry password incorrect.
As you can see in Example 10-48, CatOS rejects the blank password because the 30-second blank password period has expired. At this stage, the only way to reconfigure the password is to enter the correct old password or to power cycle the switch and reattempt password recovery.
Password Recovery on Cisco IOS-based Switches
As you saw in the last section, password recovery on CatOS is reasonably simple. Password recovery on Cisco IOS is a little bit more complex because Cisco IOS does not support an initial 30-second blank password period. In this section, you learn how to recover a password on the Catalyst 3550 switch, with the same recovery procedure also applying to the Catalyst 2900XL/3500XL and Catalyst 2950 switch families.
To recover lost passwords, the following configuration tasks are required:
Configuring the Switch to Bypass the Startup File
The first configuration task in password recovery is to configure the switch to bypass the startup configuration file, forcing the switch to load with a default configuration and allowing privileged mode to be accessed with a blank password. Because you normally don't have privileged mode access to the switch when you have lost a password, you must bypass the startup configuration by interrupting the boot process, which can be performed only if you have physical access to the switch and a console connection to it.
To interrupt the boot process, you must first power down the switch (by disconnecting the power cord) and then hold down the MODE button on the front of the switch, which is on the left-hand side of the switch directly below the Cisco Systems emblem and just to the left of the main switch LEDs. Keeping the MODE button held down, you must then power on the switch by reconnecting the power cord. When the switch initializes, all port LEDs are lit green; the MODE button must continue to be held down until the port LED above interface fastEthernet 0/1 turns off. Once this LED turns off, you can release the MODE button, and on the console connection to the switch you should notice that the boot process has been interrupted. Example 10-49 demonstrates how the boot process is interrupted.
Example 10-49. Interrupting the Boot Process on the Catalyst 3550
The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software:

flash_init
boot

switch:
In Example 10-49, the switch: prompt at the end of the output is the recovery prompt, which provides access to the Flash file system of the switch.
On the Catalyst 3550 switch, the startup configuration file is actually stored in the Flash file system in a file called config.text. This is unlike other Cisco IOS devices, which store the startup configuration file in nonvolatile random-access memory (NVRAM). The Catalyst 3550 presents the config.text file as virtual NVRAM, so Cisco IOS behaves as if it stores its startup configuration in NVRAM. To bypass the startup configuration file, you must rename the file from config.text to something else; if no config.text file exists on bootup, Cisco IOS creates a config.text file that contains a default startup configuration (i.e., blank passwords). To rename the config.text file in Flash, you must first mount the Flash file system by using the flash_init command, followed by the load_helper command. Once mounted, you should be able to use the dir command to view the contents of the Flash file system. Example 10-50 demonstrates mounting the Flash file system.
Example 10-50. Mounting the Flash File System
switch: flash_init
switch: load_helper
switch: dir flash:
Directory of flash:
2 -rwx 0 Jan 01 1970 00:01:18 env_vars
3 -rwx 342 Jan 01 1970 00:01:18 system_env_vars
4 -rwx 676 Jul 01 2002 12:47:23 vlan.dat
5 -rwx 1460 Mar 01 1993 06:45:10 config.text
9 drwx 192 Mar 01 1993 00:03:18 c3550-i5q3l2-mz.121-8.EA1c
66 -rwx
15998976 bytes total (10891264 bytes free)
In Example 10-50, the dir flash: command, where flash: represents the Flash file system (the colon is important and must be specified), displays the contents of Flash. Notice that the config.text file is present on the Flash file system. To rename this file, you must use the rename command. Once the config.text file has been renamed, the switch can be booted normally using the boot command. Example 10-51 demonstrates renaming the config.text file and then booting the switch.
Example 10-51. Renaming the Startup Configuration File
switch: rename flash:config.text flash:config.old
switch: boot
Loading "flash:c3550-i5k2l2q3-mz.121-13.EA1a/c3550-i5k2l2q3-mz.121-13.EA1a.bin"...
#################################################################
################################################################################
##################
... (Output Truncated) ...
Notice the syntax for renaming the config.text file. The full path to the original file must be specified first (i.e., flash:config.text), followed by the new filename, which can be anything other than config.text (i.e., flash:config.old). After renaming the file, the switch is booted using the boot command.
Gaining Privileged Mode Access and Restoring the Original Configuration
After issuing the boot command in Example 10-51, the switch boots as normal. Once the boot process is complete, because the startup configuration file (config.text) is not present, the switch generates a new blank configuration file and starts the configuration setup wizard. At this point, you should exit the configuration setup wizard, after which you are provided user mode access via the console. You can now access privileged mode without any password, because only a blank configuration currently exists on the switch. Example 10-52 demonstrates exiting the configuration wizard and then gaining privileged mode access.
Example 10-52. Gaining Privileged Mode access
Continue with the configuration dialog? [yes/no]: no
Switch> enable
Switch#
In Example 10-52, notice that no enable password is prompted for, because the enable password is blank.
Resetting Passwords and Saving the New Configuration
At this stage, you have gained privileged mode access to the switch. The old switch configuration file now needs to be applied to the current configuration to ensure that the switch is still configured as it was previously. Of course, restoring the old configuration also means restoring the old passwords; however, because you now have privileged mode access to the switch (which is not lost when you restore the configuration), you can reset the passwords after the configuration is restored. Example 10-53 demonstrates restoring the old switch configuration file.
Example 10-53. Restoring the Old Switch Configuration File and Resetting Passwords
Switch# copy flash:config.old system:running-config
Source filename [config.text]?
Destination filename [running-config]?
Switch-A#
In Example 10-53, the copy flash:config.old system:running-config command ensures the renamed configuration file (renamed in Example 10-51) is restored to the current running configuration of the switch. Notice that the switch name changes from Switch to Switch-A in Example 10-53, giving an indication that the previous switch configuration has been restored.
The switch is now configured identically to how it was before you began the password recovery procedure, with the only difference being that you now have privileged mode access to the switch. This allows the enable secret global configuration command to be executed, resetting the enable secret password (Example 10-54 sets it to abc123). After the passwords have been reset, the new configuration must be saved to the startup configuration file to ensure the switch boots with the new passwords next time.
After resetting passwords, if the VLAN 1 interface is enabled in the normal switch configuration, you must ensure you issue the no shutdown interface configuration command, because the default Catalyst configuration places the VLAN 1 interface in a shutdown state using the shutdown command. Because configuration files do not store the no shutdown command, when you overwrite the default configuration with the restored startup configuration (Example 10-53), the default shutdown command is not overwritten, leaving VLAN 1 down.
Example 10-54 demonstrates configuring a new enable password, ensuring interface VLAN 1 is enabled, and then saving the configuration.
Example 10-54. Configuring a New Password
Switch-A# configure terminal
Switch-A(config)# enable secret abc123
Switch-A(config)# interface vlan 1
Switch-A(config-if)# no shutdown
00:19:06: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:19:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch-A(config)# end
Switch-A# copy running-config startup-config
Building configuration...
[OK]
At this stage, if you exit the management interface of the switch and attempt to reconnect or reboot the switch, the new enable secret configured in Example 10-54 should be in use.
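Because this recovery procedure needs only physical console access and a power cycle, a network operator will want to notice when it has been run on a switch. The footprint it leaves in syslog is a restart followed shortly by a configuration change made from the physical console (with the copy to startup-config in Example 10-54 being the change that is logged). The following script is an added example, not from this chapter; the log lines are constructed, and it assumes a collector that stores IOS messages as "timestamp host %FACILITY-SEVERITY-MNEMONIC: text", using the standard SYS-5-RESTART and SYS-5-CONFIG_I message names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the chapter). switch-a shows the
# recovery footprint; switch-b shows a normal restart and a later change made
# by a named user over a vty session, which should not be flagged.
SAMPLE_LOG = """\
2002-07-01T12:40:02 switch-a %SYS-5-RESTART: System restarted --
2002-07-01T12:41:30 switch-a %LINK-3-UPDOWN: Interface Vlan1, changed state to up
2002-07-01T12:42:10 switch-a %SYS-5-CONFIG_I: Configured from console by console
2002-07-01T12:43:00 switch-b %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
2002-07-01T18:00:00 switch-b %SYS-5-RESTART: System restarted --
2002-07-01T19:30:00 switch-b %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

# Assumed collector layout: ISO timestamp, relaying host, then the IOS message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "msg": m["msg"], "text": m["text"]})
    return events


def find_console_recovery(lines, window=timedelta(minutes=15)):
    """Return (host, restart_time, config_time) for every restart that is followed
    within `window` by a configuration change made from the physical console,
    i.e. "by console" with no authenticated username."""
    last_restart = {}
    findings = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        if ev["msg"] == "SYS-5-RESTART":
            last_restart[ev["host"]] = ev["ts"]
        elif ev["msg"] == "SYS-5-CONFIG_I" and ev["text"].endswith("by console"):
            restarted = last_restart.get(ev["host"])
            if restarted is not None and ev["ts"] - restarted <= window:
                findings.append((ev["host"], restarted, ev["ts"]))
    return findings


if __name__ == "__main__":
    for host, restarted, configured in find_console_recovery(SAMPLE_LOG.splitlines()):
        print(f"{host}: restarted {restarted}, console config change {configured}")
```

A change from the console shortly after a restart is also what a legitimate on-site recovery looks like, so the finding is a prompt to reconcile it against the change record rather than proof of misuse.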