Cisco

Cisco Catalyst 9300 Password Recovery

Cisco Catalyst 9300 Password Recovery
In: Cisco

So, you forgot the password, I know that sinking feeling in your stomach when you realize you can't access your switch. Panic sets in as you try every password you've ever used, but nothing seems to work.

Well, fear not my friend, because I'm here to help! As a wise person once said, "It's not about forgetting the password, it's about how you reset it." Okay, maybe no one has ever said that, but it's still true.

Resetting the password on a Cisco switch may seem daunting, but with a little guidance, it's not so bad. And let's be real, if you forget the password again, we may need to have a chat about your memory skills. Maybe try some brain teasers or something?

But for now, let's focus on the task at hand. Here's how to reset the password on your Cisco Catalyst 9000 series switches and get your network back up and running.

Member Plans

Subscribe

Overview

I must have been living under a rock not to realise the password recovery procedure is different for the Catalyst 9000 series switches (or IOS-XE). I was trying the old method of sending the break command and then changing the config-register for some time and not having any success. I then realised the procedure is different so, I decided to write a post on it to help fellow Network Engineers. In this example, we will go through the steps required to successfully recover/change the password on the C9300 switch.

By default, the startup-config files are stored in the NVRAM and the running-config (actual device configuration) is stored in the DRAM. The main purpose of the password recovery process is to boot the device with factory-default configuration and once there is access to the device, load the current configuration and change the password.

đź’ˇ
Even though this particular example is based on the C9300 switch, the process is exactly the same for other switches and IOS-XE devices.

The following are the higher levels of steps to reset the password.

  • Connect the console cable and reload the switch
  • Press the mode button to force the switch to boot into the boot loader.
  • Ignore the startup-config
  • Reset the password
  • Reload the switch

Connect the console cable and reload the switch

The first step is to connect the console cable to the switch and then perform a reload by pulling the power code from the switch.

The 'Mode' button

As soon as you reload the switch, press the modebutton multiple times until the switch goes into bootloader mode. Please ensure the following message is displayed on the console. boot from [flash:packages.conf] is interrupted

Initializing Hardware......

System Bootstrap, Version 17.6.1r[FC2], RELEASE SOFTWARE (P)
Compiled Wed 05/12/2021 15:39:34.01 by rel

Current ROMMON image : Primary
Last reset cause     : PowerOn
C9300-24P platform with 8388608 Kbytes of main memory

boot: attempting to boot from [flash:packages.conf] (interrupted)

Ignore the startup-config

Please remember the password you configured is stored in the startup-config so, to bypass the password requirements, we need to instruct the switch to ignore the startup-config and boot from the factory default config.

Please enter SWITCH_IGNORE_STARTUP_CFG=1 and boot on the switch: prompt. The switch will then boot into its default factory setting.

switch: SWITCH_IGNORE_STARTUP_CFG=1
switch: boot
boot: attempting to boot from [flash:packages.conf]
boot: reading file packages.conf
########################################################

*********
TRUNCATED
*********

Switch>
Switch>
Switch>en
Switch#

Reset the password

The next step is to load the startup-config (actual device configuration) into the running-config and reset the password.

Once you configured the new password, copy the running-config (which has the new password) into the startup-config.

Switch#copy startup-config running-config
Destination filename [running-config]? 
8787 bytes copied in 0.373 secs (23558 bytes/sec)
HQ-SWITCH#
HQ-SWITCH(config)#username cisco privilege 15 secret 0 Pa55word123
HQ-SWITCH(config)#enable secret 0 Pa55word123
HQ-SWITCH(config)exit

HQ-SWITCH#copy running-config startup-config

Please remember we instructed the switch to ignore the startup-config on the previous step, we need to revert that change, otherwise, the switch will keep ignoring the startup-config on the subsequent reloads.

HQ-SWITCH(config)#no system ignore startupconfig switch all
HQ-SWITCH#copy running-config startup-config

Reload the Switch

This is optional but I wanted to make sure there are no surprises on the next reload so, decided to perform a reload and make sure everything is working as expected.

HQ-SWITCH#reload 
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
*Oct  7 10:49:27.961: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
11:46:56.377 §Chassis 1 reloading, reason - Reload command

A few things to consider

After reloading the switch, I was getting connection refused message when trying to SSH. I had to regenerate the SSH keys on the switch using the crypto key generate rsa modulus 2048 command. So, please keep this in mind if you come across any issues.

Written by
Suresh Vina
Tech enthusiast sharing Networking, Cloud & Automation insights. Join me in a welcoming space to learn & grow with simplicity and practicality.
Comments
More from Packetswitch
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Packetswitch.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.