Cisco Catalyst 9300 Password Recovery


So you forgot the password. I know that sinking feeling in your stomach when you realize you can't access your switch. Panic sets in as you try every password you've ever used, but nothing seems to work. Yes, I've been there, many times 😭

Well, fear not my friend, because I'm here to help. As a wise person once said, "It's not about forgetting the password, it's about how you reset it." Okay, maybe no one has ever said that, but it's still true.

But for now, let's focus on the task at hand. Here's how to reset the password on your Cisco Catalyst 9000 series switches and get your network back up and running.

Overview

I must have been living under a rock not to realise that the password recovery procedure is different for the Catalyst 9000 series switches (or IOS-XE in general). I spent some time trying the old method of sending the break sequence and then changing the config-register, without any success. Once I realised the procedure is different, I decided to write a post on it to help fellow Network Engineers. In this example, we will go through the steps required to recover/change the password on a C9300 switch.

By default, the startup-config is stored in NVRAM and the running-config (the live device configuration) is held in DRAM. The whole point of the password recovery process is to boot the device with a factory-default configuration; once you have access to the device, you load the saved configuration and change the password.

💡 Even though this particular example is based on the C9300 switch, the process is exactly the same for other Catalyst 9000 switches and IOS-XE devices.

The following are the high-level steps to reset the password.

  • Connect the console cable and reload the switch
  • Press the mode button to force the switch into the boot loader
  • Ignore the startup-config
  • Reset the password
  • Reload the switch

Connect the console cable and reload the switch

The first step is to connect the console cable to the switch and then reload it by pulling the power cord from the switch.

The 'Mode' button

As soon as you reload the switch, press the mode button repeatedly until the switch drops into boot loader (ROMMON) mode. Make sure the following message is displayed on the console: boot from [flash:packages.conf] is interrupted

Initializing Hardware......

System Bootstrap, Version 17.6.1r[FC2], RELEASE SOFTWARE (P)
Compiled Wed 05/12/2021 15:39:34.01 by rel

Current ROMMON image : Primary
Last reset cause     : PowerOn
C9300-24P platform with 8388608 Kbytes of main memory

boot: attempting to boot from [flash:packages.conf] (interrupted)

Ignore the startup-config

Remember that the password you configured is stored in the startup-config, so to bypass the password prompt we need to instruct the switch to ignore the startup-config and boot with the factory-default configuration instead.

At the switch: prompt, enter SWITCH_IGNORE_STARTUP_CFG=1 followed by boot. The switch will then boot with its factory-default settings.

switch: SWITCH_IGNORE_STARTUP_CFG=1
switch: boot
boot: attempting to boot from [flash:packages.conf]
boot: reading file packages.conf
########################################################

*********
TRUNCATED
*********

Switch>
Switch>
Switch>en
Switch#

Reset the password

The next step is to load the startup-config (the saved device configuration) into the running-config and reset the password.

Once you have configured the new password, copy the running-config (which now contains the new password) into the startup-config.

Switch#copy startup-config running-config
Destination filename [running-config]? 
8787 bytes copied in 0.373 secs (23558 bytes/sec)
HQ-SWITCH#configure terminal
HQ-SWITCH(config)#username cisco privilege 15 secret 0 Pa55word123
HQ-SWITCH(config)#enable secret 0 Pa55word123
HQ-SWITCH(config)#exit

HQ-SWITCH#copy running-config startup-config

Remember that in the previous step we instructed the switch to ignore the startup-config. We need to revert that change; otherwise the switch will keep ignoring the startup-config on every subsequent reload, which means it would come up with no configuration and no passwords at all.

HQ-SWITCH(config)#no system ignore startupconfig switch all
HQ-SWITCH(config)#exit
HQ-SWITCH#copy running-config startup-config
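Since a switch left with the ignore flag set boots with a blank configuration on every reload, it is worth verifying the ROMMON variable after the revert rather than trusting that the command took effect. The following added example (not part of the original post) parses captured show romvar output and flags a switch whose SWITCH_IGNORE_STARTUP_CFG is still 1; the sample output is constructed, and the assumption is that show romvar prints one NAME=value pair per line, with the value optionally quoted.

```python
import re

# Constructed sample of "show romvar" output, modelled on a Catalyst 9300
# after a password recovery where the ignore flag was NOT reverted.
# Assumption: variables appear one per line as NAME=value (value may be quoted).
SAMPLE_ROMVAR = """ROMMON variables:
 PS1="switch: "
 MODEL_NUM="C9300-24P"
 BOOT="flash:packages.conf;"
 SWITCH_IGNORE_STARTUP_CFG="1"
 MANUAL_BOOT="no"
"""

# Constructed sample after "no system ignore startupconfig switch all"
# followed by a copy running-config startup-config.
SAMPLE_ROMVAR_CLEAN = SAMPLE_ROMVAR.replace('SWITCH_IGNORE_STARTUP_CFG="1"',
                                            'SWITCH_IGNORE_STARTUP_CFG="0"')

# NAME=value or NAME="value"; the backreference makes the closing quote
# mandatory only when an opening quote was present.
_VAR_RE = re.compile(r'^\s*([A-Z0-9_]+)=("?)(.*?)\2\s*$', re.M)


def parse_romvar(output: str) -> dict:
    """Return the ROMMON variables as a dict, with surrounding quotes stripped."""
    return {m.group(1): m.group(3) for m in _VAR_RE.finditer(output)}


def recovery_flag_cleared(output: str) -> bool:
    """True unless SWITCH_IGNORE_STARTUP_CFG is still set to 1.

    A missing variable is treated as cleared, since the switch then honours
    the startup-config on the next reload.
    """
    flag = parse_romvar(output).get("SWITCH_IGNORE_STARTUP_CFG", "0")
    return flag != "1"


if __name__ == "__main__":
    for label, text in (("before revert", SAMPLE_ROMVAR),
                        ("after revert", SAMPLE_ROMVAR_CLEAN)):
        state = "cleared" if recovery_flag_cleared(text) else "STILL SET"
        print(f"{label}: SWITCH_IGNORE_STARTUP_CFG {state}")
```

Paste the real show romvar output into parse_romvar to check a switch you have just recovered.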

Reload the Switch

This step is optional, but I wanted to make sure there were no surprises on the next reload, so I reloaded the switch to confirm that everything comes back as expected.

HQ-SWITCH#reload 
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
*Oct  7 10:49:27.961: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
11:46:56.377 Chassis 1 reloading, reason - Reload command

A few things to consider

After reloading the switch, I was getting a connection refused message when trying to SSH. I had to regenerate the SSH keys on the switch using the crypto key generate rsa modulus 2048 command. So please keep this in mind if you come across any issues.

Written by Suresh Vina