Cisco Catalyst 9300 Password Recovery
So, you forgot the password. I know that sinking feeling in your stomach when you realize you can't access your switch. Panic sets in as you try every password you've ever used, but nothing seems to work. Yes, I've been there, many times 😭
Well, fear not my friend, because I'm here to help. As a wise person once said, "It's not about forgetting the password, it's about how you reset it." Okay, maybe no one has ever said that, but it's still true.
But for now, let's focus on the task at hand. Here's how to reset the password on your Cisco Catalyst 9000 series switches and get your network back up and running.
Overview
I must have been living under a rock not to realise the password recovery procedure is different for the Catalyst 9000 series switches (or IOS-XE). I was trying the old method of sending the break command and then changing the config-register for some time and not having any success. I then realised the procedure is different, so I decided to write a post on it to help fellow Network Engineers. In this example, we will go through the steps required to successfully recover/change the password on the C9300 switch.
By default, the startup-config files are stored in the NVRAM and the running-config (actual device configuration) is stored in the DRAM. The main purpose of the password recovery process is to boot the device with factory-default configuration and once there is access to the device, load the current configuration and change the password.
The following are the high-level steps to reset the password.
- Connect the console cable and reload the switch
- Press the mode button to force the switch to boot into the boot loader
- Ignore the startup-config
- Reset the password
- Reload the switch
Connect the console cable and reload the switch
The first step is to connect the console cable to the switch and then perform a reload by pulling the power cord from the switch.
The 'Mode' button
As soon as you reload the switch, press the mode button multiple times until the switch goes into bootloader mode. Please ensure the following message is displayed on the console: boot from [flash:packages.conf] is interrupted
Initializing Hardware......
System Bootstrap, Version 17.6.1r[FC2], RELEASE SOFTWARE (P)
Compiled Wed 05/12/2021 15:39:34.01 by rel
Current ROMMON image : Primary
Last reset cause : PowerOn
C9300-24P platform with 8388608 Kbytes of main memory
boot: attempting to boot from [flash:packages.conf] (interrupted)
Ignore the startup-config
Please remember the password you configured is stored in the startup-config, so to bypass the password requirement we need to instruct the switch to ignore the startup-config and boot with the factory-default config.
Enter SWITCH_IGNORE_STARTUP_CFG=1 followed by boot at the switch: prompt. The switch will then boot into its factory-default settings.
switch: SWITCH_IGNORE_STARTUP_CFG=1
switch: boot
boot: attempting to boot from [flash:packages.conf]
boot: reading file packages.conf
########################################################
*********
TRUNCATED
*********
Switch>
Switch>
Switch>en
Switch#
Reset the password
The next step is to load the startup-config (actual device configuration) into the running-config and reset the password.
Once you have configured the new password, copy the running-config (which now has the new password) into the startup-config.
Switch#copy startup-config running-config
Destination filename [running-config]?
8787 bytes copied in 0.373 secs (23558 bytes/sec)
HQ-SWITCH#
HQ-SWITCH(config)#username cisco privilege 15 secret 0 Pa55word123
HQ-SWITCH(config)#enable secret 0 Pa55word123
HQ-SWITCH(config)#exit
HQ-SWITCH#copy running-config startup-config
Please remember we instructed the switch to ignore the startup-config in the previous step, so we need to revert that change; otherwise, the switch will keep ignoring the startup-config on subsequent reloads.
HQ-SWITCH(config)#no system ignore startupconfig switch all
HQ-SWITCH#copy running-config startup-config
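As an added post-recovery check (example code, not from the original post), the script below scans saved text copies of the switch output and flags the two things that are easy to leave behind after this procedure: the ROMMON ignore-startup flag still set, and credentials stored in cleartext or as reversible type 7 instead of a type 9 hash. The sample outputs are constructed, and the `show romvar` variable layout is assumed.

```python
import re

# Constructed sample output (not captured from a real switch), in the shape of
# `show romvar` after a recovery where the revert step was forgotten.
SAMPLE_ROMVAR = """\
ROMMON variables:
 SWITCH_IGNORE_STARTUP_CFG="1"
 BOOT="flash:packages.conf;"
"""

# Constructed sample running-config: recovered credentials stored as type 9
# hashes, plus one leftover reversible type 7 password.
SAMPLE_RUNNING_CONFIG = """\
hostname HQ-SWITCH
enable secret 9 $9$EXAMPLEHASHEXAMPLEHASH
username cisco privilege 15 secret 9 $9$EXAMPLEHASHEXAMPLEHASH
username legacy password 7 0822455D0A16
line vty 0 4
 transport input ssh
"""

# Matches enable/username credential lines; group 1 is the hash-type digit
# (0, 5, 7, 8, 9) or, for a bare cleartext password, the password itself.
CRED_RE = re.compile(r"^(?:enable|username \S+(?: privilege \d+)?) (?:password|secret) (\S+)")
HASHED_TYPES = {"5", "8", "9"}


def check_recovery_state(romvar_text, running_config):
    """Return findings left over from a password recovery; [] means clean."""
    findings = []
    m = re.search(r'SWITCH_IGNORE_STARTUP_CFG="?(\d+)"?', romvar_text)
    if m and m.group(1) != "0":
        findings.append("SWITCH_IGNORE_STARTUP_CFG still set: the next reload boots "
                        "factory-default; run 'no system ignore startupconfig switch all' "
                        "and save the config")
    if not re.search(r"^enable secret ", running_config, re.M):
        findings.append("no 'enable secret' configured")
    for line in running_config.splitlines():
        m = CRED_RE.match(line)
        if m and m.group(1) not in HASHED_TYPES:
            # type 0 / bare cleartext, or type 7 (trivially reversible)
            findings.append("weak or reversible credential: " + line.strip())
    return findings


if __name__ == "__main__":
    for finding in check_recovery_state(SAMPLE_ROMVAR, SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
```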
Reload the Switch
This is optional, but I wanted to make sure there are no surprises on the next reload, so I decided to perform a reload and make sure everything is working as expected.
HQ-SWITCH#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
*Oct 7 10:49:27.961: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
11:46:56.377 Chassis 1 reloading, reason - Reload command
A few things to consider
After reloading the switch, I was getting a connection refused message when trying to SSH. I had to regenerate the SSH keys on the switch using the crypto key generate rsa modulus 2048 command. So, please keep this in mind if you come across any issues.