“PASSWORD RECOVERY ON A CISCO DEVICE”

Recently I was working on some devices to be delivered to a client. After configuring the switches, I saved my configurations and powered off the switch. On getting to the customer’s site, I powered on the switch and upon trying to log in, I realized I had forgotten the password on one of the switches – a 3550 switch. I was very worried because I was about to start implementation on the network that day. So I had to do password recovery on the switch. Password recovery is a skill every Cisco engineer should possess because you never know when it might come in handy. I am going to show you the method that worked for me. This recovery method should work on Cisco Catalyst 2900, 3500XL, 2940, 2950, 2955, and 3550 switches.

Step-by-Step Procedure

To recover a switch, follow the procedure below:

  • Attach a terminal or PC with terminal emulation (for example, PuTTY) to the console port of the switch.
  • To recover a password on a Cisco switch, you will have to be connected to the console port of the Cisco switch. On the settings for the terminal emulation client, set the speed to 9600 baud, 8 bits, no parity, 1 stop bit, and xon/xoff flow control.
  • Unplug the power cable.
  • Power the switch and bring it to the switch: prompt:

    For 2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches, do this:

    Hold down the mode button located on the left side of the front panel while you reconnect the power cable to the switch.

Catalyst Switch Series: LED Behavior and Mode Button Release Action

  • 2900XL, 3500XL, 3550: Release the Mode button when the LED above Port1x goes out.
  • 2940, 2950: Release the Mode button after approximately 5 seconds when the Status (STAT) LED goes out. When you release the Mode button, the SYST LED blinks amber.
  • 2960, 2970: Release the Mode button when the SYST LED blinks amber and then turns solid green. When you release the Mode button, the SYST LED blinks green.
  • 3560, 3750: Release the Mode button after approximately 15 seconds when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

Note: LED positions may vary slightly depending on the model.

On a 3560-C switch, the mode button is on the lower left-hand corner of the switch.


[Photos: Catalyst 3524XL; Catalyst 2950-24; a 2950 switch; a 3550 switch]


SO MOVING ON TO MY C3550 SWITCH RECOVERY

Once you are connected and see something on the terminal window when you press enter, unplug the power cable. Next, hold down the mode button on the front, as seen in the photo below, and connect the power cable.

On a 2900, 3500XL or 3550 (like the one shown) release the mode button after the 1x port LED goes out. On a 2940 or 2950 switch release the mode button after the stat light goes out. On a 2955, press the break key (ctrl-break on Windows) when you see the message that the switch will auto boot.

You should now see something like this (taken from a 3550 switch):

Notice it says the password-recovery mechanism is enabled.

At the switch: prompt, type flash_init and press enter. You should see something like this (at least on a 3550):

Now type load_helper and press enter. You should see something like this:

Now type dir flash: and press enter. You should see something like this:

The config.text file stores the administrative password that is keeping you from logging into the switch. To move this file out of the way so the switch boots without it, rename it with this command:

rename flash:config.text flash:config.backup

WARNING!!! Do not delete the config file as it has all the configurations stored on it.

Next, boot the switch using the boot command, like this:

Once the system is booted, you will be asked if you want to enter the initial configuration dialog. Say no and press enter.

Next, enter enable mode with the en or enable command. Then, type the following commands:

rename flash:config.backup flash:config.text

copy flash:config.text system:running-config

After each command, you will be prompted to confirm the name of the destination file. Do this by pressing enter each time.

Go into global configuration mode by typing “config terminal”. Next, type “no enable secret”.

Now you can reset your enable password to whatever password you want. In the example below, we used the command enable password C1sc08 to set the password to C1sc08.

Exit out of global configuration using the exit command and save your configuration with the “copy running-config startup-config” command. You will be prompted to confirm the name of the destination file. Press enter.

You have successfully reconfigured your switch’s enable password using the password recovery procedure. Even better, you were able to do this while preserving the entire switch configuration.
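The steps above remove the enable secret and set an enable password, which IOS keeps in cleartext in the configuration (or as reversible type 7 text when service password-encryption is on), so the saved configuration is worth checking afterwards. The Python check below is an added example, not part of the original post; the sample configurations, hostname, hashes and finding codes are constructed for illustration.

```python
import re

# Constructed sample: a configuration as the procedure above leaves it
# (hostname and the type 7 string are made up for this example).
SAMPLE_AFTER_RECOVERY = """\
hostname SW3550
enable password C1sc08
line con 0
line vty 0 4
 password 7 0822455D0A16
 login
"""

# Constructed sample: same switch with hashed secrets (placeholder hashes).
# Whether to disable password recovery is a site policy decision.
SAMPLE_TIGHTENED = """\
hostname SW3550
no service password-recovery
enable secret 5 $1$SALT$PLACEHOLDERHASHPLACEHOLDER
username admin secret 5 $1$SALT$PLACEHOLDERHASHPLACEHOLDER
line con 0
 login local
line vty 0 4
 login local
"""

# "enable password ..." or a line-level "password ...", optional type 0 or 7.
PW_RE = re.compile(
    r"^\s*(enable password|password)(?: level \d+)?(?: ([07]))? (\S+)\s*$")

def audit_config(text):
    """Return sorted finding codes (hypothetical names) for an IOS config."""
    lines = text.splitlines()
    findings = set()
    if not any(l.strip().startswith("enable secret ") for l in lines):
        findings.add("NO_ENABLE_SECRET")
    if not any(l.strip() == "no service password-recovery" for l in lines):
        # Informational: anyone at the console can repeat the recovery above.
        findings.add("INFO_PASSWORD_RECOVERY_ENABLED")
    for l in lines:
        m = PW_RE.match(l)
        if m:
            scope = "ENABLE" if m.group(1).startswith("enable") else "LINE"
            # Type 7 is reversible obfuscation; no type prefix means cleartext.
            kind = "TYPE7_REVERSIBLE" if m.group(2) == "7" else "CLEARTEXT"
            findings.add(f"{scope}_PASSWORD_{kind}")
    return sorted(findings)

if __name__ == "__main__":
    print("after recovery:", audit_config(SAMPLE_AFTER_RECOVERY))
    print("tightened:", audit_config(SAMPLE_TIGHTENED))
```

Run it against the text of show running-config; replacing the enable password with an enable secret clears the first two findings.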

It is not too difficult but it took me about 30 minutes the first time. The Cisco documentation says you should press the mode button for about 15 seconds. But in my experience, I had to press it for more than 20 seconds. This skill will definitely prove valuable in real life and I would advise you have at least the documentation with you (if you do not know how to do it by heart).

References

http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a008009464c.shtml

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960c_3560c/software/release/12.2_55_ex/release/notes/ol24071.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swtrbl.html#1021182