Saturday, September 27, 2008

Password Recovery on Cisco Catalyst Switch - Part 2

Password Recovery on Catalyst Switches Running CatOS

Although there haven't been any new Cisco Catalyst Switch platforms running CatOS, there's still a large customer base for the existing models. Just to note some of those that are still around:
  • Cisco Catalyst 2948G
  • Cisco Catalyst 2980G
  • Cisco Catalyst 4000 (Supervisors 1 and 2)
  • Cisco Catalyst 5000 (the whole line is already or nearing EOL)
  • Cisco Catalyst 6500 - Hybrid Mode (CatOS on Supervisor and IOS on MSFC). Applies to all Supervisor models
In CatOS Password Recovery, it is best that you know the whole picture, or all of the steps, first before you even try it. Why? Well, there's only a 30-second window to perform the CatOS Password Recovery upon boot up of a Catalyst Switch running CatOS.
  1. Do a cold boot.
  2. Wait for the Catalyst Switch to fully boot up.
  3. Press the Enter key at least once.
  4. Type enable, and then press the Enter key.
  5. Type set ena, and press Enter 4 times.
  6. Type set pass, and press Enter 4 times.
  7. Configure new passwords, or leave them as NULL (or none).
Now to discuss it further, the first thing that you want to do is a cold boot (power off and then on) of the Catalyst Switch. This is needed for the CatOS Password Recovery to work (it won't work on a reloaded, or warm-booted, Catalyst Switch). Afterwards, you just need to wait for it to fully boot up again (which will take around 2-3 minutes).

After the boot up, take note that you will only have a 30-second window to perform the rest of the steps. The reason behind this is that there's no password configuration applied to the Catalyst Switch running CatOS within the first 30 seconds after boot up. With that, we can go beyond the console login, and the enable (Privileged EXEC) mode, without a need to type any password. Furthermore, the password is actually set to NULL within this timeframe, which is similar to typing nothing.

So, as soon as you see the prompt for the console password, press Enter once and you'll see the Switch prompt. Just type enable and press Enter again, and you'll be inside the Privileged EXEC mode. Afterwards, you can now change the console and enable passwords to whatever you want. But in order to save time, you can set them to NULL for the meantime.
Note: In case these steps didn't work as expected, it may only mean that you're already outside the 30-second window, and need to start from scratch again.
To change the enable password, type set pass and press Enter. You'll then be asked for the old password (which will be NULL for now) so you just need to press Enter again. The next two prompts will ask you to type a new password and to retype/confirm the new password. Just press Enter for these since we just want it to be set to NULL in order to make the 30-second window.

To change the console password, just do the same steps for changing the enable password, but this time, use set ena command instead.

After this part, you're done with the CatOS Password Recovery. You just need to do the set pass and set ena commands again in order to change the console and enable passwords to whatever you want. This time, you can leisurely do it without any time limit to consider. Easy eh? =)

Saturday, September 6, 2008

Password Recovery on Cisco Catalyst Switch - Part 1

Password Recovery on Fixed Switches (Small Boxes)

For starters, here's a list of what I consider as Fixed Catalyst Switches or Small Boxes:
  • Cisco Catalyst 2900XL / 3500XL
  • Cisco Catalyst 2950
  • Cisco Catalyst 3500
  • Cisco Catalyst 2940
  • Cisco Catalyst 2960
  • Cisco Catalyst 2970
  • Cisco Catalyst 3560
  • Cisco Catalyst 3750
Now, here's a simplified view of the procedures of Password Recovery on Small Boxes:
  1. Power off the Catalyst Switch.
  2. Hold down the MODE button before powering up again.
  3. Go to switch: prompt.
  4. Initialize the flash memory.
  5. Rename the configuration file.
  6. Manually boot up the IOS image.
  7. Skip initial configuration dialog.
  8. Go to Privileged EXEC (or enable) mode.
  9. Restore the old configuration file name.
  10. Restore the configuration to the Catalyst Switch.
  11. Change or remove configured passwords.
  12. Save configuration changes.
Note: It is assumed that you are already connected to the switch thru console cable, and seeing console output from a terminal emulator application like HyperTerminal in Windows.
In more detail, the Catalyst switch can be powered off by unplugging the power cable. Then, hold down the MODE button before reconnecting the power cable to the Catalyst Switch again. You can release the MODE button only when the STAT LED or the first port LED stops blinking or goes out. From the CLI (thru HyperTerminal), you should see the switch: prompt.

At the switch: prompt, initialize the internal flash memory of the switch by issuing the flash_init command. Afterwards, issue the load_helper command. You can then check the content of the flash memory by issuing the dir flash: command, and look for the configuration file - config.text. Just type rename flash:config.text flash:config.old to change the name of the configuration file. This step is to ensure that the Catalyst Switch won't recognize any saved or startup configuration upon boot up.

In Fixed Switches, although there's still a start-up configuration file on the NVRAM, the actual configuration is saved on the flash memory with the default name, config.text. You can actually change the default name to something else thru the global configuration mode when the Catalyst Switch is properly booted up.

After the renaming, issue the boot command to boot the first image in the flash memory. Or specify an image name by using the boot flash:(image name) command instead. After boot up, the System Configuration Dialog will show up. Just type No when asked if you want to continue with the initial configuration dialog. Then, issue the enable command. This is the actual point of bypassing the password: if the configuration were loaded (and there's a password applied), you could not actually go to the Privileged EXEC or enabled mode.

You can then restore the original name of the configuration file by typing rename flash:config.old flash:config.text. Then, type copy flash:config.text system:running-config to restore the configuration to the running configuration of the Catalyst Switch. You can actually use a shortcut to do both steps with a single command. You can use copy flash:config.old system:running-config instead.
Note: Be sure that you use the copy flash:config.text system:running-config command (or copy startup-config running-config) and not the reverse, which is copy system:running-config flash:config.text (or copy running-config startup-config). If you do the reverse, you'll be overwriting the original configuration, which leads to a bigger problem.
To change or remove the password configurations, issue configure terminal command to go to the global configuration mode, and then type enable secret to change the secret password, or no enable secret to remove secret password. Also type enable password to change the regular password, or no enable password to remove regular password. You can also change or remove telnet (line vty) and console (line console) passwords by using the following commands:

For telnet:

Switch(config)#line vty 0 15
Switch(config-line)#password
Switch(config-line)#login

For console:

Switch(config-line)#line con 0
Switch(config-line)#password
Switch(config-line)#login

Lastly, issue write memory or copy run start to save the configuration with new passwords. And we’re done! =)
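The ordering checkpoints of this procedure, as an added example that is not part of the original post: a Python check that walks a planned command list and flags a save issued before the saved configuration has been restored. The function name, the messages and both sample plans are constructed for illustration; the switch commands are the ones named above.

```python
import re

# Commands named in the procedure that write running-config to flash:config.text.
SAVE = {"write memory", "copy run start", "copy running-config startup-config",
        "copy system:running-config flash:config.text"}
# Commands that load a saved configuration into running-config.
RESTORE = re.compile(r"copy (?:flash:(config\.\S+)|startup-config) "
                     r"(?:system:)?running-config$")
RENAME = re.compile(r"rename flash:(\S+) flash:(\S+)$")


def check_recovery_plan(commands):
    """Return [(step, problem)] for a planned fixed-switch recovery sequence."""
    original = "config.text"  # file that currently holds the original config
    restored = False          # original config copied into running-config yet?
    problems = []
    for step, raw in enumerate(commands, 1):
        cmd = " ".join(raw.split())
        if m := RENAME.match(cmd):
            if m.group(1) == original:
                original = m.group(2)
        elif m := RESTORE.match(cmd):
            source = m.group(1) or "config.text"  # startup-config is config.text
            if source == original:
                restored = True
            else:
                problems.append((step, f"{source} does not hold the original configuration"))
        elif cmd.split(" ")[0] == "boot" and original == "config.text":
            problems.append((step, "config.text still in place, saved passwords apply after boot"))
        elif cmd in SAVE and not restored:
            problems.append((step, "save before restore writes the blank running-config to config.text"))
    return problems


# Constructed sample plans (hypothetical operator checklists).
GOOD_PLAN = ["flash_init", "load_helper", "dir flash:",
             "rename flash:config.text flash:config.old", "boot", "enable",
             "rename flash:config.old flash:config.text",
             "copy flash:config.text system:running-config",
             "configure terminal", "write memory"]
BAD_PLAN = ["flash_init", "load_helper",
            "rename flash:config.text flash:config.old", "boot", "enable",
            "rename flash:config.old flash:config.text",
            "copy system:running-config flash:config.text"]  # the reversed copy

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_recovery_plan(plan))
```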

Next time, we’ll do Password Recovery on Modular Switches Running CatOS.

Friday, September 5, 2008

Password Recovery on Cisco Catalyst Switch - Introduction

If you are a LAN Switching engineer and mostly working on Cisco Catalyst Switches, one of the tasks that you should know is Password Recovery. This is something that is very easy to do, but very risky as well.

Easy? Well, Password Recovery is all procedural, and has the same concept in all Cisco Catalyst Switches. Yes, it is very risky too. Especially if you get too confident, and forget to do some verifications... or in my own words - "checkpoints". The worst case scenario when doing password recovery is if you overwrite the saved or start-up configuration file and there's no backup. Nice huh?! =)

For this topic, I've divided it into 3 parts:
  • Password Recovery on Fixed Switches (Small Boxes)
  • Password Recovery on Modular Switches Running CatOS
  • Password Recovery on Modular Switches Running IOS
The last part can actually be divided further into another 3 parts:
  • Password Recovery on 4500 running IOS
  • Password Recovery on Catalyst 6500 with Hybrid IOS (MSFC IOS)
  • Password Recovery on Catalyst 6500 with Native IOS
The reason these 3 are in a single category is that they have a lot of similarities, and we just need to take note of the minor differences.


Concept of Password Recovery

First of all, why do we need to do Password Recovery? Well, it's either you are too old to remember simple passwords, or you've used too many passwords in a short span of time. =P Kidding aside, there are a lot of situations wherein Password Recovery is needed. The best example is when a new network administrator takes over a new network with poor documentation. Password Recovery also enables us to resume management of the Catalyst Switch without resetting to factory default (we don't want to lose the current configuration).

Now, as I said earlier, Password Recovery has the same concept in all Cisco Catalyst Switches (and even with Cisco Routers). In Password Recovery, you actually want to bypass the password set on a Catalyst Switch. Most of the time, we want to bypass both the console and enable-mode (Privileged EXEC) passwords. In order for us to bypass the password, we need to bypass the saved or start-up configuration. Why? Well, the console and enable-mode passwords are actually part of the start-up configuration.

Bypassing the start-up configuration is similar to resetting the Catalyst Switch back to factory default, BUT without losing or overwriting the current configuration. We will actually restore the start-up configuration before we can change or remove the passwords.

The steps on how to bypass the passwords or the start-up configurations are actually the main differences in doing Password Recovery on Fixed Switches, Modular Switches Running CatOS, and Modular Switches Running IOS.


Limitations / Considerations

The main limitation on doing Password Recovery on Cisco Catalyst Switches is that you cannot do it remotely (i.e. telnet). Meaning, you should be physically onsite where the Catalyst Switch is, in order to accomplish the Password Recovery procedures. You need to be directly connected to the Catalyst Switch thru console, and to do some manual work, like doing a cold reboot.

I guess that's all for now, and wait for the next part. =)