Password Recovery on Modular Catalyst Switches (Big Boxes) Running IOS
For this last part, we will then go to the Password Recovery on modular type Catalyst Switches running IOS. This typically applies to the Supervisors of the Catalyst Switches.
These are:
- Cisco Catalyst 4000 (Route Switch Module)
- Cisco Catalyst 4500 (Supervisors 2+, 3, 4, 5, and 6)
- Cisco Catalyst 6500
- Hybrid Mode (IOS on MSFC) or commonly known as Hybrid IOS or MSFC IOS
- Native Mode (IOS on both Supervisor and MSFC) or commonly known as Native IOS
- Applies to all Supervisor models
We can actually further divide this topic into different parts as follows:
- Password Recovery on 4500 running IOS
- Password Recovery on Catalyst 6500 with Hybrid IOS (MSFC IOS)
- Password Recovery on Catalyst 6500 with Native IOS
The main reason these 3 are on a single category is that they have a lot of similarities, and we just need to take note of the minor differences.
Password Recovery on Catalyst Switches running IOS is very similar on how you do Password Recovery on Cisco Routers. The same concept of bypassing the start-up configuration (by setting the Configuration Register to 0x2142 value) applies to Catalyst Switches running IOS.
- Do a cold boot.
- During boot-up, do a break sequence to go to ROMMON mode.
- While in ROMMON, change confreg value to 0x2142.
- Do a reset command, or manually boot a desired image.
- Say NO to initial configuration dialog.
- Type enable to enter Privilege EXEC mode.
- Restore the start-up configuration to the running configuration.
- Change or remove the old passwords.
- Save the changes.
To discuss it in details, the first thing that we need to accomplish is to break into the ROMMON of the Catalyst Switch. Break sequence differs between platforms and the Terminal Emulator being used. From my experience, it is usually either Ctrl+Break for HyperTerminal or Alt+B for TeraTerm.
In Catalyst 4500 Switch, you just need to power cycle it from the power supply unit (PSU). Once it starts its boot sequence, you'll be notified on when you can do a break sequence. Furthermore, the break sequence for Cat4500 IOS Switch is Ctrl+C.
For Catalyst 6500's MSFC IOS, you need go back to the Supervisor side (type Ctrl+C,C,C), and issue the reset 15 or reset 16 command. The command to be used depends on where the Supervisor module is inserted. If Supervisor module is in slot 1, slot 5, or slot7, then use reset 15 (it means that the Supervisor is on the first slot). Otherwise, if Supervisor module is in slot 2, slot 6, or slot8, then use reset 16 (it means that the Supervisor is on the first slot). This command will make the MSFC side (which is referenced as either in slot 15 or 16) to reboot or power cycle.
Afterwards, go back to the MSFC side immediately with a switch console command. Press Enter once in order to see the boot sequence. As soon as you're on the MSFC side again, do the break sequence in order to enter the ROMMON mode.
For Catalyst 6500 running Native IOS, power cycle it just like Cat4500 IOS. But you need to wait for the Supervisor side to boot up properly. Wait for it to change console ownership from Supervisor/Switch Processor (SP) to MSFC/Router Processor (RP). This is usually indicated by a noticeable informational console message. Just wait for it to show the version of the ROMMON, before doing the break sequence.
Once in ROMMON mode, it will be then the same for the 3 different platforms. Just type confreg 0x2142, and press enter. This command will change the configuration register value to 0x2142, which simply means that we're going to bypass any saved configuration once the Catalyst Switch boots up properly.
Note: If you're using one of the latest IOS version for the Cat4500 IOS, you may need to just enter the confreg command, and you'll be asked a few questions that in the end will result to the same configuration register value of 0x2142.
After this, just type reset in order to reload the Catalyst Switch once more. Do not interrupt the boot up sequence with any break sequence. Just let it boot up normally.
Once booted up, just type No when asked if you want to enter the Initial Configuration Dialog. To verify, you can do a show run command to see if it is on default configuration. Compare it with the output of the show start command to see that the saved configuration wasn't really applied to the Catalyst Switch.
You can then proceed in typing enable to enter the Privileged EXEC mode, without any need to enter any passwords. Afterwards, restore the saved configuration to the running configuration by typing copy startup-config running-config command.
To change or remove the password configurations, issue config terminal command to go to the global configuration mode, and then type enable secret to change the secret password, or no enable secret to remove secret password. Also type enable password to change the regular password, or no enable password to remove regular password. You may also want to change or remove telnet (line vty) and console (line console) passwords just like in the Password Recovery for small boxes.
While still in global configuration mode, we need to revert the configuration register value back to 0x2102. This is in order for the Catalyst Switch to automatically load any saved configuration upon boot up on succeeding reloads. To do this, type config-register 0x2102.
Lastly, issue write memory or copy run start to save the configuration with new passwords. This will also save the new configuration register value. And once again, we're done!
I hope this series helps you with all your Password Recovery needs in Catalyst Switches. Free to leave comments for any feedback! =)