Saturday, October 4, 2008

Password Recovery on Cisco Catalyst Switch - Part 3

Password Recovery on Modular Catalyst Switches (Big Boxes) Running IOS

For this last part, we will go through Password Recovery on modular Catalyst Switches running IOS. This typically applies to the Supervisors of the Catalyst Switches.

These are:
  • Cisco Catalyst 4000 (Route Switch Module)
  • Cisco Catalyst 4500 (Supervisors 2+, 3, 4, 5, and 6)
  • Cisco Catalyst 6500
      - Hybrid Mode (IOS on MSFC) or commonly known as Hybrid IOS or MSFC IOS
      - Native Mode (IOS on both Supervisor and MSFC) or commonly known as Native IOS
      - Applies to all Supervisor models

We can actually further divide this topic into different parts as follows:
  • Password Recovery on 4500 running IOS
  • Password Recovery on Catalyst 6500 with Hybrid IOS (MSFC IOS)
  • Password Recovery on Catalyst 6500 with Native IOS
The main reason these 3 are in a single category is that they have a lot of similarities, and we just need to take note of the minor differences.

Password Recovery on Catalyst Switches running IOS is very similar to how you do Password Recovery on Cisco Routers. The same concept of bypassing the start-up configuration (by setting the Configuration Register to the 0x2142 value) applies to Catalyst Switches running IOS.
  1. Do a cold boot.
  2. During boot-up, do a break sequence to go to ROMMON mode.
  3. While in ROMMON, change confreg value to 0x2142.
  4. Do a reset command, or manually boot a desired image.
  5. Say NO to initial configuration dialog.
  6. Type enable to enter Privilege EXEC mode.
  7. Restore the start-up configuration to the running configuration.
  8. Change or remove the old passwords.
  9. Save the changes.
To discuss it in detail, the first thing that we need to accomplish is to break into the ROMMON of the Catalyst Switch. The break sequence differs between platforms and the Terminal Emulator being used. From my experience, it is usually either Ctrl+Break for HyperTerminal or Alt+B for TeraTerm.

On a Catalyst 4500 Switch, you just need to power cycle it from the power supply unit (PSU). Once it starts its boot sequence, you'll be notified when you can do a break sequence. Furthermore, the break sequence for the Cat4500 IOS Switch is Ctrl+C.

For Catalyst 6500's MSFC IOS, you need to go back to the Supervisor side (type Ctrl+C,C,C), and issue the reset 15 or reset 16 command. The command to use depends on where the Supervisor module is inserted. If the Supervisor module is in slot 1, slot 5, or slot 7, then use reset 15 (it means that the Supervisor is on the first slot). Otherwise, if the Supervisor module is in slot 2, slot 6, or slot 8, then use reset 16 (it means that the Supervisor is on the first slot). This command makes the MSFC side (which is referenced as either slot 15 or 16) reboot or power cycle.

Afterwards, go back to the MSFC side immediately with a switch console command. Press Enter once in order to see the boot sequence. As soon as you're on the MSFC side again, do the break sequence in order to enter the ROMMON mode.

For Catalyst 6500 running Native IOS, power cycle it just like the Cat4500 IOS. But you need to wait for the Supervisor side to boot up properly. Wait for it to change console ownership from Supervisor/Switch Processor (SP) to MSFC/Router Processor (RP). This is usually indicated by a noticeable informational console message. Just wait for it to show the version of the ROMMON before doing the break sequence.

Once in ROMMON mode, the steps are the same for the 3 different platforms. Just type confreg 0x2142, and press Enter. This command changes the configuration register value to 0x2142, which simply means that we're going to bypass any saved configuration once the Catalyst Switch boots up properly.

Note: If you're using one of the latest IOS versions for the Cat4500 IOS, you may need to just enter the confreg command, and you'll be asked a few questions that in the end will result in the same configuration register value of 0x2142.

After this, just type reset in order to reload the Catalyst Switch once more. Do not interrupt the boot up sequence with any break sequence. Just let it boot up normally.

Once booted up, just type No when asked if you want to enter the Initial Configuration Dialog. To verify, you can do a show run command to see if it is on default configuration. Compare it with the output of the show start command to see that the saved configuration wasn't really applied to the Catalyst Switch.

You can then proceed to type enable to enter the Privileged EXEC mode, without any need to enter any passwords. Afterwards, restore the saved configuration to the running configuration by typing the copy startup-config running-config command.

To change or remove the password configurations, issue the config terminal command to go to the global configuration mode, and then type enable secret to change the secret password, or no enable secret to remove the secret password. Also type enable password to change the regular password, or no enable password to remove the regular password. You may also want to change or remove telnet (line vty) and console (line console) passwords just like in the Password Recovery for small boxes.

While still in global configuration mode, we need to revert the configuration register value back to 0x2102. This is in order for the Catalyst Switch to automatically load any saved configuration upon boot up on succeeding reloads. To do this, type config-register 0x2102.

Lastly, issue write memory or copy run start to save the configuration with new passwords. This will also save the new configuration register value. And once again, we're done!
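
A switch left at 0x2142 skips its saved configuration, passwords included, on every later reload, so the revert to 0x2102 is worth verifying. As an added example (not part of the original post), this Python check reads the configuration register line from show version output and reports devices still set to bypass startup-config; the host names and sample lines are constructed.

```python
import re

IGNORE_NVRAM = 0x0040  # bit 6: boot without loading the startup configuration
BOOT_FIELD = 0x000F    # bits 0-3: 0x0 stops in ROMMON, 0x2-0xF boot normally

# The bracketed part appears only when config-register was changed since boot.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_confreg(show_version_text):
    """Return (current, next_reload, findings) from show version output."""
    match = CONFREG_RE.search(show_version_text)
    if match is None:
        return None, None, ["no configuration register line found"]
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    findings = []
    if current & IGNORE_NVRAM:
        findings.append("running a recovery boot: startup-config was not loaded")
    if pending & IGNORE_NVRAM:
        findings.append("next reload will skip startup-config again")
    if (pending & BOOT_FIELD) == 0:
        findings.append("next reload will stop in ROMMON")
    return current, pending, findings

# Constructed sample lines, one per hypothetical device.
SAMPLES = {
    "sw-a": "Configuration register is 0x2102",
    "sw-b": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "sw-c": "Configuration register is 0x2142",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        current, pending, findings = audit_confreg(text)
        print(host, hex(current), hex(pending), findings or "ok")
```

Here sw-b is mid-recovery with the revert already entered, while sw-c would come up unconfigured again after its next reload.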

I hope this series helps you with all your Password Recovery needs in Catalyst Switches. Feel free to leave comments for any feedback! =)

Saturday, September 27, 2008

Password Recovery on Cisco Catalyst Switch - Part 2

Password Recovery on Catalyst Switches Running CatOS

Although there haven't been any new Cisco Catalyst Switch platforms running CatOS, there's still a large customer base for the existing models. Just to note some of those that are still around:
  • Cisco Catalyst 2948G
  • Cisco Catalyst 2980G
  • Cisco Catalyst 4000 (Supervisors 1 and 2)
  • Cisco Catalyst 5000 (the whole line is already or nearing EOL)
  • Cisco Catalyst 6500 - Hybrid Mode (CatOS on Supervisor and IOS on MSFC). Applies to all Supervisor models
In CatOS Password Recovery, it is best that you know the whole picture, or all of the steps, first before you even try it. Why? Well, there's only a 30-second window to perform the CatOS Password Recovery upon boot up of a Catalyst Switch running CatOS.
  1. Do a cold boot.
  2. Wait for the Catalyst Switch to fully boot up.
  3. Press Enter key at least once.
  4. Type enable, and then press Enter key.
  5. Type set ena, and press Enter 4 times.
  6. Type set pass, and press Enter 4 times.
  7. Configure new passwords, or leave them as NULL (or none).
Now to discuss it further, the first thing that you want to do is to cold boot (power off and then on) the Catalyst Switch. This is needed for the CatOS Password Recovery to work (it won't work on a reloaded, or warm boot, Catalyst Switch). Afterwards, you just need to wait for it to fully boot up again (which will take around 2-3 minutes).

After the boot up, take note that you will only have a 30-second window to perform the rest of the steps. The reason behind this is that there's no password configuration applied to the Catalyst Switch running CatOS within the first 30 seconds after boot up. With that, we can go beyond the console login, and the enable (Privileged EXEC) mode, without a need to type any password. Furthermore, the password is actually set to NULL within this timeframe, or similar to typing nothing.

So, as soon as you see the prompt for the console password, press Enter once and you'll see the Switch prompt. Just type enable and press Enter again, and you'll be inside the Privileged EXEC mode. Afterwards, you can now change the console and enable passwords to whatever you want. But in order to save time, you can set them to NULL for the meantime.

Note: In case these steps didn't work as expected, it may only mean that you're already outside the 30-second window, and need to start from scratch again.

To change the enable password, type set pass and press Enter. You'll then be asked for the old password (which will be NULL for now) so you just need to press Enter again. The next two prompts will ask you to type a new password and to retype/confirm the new password. Just press Enter for these since we just want it to be set to NULL in order to make the 30-second window.

To change the console password, just do the same steps as for changing the enable password, but this time, use the set ena command instead.

After this part, you're done with the CatOS Password Recovery. You just need to do the set pass and set ena commands again in order to change the console and enable passwords to whatever you want. This time, you can leisurely do it without any time limit to consider. Easy eh? =)

Saturday, September 6, 2008

Password Recovery on Cisco Catalyst Switch - Part 1

Password Recovery on Fixed Switches (Small Boxes)

For starters, here's a list of what I consider as Fixed Catalyst Switches or Small Boxes:
  • Cisco Catalyst 2900XL / 3500XL
  • Cisco Catalyst 2950
  • Cisco Catalyst 3500
  • Cisco Catalyst 2940
  • Cisco Catalyst 2960
  • Cisco Catalyst 2970
  • Cisco Catalyst 3560
  • Cisco Catalyst 3750
Now, here's a simplified view of the procedures of Password Recovery on Small Boxes:
  1. Power off the Catalyst Switch.
  2. Hold down the MODE button before powering up again.
  3. Go to switch: prompt.
  4. Initialize the flash memory.
  5. Rename the configuration file.
  6. Manually boot up the IOS image.
  7. Skip initial configuration dialog.
  8. Go to Privileged EXEC (or enable) mode.
  9. Restore the old configuration file name.
  10. Restore the configuration to the Catalyst Switch.
  11. Change or remove configured passwords.
  12. Save configuration changes.
Note: It is assumed that you are already connected to the switch thru a console cable, and seeing console output from a terminal emulator application like HyperTerminal in Windows.

In more detail, the Catalyst Switch can be powered off by unplugging the power cable. Then, hold down the MODE button before reconnecting the power cable to the Catalyst Switch again. You can release the MODE button only when the STAT LED or the first port LED stops blinking or goes out. From the CLI (thru HyperTerminal), you should see the switch: prompt.

At the switch: prompt, initialize the internal flash memory of the Catalyst Switch by issuing the flash_init command. Afterwards, issue the load_helper command. You can then check the content of the flash memory by issuing the dir flash: command, and look for the configuration file - config.text. Just type rename flash:config.text flash:config.old to change the name of the configuration file. This step is to ensure that the Catalyst Switch won't recognize any saved or startup configuration upon boot up.

In Fixed Switches, although there's still a start-up configuration file on the NVRAM, the actual configuration is saved on the flash memory with the default name, config.text. You can actually change the default name to something else thru the global configuration mode when the Catalyst Switch is properly booted up.

After the renaming, issue the boot command to boot the first image in the flash memory. Or specify an image name by using the boot flash:(image name) command instead. After boot up, the System Configuration Dialog will show up. Just type No when asked if you want to continue with the initial configuration dialog. Then, issue the enable command. This is the actual point of bypassing the password: if the configuration had been loaded (with a password applied), you could not actually go to the Privileged EXEC or enabled mode.

You can then restore the original name of the configuration file by typing rename flash:config.old flash:config.text. Then, type copy flash:config.text system:running-config to restore the configuration to the running configuration of the Catalyst Switch. You can actually use a shortcut to do both steps with a single command. You can use copy flash:config.old system:running-config instead.

Note: Be sure that you use the copy flash:config.text system:running-config command (or copy startup-config running-config) and not the reverse, which is copy system:running-config flash:config.text (or copy running-config startup-config). If you do the reverse, you'll be overwriting the original configuration, which leads to a bigger problem.

To change or remove the password configurations, issue the configure terminal command to go to the global configuration mode, and then type enable secret to change the secret password, or no enable secret to remove the secret password. Also type enable password to change the regular password, or no enable password to remove the regular password. You can also change or remove telnet (line vty) and console (line console) passwords by using the following commands:

For telnet:

Switch(config)#line vty 0 15
Switch(config-line)#password <new-password>
Switch(config-line)#login

For console:

Switch(config-line)#line con 0
Switch(config-line)#password <new-password>
Switch(config-line)#login

Lastly, issue write memory or copy run start to save the configuration with new passwords. And we’re done! =)
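
Added example, not from the original post: a Python check to run over the saved configuration after the recovery, confirming that an enable secret exists and that every console and vty line ended up with both password and login. The sample configuration and its hash values are constructed placeholders.

```python
import re

LINE_RE = re.compile(r"^line (con|aux|vty) \d+( \d+)?$")

def audit_line_passwords(config_text):
    """Return findings about enable and line passwords in an IOS configuration."""
    findings = []
    lines = config_text.splitlines()
    if not any(l.startswith("enable secret ") for l in lines):
        weak = any(l.startswith("enable password ") for l in lines)
        findings.append("enable: only 'enable password' is set" if weak
                        else "enable: no enable secret or password")
    # Group the indented sub-commands under each "line ..." header.
    blocks, current = {}, None
    for l in lines:
        if LINE_RE.match(l):
            current = l
            blocks[current] = []
        elif current and l.startswith(" "):
            blocks[current].append(l.strip())
        else:
            current = None
    for name, cmds in blocks.items():
        if any(c.startswith(("login local", "login authentication")) for c in cmds):
            continue  # authenticated by usernames or AAA, not the line password
        has_pw = any(c.startswith("password ") for c in cmds)
        has_login = "login" in cmds
        if has_pw and not has_login:
            findings.append(f"{name}: password set but 'login' missing, so it is never asked")
        elif has_login and not has_pw:
            findings.append(f"{name}: 'login' without a password")
        elif not has_pw:
            findings.append(f"{name}: no password and no login check")
    return findings

# Constructed sample: vty 0 4 was fixed during recovery, vty 5 15 was missed.
SAMPLE_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue
line con 0
 password 7 0000000000
 login
line vty 0 4
 password 7 0000000000
 login
line vty 5 15
 no login
"""

if __name__ == "__main__":
    print("\n".join(audit_line_passwords(SAMPLE_CONFIG)))
```

The sample reports only line vty 5 15, the range that is missed when the line password is applied to vty 0 4 instead of vty 0 15.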

Next time, we’ll do Password Recovery on Modular Switches Running CatOS.