Password Recovery for Catalyst 6000 Series Switches Running Native IOS

Contents

Introduction

This document describes the password recovery procedure for the Catalyst 6000 series switches running Native IOS. Because of the operating system being run on the switch, the switch is actually configured like a router. The password recovery procedure follows the same steps as a Cisco 7200, except that you have to wait about 25 seconds longer before starting the break sequence.

The boot sequence is different on the Catalyst 6000 running Native IOS because the hardware is different. After you power cycle the box, the switch processor (SP) boots up first, then after a short amount of time (around 25 seconds) it transfers console ownership to the route processor (RP (MSFC)), which then continues loading the bundled software image. It is crucial that you press Ctrl-brk just after the SP has given over control of the console to the RP. If you send the break sequence too early, you will end up in the ROMMON of the SP, which is not where you should be. Send the break sequence after you see the following message on the console:

00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

After this point, the password recovery is the same as a normal router.

Note: From this point on in the document, we will refer to the Catalyst 6000 series switch running IOS software as a router.

Step-by-Step Procedure

  1. Attach a terminal or PC with terminal emulation to the console port of the router. Use the following terminal settings:
    • 9600 baud rate
    • No parity
    • 8 data bits
    • 1 stop bit
    • No flow control

  2. If you still have access to the router, issue the show version command, and record the setting of the configuration register. It is usually 0x2102 or 0x102. Click here to see the output of a show version command.
  3. If you don't have access to the router (because of a lost login or TACACS password), you can safely consider that your configuration register is set to 0x2102.
  4. Using the power switch, turn off the router and then turn it back on.
  5. Press Break on the terminal keyboard right after the RP is given control of the console port. Remember, on the Catalys 6000 running Native IOS first the SP boots, and then after it has booted it turns control over to the RP. After the RP gains control, you want to initiate the break sequence. You can tell that the RP has gained control of the console port when you see the following message. Do not initiate the break sequence until you see this message: 
    00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

    From this point on, the password recovery procedure is the same as for any other router. If the break sequence doesn't work, refer to the Possible Key Combinations for Break Sequence During Password Recovery for other key combinations.

  6. Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.
  7. Type reset at the rommon 2> prompt.

    The router reboots, but ignores its saved configuration.

  8. Type no after each setup question or press Ctrl-C to skip the initial setup procedure.
  9. Type enable at the Router> prompt.

    You'll be in enable mode and see the Router# prompt.

  10. Important: Issue the config mem or copy start running commands to copy the Nonvolatile RAM (NVRAM) into memory. Do not issue the config term command.
  11. Issue the wr term or show running commands.

    The show running and wr term commands show the configuration of the router. In this configuration, you see under all the interfaces the shutdown command, which means that all the interfaces are currently shutdown. Also, you can see the passwords either in encrypted or unencrypted format.

  12. Issue the config term command to enter global configuration mode and make the changes.

    The prompt is now hostname(config)#.

  13. Issue the enable secret <password> in global configuration mode to change the enable password.
  14. Issue the config-register 0x2102 command, or the value you recorded in Step 2 in global configuration mode ( Router(config)# ) in order to set the configuration value back to its original value.
  15. You may also want to change the virtual terminal passwords, if present: 
    Router(config)#line vty 0 4
Router(config-line)#password cisco
Router(config-line)#^Z
Router#
  16. Issue the no shutdown command on every interface that is normally in use.You can issue a show ip interface brief command to see a list of interfaces and their current status. You must be in enable mode (Router#) to execute the show ip interface brief command. Here is an example for one interface: 
    Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Prol
Vlan1                      172.17.10.10    YES TFTP   administratively down dow 
Vlan10                     10.1.1.1        YES TFTP   administratively down dow 
GigabitEthernet1/1         unassigned      YES unset  administratively down dow 
GigabitEthernet1/2         unassigned      YES TFTP   administratively down dow 
GigabitEthernet2/1         unassigned      YES TFTP   administratively down dow 
GigabitEthernet2/2         unassigned      YES TFTP   administratively down dow 
FastEthernet3/1            172.16.84.110   YES TFTP   administratively down dow 
<snip>...

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 3/1
Router(config-if)#no shutdown 
Router(config-if)#exit
Router(config)# <do other interfaces as necessary...>
  17. Press Ctrl-z to leave the configuration mode.

    The prompt is now hostname#.

  18. Issue the write mem or copy running startup commands to commit the changes.

Example of Password Recovery Procedure

The example below shows an actual password recovery procedure. We created this example using a Catalyst 6000 series switch. We begin with the show version and show module commands to let you see what components we are using in this example. 

Press RETURN to get started.

Router>enable
Password: 

Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup1_rp Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, data-base: 0x6165E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(6)E, EARLY DEPLOYMENT RE)

Router uptime is 14 minutes
System returned to ROM by power-on (SP by reload)
System image file is "sup-bootflash:c6sup11-jsv-mz.121-6.E"

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
2 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

Router#
Router#show module
Slot Ports Card Type                                 Model                 Serial Number
---- ----- ----------------------------------------- --------------------- -----------
 1     2   Cat 6000 sup 1 Enhanced QoS (active)      WS-X6K-SUP1A-2GE      SAD043301JS   
 2     2   Cat 6000 sup 1 Enhanced QoS (standby)     WS-X6K-SUP1A-2GE      SAD03510114   
 3    48   48 port 10/100 mb RJ45                    WS-X6348-RJ-45        SAD04230FB6   
 6    24   24 port 10baseFL                          WS-X6024-10FL-MT      SAD03413322   

Slot MAC addresses                      Hw    Fw           Sw
---- ---------------------------------- ----- ------------ ----------
 1   00d0.c0d2.5540 to 00d0.c0d2.5541   3.2   unknown      6.1(0.105)OR
 2   00d0.bcf1.9bb8 to 00d0.bcf1.9bb9   3.2   unknown      6.1(0.105)OR
 3   0002.7ef1.36e0 to 0002.7ef1.370f   1.1   5.3(1) 1999- 6.1(0.105)OR
 6   00d0.9738.5338 to 00d0.9738.534f   0.206 5.3(1) 1999- 6.1(0.105)OR

Router#
Router#reload
Proceed with reload? [confirm]

!--- Here is where you would turn off the power and then turn it back on.
!--- We were able to get by with a reload here instead of a hard power-cycle.

00:15:28: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging.

00:15:27: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (admin reque)
00:15:28: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (admin reque)
00:15:28: %C6KPWR-SP-4-DISABLED: power to module in slot 6 set off (admin reque)
00:15:28: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor

00:15:28: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure co.

00:15:30: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging.


***
*** --- SHUTDOWN NOW ---
***

00:15:30: %SYS-SP-5-RELOAD: Reload requested
00:15:30: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor



00:15:30: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure co.

00:15:31: %OIR-SP-6-REMCARD: Card removed from slot 1, interfaces disabled

!--- First, the switch processor is coming up.

System Bootstrap, Version 5.3(1)
Copyright (c) 1994-1999 by cisco Systems, Inc.
c6k_sup1 processor with 65536 Kbytes of main memory

Autoboot executing command: "boot bootflash:c6sup11-jsv-mz.121-6.E"

Self decompressing the image : ################################################]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           Cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_sp Software (c6sup1_sp-SPV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:52 by eaarmas
Image text-base: 0x60020950, database: 0x605FC000

Start as Primary processor

00:00:03: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging ou.

00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

!--- The RP now has control of the console.
!--- This is when we send the break sequence.

System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
Copyright (c) 1998 by cisco Systems, Inc.

*** Address Error (Load/Fetch) Exception ***
Access address = 0x5e
PC = 0x5e, Cause = 0x10, Status Reg = 0x3040d003
ROM Monitor Can Not Recover From Exception
A Board Reset Is Issued

*** Software NMI ***
PC = 0xbfc0b6b0, SP = 0x00002a90
Cat6k-MSFC platform with 131072 Kbytes of main memory


Self decompressing the image : ################################################]

*** System received an abort due to Break Key ***
signal= 0x3, code= 0x0, context= 0x6049ed68
PC = 0x601011ac, Cause = 0x20, Status Reg = 0x34008002

!--- We are now in ROMMON mode on the RP, and can continue the password
!--- recovery procedure just as on any router. Changing the configuration
!--- register from 0x2102 to 0x2142 will cause the router to ignore the existing
!--- configuration. We want it to be ignored because it has passwords that we do not
!--- know.

rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect
rommon 2 > reset 

System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
Copyright (c) 1998 by cisco Systems, Inc.
Cat6k-MSFC platform with 131072 Kbytes of main memory


Self decompressing the image : ################################################]

Attempt to download 'sup-bootflash:c6sup11-jsv-mz.121-6.E' ... okay
Starting download of 'sup-bootflash:c6sup11-jsv-mz.121-6.E': 8722810 bytes!!!!!!
Chksum: Verified!
Self decompressing the image : ################################################]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           Cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_RP Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by Cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, database: 0x6165E000

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
1 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of nonvolatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

!--- The router ignored our saved configuration and entered 
!--- the initial configuration mode.

Press RETURN to get started!


00:00:03: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure conso.

00:00:04: %C6KPWR-4-PSINSERTED: power supply inserted in slot 1.
00:00:04: %C6KPWR-4-PSOK: power supply 1 turned on.
00:02:08: %SYS-SP-5-RESTART: System restarted --
Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_SP Software (c6sup1_sp-SPV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:52 by eaarmas
00:02:13: L3-MGR: l2 flush entry installed
00:02:13: L3-MGR: l3 flush entry installed
00:02:14: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software 
IOS (TM) c6sup1_RP Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by Cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
00:02:17: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (admin reque)
00:02:18: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
00:02:18: %C6KPWR-SP-4-ENABLED: power to module in slot 6 set on
00:02:28: sm_set_moduleFwVersion:  nonexistent module (1)
00:02:38: %SNMP-5-MODULETRAP: Module 1 [Up] Trap
00:02:38: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
00:02:56: %SNMP-5-MODULETRAP: Module 6 [Up] Trap
00:02:56: %OIR-SP-6-INSCARD: Card inserted in slot 6, interfaces are now online
00:02:59: SP: SENDING INLINE_POWER_DAUGHTERCARD_MSG SCP MSG

00:02:59: %SNMP-5-MODULETRAP: Module 3 [Up] Trap
00:02:59: %OIR-SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
Router>enable
Router#

!--- Notice that we go right into privilege mode without needing a password!
!--- At this point, the configuration is running-config is a default configuration
!--- with all the ports administratively down (shutdown).

Router#copy startup-config running-config
Destination filename [running-config]? <press enter>

!--- This pulls in our original configuration. Since we are already in privilege
!--- mode, the passwords in this configuration (that we don't know) will not affect us.

4864 bytes copied in 2.48 secs (2432 bytes/sec)
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable secret cisco

!--- Overwrite the password that we don't know. This will be our new enable password.

Router(config)#^Z
Router#
Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Prol
Vlan1                      172.17.10.10    YES TFTP   administratively down dow 
Vlan10                     10.1.1.1        YES TFTP   administratively down dow 
GigabitEthernet1/1         unassigned      YES unset  administratively down dow 
GigabitEthernet1/2         unassigned      YES TFTP   administratively down dow 
GigabitEthernet2/1         unassigned      YES TFTP   administratively down dow 
GigabitEthernet2/2         unassigned      YES TFTP   administratively down dow 
FastEthernet3/1            172.16.84.110   YES TFTP   administratively down dow 
<snip>...

!--- Issue the no shut command on all interfaces that you want to bring up.

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 3/1
Router(config-if)#no shutdown 
Router(config-if)#exit

!--- You may want to overwrite the virtual terminal passwords as well. 
!--- Use a something that you know.

Router(config)#line vty 0 4
Router(config-line)#password cisco
Router(config-line)#^Z
Router#

!--- Now, let's restore the configuration register to its normal state so that it
!--- will no longer ignore the stored configuration file.

Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup1_rp Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, data-base: 0x6165E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(6)E, EARLY DEPLOYMENT RE)

Router uptime is 7 minutes
System returned to ROM by power-on (SP by reload)
System image file is "sup-bootflash:c6sup11-jsv-mz.121-6.E"

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
2 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2142

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#config-register 0x2102
Router(config)#^Z
Router#

!--- Verify that the configuration register was changed for the next reload,

Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup1_rp Software (c6sup1_rp-JSV-M), Version 12.1(6)E, EARLY DEPLOYME)
TAC Support: http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 17-Mar-01 00:14 by eaarmas
Image text-base: 0x60020950, data-base: 0x6165E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(6)E, EARLY DEPLOYMENT RE)

Router uptime is 8 minutes
System returned to ROM by power-on (SP by reload)
System image file is "sup-bootflash:c6sup11-jsv-mz.121-6.E"

Cisco Catalyst 6000 (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04281AF6
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
24 Ethernet/IEEE 802.3 interface(s)
2 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2142 (will be 0x2102 at next reload)
Router#
Router#copy running-config startup-config
Destination filename [startup-config]? <press enter>
Building configuration...
[OK]
Router#

!--- Optional: If you want to test that the router will still come up
!--- correctly and that you have changed the passwords, then you can
!--- reload and test.

Router#reload

Proceed with reload? [confirm] <press enter>

 All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved.