Password Recovery / Password Reset Procedure for Catalyst 3750-X & 3560-X Switches - Single or Stack Member Configuration

Article Reads:200782

This article shows how to reset a password on a Cisco Catalyst 3750-X (stacked or single unit) and Cisco Catalyst 3560-x switch without losing its startup configuration. The Cisco password recovery procedure involves interrupting the switch’s normal boot procedure, renaming the flash:config.text (that’s the startup-config file for switches) to something else e.g flash:config.text.old so that the configuration file is skipped during bootup.

Once the switch has loaded its operating system we can enter privileged-exec mode, rename back the flash:config.text.old to flash:config.text (startup-config), copy the startup-config file to memory (DRAM), make the necessary password changes and save the configuration.

Password Recovery – Reset Procedure

The procedure described below assumes the password recovery mechanism is enabled (by default, it is) and there is physical access to the switch or stack (3750-X only).

Note: If this procedure is being performed on a 3750-X stack, it is important to understand that all switches participating in the stack should be powered off and only the Master switch is powered on when initiating the password recovery procedure. The Master switch can be easily identified by searching for the switch with the green “Master” LED on.

Step 1

On a 3750-X switch, Power off the entire stack or standalone switch. On a Catalyst 3560-X switch, power off the switch. Connect your console cable to the switch – 3750-X Master or the standalone switch.

Step 2

Reconnect the power to the switch (standalone 3750-X or 3750-X) or stack master (3750-X stack only). Within 10 seconds, press and hold the Mode button while the System LED is flashing green. After the System LED turns amber and then solid green, release the Mode button.

If the process has been followed correctly, the following message should be displayed:

The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system and finish loading the operating system software:

flash_init

load_helper

boot

Step 3

Now initialize the flash file system, rename the startup configuration file (config.text) and boot the IOS:

switch: flash_init

Initializing Flash...

mifs[2]: 12 files, 1 directories

mifs[2]: Total bytes : 2097152

mifs[2]: Bytes used : 755200

mifs[2]: Bytes available : 1341952

mifs[2]: mifs fsck took 2 seconds.

mifs[3]: 0 files, 1 directories

.......

mifs[6]: 455 files, 8 directories

mifs[6]: Total bytes : 57671680

mifs[6]: Bytes used : 42235904

mifs[6]: Bytes available : 15435776

mifs[6]: mifs fsck took 48 seconds.

...done Initializing Flash.

Now search for the startup configuration file (config.text) and rename it:

switch: dir flash:

Directory of flash:/

2 -rwx 118939 <date> config.text

3 -rwx 5656 <date> vlan.dat

4 drwx 512 <date> c3750e-universalk9-mz.122-58.SE1

459 -rwx 3833 <date> private-config.text

460 -rwx 117555 <date> config.text.backup

461 -rwx 3833 <date> private-config.text.backup

462 -rwx 20437248 <date> c3750e-universalk9-mz.150-2.SE8.bin

463 -rwx 15384 <date> multiple-fs

15435776 bytes available (42235904 bytes used)

switch: rename flash:config.text flash:config.text.old

We can now boot the switch IOS:

switch: boot

"flash:/c3750e-universalk9-mz.1502.SE8.bin" ...@@@@@@@@@@@@@@@@@@@@@@@@@@ <output omitted>

POST: PortASIC RingLoopback Tests : Begin

POST: PortASIC RingLoopback Tests : End, Status Passed

extracting front_end/front_end_ucode_info (309 bytes)

SM: Detected stack cables at PORT1 PORT2

Waiting for Stack Master Election...

SM: Waiting for other switches in stack to boot...

######################################################

Election Complete

Switch 1 booting as Master

Waiting for Port download...Complete

Step 4

At this point, the switch has booted bypassing its configuration file. At the prompt, type enable to enter privileged exec mode and rename back the config.text.old file:

Switch> enable
Switch# rename flash:config.text.old flash:config.text

3750-X Note: At this point, power on any 3750-X stack members and wait until they are loaded. This is a very important step to ensure no configuration is lost.

Step 5

Finally, load the startup configuration of the master or standalone switch to memory and make the necessary changes to the enable secret / password or user account in question:

Switch# copy flash:config.text system:running-config

Source filename [config.text]? (hit enter)

Destination filename [running-config]? (hit enter)

Wait a moment as the switch copies the configuration file to its DRAM memory.

3750-X-Stack1# configure terminal

3750-X-Stack1 (config) # enable secret Firewall.cx!

If you require to change the password to an account e.g admin, use the following command:

3750-X-Stack1 (config) # username admin privilege 15 secret Firewall.cx4831!
3750-X-Stack1 (config) # exit

Step 6

Depending on the switch model and configuration, it is possible that after executing the password recovery procedure VLAN interfaces might be in a shutdown state. Issue the show running-config command and search for any shutdown command under the vlan interfaces. If found, enter the interface and issue the no shutdown command to ensure the interface is enabled.

When done, save your configuration and reload the switch or stack:

3750-X-Stack1 (config) # copy running-config startup-config

3750-X-Stack1 (config) # exit

3750-X-Stack1 # reload

Summary

This article showed in detailed steps the password recovery process for Cisco Catalyst 3560-X and 3750-X switches including standalone or stacked 3750-Xs. We explained how to safely gain access to the switch configuration and change the enable/secret password and/or administrator user accounts passwords. More technical and security articles on Catalyst switch can be found at our Cisco Catalyst Switches Section.