This article shows how to reset a password on a Cisco Catalyst 3750-X (stacked or single unit) and Cisco Catalyst 3560-X switch without losing its startup configuration. The Cisco password recovery procedure involves interrupting the switch's normal boot procedure and renaming flash:config.text (the startup-config file on switches) to something else, e.g. flash:config.text.old, so that the configuration file is skipped during bootup.
Once the switch has loaded its operating system, we can enter privileged-exec mode, rename flash:config.text.old back to flash:config.text (startup-config), copy the startup-config file to memory (DRAM), make the necessary password changes and save the configuration.
Password Recovery – Reset Procedure
The procedure described below assumes the password recovery mechanism is enabled (by default, it is) and there is physical access to the switch or stack (3750-X only).
Note: If this procedure is being performed on a 3750-X stack, it is important to understand that all switches participating in the stack should be powered off and only the Master switch is powered on when initiating the password recovery procedure. The Master switch can be easily identified by searching for the switch with the green “Master” LED on.
On a 3750-X switch, power off the entire stack or standalone switch. On a Catalyst 3560-X switch, power off the switch. Connect your console cable to the switch (the 3750-X Master or the standalone switch).
Reconnect the power to the switch (standalone 3750-X or 3560-X) or stack master (3750-X stack only). Within 10 seconds, press and hold the Mode button while the System LED is flashing green. After the System LED turns amber and then solid green, release the Mode button.
If the process has been followed correctly, the following message should be displayed:
The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system and finish loading the operating system software:
Now initialize the flash file system, then rename the startup configuration file (config.text) and boot the IOS. Start by initializing flash:
switch: flash_init
mifs: 12 files, 1 directories
mifs: Total bytes : 2097152
mifs: Bytes used : 755200
mifs: Bytes available : 1341952
mifs: mifs fsck took 2 seconds.
mifs: 0 files, 1 directories
mifs: 455 files, 8 directories
mifs: Total bytes : 57671680
mifs: Bytes used : 42235904
mifs: Bytes available : 15435776
mifs: mifs fsck took 48 seconds.
...done Initializing Flash.
Now search for the startup configuration file (config.text) and rename it:
switch: dir flash:
Directory of flash:/
2 -rwx 118939 <date> config.text
3 -rwx 5656 <date> vlan.dat
4 drwx 512 <date> c3750e-universalk9-mz.122-58.SE1
459 -rwx 3833 <date> private-config.text
460 -rwx 117555 <date> config.text.backup
461 -rwx 3833 <date> private-config.text.backup
462 -rwx 20437248 <date> c3750e-universalk9-mz.150-2.SE8.bin
463 -rwx 15384 <date> multiple-fs
15435776 bytes available (42235904 bytes used)
switch: rename flash:config.text flash:config.text.old
We can now boot the switch IOS:
switch: boot
"flash:/c3750e-universalk9-mz.1502.SE8.bin" ...@@@@@@@@@@@@@@@@@@@@@@@@@@ <output omitted>
POST: PortASIC RingLoopback Tests : Begin
POST: PortASIC RingLoopback Tests : End, Status Passed
extracting front_end/front_end_ucode_info (309 bytes)
SM: Detected stack cables at PORT1 PORT2
Waiting for Stack Master Election...
SM: Waiting for other switches in stack to boot...
Switch 1 booting as Master
Waiting for Port download...Complete
At this point, the switch has booted, bypassing its configuration file. At the prompt, type enable to enter privileged-exec mode and rename the config.text.old file back to config.text:
Switch# rename flash:config.text.old flash:config.text
3750-X Note: At this point, power on any 3750-X stack members and wait until they are loaded. This is a very important step to ensure no configuration is lost.
Finally, load the startup configuration of the master or standalone switch to memory and make the necessary changes to the enable secret / password or user account in question:
Switch# copy flash:config.text system:running-config
Source filename [config.text]? (hit enter)
Destination filename [running-config]? (hit enter)
Wait a moment as the switch copies the configuration file to its DRAM memory.
3750-X-Stack1# configure terminal
3750-X-Stack1(config)# enable secret Firewall.cx!
If you need to change the password of an account, e.g. admin, use the following command:
3750-X-Stack1(config)# username admin privilege 15 secret Firewall.cx4831!
3750-X-Stack1(config)# exit
Depending on the switch model and configuration, VLAN interfaces might be in a shutdown state after the password recovery procedure. Issue the show running-config command and search for any shutdown command under the VLAN interfaces. If found, enter the interface and issue the no shutdown command to ensure the interface is enabled.
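The VLAN interface check described above can be scripted against saved show running-config output. The following is an added example, not part of the original article: the sample configuration is constructed, the function names are hypothetical, and the extra check for credentials set with password rather than secret goes beyond the article's step.

```python
import re

# Constructed sample of `show running-config` output (not from the article).
SAMPLE_CONFIG = """\
hostname 3750-X-Stack1
!
enable secret 5 $1$CONSTRUCTED$hashvalue
enable password legacy-cleartext
!
username admin privilege 15 secret 5 $1$CONSTRUCTED$hashvalue
username backup privilege 15 password 0 cleartext-example
!
interface GigabitEthernet1/0/1
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 shutdown
!
end
"""

def shutdown_vlan_interfaces(config):
    """Return names of 'interface Vlan<N>' stanzas that contain 'shutdown'."""
    found, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level line ends the stanza
            m = re.match(r"interface (Vlan\d+)\s*$", line, re.IGNORECASE)
            current = m.group(1) if m else None
        elif current and line.strip() == "shutdown":   # 'no shutdown' does not match
            found.append(current)
    return found

def weak_credential_lines(config):
    """Return lines that set enable/user credentials with 'password', not 'secret'."""
    pat = re.compile(r"^(enable password\b|username \S+ .*\bpassword\b)")
    return [line for line in config.splitlines() if pat.match(line)]

if __name__ == "__main__":
    print("VLAN interfaces shut down:", shutdown_vlan_interfaces(SAMPLE_CONFIG))
    print("Credentials not using 'secret':", weak_credential_lines(SAMPLE_CONFIG))
```

Compare the reported interfaces against the intended design before issuing no shutdown, since some VLAN interfaces may have been disabled on purpose.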
When done, save your configuration and reload the switch or stack:
3750-X-Stack1# copy running-config startup-config
3750-X-Stack1# reload
This article showed, in detailed steps, the password recovery process for Cisco Catalyst 3560-X and 3750-X switches, including standalone or stacked 3750-Xs. We explained how to safely gain access to the switch configuration and change the enable secret / password and/or administrator user account passwords. More technical and security articles on Catalyst switches can be found in our Cisco Catalyst Switches Section.