Cisco: Password Recovery and Factory Reset of Cisco Catalyst 2960/2900-series

Password Recovery Procedure

Not surprisingly, the instructions for Cisco Password Recovery Procedure are found readily on the internet via any search engine. On this page, one merely needs to scroll down to the particular product series and click the respective link. We are interesting in the documentation for Password Recovery of the Cisco Catalyst Layer 2 fixed configuration switches 2900XL/3500XL, 2940, 2950/2955, 2960, and 2970 Series, as well as the Cisco Catalyst Layer 3 fixed configuration switches 3550, 3560, and 3750 Series.

To start the password recovery procedure for the Catalyst 2950, just follow the instructions in the link above. Or the abbreviated version here:

  1. Unplug the switch
  2. Press and hold the “Mode” button while plugging in the switch
  3. Release the “Mode” button once the “Stat” stops blinking green (~5 sec)
  4. At this point the terminal display should yield the following prompt:
  5. Enter the command:
  6. The switch will say “Initializing Flash…” and run for a bit. At the prompt, type:
  7. The command prompt will return immediately, then type:
    (yes, you need to enter the colon (:) after the word “flash”)
  8. This will give you a directory listing of the flash storage. Type:
  9. The “config.text” file in the “flash:” storage contains the password information. By renaming the “config.text” file to “config.old”, we are effectively removing the switch configuration file and making a backup of it. (In case we need it for later.)
  10. Once this is done, Restart the switch. Type:
  11. The switch will reboot and a bunch of start-up text will scroll by and eventually show:
  12. Enter “n” at the prompt to abort the initial configuration dialog.
  13. Then press the Enter or Return key on your keyboard to get started.
  14. Your system now has NO password protecting it.

Reset a switch running Cisco IOS Software to factory defaults

Now that we have unfettered access to the switch console, we can reset the switch to factory defaults. There is a document for this on Cisco’s website called Resetting Catalyst Switches to Factory Defaults. The short version of this is as follows:

  1. Enter “enable” mode by typing:
  2. The console prompt should change from “switch>” to “switch#” to signify this.
  3. To reset the switch to factory default, issue the erase startup-config or write erase command. The document’s example shows it using the following command:
  4. The switch may prompt for confirmation, type “y” (no Enter key needed, oddly)
  5. After erasing the NVRAM file system, reload the system:
  6. Again, the system may prompt for confirmation, type “y” (Enter key needed this time)
  7. The system will reload and prompt to “enter the initial configuration dialog?” again. type “n” (Enter key needed)
  8. Back at the command prompt, enter “enable” mode again.
  9. Show the VLAN config, by typing:
  10. After showing the VLAN configuration, we can delete the “vlan.dat” file from flash:

    Alternatively, you can backup the vlan.dat file by renaming it to vlan.old, like we did with the config.text file.

  11. Once the deletion of the “vlan.dat” file has been confirmed, “reload” the system.

And that’s it!

Your Cisco Catalyst 2950 switch is now restored to factory defaults.

Next problem! Now access to SSH or Web Management of this switch does not work.

Access to Console does not require credentials, but SSH and Web Management does.

So first you need to create an account: (example: Username: cisco, Password: cisco), ofcourse you are gonna do this on console

(config)#username cisco password 0 cisco

Enable AAA local authentication

(config)#aaa new-model

(config)#aaa authentication login default local

Create a dummy domain-name, and generate an RSA key for it.

(config)#ip domain-name test.test

(config)#cry key generate rsa
The name for the keys will be: SPAN_SWITCH.test.test
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: (press enter)
% Generating 512 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 1 seconds)

(config)#ip ssh time-out 60

(config)#ip ssh authentication-retries 5

(config)#line vty 5 15

(config-line)#transport input ssh

To enable Web Management, you must have a privileged account and http authentication local enabled

(config)#ip http authentication local

(config)#ip http server

And that’s it! Really.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s