Recovering a Cisco secret password.

In the beginning, god created monkey…

Recovering secret passwords on Cisco Catalyst 2900, 3500XL, 2940, 2950, 2955, and 3550 switches.

So you read the article about creating longer, more secure passwords, then ran out to all your Catalyst switches and promptly changed every enable secret to make them more secure. But fat fingers meant that you mistyped that wonderful new password on three of your eight switches, and now you can’t get back in to make changes.

Ah, to be young and stupid… or in my case, old and stupid  🙂

There is a light at the end of the tunnel, and it comes in the form of an abridged version of Cisco’s own documentation on how to recover secret passwords. If you want the original document you will have to get it off my server. To recover the password you will have to be connected to the console port of the Cisco switch using the following port settings:

9600 baud, 8 data bits, no parity, 1 stop bit, and Xon/Xoff flow control

Bear in mind that this is exactly what anyone with physical access to the console port can do, so an enable secret is only as safe as the rack the switch sits in.

Power OFF the unit, then hold down the MODE button and power UP the unit again (keep MODE held down!!)

  • On a 2900, 3500XL or 3550 release the MODE button after the 1x port LED goes out.
  • On a 2940 or 2950 switch, release the MODE button after the STAT light goes out.
  • On a 2955, press the break key (ctrl-break on Windows) when you see the message that the switch will autoboot.

Notice that the switch reports:

password-recovery mechanism is enabled

If it reports that the mechanism is disabled instead, someone has configured no service password-recovery on that switch. This procedure will not get you back in; the only option is to reset the switch to factory defaults, which wipes the configuration.

Once booted, you should see the following prompt:

switch:

Initialise the flash storage.

flash_init

Load any boot helper images.

load_helper

Display the contents of the switch flash.

dir flash:

Rename the config.text file so that the switch boots without its startup configuration (and without the enable secret you can no longer type).

rename flash:config.text flash:config.backup

Boot the switch.

boot

Once the system image is booted, you will be asked if you want to enter the initial configuration dialog. Answer NO and press Enter.

Enable privileged commands.

en or enable

Rename the config.backup file.

rename flash:config.backup flash:config.text

Copy config.text to the running configuration.

copy flash:config.text system:running-config

Enter global configuration mode.

configure terminal or config t

Remove the existing secret password.

no enable secret

Create a new secret password. The 0 tells IOS that the password which follows is typed in clear text; it is stored in the configuration as a one-way hash, never in the clear.

enable secret 0 newpassword

Exit out of global configuration.

exit

Check the new settings.

show running

If everything is OK, copy running configuration to the startup configuration.

copy running-config startup-config

If you’ve done everything right you should have changed the enable secret password. Test it by logging out then back in. Remember that everything else in config.text, including any enable password, line passwords and local usernames, came back exactly as it was, so if any of those were mistyped as well they need the same treatment.
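Added example, not from the original page or from Cisco’s documentation: a small Python script that audits a config.text (the config.backup copy made above is a handy input) for every credential it carries, so you know what else came back along with the enable secret. It decodes type 7 strings with the well-known reversible key IOS uses, which shows why an enable password or a line password offers no protection next to the one-way enable secret that forced this whole procedure. The config it runs over is a constructed sample; the type 5 hashes in it are placeholders, the type 7 strings are genuine encodings.

```python
"""Audit a Cisco IOS config.text for the credentials it carries.

Added example, not from the original page or from Cisco. Runs over the
constructed SAMPLE_CONFIG below; the type 5 hashes in it are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS type 7 "encryption" key. Public knowledge, which is why type 7 is not protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


@dataclass
class Credential:
    scope: str                # "global", "line vty 0 4", "username ops"
    kind: str                 # "enable secret", "enable password", "secret", "password"
    ptype: int                # IOS password type: 0 clear, 5 MD5 one-way, 7 reversible
    stored: str               # the string exactly as it appears in config.text
    cleartext: Optional[str]  # recovered value for type 0/7, None for one-way hashes

    @property
    def reversible(self) -> bool:
        return self.ptype in (0, 7)


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of key offset, then hex bytes,
    each XORed with the key byte at (offset + position) mod key length."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    raw = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(raw)).decode("ascii")


_ENABLE = re.compile(r"^enable (secret|password)(?: (\d+))? (\S+)$")
_USER = re.compile(r"^username (\S+)(?: privilege \d+)? (secret|password)(?: (\d+))? (\S+)$")
_LINE = re.compile(r"^line (.+)$")
_LINE_PW = re.compile(r"^ password(?: (\d+))? (\S+)$")


def _credential(scope: str, kind: str, ptype: Optional[str], stored: str) -> Credential:
    t = int(ptype) if ptype else 0      # no type digit means clear text (type 0)
    if t == 0:
        clear = stored
    elif t == 7:
        clear = decode_type7(stored)
    else:
        clear = None                    # type 5/8/9: one-way hash, hence the MODE-button dance
    return Credential(scope, kind, t, stored, clear)


def audit(config_text: str) -> List[Credential]:
    """Walk the config line by line, tracking which 'line ...' section we are inside."""
    found: List[Credential] = []
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            scope = "global"            # any top-level command ends a line section
        m = _LINE.match(line)
        if m:
            scope = "line " + m.group(1)
            continue
        m = _ENABLE.match(line)
        if m:
            found.append(_credential("global", "enable " + m.group(1), m.group(2), m.group(3)))
            continue
        m = _USER.match(line)
        if m:
            found.append(_credential("username " + m.group(1), m.group(2), m.group(3), m.group(4)))
            continue
        m = _LINE_PW.match(line)
        if m and scope.startswith("line "):
            found.append(_credential(scope, "password", m.group(1), m.group(2)))
    return found


# Constructed sample config.text. Hashes are placeholders; the type 7 strings are real encodings.
SAMPLE_CONFIG = """\
!
version 12.1
hostname sw-lab-3
!
enable secret 5 $1$SAMP$placeholder.not.a.real.hash
enable password 7 0822455D0A16
!
username admin privilege 15 secret 5 $1$SAMP$placeholder.not.a.real.hash
username ops password 7 0215015819031B
!
interface FastEthernet0/1
 description uplink
!
line con 0
 password lab123
 login
line vty 0 4
 password 7 0215015819031B
 login
!
end
"""


if __name__ == "__main__":
    for c in audit(SAMPLE_CONFIG):
        state = ("RESET ME, recoverable: %s" % c.cleartext) if c.reversible else "one-way hash"
        print("%-14s %-16s type %d  %s" % (c.scope, c.kind, c.ptype, state))
```

Run it against a real config by replacing SAMPLE_CONFIG with the contents of config.text pulled off the switch (copy flash:config.text tftp:, or just paste show running-config). Anything it flags as recoverable is a credential that a rename of config.text never protected in the first place; those should become secret (type 5) entries or local usernames with secret, and the type 7 lines should go.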