CCIE Pursuit Blog

June 29, 2007

Completely Clearing a Cisco Switch…Kinda

Filed under: Home Lab,IOS,Switching,Work — cciepursuit @ 5:10 pm

I found this post on the excellent Cisco Blog:

Completely Clearing a Cisco Switch…The Easy Way!

Clearing out a Cisco switch configuration is always a pain because VLANs are kept in a separate file from the startup-config (NVRAM). There are two ways to clear a switch back to the factory defaults – the easy way and the REALLY easy way:

The easy way

Switch# write erase
Switch# delete flash:vlan.dat
Switch# reload

The REALLY easy way

Hold the “mode” button on the front of the switch for 10 seconds. The lights will blink then go solid – the switch completely wipes all configuration and then reboots. Obviously, this method only works on stackable switches as the chassis based switches do not have mode buttons.

Comments

Umm, is it me or is this not a terribly great feature. I know physical security is part of maintaining a secure environment, but this kind of kicks that higher up the requirements chain.

Anyone know of a way of disabling this ‘feature’?

Posted by: Scared at May 20, 2007 7:21 PM

In my experience this does not wipe the switch at all, it just renames the configfiles and reboots.

“no setup express” disables the button.

Posted by: ior at May 25, 2007 3:08 PM 

Let’s attempt to replicate this on a 3560 and see what happens.

Let’s go ahead and add some VLANs, VTP configuration, and descriptions on the first 5 interfaces:
Switch(config)#vtp domain CISCO
Changing VTP domain name from NULL to CISCO
Switch(config)#vtp mode server
Device mode already VTP SERVER.
Switch(config)#vtp password PASSWORD
Setting device VLAN database password to PASSWORD
Switch(config)#int range fa0/1 - 5
Switch(config-if-range)#desc -> I like beer!!!
Switch(config-if-range)#vlan 2-10,13,69
Switch(config-vlan)#^Z
Switch#sh vtp
00:07:19: %SYS-5-CONFIG_I: Configured from console by consolestatus
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9C 0x62 0xCB 0xFE 0xB7 0x89 0x4A 0xB8
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:19
Local updater ID is 0.0.0.0 (no valid interface found)
Switch#sh vlan sum
Number of existing VLANs           : 16
 Number of existing VTP VLANs      : 16
 Number of existing extended VLANs : 0

Switch#sh int desc
Interface                      Status         Protocol Description
Vl1                            admin down     down
Fa0/1                          down           down     -> I like beer!!!
Fa0/2                          down           down     -> I like beer!!!
Fa0/3                          down           down     -> I like beer!!!
Fa0/4                          down           down     -> I like beer!!!
Fa0/5                          down           down     -> I like beer!!!

and the hostname 🙂

Switch(config)#hostname sw1
sw1(config)#^Z
sw1#
00:08:10: %SYS-5-CONFIG_I: Configured from console by console
sw1#write
Building configuration…
[OK]

Now let’s take a look at the flash:
sw1#sh flash

Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text

15998976 bytes total (9540608 bytes free)

Let’s go ahead and hold the mode button for 10 seconds:

As I hold the mode button – STAT, DUPLX, SPEED, and PoE lights blink together and then go solid.  I stop pushing the mode button at that point.

Notice this message after I release the mode button:
sw1#
00:09:18: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram
00:09:18: %EXPRESS_SETUP-6-CONFIG_IS_RESET: The configuration is reset and the system will now reboot
00:09:19: %SYS-5-RELOAD: Reload requested

The switch comes back up:
Switch uptime is 2 minutes
System returned to ROM by power-on

Switch#sh start
startup-config is not present
Switch#sh flash

Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text.renamed
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text.renamed

15998976 bytes total (9540608 bytes free)

The VTP configuration is still intact (due to vlan.dat not being deleted):
Switch#sh vtp statu
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9C 0x62 0xCB 0xFE 0xB7 0x89 0x4A 0xB8
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:19
Local updater ID is 0.0.0.0 (no valid interface found)
Switch#sh vlan sum
Number of existing VLANs           : 16
 Number of existing VTP VLANs      : 16
 Number of existing extended VLANs : 0

Interesting.  The startup-configuration is blown away but still appears in flash, albeit with “renamed” tacked on the end.  The vlan.dat file is still present, so we retain our VTP settings.  The private-config.text* file has also been retained, but with “renamed” appended to it as well. 

* According to this page, the private-config.text file is used by Cisco devices to store things like crypto private keys.

Let’s remove the “renamed” portion of the config.text file and restore our startup-configuration:

Switch#rename flash:config.text.renamed flash:config.text
Destination filename [config.text]?

Switch#sh start
Using 3485 out of 524288 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 description -> I like beer!!!
 no ip address
 no mdix auto
!
interface FastEthernet0/2
 description -> I like beer!!!
 no ip address
 no mdix auto
…..

So config.text.renamed is the old startup config.  It’s good to know that this is still around.  We can just rename it and then do “copy start run”:

Switch#copy start run
%% Non-volatile configuration memory invalid or not present

Zoiks!!!  Maybe not! 🙂

Let’s rename the private-config file and see if that helps.

Switch#$h:private-config.text.renamed flash:private-config.text
Destination filename [private-config.text]?
Switch#sh flash

Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text

15998976 bytes total (9540608 bytes free)

Switch#copy start run
%% Non-volatile configuration memory invalid or not present

Nope.  Interesting.  Well, a reload ought to do the trick:

Switch#reload
Proceed with reload? [confirm]

00:27:04: %SYS-5-RELOAD: Reload requested
And it works:

sw1>en
sw1#sh run
Building configuration…

Current configuration : 3512 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 description -> I like beer!!!
 no ip address
……

Okay.  Let’s see if we can turn this behavior off by configuring “no setup express”:

sw1(config)#no setup ?
  express  Configure whether express setup mode is enabled

sw1(config)#no setup express

Let’s see what’s in flash and then write the config:
sw1#sh flash

Directory of flash:/

    2  -rwx        3378   Mar 01 1993 00:06:38  config.text
    3  -rwx           5   Mar 01 1993 00:06:38  private-config.text
    4  -rwx         976   Mar 01 1993 00:10:31  vlan.dat
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9541120 bytes free)
sw1#write
Building configuration…
[OK]
sw1#

Now let’s hold the mode button and see what happens.

Not a damned thing!!! 🙂  I held the mode button down and all it ever did was move the light from STAT to DUPLX.

I would say that “no setup express” is a great command to throw into your base configuration for all of your switches.  While holding down the mode button until the lights are solid will default your configuration, that configuration will not be lost and your vlan.dat file will not be deleted (your VTP configuration will persist).  At least on the 3560, this is not a method that will achieve the same results as write erase, delete flash:vlan.dat, reload.

For comparison, here’s what happens when we do those three steps:

sw1#sh flash

Directory of flash:/

    2  -rwx           5   Mar 01 1993 00:11:59  private-config.text
    4  -rwx         976   Mar 01 1993 00:10:31  vlan.dat
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3555   Mar 01 1993 00:11:59  config.text

15998976 bytes total (9541120 bytes free)
sw1#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
sw1#sh fla
00:16:59: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram

Write erase deletes “private-config.text” and “config.text” from flash:
sw1#sh flash

Directory of flash:/

    4  -rwx         976   Mar 01 1993 00:10:31  vlan.dat
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9545216 bytes free)
sw1#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
sw1#sh flash

Directory of flash:/

    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9546240 bytes free)
sw1#sh start
startup-config is not present
sw1#reload

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

00:18:44: %SYS-5-RELOAD: Reload requested
….

After the reload:
Switch>en
Switch#sh flash

Directory of flash:/

    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9546240 bytes free)


To summarize: Resetting the switch with the mode button will not achieve the same result as deleting the vlan.dat, doing a “write erase”, and then reloading the switch.  It will blow away your startup-configuration, but the good news is that you can easily recover that file (along with the private-config.text file) and restore your configuration by just renaming a couple of files and reloading.  I would strongly recommend disabling this “feature” by using the “no setup express” command in your switch’s configuration.  There is no reason to allow someone to blow away your switch’s configuration by simply pressing a button. 🙂
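An added example in Python (not code from this post or from Cisco) that turns the evidence shown above into a check a defender can run: it parses “show flash” output in the layout the post shows, flags the “.renamed” files and the %EXPRESS_SETUP-6-CONFIG_IS_RESET console message as signs of a mode-button reset, produces the rename-and-reload recovery the post performed, and audits a config for “no setup express”. The sample flash listing and log lines are constructed; that an enabled express setup is not printed in the config (only its “no” form is) is my assumption.

```python
"""Spot a Catalyst mode-button (express setup) reset from the artefacts the post
shows, and audit a config for 'no setup express'.  Sample inputs are constructed."""
import re

# Constructed 'show flash' output in the layout the post shows after the reset.
SHOW_FLASH_AFTER_RESET = """Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text.renamed
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text.renamed

15998976 bytes total (9540608 bytes free)
"""

# Constructed console log; the middle line is the message the post captured.
SYSLOG = [
    "00:09:18: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram",
    "00:09:18: %EXPRESS_SETUP-6-CONFIG_IS_RESET: The configuration is reset "
    "and the system will now reboot",
    "00:09:19: %SYS-5-RELOAD: Reload requested",
]

# One 'show flash' entry: index, permissions, size, date/time, name
FLASH_ENTRY = re.compile(
    r"^\s*\d+\s+([-d][rwx-]{3})\s+(\d+)\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$")

def parse_show_flash(text):
    """Map each regular file in 'show flash' output to its size; directories skipped."""
    files = {}
    for line in text.splitlines():
        m = FLASH_ENTRY.match(line)
        if m and not m.group(1).startswith("d"):
            files[m.group(3)] = int(m.group(2))
    return files

def assess_flash(files):
    """Classify flash contents in terms of the states the post walks through."""
    renamed = sorted(f for f in files if f.endswith(".renamed"))
    return {
        "mode_button_reset": bool(renamed),            # express setup renames, never erases
        "startup_config_present": "config.text" in files,
        "vlan_database_present": "vlan.dat" in files,  # VTP/VLANs survive the button
        "recoverable_files": renamed,
        # The recovery the post performed: rename both files back, then reload
        "recovery_commands": [f"rename flash:{f} flash:{f[:-len('.renamed')]}" for f in renamed]
        + (["reload"] if renamed else []),
    }

def reset_events(lines):
    """Return the console/syslog lines that record an express-setup reset."""
    return [line for line in lines if "%EXPRESS_SETUP-6-CONFIG_IS_RESET" in line]

def express_setup_enabled(running_config):
    """True unless 'no setup express' is in the config (assumption: the enabled
    default is not printed, only its negation is)."""
    return re.search(r"^no setup express\s*$", running_config, re.M) is None
```

Feed it a real “show flash” capture and a config pulled from each switch to find units that were reset by the button and units that still have express setup enabled.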

16 Comments »

  1. This was great! I was always scared of this feature, now, i know what to do with it. good job! – Masood, another CCIE wannabe!

    Comment by Masood — July 20, 2007 @ 8:53 pm | Reply

  2. WOW it is a great feature i loved it

    Comment by kamlesh sharma — August 20, 2007 @ 3:24 am | Reply

  3. On many of my switches, 3750, 3500XL, etc, pressing and holding the mode button down is simply how to get into the config to reset it, recover password, etc. It does nothing to erase the files, at least with a console cable attached. It gets you in so you can modify the files without it loading them.

    Comment by fred — August 20, 2007 @ 1:22 pm | Reply

  4. One question – what if the switch/router malfunction (cannot load firmware), and i need to wipe my config data (sensitive IPs, hostnames, etc) before doing a 1-to-1 exchange w/ the vendor?

    Comment by jon — August 28, 2007 @ 3:30 am | Reply

  5. Good question Jon. Unfortunately I don’t know the answer. If the IOS were corrupt, then it is possible that the config.txt file could still be unaffected. If someone were able to repair the IOS, then they could access the config.txt file (after performing password recovery) and see your configuration. If you are unable to fix the IOS and you are worried about this scenario, then I would suggest opening up your box and removing/replacing the flash memory before shipping it off to your vendor.

    Comment by cciepursuit — August 28, 2007 @ 9:11 am | Reply

  6. Do the mode button thing. The light will blink 8 times and go solid.
    Then do this:
    flash_init
    load_helper
    del flash:config.text
    y
    del flash:vlan.dat
    y
    boot

    Comment by MC Escher — October 18, 2007 @ 7:51 am | Reply

  7. cciepursuit –

    You said: “There is no reason to allow someone to blow away your switch’s configuration by simply pressing a button.”

    Respectfully, if you are in a very large production environment that uses a switched network with thousands of individual switches physically spread throughout the network; you will spend a surprising amount of time needing to do manual IOS upgrades and config “blowaways” before RMA. (sending the switch back for R&R)
    It is a useful feature to have. Also, in spite of the fact that probably 90% of the switches were physically accessible by pretty much anybody, including thousands of students; we never had a problem with people using that feature. Even though many of the high schools had Cisco programs and, presumably; kids who therefore knew about the trick.
    Finally, if I have physical access to your equipment and I want to harm it, all I really need is a 9 volt battery. If I want to get really high tech, I can attach an RJ-45 connector to a 9-volt battery post set.
    Which, BTW… is a good trick if you have something you want to RMA because it has a “ghost” problem that you can never pin down.

    Comment by MC Escher — October 18, 2007 @ 8:00 am | Reply

  8. “Respectfully, if you are in a very large production environment that uses a switched network with thousands of individual switches physically spread throughout the network; you will spend a surprising amount of time needing to do manual IOS upgrades and config “blowaways” before RMA. (sending the switch back for R&R)”

    I do work in a very large enterprise with thousands of switches. We very rarely do manual IOS upgrades because we have life cycle management systems (like CiscoWorks) to push upgrades. If we had to do manual upgrades, that job by itself would require a dedicated engineer(or more).

    I don’t understand your point about doing manual IOS upgrades and config “blowaways” before RMAing a switch. If a switch is down hard and TAC tells me to muck with the IOS, I would tell them to get bent. If there’s a recurring error and they suggest an IOS change, I would first ask for a bug code and then I would only entertain the IOS change if I had more than one of the same switch model (we run a common IOS version per device type) exhibiting the same behavior (in a similar production environment). “Upgrade the IOS” is a favorite method of TAC to blow you off when they don’t know (or don’t want to know) what the real problem is. I can only remember one recent bug that was fixed by an IOS upgrade. We had a number of devices that would only show 2 lines of config (5 bytes total) when issuing a “show run”. This occurred across a number of the same type of switches. Upgrading the IOS code did fix this.

    You state that it’s a useful feature to have, but don’t provide an example. I guess that if a switch is completely locked up and you can get a body on site to hold the button, it might be useful. You’d have a defaulted switch with a copy of the old startup config (config.text.renamed). You’re still going to need to get someone with a rollover cable and a laptop (or use a dial up device connected to the console port) to troubleshoot because your IP address is going to be blown away. We keep hot spares on site so that we can just replace a flaky switch and troubleshoot it later.

    I still think that enabling this feature on switches without physical security is just asking for trouble. If you’re running default settings on your ports then it’s probably not a big issue. If you’re running NAC and QoS and disabling VLAN 1 (our common config) then this feature is basically a point of failure waiting to be exposed.

    I do like the idea of melting a switch port (does it kill the ASIC as well?) with a 9 volt battery though. I have a couple of 2950s that I might try this on this weekend. 🙂

    Comment by cciepursuit — October 18, 2007 @ 10:05 am | Reply

  9. Hello-

    I apologize if this is question has an obvious answer, but I’m curious if there is any information on instances of configuration information being recovered from the flash (or anywhere else) in a returned unit even after the process you describe in the “Easy Way”? I’m developing disposal procedures from a high security environment where every HDD that leaves the facility is degaussed and I want to make sure I’m not missing anything with our network equipment. Thanks

    jcd

    Comment by jcd — February 20, 2008 @ 11:34 am | Reply

  10. Does this disable the button all together? Or just from doing that funky reload?

    I’m wondering if you’d still be able to perform a password recovery?

    Comment by Paul — February 24, 2008 @ 10:34 pm | Reply

  11. Let’s see…

    Env_Vars

    I did not see you mention how to clear env_vars in your very written and thought out paper.

    It’s simple and it is often overlooked. But if you change your MTU of the switch, and in doing labs we do this sometimes, it is a useful thing to know how to clear.

    Just delete the file from your flash will work but just in case.

    Comment by Darby Weaver — August 16, 2008 @ 5:03 am | Reply

  12. Disabling this does NOT disable the password recovery.

    For security’s sake, you need to disable password recovery AND setup express, but for idiot-proofing’s sake, just disabling setup express will prevent you from running around with your laptop after some janitor decides to play with your switches.

    Comment by zztopping — December 19, 2008 @ 3:49 pm | Reply

  13. Thanks Mate

    I learned something today

    cheers

    Comment by veday — April 1, 2009 @ 6:59 pm | Reply
