CCIE Pursuit Blog

June 29, 2007

Completely Clearing a Cisco Switch…Kinda

Filed under: Home Lab,IOS,Switching,Work — cciepursuit @ 5:10 pm

I found this post on the excellent Cisco Blog:

Completely Clearing a Cisco Switch…The Easy Way!

Clearing out a Cisco switch configuration is always a pain because VLANs are kept in a seperate file from the startup-config (NVRAM). There’s two ways to clear a switch back to the factory defaults – the easy way and the REALLY easy way:

The easy way
-

Switch# write erase
Switch# delete flash:vlan.dat
Switch# reload

The REALLY easy way -

Hold the “mode” button on the front of the switch for 10 seconds. The lights will blink then go solid – the switch completely wipes all configuration and then reboots. Obviously, this method only works on stackable switches as the chassis based switches do not have mode buttons.

Comments

Umm, is it me or is this not a terribly great feature. I know physical security is part of maintaining a secure environment, but this kind of kicks that higher up the requirements chain.

Any know of a way of disabling this ‘feature’?

Posted by: Scared at May 20, 2007 7:21 PM

In my experience this does not wipe the switch at all, it just renames the configfiles and reboots.

“no setup express” disables the button.

Posted by: ior at May 25, 2007 3:08 PM 

Let’s attempt to replicate this on a 3560 and see what happens.

Let’s go ahead and add some vlans, vtp config, and some descriptions on the first 5 interfaces:
Switch(config)#vtp domain CISCO
Changing VTP domain name from NULL to CISCO
Switch(config)#vtp mode server
Device mode already VTP SERVER.
Switch(config)#vtp password PASSWORD
Setting device VLAN database password to PASSWORD
Switch(config)#int range fa0/1 – 5
Switch(config-if-range)#desc -> I like beer!!!
Switch(config-if-range)#vlan 2-10,13,69
Switch(config-vlan)#^Z
Switch#sh vtp
00:07:19: %SYS-5-CONFIG_I: Configured from console by consolestatus
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9C 0x62 0xCB 0xFE 0xB7 0x89 0x4A 0xB8
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:19
Local updater ID is 0.0.0.0 (no valid interface found)
Switch#sh vlan sum
Number of existing VLANs           : 16
 Number of existing VTP VLANs      : 16
 Number of existing extended VLANs : 0

Switch#sh int desc
Interface                      Status         Protocol Description
Vl1                            admin down     down
Fa0/1                          down           down     -> I like beer!!!
Fa0/2                          down           down     -> I like beer!!!
Fa0/3                          down           down     -> I like beer!!!
Fa0/4                          down           down     -> I like beer!!!
Fa0/5                          down           down     -> I like beer!!!

and the hostname :)

Switch(config)#hostname sw1
sw1(config)#^Z
sw1#
00:08:10: %SYS-5-CONFIG_I: Configured from console by console
sw1#write
Building configuration…
[OK]

Now let’s take a look at the flash:
sw1#sh flash

Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text

15998976 bytes total (9540608 bytes free)

Let’s go ahead and hold the mode button for 10 seconds:

As I hold the mode button – STAT, DUPLX, SPEED, and PoE lights blink together and then go solid.  I stop pushing the mode button at that point.

Notice this message after I release the mode button:
sw1#
00:09:18: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram
00:09:18: %EXPRESS_SETUP-6-CONFIG_IS_RESET: The configuration is reset and the system will now reboot
00:09:19: %SYS-5-RELOAD: Reload requested

The switch comes back up:
Switch uptime is 2 minutes
System returned to ROM by power-on

Switch#sh start
startup-config is not present
Switch#sh flash

Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text.renamed
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text.renamed

15998976 bytes total (9540608 bytes free)

The VTP configuration is still intact (due to vlan.dat not being deleted):
Switch#sh vtp statu
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9C 0x62 0xCB 0xFE 0xB7 0x89 0x4A 0xB8
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:19
Local updater ID is 0.0.0.0 (no valid interface found)
Switch#sh vlan sum
Number of existing VLANs           : 16
 Number of existing VTP VLANs      : 16
 Number of existing extended VLANs : 0

Interesting.  The startup-configuration is blown away but still appears in flash, albeit with “renamed” tacked on the end.  The vlan.dat file is still present, so we retain our VTP settings.  The private-config.text* file has also been retained, but with “renamed” appended to it as well. 

* According to this page, the private-config.text file is used by Cisco devices to store things like crypto private keys.

Let’s remove the “renamed” portion of the config.text file and restore our startup-configuration:

Switch#rename flash:config.text.renamed flash:config.text
Destination filename [config.text]?

Switch#sh start
Using 3485 out of 524288 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 description -> I like beer!!!
 no ip address
 no mdix auto
!
interface FastEthernet0/2
 description -> I like beer!!!
 no ip address
 no mdix auto
…..

So the config.text.renamed is the startup config.  It’s good to know that this is still around.  We can just rename it and then do “copy start run”

Switch#copy start run
%% Non-volatile configuration memory invalid or not present

Zoiks!!!  Maybe not! :-)

Let’s rename the private-config file and see if that helps.

Switch#$h:private-config.text.renamed flash:private-config.text
Destination filename [private-config.text]?
Switch#sh flash

Directory of flash:/

    2  -rwx        1216   Mar 01 1993 00:07:19  vlan.dat
    3  -rwx           5   Mar 01 1993 00:08:26  private-config.text
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3485   Mar 01 1993 00:08:26  config.text

15998976 bytes total (9540608 bytes free)

Switch#copy start run
%% Non-volatile configuration memory invalid or not present

Nope.  Interesting.  Well a reload ought to do the trick

Switch#reload
Proceed with reload? [confirm]

00:27:04: %SYS-5-RELOAD: Reload requested
And it works:

sw1>en
sw1#sh run
Building configuration…

Current configuration : 3512 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 description -> I like beer!!!
 no ip address
……

Okay.  Let’s see if we can turn this behavior off by configuring “no express setup”:

sw1(config)#no setup ?
  express  Configure whether express setup mode is enabled

sw1(config)#no setup express

Let’s see what’s in flash and then write the config:
sw1#sh flash

Directory of flash:/

    2  -rwx        3378   Mar 01 1993 00:06:38  config.text
    3  -rwx           5   Mar 01 1993 00:06:38  private-config.text
    4  -rwx         976   Mar 01 1993 00:10:31  vlan.dat
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9541120 bytes free)
sw1#write
Building configuration…
[OK]
sw1#

Now let’s hold the mode button and see what happens.

Not a damned thing!!! :-)  I held the mode button down and all it ever did was move the light from STAT to DUPLX.

I would say that “no express setup” is a great command to throw into your base configuration for all of your switches.  While holding down the mode button until the lights are solid will default your configuration, that configuration will not be lost and your vlan.dat file will not be deleted (your vtp configuration will persist).  At least on the 3560, this is not a method that will acheive the same results as write erase, delete flash:vlan.dat, reload.

For comparison, here’s what happens with when we do these steps:

sw1#sh flash

Directory of flash:/

    2  -rwx           5   Mar 01 1993 00:11:59  private-config.text
    4  -rwx         976   Mar 01 1993 00:10:31  vlan.dat
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d
   85  -rwx        3555   Mar 01 1993 00:11:59  config.text

15998976 bytes total (9541120 bytes free)
sw1#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
sw1#sh fla
00:16:59: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram

Write erase deletes “private-config.text” and “config.txt” from flash:
sw1#sh flash

Directory of flash:/

    4  -rwx         976   Mar 01 1993 00:10:31  vlan.dat
    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9545216 bytes free)
sw1#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
sw1#sh flash

Directory of flash:/

    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9546240 bytes free)
sw1#sh start
startup-config is not present
sw1#reload

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

00:18:44: %SYS-5-RELOAD: Reload requested
….

After the reload:
Switch>en
Switch#sh flash

Directory of flash:/

    5  drwx         192   Mar 01 1993 00:05:28  c3560-i9-mz.121-19.EA1d

15998976 bytes total (9546240 bytes free)


To summarize: Resetting the switch will not acheive the same result as deleting the vlan.dat, doing a “write erase”, and then reloading the switch.  It will blow away your startup-configuration, but the good news is that you can easily recover that file (along with the private-config.text file) and restore your configuration by just renaming a couple of files and reloading.  I would strongly recommend disabling this “feature” by using the “no express setup” command in your switch’s configuration.  There is no reason to allow someone to blow away your switch’s configuration by simply pressing a button. :-)

About these ads

16 Comments »

  1. Thsi was great! I was always scared of this feature, now, iknow what to do with it. good job! – Masood, another CCIE wannabe!

    Comment by Masood — July 20, 2007 @ 8:53 pm | Reply

  2. WOW it is a great feature i loved it

    Comment by kamlesh sharma — August 20, 2007 @ 3:24 am | Reply

  3. On many of my switches, 3750, 3500XL, etc, pressing and holding the mode button down is simply how to get into the config to reset it, recover password, etc. It does nothing to erase the files, at least with a console cable attached. It gets you in so you can modify the files without it loading them.

    Comment by fred — August 20, 2007 @ 1:22 pm | Reply

  4. One question – what if the switch/router malfunction (cannot load firmware), and i need to wipe my config data (sensitive IPs, hostnames, etc) before doing a 1-to-1 exchange w/ the vendor?

    Comment by jon — August 28, 2007 @ 3:30 am | Reply

  5. Good question Jon. Unfortunately I don’t know the anwser. If the IOS were corrupt, then it is possible that the config.txt file could still be unaffected. If someone were able to repair the IOS, then they could access the config.txt file (after performing password recovery) and see your configuration. If you are unable to fix the IOS and you are worried about this scenario, then I would suggest opening up your box and removing/replacing the flash memory before shipping it off to your vendor.

    Comment by cciepursuit — August 28, 2007 @ 9:11 am | Reply

  6. Do the mode button thing. The light will blink 8 times and go solid.
    Then do this:
    flash_init
    load_helper
    del flash:config.text
    y
    del flash:vlan.dat
    y
    boot

    Comment by MC Escher — October 18, 2007 @ 7:51 am | Reply

  7. cciepursuit –

    You said: “There is no reason to allow someone to blow away your switch’s configuration by simply pressing a button.”

    Respectfully, if you are in a very large production environment that uses a switched network with thousands of individual switches physically spread throughout the network; you will spend a surprising amount of time needing to do manual IOS upgrades and config “blowaways” before RMA. (sending the switch back for R&R)
    It is a useful feature to have. Also, in spite of the fact that probably 90% of the switches were physically accessible by pretty much anybody, including thousands of students; we never had a problem with people using that feature. Even though many of the high schools had Cisco programs and, presumably; kids who therefore knew about the trick.
    Finally, if I have physical access to your equipment and I want to harm it, all I really need is a 9 volt battery. If I want to get really high teach, I can attach an RJ-45 connector to a 9-volt battery post set.
    Which, BTW… is a good trick if you have something you want to RMA because it has a “ghost” problem that you can never pin down.

    Comment by MC Escher — October 18, 2007 @ 8:00 am | Reply

  8. “Respectfully, if you are in a very large production environment that uses a switched network with thousands of individual switches physically spread throughout the network; you will spend a surprising amount of time needing to do manual IOS upgrades and config “blowaways” before RMA. (sending the switch back for R&R)”

    I do work in a very large enterprise with thousands of switches. We very rarely do manual IOS upgrades because we have life cycle management systems (like CiscoWorks) to push upgrades. If we had to do manual upgrades, that job by itself would require a dedicated engineer(or more).

    I don’t understand your point about doing manual IOS upgrades and config “blowaways” before RMAing a switch. If a switch is down hard and TAC tells me to muck with the IOS, I would tell them to get bent. If there’s a recurring error and they suggest an IOS change, I would first ask for a bug code and then I would only entertain the IOS change if I had more than one of the same switch model (we run a common IOS version per device type) exhibiting the same behavior (in a similar production environment). “Upgrade the IOS” is a favorite method of TAC to blow you off when they don’t know (or don’t want to know) what the real problem is. I can only remember one recent bug that was fixed by an IOS upgrade. We had a number of devices that would only show 2 lines of config (5 bytes total) when issuing a “show run”. This occurred across a number of the same type of switches. Upgrading the IOS code did fix this.

    You state that it’s a useful feature to have, but don’t provide an example. I guess that if a switch is completely locked up and you can get a body on site to hold the button, it might be useful. You’d have a defaulted switch with a copy of the old startup config (config.text.renamed). You’re still going to need to get someone with a rollover cable and a laptop (or use a dial up device connected to the console port) to troubleshoot because your IP address is going to be blown away. We keep hot spares on site so that we can just replace a flaky switch and troubleshoot it later.

    I still think that enabling this feature on switches without physical security is just asking for trouble. If you’re running default settings on your ports then it’s probably not a big issue. If you’re running NAC and QoS and disabling VLAN 1 (our common config) then this feature is basically a point of failure waiting to be exposed.

    I do like the idea of melting a switch port (does it kill the ASIC as well?) with a 9 volt battery though. I have a couple of 2950s that I might try this on this weekend. :-)

    Comment by cciepursuit — October 18, 2007 @ 10:05 am | Reply

  9. Hello-

    I apologize if this is question has an obvious answer, but I’m curious if there is any information on instances of configuration information being recovered from the flash (or anywhere else) in a returned unit even after the process you describe in the “Easy Way”? I’m developing disposal procedures from a high security environment where every HDD that leaves the facility is degaussed and I want to make sure I’m not missing anything with our network equipment. Thanks

    jcd

    Comment by jcd — February 20, 2008 @ 11:34 am | Reply

  10. Does this disable the button all together? Or just from doing that funky reload?

    I’m wondering if you’d still be able to perform a password recovery?

    Comment by Paul — February 24, 2008 @ 10:34 pm | Reply

  11. Let’s see…

    Env_Vars

    I did not see you mention how to clear env_vars in your very written and thought out paper.

    It’s simple and it is often overlooked. But if you change your MTU of the switch, and in doing labs we do this sometimes, it is a useful thing to know how to clear.

    Just delete the file from your flash will work but just in case.

    Comment by Darby Weaver — August 16, 2008 @ 5:03 am | Reply

  12. Disabling this does NOT disable the password recovery.

    For security’s sake, you need yo disable password recovery AND setup express, but for idiot-proofing’s sake, just disabling setup express will prevent you from running around with your laptop after some janitor decides to play with your switches.

    Comment by zztopping — December 19, 2008 @ 3:49 pm | Reply

  13. Thanks Mate

    I learned something today

    cheers

    Comment by veday — April 1, 2009 @ 6:59 pm | Reply

  14. One question – what if the switch/router malfunction (cannot load firmware), and i need to wipe my config data (sensitive IPs, hostnames, etc) before doing a 1-to-1 exchange w/ the vendor?

    Comment by world cities — June 9, 2009 @ 3:28 pm | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 113 other followers

%d bloggers like this: