I found this post on the excellent Cisco Blog:
Completely Clearing a Cisco Switch…The Easy Way!
Clearing out a Cisco switch configuration is always a pain because VLANs are kept in a seperate file from the startup-config (NVRAM). There’s two ways to clear a switch back to the factory defaults – the easy way and the REALLY easy way:
The easy way –
Switch# write erase
Switch# delete flash:vlan.dat
Switch# reload
The REALLY easy way –
Hold the “mode” button on the front of the switch for 10 seconds. The lights will blink then go solid – the switch completely wipes all configuration and then reboots. Obviously, this method only works on stackable switches as the chassis based switches do not have mode buttons.
Comments
Umm, is it me or is this not a terribly great feature. I know physical security is part of maintaining a secure environment, but this kind of kicks that higher up the requirements chain.
Any know of a way of disabling this ‘feature’?
Posted by: Scared at May 20, 2007 7:21 PM
In my experience this does not wipe the switch at all, it just renames the configfiles and reboots.
“no setup express” disables the button.
Posted by: ior at May 25, 2007 3:08 PM
Let’s attempt to replicate this on a 3560 and see what happens.
Let’s go ahead and add some vlans, vtp config, and some descriptions on the first 5 interfaces:
Switch(config)#vtp domain CISCO
Changing VTP domain name from NULL to CISCO
Switch(config)#vtp mode server
Device mode already VTP SERVER.
Switch(config)#vtp password PASSWORD
Setting device VLAN database password to PASSWORD
Switch(config)#int range fa0/1 – 5
Switch(config-if-range)#desc -> I like beer!!!
Switch(config-if-range)#vlan 2-10,13,69
Switch(config-vlan)#^Z
Switch#sh vtp
00:07:19: %SYS-5-CONFIG_I: Configured from console by consolestatus
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9C 0x62 0xCB 0xFE 0xB7 0x89 0x4A 0xB8
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:19
Local updater ID is 0.0.0.0 (no valid interface found)
Switch#sh vlan sum
Number of existing VLANs : 16
Number of existing VTP VLANs : 16
Number of existing extended VLANs : 0
Switch#sh int desc
Interface Status Protocol Description
Vl1 admin down down
Fa0/1 down down -> I like beer!!!
Fa0/2 down down -> I like beer!!!
Fa0/3 down down -> I like beer!!!
Fa0/4 down down -> I like beer!!!
Fa0/5 down down -> I like beer!!!
and the hostname 🙂
Switch(config)#hostname sw1
sw1(config)#^Z
sw1#
00:08:10: %SYS-5-CONFIG_I: Configured from console by console
sw1#write
Building configuration…
[OK]
Now let’s take a look at the flash:
sw1#sh flash
Directory of flash:/
2 -rwx 1216 Mar 01 1993 00:07:19 vlan.dat
3 -rwx 5 Mar 01 1993 00:08:26 private-config.text
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
85 -rwx 3485 Mar 01 1993 00:08:26 config.text
15998976 bytes total (9540608 bytes free)
Let’s go ahead and hold the mode button for 10 seconds:
As I hold the mode button – STAT, DUPLX, SPEED, and PoE lights blink together and then go solid. I stop pushing the mode button at that point.
Notice this message after I release the mode button:
sw1#
00:09:18: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram
00:09:18: %EXPRESS_SETUP-6-CONFIG_IS_RESET: The configuration is reset and the system will now reboot
00:09:19: %SYS-5-RELOAD: Reload requested
The switch comes back up:
Switch uptime is 2 minutes
System returned to ROM by power-on
Switch#sh start
startup-config is not present
Switch#sh flash
Directory of flash:/
2 -rwx 1216 Mar 01 1993 00:07:19 vlan.dat
3 -rwx 5 Mar 01 1993 00:08:26 private-config.text.renamed
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
85 -rwx 3485 Mar 01 1993 00:08:26 config.text.renamed
15998976 bytes total (9540608 bytes free)
The VTP configuration is still intact (due to vlan.dat not being deleted):
Switch#sh vtp statu
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9C 0x62 0xCB 0xFE 0xB7 0x89 0x4A 0xB8
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:19
Local updater ID is 0.0.0.0 (no valid interface found)
Switch#sh vlan sum
Number of existing VLANs : 16
Number of existing VTP VLANs : 16
Number of existing extended VLANs : 0
Interesting. The startup-configuration is blown away but still appears in flash, albeit with “renamed” tacked on the end. The vlan.dat file is still present, so we retain our VTP settings. The private-config.text* file has also been retained, but with “renamed” appended to it as well.
* According to this page, the private-config.text file is used by Cisco devices to store things like crypto private keys.
Let’s remove the “renamed” portion of the config.text file and restore our startup-configuration:
Switch#rename flash:config.text.renamed flash:config.text
Destination filename [config.text]?
Switch#sh start
Using 3485 out of 524288 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
description -> I like beer!!!
no ip address
no mdix auto
!
interface FastEthernet0/2
description -> I like beer!!!
no ip address
no mdix auto
…..
So the config.text.renamed is the startup config. It’s good to know that this is still around. We can just rename it and then do “copy start run”
Switch#copy start run
%% Non-volatile configuration memory invalid or not present
Zoiks!!! Maybe not! 🙂
Let’s rename the private-config file and see if that helps.
Switch#$h:private-config.text.renamed flash:private-config.text
Destination filename [private-config.text]?
Switch#sh flash
Directory of flash:/
2 -rwx 1216 Mar 01 1993 00:07:19 vlan.dat
3 -rwx 5 Mar 01 1993 00:08:26 private-config.text
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
85 -rwx 3485 Mar 01 1993 00:08:26 config.text
15998976 bytes total (9540608 bytes free)
Switch#copy start run
%% Non-volatile configuration memory invalid or not present
Nope. Interesting. Well a reload ought to do the trick
Switch#reload
Proceed with reload? [confirm]
00:27:04: %SYS-5-RELOAD: Reload requested
And it works:
sw1>en
sw1#sh run
Building configuration…
Current configuration : 3512 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
description -> I like beer!!!
no ip address
……
Okay. Let’s see if we can turn this behavior off by configuring “no express setup”:
sw1(config)#no setup ?
express Configure whether express setup mode is enabled
sw1(config)#no setup express
Let’s see what’s in flash and then write the config:
sw1#sh flash
Directory of flash:/
2 -rwx 3378 Mar 01 1993 00:06:38 config.text
3 -rwx 5 Mar 01 1993 00:06:38 private-config.text
4 -rwx 976 Mar 01 1993 00:10:31 vlan.dat
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
15998976 bytes total (9541120 bytes free)
sw1#write
Building configuration…
[OK]
sw1#
Now let’s hold the mode button and see what happens.
Not a damned thing!!! 🙂 I held the mode button down and all it ever did was move the light from STAT to DUPLX.
I would say that “no express setup” is a great command to throw into your base configuration for all of your switches. While holding down the mode button until the lights are solid will default your configuration, that configuration will not be lost and your vlan.dat file will not be deleted (your vtp configuration will persist). At least on the 3560, this is not a method that will acheive the same results as write erase, delete flash:vlan.dat, reload.
For comparison, here’s what happens with when we do these steps:
sw1#sh flash
Directory of flash:/
2 -rwx 5 Mar 01 1993 00:11:59 private-config.text
4 -rwx 976 Mar 01 1993 00:10:31 vlan.dat
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
85 -rwx 3555 Mar 01 1993 00:11:59 config.text
15998976 bytes total (9541120 bytes free)
sw1#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
sw1#sh fla
00:16:59: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram
Write erase deletes “private-config.text” and “config.txt” from flash:
sw1#sh flash
Directory of flash:/
4 -rwx 976 Mar 01 1993 00:10:31 vlan.dat
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
15998976 bytes total (9545216 bytes free)
sw1#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
sw1#sh flash
Directory of flash:/
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
15998976 bytes total (9546240 bytes free)
sw1#sh start
startup-config is not present
sw1#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
00:18:44: %SYS-5-RELOAD: Reload requested
….
After the reload:
Switch>en
Switch#sh flash
Directory of flash:/
5 drwx 192 Mar 01 1993 00:05:28 c3560-i9-mz.121-19.EA1d
15998976 bytes total (9546240 bytes free)
To summarize: Resetting the switch will not acheive the same result as deleting the vlan.dat, doing a “write erase”, and then reloading the switch. It will blow away your startup-configuration, but the good news is that you can easily recover that file (along with the private-config.text file) and restore your configuration by just renaming a couple of files and reloading. I would strongly recommend disabling this “feature” by using the “no express setup” command in your switch’s configuration. There is no reason to allow someone to blow away your switch’s configuration by simply pressing a button. 🙂
CCIE Pursuit Blog 