ROMMON & Password Recovery — Cisco Routers & Switches

Every network engineer eventually faces the same situation: a device inherited from a departed colleague, a lab router whose enable password nobody recorded, or a production switch that was locked down and the credentials were never properly documented. Cisco IOS includes a deliberate recovery mechanism — ROMMON (ROM Monitor) mode — that allows physical console access to bypass the startup configuration entirely and regain control of the device. Understanding this process is not just an exam topic; it is a practical skill that saves organisations from having to return devices to Cisco or perform factory resets that erase all configuration.

The recovery process works because IOS stores the enable secret in NVRAM as part of the startup-config — and the configuration register, a 16-bit value also stored in NVRAM, controls whether IOS loads the startup-config on boot. By changing one bit in the config-register via ROMMON, you instruct IOS to ignore the startup-config and boot to a clean state. You then copy the startup-config into running-config manually, change the password, restore the config-register, and save — all configuration is preserved except the password you just reset.

This guide covers the full procedure for both Cisco ISR routers and Catalyst switches, the meaning of every config-register bit, how to prevent unauthorised password recovery with service password-recovery disable, and the distinction between enable password, enable secret, and what each protects. For device security hardening that reduces the risk of needing password recovery see AAA Configuration and 802.1X Port Authentication. For recovering a switch that requires a full image reload see IOS Upgrade via TFTP.

1. Core Concepts — ROMMON, Config-Register, and Password Types

The Cisco IOS Boot Sequence

Understanding password recovery requires understanding the normal boot sequence. Recovery works by interrupting this sequence at the earliest possible point:

  ┌─────────────────────────────────────────────────────────────────┐
  │              CISCO IOS BOOT SEQUENCE                            │
  ├─────────────────────────────────────────────────────────────────┤
  │                                                                 │
  │  Power On                                                       │
  │      │                                                          │
  │      ▼                                                          │
  │  POST (Power-On Self Test)                                      │
  │  Hardware diagnostics — RAM, flash, interfaces                  │
  │      │                                                          │
  │      ▼                                                          │
  │  ROMMON loads ◄─── INTERRUPT HERE (Break key within 60s)       │
  │  Low-level firmware in ROM — always present                     │
  │  rommon 1 > prompt                                              │
  │      │  (normal boot continues past this point)                 │
  │      ▼                                                          │
  │  Read configuration register (config-register)                 │
  │  Default: 0x2102                                                │
  │  Bit 6 = 0 → load startup-config from NVRAM                    │
  │  Bit 6 = 1 → IGNORE startup-config (password recovery mode)    │
  │      │                                                          │
  │      ▼                                                          │
  │  Load IOS image from flash (or TFTP if configured)             │
  │      │                                                          │
  │      ▼                                                          │
  │  If config-register bit 6 = 0:                                 │
  │    Load startup-config → apply hostname, passwords, interfaces  │
  │  If config-register bit 6 = 1:                                 │
  │    Skip startup-config → boot to factory-default state         │
  │    Router> prompt (no hostname, no passwords)                   │
  │      │                                                          │
  │      ▼                                                          │
  │  Normal IOS operation                                           │
  │                                                                 │
  └─────────────────────────────────────────────────────────────────┘

The Configuration Register — Bit-by-Bit

The configuration register is a 16-bit hexadecimal value stored in NVRAM. Each bit controls a specific aspect of the boot process. The two values you need to know for password recovery are 0x2102 (normal) and 0x2142 (bypass startup-config):

  CONFIG-REGISTER BIT MAP (16 bits):

  Hex:   0x2102 = 0010 0001 0000 0010
  Hex:   0x2142 = 0010 0001 0100 0010
                              ↑
                           Bit 6 = 1 in 0x2142

  ┌──────┬──────────┬──────────────────────────────────────────────┐
  │ Bits │ Hex Mask │ Function                                      │
  ├──────┼──────────┼──────────────────────────────────────────────┤
  │ 0–3  │ 0x000F   │ Boot field — controls where IOS loads from   │
  │      │          │ 0x0 = ROMMON mode (stays in rommon>)          │
  │      │          │ 0x1 = Boot from ROM (mini-IOS / boot image)   │
  │      │          │ 0x2–0xF = Load first file in flash (default)  │
  ├──────┼──────────┼──────────────────────────────────────────────┤
  │  6   │ 0x0040   │ Ignore NVRAM contents (startup-config)        │
  │      │          │ 0 = Load startup-config (normal)              │
  │      │          │ 1 = BYPASS startup-config ← password recovery │
  ├──────┼──────────┼──────────────────────────────────────────────┤
  │  8   │ 0x0100   │ Break key disable                             │
  │      │          │ 0 = Break key enabled (can enter ROMMON)      │
  │      │          │ 1 = Break key disabled (security hardening)   │
  ├──────┼──────────┼──────────────────────────────────────────────┤
  │  13  │ 0x2000   │ OEM bit — factory diagnostics                 │
  └──────┴──────────┴──────────────────────────────────────────────┘

  COMMON VALUES:
    0x2102 — Normal production boot (load startup-config from NVRAM)
    0x2142 — Password recovery (bypass startup-config)
    0x2100 — Boot into ROMMON on every restart (used in IOS upgrade)
    0x2101 — Boot from ROM image (mini-IOS / recovery image)
    0x2122 — Normal boot + Break key disabled (prevents ROMMON entry)

Password Types in Cisco IOS

Command	Storage	Encryption	Protects	Recovery Method
`enable password [pw]`	startup-config / running-config	None (plain text) or Type 7 if `service password-encryption` is on	Privileged exec (enable) mode	ROMMON bypass OR read from startup-config if Type 7 (reversible)
`enable secret [pw]`	startup-config / running-config	MD5 hash (Type 5) or SHA-256 (Type 9) — not reversible	Privileged exec (enable) mode — overrides `enable password` if both set	ROMMON bypass only — hash cannot be reversed
`username [x] password [pw]`	startup-config	None or Type 7	Local login (console, VTY, SSH)	ROMMON bypass
`username [x] secret [pw]`	startup-config	MD5 or SHA-256 — not reversible	Local login with secure hash	ROMMON bypass — must set a new password, hash cannot be read
Line passwords (`line con 0`, `line vty`)	startup-config	None or Type 7	Console and VTY access	ROMMON bypass

enable secret always wins: If both enable password and enable secret are configured on the same device, IOS always uses the enable secret and completely ignores the enable password. The enable password is a legacy command — always use enable secret in modern configurations. Type 9 (

enable algorithm-type
    sha256 secret

) is the current best practice on IOS-XE 16.x and later.

2. Lab Scenario & Prerequisites

  Lab Scenario:
    NetsTuts_R1 — Cisco ISR 4321 (IOS-XE 16.x)
    NetsTuts_SW1 — Cisco Catalyst 2960 (IOS 15.x)

    Problem: Enable secret password unknown on both devices.
    Console access is available (physical or via terminal server).
    All other configuration must be preserved.

  Physical Requirements:
    ┌──────────────────┐      Console cable (RJ45 → USB)
    │  Laptop/PC       │─────────────────────────────────► NetsTuts_R1
    │  Terminal app:   │                                   Console port
    │  PuTTY / SecureCRT│────────────────────────────────► NetsTuts_SW1
    │  9600-8-N-1      │                                   Console port
    └──────────────────┘

  Console Settings (standard for all Cisco devices):
    Baud rate:    9600
    Data bits:    8
    Parity:       None
    Stop bits:    1
    Flow control: None
    (9600-8-N-1)

  IMPORTANT PREREQUISITES:
  ✔ Physical console access to the device is REQUIRED
  ✔ Physical access to the power switch or PDU is REQUIRED
    (you must be able to reboot the device)
  ✔ Do NOT attempt this procedure on a live production device
    without a maintenance window — the reboot causes a service
    interruption
  ✔ Document the current config-register value before changing it
  ✔ This procedure is legitimate maintenance — it requires physical
    access to the device (an important security control)

3. Password Recovery — Cisco ISR Router (IOS / IOS-XE)

Step 1 — Check the Current Config-Register

! ── If you can access the router at any privilege level ──────────
NetsTuts_R1>show version | include Configuration register
Configuration register is 0x2102

! ── Or from privileged exec ──────────────────────────────────────
NetsTuts_R1#show version
...
Configuration register is 0x2102  ← record this value before proceeding

Always note the current config-register value before starting the recovery procedure. The standard value is 0x2102. Some devices may have a custom value (e.g., 0x2122 with Break disabled, or 0x2106 with a custom boot field). You must restore this exact value at the end of the procedure — not necessarily 0x2102 — to preserve the original boot behaviour. See show version for a full reference to all fields in the output.

Step 2 — Send the Break Signal to Enter ROMMON

  TIMING IS CRITICAL — you have approximately 60 seconds
  from the moment the router starts booting to send the Break signal.

  Procedure:
  1. Reboot the router (power cycle or 'reload' if you have access)
  2. Watch the console output — you will see POST messages and then:

     "System Bootstrap, Version 15.x ..."
     "Self decompressing the image..."
     or
     "Readonly ROMMON initialized"

  3. Send the Break signal IMMEDIATELY when you see boot messages:

  ┌──────────────────────┬─────────────────────────────────────────┐
  │ Terminal Application │ Break Key Sequence                      │
  ├──────────────────────┼─────────────────────────────────────────┤
  │ PuTTY                │ Ctrl + Break                            │
  │ SecureCRT            │ Ctrl + Break  or  Send Break in menu    │
  │ Tera Term            │ Alt + B                                 │
  │ HyperTerminal        │ Ctrl + Break                            │
  │ macOS Terminal       │ Ctrl + C  (during boot only)            │
  │ minicom (Linux)      │ Ctrl + A, then F                        │
  └──────────────────────┴─────────────────────────────────────────┘

  SUCCESS — you will see the ROMMON prompt:
    rommon 1 >

  FAILURE — IOS finishes booting normally. Repeat from step 1.
  If Break is disabled (config-register 0x2122), you cannot enter
  ROMMON via Break — see Section 7 for alternative approaches.

Step 3 — Change the Config-Register in ROMMON

rommon 1 > confreg 0x2142
! ── On some ISR platforms the command is: ────────────────────────
rommon 1 > confreg
  Configuration Summary
  enabled are:
  load rom after netboot fails
  console baud: 9600
  boot: image specified by the boot system commands
  or default to: cisco2-ISR4300...

  do you wish to change the configuration? y/n [n]: y
  enable "diagnostic mode"? y/n [n]: n
  enable "use net in IP bcast address"? y/n [n]: n
  disable "load rom after netboot fails"? y/n [n]: n
  enable "use all zero broadcast"? y/n [n]: n
  enable "break/abort has effect"? y/n [n]: n
  enable "ignore system config info"? y/n [n]: y   ← THIS IS BIT 6
  change console baud rate? y/n [n]: n
  change the boot characteristics? y/n [n]: n

  Configuration Summary
  enabled are:
  ignore system config info           ← confirmed
  load rom after netboot fails
  console baud: 9600
  boot: image specified by the boot system commands

  do you wish to change the configuration? y/n [n]: n

rommon 2 > reset
! ── Resets the router — it will now boot ignoring startup-config ─

The confreg 0x2142 command directly sets the value. The interactive confreg (no argument) asks each bit's question — both achieve the same result. The critical option is "ignore system config info" which sets bit 6 to 1. The reset command reboots the router — equivalent to a power cycle. After reset, IOS loads normally but skips the startup-config, producing a clean unconfigured state with no passwords.

Step 4 — Boot Without Startup-Config and Enter Privileged Exec

! ── Router boots with no configuration — watch console output ────
System Bootstrap, Version 16.x
...
Would you like to enter the initial configuration dialog? [yes/no]: no
! ── Type 'no' to skip setup mode ────────────────────────────────

Press RETURN to get started!

Router>               ← Generic hostname — startup-config was skipped
Router>enable         ← No password required — enable secret was in startup-config
Router#               ← You are now in privileged exec with no password!

The router boots with the hostname "Router" (factory default) and no passwords configured — because the startup-config was bypassed. You enter privileged exec with just enable and no password. The startup-config still exists in NVRAM — it was only skipped during this boot. Do NOT type write memory or

copy
    running-config startup-config

at this point — that would overwrite the startup-config with the empty running config and erase all original configuration.

Step 5 — Load the Original Config and Reset the Password

! ── Copy startup-config into running-config ──────────────────────
Router#copy startup-config running-config
Destination filename [running-config]?
  [press Enter]
1823 bytes copied in 0.416 secs (4382 bytes/sec)

! ── Hostname and all config returns from the original startup-config
NetsTuts_R1#

! ── Set a new enable secret ──────────────────────────────────────
NetsTuts_R1(config)#enable secret NewSecret2026!
! ── Or Type 9 (SHA-256) on IOS-XE 16.x+ ─────────────────────────
NetsTuts_R1(config)#enable algorithm-type sha256 secret NewSecret2026!

! ── Reset any line passwords if also unknown ─────────────────────
NetsTuts_R1(config)#line vty 0 15
NetsTuts_R1(config-line)#password VtyP@ss2026
NetsTuts_R1(config-line)#login
NetsTuts_R1(config-line)#exit
NetsTuts_R1(config)#line con 0
NetsTuts_R1(config-line)#password ConP@ss2026
NetsTuts_R1(config-line)#login
NetsTuts_R1(config-line)#exit

copy startup-config running-config merges the saved configuration into the running configuration — all original settings (interfaces, routing, VLANs, ACLs) are restored. The new enable secret overwrites the old unknown one in the running-config. The original startup-config in NVRAM still has the old unknown password until you save.

Step 6 — Restore the Config-Register and Save

! ── CRITICAL — restore the original config-register value ────────
NetsTuts_R1(config)#config-register 0x2102
! ── If the original value was different from 0x2102, use that value

NetsTuts_R1(config)#exit

! ── Save the running-config (new password + restored config-register)
NetsTuts_R1#copy running-config startup-config
Destination filename [startup-config]?
  [press Enter]
Building configuration...
[OK]

! ── Verify config-register is restored ──────────────────────────
NetsTuts_R1#show version | include Configuration register
Configuration register is 0x2102 (will be 0x2102 at next reload)
! ── "(will be 0x2102)" confirms it takes effect at next reload ───

! ── Final reload to confirm everything boots correctly ───────────
NetsTuts_R1#reload
Proceed with reload? [confirm]
  [press Enter]

! ── After reload — verify with new password ──────────────────────
NetsTuts_R1>enable
Password: NewSecret2026!
NetsTuts_R1#   ← Password recovery complete

The final reload is optional but strongly recommended — it confirms that the new password is correctly saved to startup-config and that the config-register is back to normal. If you skip the reload and later the device reboots for any reason (power failure, upgrade), you want to be confident it will boot correctly with the restored config-register. The message "will be 0x2102 at next reload" is normal — the current boot used 0x2142, and the config-register command schedules the new value for the next boot.

4. Password Recovery — Cisco Catalyst Switch

Catalyst switches use a different password recovery mechanism because they do not use the same config-register concept as routers. The procedure involves holding the Mode button during boot to interrupt the flash initialisation, then manually renaming or deleting the startup-config file in flash before allowing the boot to continue.

Catalyst 2960 / 3560 / 3750 — Mode Button Method

  Physical Location of Mode Button:
    Front panel of the switch — left side, labelled "MODE"
    (small recessed button, may require a paperclip to press)

  Procedure:
  1. Connect console cable (9600-8-N-1)
  2. Hold the MODE button
  3. While holding MODE, cycle power (unplug/replug) OR press the
     power button
  4. Continue holding MODE for approximately 15 seconds while
     watching console output
  5. Release MODE when you see:
     "flash_init" or "switch:" or "The system has been interrupted"

  Console output during Mode button hold:
  Using driver version 1 for media type 1
  Base ethernet MAC Address: 0c:1a:2b:3c:4d:5e
  Xmodem file system is available.
  The password-recovery mechanism is enabled.   ← confirm this line
  ...
  switch:         ← This is the SWITCH: ROMMON prompt (not router rommon>)

Step 1 — Initialise Flash and View Files

switch: flash_init
Initializing Flash...
...done Initializing Flash.

switch: dir flash:
Directory of flash:/

    2  -rwx        4414  Mar 01 1993 00:01:28 +00:00  config.text
    3  -rwx         736  Mar 01 1993 00:01:28 +00:00  vlan.dat
    4  drwx         192  Mar 01 1993 00:01:14 +00:00  c2960-lanbasek9-mz.152-7.E9/
    5  -rwx       28282  Mar 01 1993 00:01:14 +00:00  c2960-lanbasek9-mz.152-7.E9.bin

! ── config.text = the startup-config on Catalyst switches ─────────
! ── We rename it so IOS boots without loading it ──────────────────

Step 2 — Rename the Startup-Config File

! ── Rename config.text to config.old (preserves content) ────────
switch: rename flash:config.text flash:config.old

! ── Verify the rename ────────────────────────────────────────────
switch: dir flash:
Directory of flash:/

    2  -rwx        4414  Mar 01 1993 00:01:28 +00:00  config.old   ← renamed
    3  -rwx         736  Mar 01 1993 00:01:28 +00:00  vlan.dat
    4  drwx         192  Mar 01 1993 00:01:14 +00:00  c2960-lanbasek9-mz.152-7.E9/

! ── Boot the switch — it will boot without a startup-config ──────
switch: boot

Renaming rather than deleting config.text is safer — the file content (all original configuration) is preserved in config.old. If you accidentally delete the file or the procedure goes wrong, the configuration is still recoverable. Never use delete flash:config.text during password recovery — you would lose all configuration permanently.

Step 3 — Boot Without Config and Rename Back

! ── Switch boots without startup-config ──────────────────────────
Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Switch>enable          ← no password — startup-config was skipped
Switch#

! ── Rename config.old back to config.text ────────────────────────
Switch#rename flash:config.old flash:config.text

! ── Load original config into running-config ─────────────────────
Switch#copy flash:config.text system:running-config
Destination filename [running-config]?
  [press Enter]
1456 bytes copied in 0.208 secs

NetsTuts_SW1#   ← original hostname restored

Step 4 — Set New Password and Save

! ── Set new enable secret ────────────────────────────────────────
NetsTuts_SW1(config)#enable secret NewSwitchP@ss2026!

! ── Reset any unknown line passwords ─────────────────────────────
NetsTuts_SW1(config)#line con 0
NetsTuts_SW1(config-line)#password ConP@ss2026
NetsTuts_SW1(config-line)#login
NetsTuts_SW1(config-line)#exit

NetsTuts_SW1(config)#line vty 0 15
NetsTuts_SW1(config-line)#password VtyP@ss2026
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#exit

! ── Save — startup-config now has new password ───────────────────
NetsTuts_SW1#copy running-config startup-config
Building configuration...
[OK]

! ── Verify ───────────────────────────────────────────────────────
NetsTuts_SW1#show running-config | include enable secret
enable secret 9 $9$kHGb...  ← new hashed secret confirmed

! ── Optional — verify flash is clean ────────────────────────────
NetsTuts_SW1#dir flash:
Directory of flash:/

    2  -rwx        4502  Mar 07 2026 10:22:15 +00:00  config.text   ← correct name
    3  -rwx         736  Mar 07 2026 10:22:15 +00:00  vlan.dat

5. Password Recovery — Catalyst 9000 Series (IOS-XE)

Catalyst 9200/9300/9400/9500 switches running IOS-XE use a slightly different boot interrupt mechanism. The Mode button still exists but the ROMMON prompt and commands differ from older Catalyst platforms:

Step 1 — Enter ROMMON on Catalyst 9000

  Catalyst 9000 Method:
  1. Connect console cable
  2. Power cycle the switch
  3. Hold the MODE button for 10–15 seconds until the STAT LED
     turns amber, then release
  4. You will see:

     switch:

  Alternatively — some 9000 models respond to Ctrl+Break on console
  during the first 5 seconds of boot to enter rommon directly:

     rommon 1 >

Step 2 — Use ROMMON to Bypass Config on Catalyst 9000

! ── Method 1: Set SWITCH_IGNORE_STARTUP_CFG environment variable ─
rommon 1 > SWITCH_IGNORE_STARTUP_CFG=1
rommon 2 > boot

! ── OR Method 2: Using the switch: prompt (older 9000 firmware) ──
switch: set SWITCH_IGNORE_STARTUP_CFG 1
switch: boot

! ── Switch boots without startup-config ──────────────────────────
Switch>enable
Switch#

! ── Load original config ─────────────────────────────────────────
Switch#copy startup-config running-config
NetsTuts_SW1#

! ── Change password ──────────────────────────────────────────────
NetsTuts_SW1(config)#enable algorithm-type sha256 secret NewP@ss2026!

! ── CRITICAL — clear the environment variable before saving ──────
Switch(config)#no system ignore startupconfig switch all
! ── OR from ROMMON after next reload set the variable back to 0:
!    rommon > SWITCH_IGNORE_STARTUP_CFG=0

NetsTuts_SW1#copy running-config startup-config

The Catalyst 9000 uses an environment variable (SWITCH_IGNORE_STARTUP_CFG) instead of a config-register bit to control startup-config loading. It is critical to clear this variable after completing the password recovery — if left set to 1, the switch will ignore the startup-config on every subsequent reboot, appearing to lose all configuration after each power cycle. The no system ignore startupconfig switch all command on IOS-XE clears it persistently.

6. Post-Recovery Verification Checklist

After completing password recovery on either a router or switch, run this verification sequence to confirm everything is correct before declaring the procedure complete:

Router — Full Verification

! ── 1. Verify config-register is back to normal ──────────────────
NetsTuts_R1#show version | include register
Configuration register is 0x2102

! ── 2. Verify new enable secret is saved ────────────────────────
NetsTuts_R1#show running-config | include enable
enable secret 9 $9$lFkT...

! ── 3. Verify startup-config contains new password ───────────────
NetsTuts_R1#show startup-config | include enable
enable secret 9 $9$lFkT...   ← matches running-config

! ── 4. Confirm original interfaces, routing, and config intact ───
NetsTuts_R1#show ip interface brief
NetsTuts_R1#show ip route
NetsTuts_R1#show running-config

! ── 5. Test new password by dropping to user exec and re-enabling ─
NetsTuts_R1#disable
NetsTuts_R1>enable
Password: NewSecret2026!
NetsTuts_R1#   ← confirmed working

! ── 6. Test VTY access from a network device ─────────────────────
! ── SSH from another router/PC ───────────────────────────────────
$ ssh [email protected]
Password: VtyP@ss2026
NetsTuts_R1>enable
Password: NewSecret2026!
NetsTuts_R1#   ← remote access confirmed

Switch — Full Verification

! ── 1. Verify flash — no stale config.old file ───────────────────
NetsTuts_SW1#dir flash:
Directory of flash:/
    2  -rwx   config.text   ← correct — no config.old present
    3  -rwx   vlan.dat

! ── 2. Verify VLAN database is intact ────────────────────────────
NetsTuts_SW1#show vlan brief
! ── All original VLANs should be present ─────────────────────────

! ── 3. Verify trunks and port assignments intact ─────────────────
NetsTuts_SW1#show interfaces trunk
NetsTuts_SW1#show interfaces status

! ── 4. Verify new password works ─────────────────────────────────
NetsTuts_SW1#disable
NetsTuts_SW1>enable
Password: NewSwitchP@ss2026!
NetsTuts_SW1#

! ── 5. Verify password-recovery mechanism status ─────────────────
NetsTuts_SW1#show version | include password-recovery
The password-recovery mechanism is enabled.

Complete Procedure Summary — Quick Reference

Step	ISR Router	Catalyst 2960/3x50	Catalyst 9000
1. Interrupt boot	Send Break signal within 60s of power-on	Hold Mode button during power-on for ~15s	Hold Mode button ~10s or Ctrl+Break during boot
2. ROMMON prompt	`rommon 1 >`	`switch:`	`rommon 1 >` or `switch:`
3. Bypass config	`confreg 0x2142` then `reset`	`flash_init` then `rename flash:config.text flash:config.old` then `boot`	`SWITCH_IGNORE_STARTUP_CFG=1` then `boot`
4. Enter priv exec	`enable` (no password)	`enable` (no password)	`enable` (no password)
5. Restore config	`copy startup-config running-config`	`rename flash:config.old flash:config.text` then `copy flash:config.text system:running-config`	`copy startup-config running-config`
6. Set new password	`enable secret [newpw]`	`enable secret [newpw]`	`enable algorithm-type sha256 secret [newpw]`
7. Restore boot mode	`config-register 0x2102`	Not needed (file rename already reversed)	`no system ignore startupconfig switch all`
8. Save	`copy running-config startup-config`	`copy running-config startup-config`	`copy running-config startup-config`

7. Security Considerations & Prevention

service password-recovery disable — The Nuclear Option

For high-security environments where physical access to a device should not be sufficient to recover the configuration, Cisco provides the service password-recovery disable command. This fundamentally changes the password recovery behaviour — understanding it before enabling it is critical:

! ── WARNING — read the full implications before entering this ─────
NetsTuts_R1(config)#service password-recovery disable

! ── What this does on routers: ───────────────────────────────────
! When someone attempts ROMMON password recovery after this command:
! 1. Router enters ROMMON normally when Break is sent
! 2. confreg 0x2142 works — router boots bypassing startup-config
! 3. BUT: IOS detects that password-recovery is disabled
! 4. IOS ERASES the startup-config from NVRAM before booting
! 5. The device boots clean with NO configuration at all
! 6. All original config (interfaces, routing, VLANs) is DESTROYED
!
! On Catalyst switches with this command:
! 1. Mode button press is IGNORED — switch boots normally
! 2. Console shows: "password-recovery mechanism is disabled"
! 3. There is no way to bypass the startup-config via Mode button
! 4. Only option: full factory reset (erases all config)

! ── Verify current status ────────────────────────────────────────
NetsTuts_R1#show version | include password-recovery
The password-recovery mechanism is enabled.   ← default (safe)

Only enable service password-recovery disable if: (1) Physical security of the device is strong (locked server room, tamper-evident seals), (2) Passwords are documented and stored in a secure password manager (CyberArk, HashiCorp Vault, etc.), (3) Your organisation explicitly requires that physical access alone is insufficient to recover a device. In most enterprise environments, this command is counterproductive — the risk of a legitimate admin being locked out of a critical device due to a lost password far outweighs the security benefit.

Config-Register Security — Disabling the Break Key

! ── Disable the Break key to prevent ROMMON access ───────────────
! ── Sets bit 8 in the config-register: 0x2102 + 0x0100 = 0x2202 ─
NetsTuts_R1(config)#config-register 0x2202

! ── With bit 8 set, sending Break during boot has no effect ──────
! ── The router will complete its normal boot sequence regardless ──

! ── Verify ───────────────────────────────────────────────────────
NetsTuts_R1#show version | include register
Configuration register is 0x2102 (will be 0x2202 at next reload)

! ── Caveat: a sufficiently long Break signal (>5 seconds on some  ─
! ── platforms) may still enter ROMMON despite bit 8 — physical ───
! ── security of the console port is the only true protection ──────

Password Security Best Practices

Practice	Command	Why
Always use `enable secret`, never `enable password`	`enable secret [pw]` or `enable algorithm-type sha256 secret [pw]`	MD5/SHA-256 hashes cannot be reversed — plain enable password is visible in show running-config. See Hostname, Banner & Password Configuration
Encrypt all plain-text passwords in config	`service password-encryption`	Applies Type 7 (weak, reversible) encryption to all unencrypted passwords in the config — better than nothing
Use AAA with RADIUS/TACACS+	`aaa new-model`, `aaa authentication login`	Centralised authentication — no local passwords to lose, full audit trail of who logged in
Document credentials in a password manager	N/A — process control	The most common cause of needing password recovery is undocumented passwords — eliminate the root cause
Restrict console access physically	Physical security + `line con 0` timeout	ROMMON access requires physical console — securing the console port limits who can attempt recovery
Set console exec-timeout	`line con 0` → `exec-timeout 5 0`	Auto-disconnects idle console sessions — prevents an unlocked session being used without authentication. See Login Security & Brute-Force Protection
Use SSH not Telnet for VTY	`transport input ssh` on VTY lines	Telnet sends passwords in plain text — SSH encrypts the entire session including credentials

Troubleshooting Common Password Recovery Failures

Symptom	Cause	Solution
Break signal ignored — router boots normally	Break sent too late (after 60-second window), or config-register has bit 8 set (0x2x22), or wrong Break key sequence for terminal app	Try sending Break within 2 seconds of power-on. Check terminal app Break key method. If bit 8 is set, Break cannot enter ROMMON — use `service password-recovery disable` removal procedure
ROMMON prompt but `confreg` unknown command	Different ROMMON version — some platforms use different syntax	Try `confreg 0x2142` (with value), `o/r 0x2142` (older ISR 1800/2800/3800), or just `confreg` (interactive)
After `copy startup-config running-config`, password still unknown	Startup-config has `enable secret` which is a hash — you cannot read or recover the original password	This is expected — set a NEW enable secret. You cannot recover the original hashed password, only replace it
Switch: Mode button has no effect	`service password-recovery disable` is active OR Mode button not held long enough / pressed too late	Check `show version \| include password-recovery`. If disabled, the only option is a full factory reset (`write erase` + reload from ROMMON)
After recovery, switch shows no VLANs	`vlan.dat` file in flash was deleted or corrupted during the procedure	Restore VLANs manually. To prevent this, never delete `vlan.dat` during password recovery — only rename/restore `config.text`
Config-register shows 0x2142 after reload	Forgot to run `config-register 0x2102` before saving, or saved the running-config with 0x2142 still active	Enter config mode and run `config-register 0x2102`, then `copy running-config startup-config`, then reload

8. IOS-XE Specific Differences & Advanced ROMMON

IOS-XE ROMMON Environment Variables

Newer ISR 4000 series and ASR routers running IOS-XE use environment variables in ROMMON rather than the simple confreg command. The functionality is the same but the syntax differs:

! ── IOS-XE ROMMON (ISR 4000 / ASR 1000) ─────────────────────────
rommon 1 > set
! ── Lists current environment variables ──────────────────────────
BSI=0
BOOT=bootflash:isr4300-universalk9.16.12.04.SPA.bin;
CONFIG_FILE=
CRASHINFO=crashinfo:
...

! ── Method 1: Set CONFIG_FILE to empty — skips startup-config ────
rommon 1 > CONFIG_FILE=
rommon 2 > sync
rommon 3 > reset

! ── Method 2: confreg still works on most IOS-XE platforms ───────
rommon 1 > confreg 0x2142
rommon 2 > reset

! ── After boot — verify ROMMON variables restored ────────────────
NetsTuts_R1#show romvar
ROMMON variables:
  CONFIG_FILE =               ← still empty if method 1 was used
  BOOT = bootflash:...

! ── Restore CONFIG_FILE after recovery ───────────────────────────
NetsTuts_R1#configure terminal
NetsTuts_R1(config)#config-register 0x2102
NetsTuts_R1(config)#end
NetsTuts_R1#copy running-config startup-config

Useful ROMMON Commands — Reference

Command	Platform	Function
`confreg 0x2142`	ISR routers, classic IOS	Set config-register to bypass startup-config
`confreg` (interactive)	ISR routers, classic IOS	Interactive config-register wizard — walks through each bit
`reset`	All router ROMMON	Reboot the router from ROMMON
`boot`	All switch ROMMON (`switch:`)	Boot the switch from the `switch:` prompt
`dir flash:`	Switch `switch:` ROMMON	List files in flash memory — shows config.text, IOS image, vlan.dat
`flash_init`	Catalyst switch `switch:`	Initialises the flash filesystem so `dir flash:` and `rename` commands work
`rename flash:a flash:b`	Catalyst switch `switch:`	Rename a file in flash — used to rename config.text to config.old
`set`	IOS-XE ROMMON	Display all ROMMON environment variables
`sync`	IOS-XE ROMMON	Write environment variable changes to persistent NVRAM
`o/r 0x2142`	Older ISR 1800/2800/3800	Alternative confreg syntax on legacy platforms
`tftpdnld`	All router ROMMON	Download IOS image via TFTP — used when flash is corrupt or image missing
`show version`	All ROMMON	Display ROMMON firmware version, hardware type, and current config-register

9. Complete Recovery Workflow & Key Points

End-to-End Router Recovery — Condensed Reference

! ════════ COMPLETE ROUTER PASSWORD RECOVERY — STEP BY STEP ══════

! PRE-STEP: note current config-register if accessible
! show version | include register  → 0x2102 (record this)

! STEP 1: Reboot and send Break key within 60 seconds
! rommon 1 >

! STEP 2: Set config-register to bypass startup-config
rommon 1 > confreg 0x2142
rommon 2 > reset

! STEP 3: Boot without passwords — enter enable with no password
Router> enable
Router#

! STEP 4: Load original config
Router# copy startup-config running-config
NetsTuts_R1#

! STEP 5: Set new password
NetsTuts_R1(config)# enable secret NewPassword2026!

! STEP 6: Restore config-register
NetsTuts_R1(config)# config-register 0x2102

! STEP 7: Save
NetsTuts_R1# copy running-config startup-config

! STEP 8: Reload and verify
NetsTuts_R1# reload
! After reload: enable with new password → confirmed

Key Points & Exam Tips

Config-register 0x2142 bypasses startup-config. Bit 6 (value 0x0040) set to 1 tells IOS to ignore NVRAM contents. 0x2102 is normal; 0x2142 is recovery mode. You must restore 0x2102 (or original value) before saving and rebooting.
The startup-config is NOT erased during recovery (unless service password-recovery disable is active). It is simply skipped during boot. The copy startup-config running-config step restores all original configuration.
enable secret cannot be recovered — only replaced. The MD5/SHA-256 hash stored in the config is a one-way function. You cannot reverse it to find the original password. The recovery procedure lets you set a new password, not read the old one.
Router vs Switch procedure is different. Routers use confreg 0x2142 in ROMMON. Catalyst 2960/3x50 switches use Mode button + flash_init + file rename. Catalyst 9000 uses SWITCH_IGNORE_STARTUP_CFG=1 environment variable. Know all three for the exam.
Break timing is critical. On routers, you have ~60 seconds from power-on to send the Break signal. Different terminal applications use different key sequences. PuTTY: Ctrl+Break. SecureCRT: Ctrl+Break. Wrong timing = normal boot = repeat from step 1.
Never write memory before loading the original config. If you save the empty running-config (after booting with startup bypassed) before running copy startup-config running-config, you will permanently overwrite all original configuration with an empty config.
Always restore the config-register before saving. If you save with 0x2142 still set in the running-config, the device will boot into bypass mode every time it reboots until someone fixes it manually.
VLAN database (vlan.dat) is separate from startup-config. On switches, VLANs are stored in flash as vlan.dat — NOT in config.text. Password recovery does not touch vlan.dat, so VLANs are preserved. Never delete vlan.dat during recovery.
For service password-recovery disable on routers: attempting ROMMON recovery erases the startup-config entirely. This is a destructive, irreversible operation — the only recovery is a full reconfiguration. Use this command only if the security trade-off is explicitly required by policy.
On the CCNA exam, expect questions about: the correct config-register value (0x2142), which command bypasses startup-config vs which loads it, the difference between enable password and enable secret, and the correct order of steps (especially: copy startup-config running-config BEFORE setting the new password, and config-register 0x2102 BEFORE write memory).

Related Labs: With physical access established and the device under control, you may also need to update the IOS image — see IOS Upgrade via TFTP for the step-by-step TFTP image transfer process, which also uses ROMMON's tftpdnld command when the flash image is corrupt. For preventing future lockouts through centralised authentication see AAA Configuration and 802.1X Port Authentication. For securing the management plane against unauthorised access see Control Plane Policing (CoPP).

TEST WHAT YOU LEARNED

1. What is the config-register value that bypasses the startup-config on a Cisco router, and which specific bit does it change compared to the default value of 0x2102?

A. 0x2100 — changes bits 0–3 (the boot field) to 0, causing the router to stay in ROMMON B. 0x2002 — changes bit 8 to 0, enabling the Break key to enter ROMMON C. 0x2122 — changes bit 8 to 1, disabling the Break key and locking out ROMMON access D. 0x2142 — changes bit 6 from 0 to 1 (adds 0x0040 to the default 0x2102). Bit 6 is the "ignore NVRAM contents" bit — when set to 1, IOS skips loading the startup-config from NVRAM during boot, allowing the router to start with no passwords configured. All other bits remain the same as 0x2102

Correct answer is D. The configuration register is a 16-bit value where each bit controls a different aspect of the boot process. The default value 0x2102 in binary is 0010 0001 0000 0010. The recovery value 0x2142 in binary is 0010 0001 0100 0010. Comparing the two: 0x2142 - 0x2102 = 0x0040 = binary 0000 0000 0100 0000. The only difference is bit 6 (counting from the right, 0-indexed), which is the "ignore NVRAM contents" flag. Setting this bit to 1 instructs the IOS bootloader to skip reading the startup-config from NVRAM, causing the router to boot as if freshly reset with no configuration. This is the mechanism that enables password recovery — by bypassing the startup-config, you also bypass the enable secret stored within it. Option A (0x2100) would cause the router to stay in ROMMON mode by clearing the boot field. Option C (0x2122) would disable the Break key, which would actually prevent ROMMON access and make recovery harder.

2. After entering ROMMON mode and setting `confreg 0x2142`, an engineer runs `reset`. The router boots and shows the generic hostname "Router" with no password prompt on `enable`. The engineer immediately types `copy running-config startup-config` to "save the clean state." What critical mistake did they make?

A. No mistake — saving the running-config is always the correct first step after any configuration change B. The engineer permanently overwrote the original startup-config (containing all device configuration — interfaces, routing, VLANs, ACLs, etc.) with an empty running-config. The original configuration is now destroyed and unrecoverable from NVRAM. The correct procedure is to first run copy startup-config running-config to restore the original config into running-config, THEN set the new password, THEN save C. The mistake is that copy running-config startup-config does not work from ROMMON — this command is only available after a full IOS boot D. No significant mistake — the original config can be recovered from flash even after overwriting startup-config

Correct answer is B. This is the single most catastrophic mistake in the password recovery procedure, and it is surprisingly easy to make. When the router boots with config-register 0x2142, the startup-config in NVRAM is untouched — it still contains all the original configuration including the unknown enable secret. The running-config at this point is completely empty (no hostname, no interfaces, no routing, no passwords). If you run copy running-config startup-config now, you write that empty running-config into NVRAM, permanently overwriting the original configuration. Everything — interface IPs, routing protocols, ACLs, VLAN configurations, SSH keys, NTP, SNMP — is gone. There is no undo. The IOS command history has no backup. The original startup-config is destroyed. The correct critical step is to FIRST run copy startup-config running-config to merge the original saved config into the current running-config. This restores all configuration, including the hostname. THEN set the new enable secret. THEN restore the config-register to 0x2102. THEN save. The startup-config is never touched until the very final save step, when you intentionally overwrite it with the corrected version (new password, restored config-register, all original config intact).

3. A Cisco Catalyst 2960 switch has `service password-recovery disable` configured. An engineer loses the enable secret and attempts the Mode button password recovery procedure. What happens?

A. The Mode button press is completely ignored — the switch boots normally through its startup-config and the enable secret is enforced. There is no way to bypass the password via the Mode button when password-recovery is disabled. The only option is a full factory reset from ROMMON, which erases all configuration (write erase equivalent). The engineer must reconfigure the switch entirely from scratch B. The Mode button still works, but only allows viewing the config — modifications are blocked C. The Mode button works normally — service password-recovery disable only affects router ROMMON, not switch recovery D. The switch boots into a special secure mode and prompts for a TAC-approved recovery code

Correct answer is A. service password-recovery disable on Catalyst switches fundamentally changes the Mode button behaviour. Instead of dropping to the switch: ROMMON prompt where you can rename config.text, the switch completely ignores the Mode button interrupt signal and proceeds with its normal boot sequence, loading the startup-config with the unknown enable secret. The console output will typically show a message like "The password-recovery mechanism is disabled" early in the boot sequence to inform the console-connected engineer of this state. With password recovery disabled, the only way to regain access is a full factory reset — entering ROMMON (which on some switch models can still be reached via other means, or by holding Mode for a very long time) and running write erase or flash_init followed by deleting config.text. This completely destroys all configuration. This is precisely the design intent: physical access + Mode button is not sufficient to recover the device; you must deliberately destroy the configuration as the price of regaining access. This creates a strong disincentive for casual password recovery on secured infrastructure.

4. What is the difference between `enable password` and `enable secret`? If both are configured simultaneously, which one does IOS use, and what does this mean for password recovery?

A. They are functionally identical — enable secret is just the newer syntax for enable password B. Both are used — IOS checks enable password first, then falls back to enable secret if the first fails C. enable password stores the password in plain text (or reversible Type 7 encryption with service password-encryption). enable secret stores an MD5 hash (Type 5) or SHA-256 hash (Type 9) — computationally infeasible to reverse. When both are configured, IOS ALWAYS uses enable secret and completely ignores enable password. For password recovery: if only enable password is configured without encryption, you can read the password directly from the startup-config. If enable secret is configured (as it should always be), the hash cannot be reversed — you can only set a new password, not recover the original one D. enable secret is only available on IOS-XE — classic IOS uses enable password exclusively

Correct answer is C. This question covers one of the fundamental security concepts in Cisco IOS. The enable password command predates enable secret and was an early attempt at access control. Its weakness is that it stores the password either in plain text or in Type 7 encryption (a simple XOR cipher with a known key that is trivially reversible — numerous online tools decode Type 7 in seconds). enable secret was introduced to provide real cryptographic protection using MD5 (Type 5). Modern IOS-XE supports Type 9 (PBKDF2-SHA-256) via enable algorithm-type sha256 secret. The overriding rule is absolute: if both enable password and enable secret are configured, enable secret always wins. The enable password is completely ignored — not as a fallback, not as a secondary check, but permanently ignored. This is visible in show running-config where you'll see both lines, but IOS only evaluates the secret. The implication for password recovery: if you encounter a device with only enable password (legacy, poor security), you might be able to read it from the startup-config directly without going through ROMMON. If enable secret is configured (correct practice), you cannot read the original password from any output — the hash is one-way. Recovery always means setting a new password.

5. An engineer is performing password recovery on a router and successfully enters ROMMON. They type `confreg 0x2142` and `reset`. After the router boots, they run `copy startup-config running-config`, set a new enable secret, and then forget to run `config-register 0x2102` before typing `copy running-config startup-config`. What is the consequence?

A. No consequence — the config-register value is not stored in the startup-config and the router will automatically revert to 0x2102 B. The router will stay in ROMMON on the next boot and the engineer must enter confreg 0x2102 from ROMMON to fix it C. The config-register is stored in hardware, not NVRAM — forgetting to set it is harmless D. The startup-config now contains config-register 0x2142. Every time the router reboots, it will ignore the startup-config — boot with no hostname, no passwords, no IP addresses configured. The device will appear to "lose all configuration" after every reload. The fix is to console in, run copy startup-config running-config again, set config-register 0x2102, save, and reload. This is a frustrating but recoverable situation — however, on a production router it would cause a full service outage every time the device reboots

Correct answer is D. The config-register value IS stored as part of the running-config and startup-config — you can see it with show running-config | include config-register. When you set confreg 0x2142 in ROMMON, this change takes effect for the current boot. When the router boots and you enter the config-register 0x2102 command in global config mode, it writes the correct value to the running-config. If you skip this step and save, the startup-config will contain config-register 0x2142. On the next reboot, IOS reads this value from NVRAM, sees bit 6 is set, and skips loading the startup-config again. The router boots with no configuration. An alarmed on-call engineer consoles in, finds a clean unconfigured device, runs copy startup-config running-config to "recover" the config — and the cycle repeats. Every reboot causes the same problem. To detect this: after any password recovery, always verify show running-config | include config-register shows 0x2102 (or the original value), and check show version which shows both the currently active value and the value that will be used at next reload.

6. During the Catalyst 2960 password recovery procedure, an engineer types `delete flash:config.text` at the `switch:` prompt instead of `rename flash:config.text flash:config.old`. What is the impact compared to using rename?

A. No difference — both commands achieve the same result of preventing config.text from loading during boot B. Using delete permanently destroys the original startup-config — all hostname, VLAN, interface, routing, and ACL configuration is gone. The switch boots without any configuration and there is nothing to restore. Using rename preserves the file under a different name (config.old) so it can be renamed back and loaded after gaining access. The rename approach is always preferred because it treats the startup-config as recoverable rather than disposable C. delete marks the file for deletion but the flash filesystem keeps it recoverable for 30 minutes — use squeeze flash: to permanently delete D. The delete command requires confirmation and the engineer would have been warned before the file was erased

Correct answer is B. The distinction between delete and rename in password recovery is the difference between a recoverable procedure and a potentially catastrophic one. When you rename config.text to config.old, the file contents are completely preserved — the same bytes, the same configuration, just under a different filename that IOS does not look for on boot. After gaining privileged exec access, you rename it back and copy it into running-config. All configuration is restored. When you use delete, on most IOS filesystem implementations the file is immediately removed (or marked as deleted and the space is reclaimed). The original configuration cannot be recovered from flash. This is equivalent to running write erase from a configuration perspective — all interface assignments, routing protocol config, VLAN configuration, ACLs, SSH keys, NTP settings, SNMP configuration, everything is lost. The switch will function as a fresh factory-default unit and require complete reconfiguration. In a production environment this would require the engineer to have the full device configuration backed up (ideally in a network management system, Git repository, or configuration backup tool like RANCID/Oxidized) to restore it. Option C is incorrect — IOS flash filesystems do not have a 30-minute recovery window like Windows Recycle Bin; deletion is immediate.

7. A router's config-register is set to 0x2122. An engineer tries to perform password recovery by sending the Break signal 10 seconds after powering on the router, but the router boots normally every time. Why does the Break key not work, and what are the options?

A. The Break signal was sent too late — 10 seconds is past the 5-second window. Try sending it within 2 seconds of power-on B. The terminal emulator's Break key sequence is incorrect — try Ctrl+C instead C. Config-register 0x2122 has bit 8 (0x0100) set, which disables the Break key. The router ignores Break signals during boot regardless of timing or key sequence. Options: (1) If any level of IOS access is available (even user exec), enter config-register 0x2102 in global config, save, reload, then perform normal ROMMON recovery; (2) Use the ROMmon password recovery through a different physical method if the platform supports it; (3) As a last resort, perform a factory reset D. The 0x2122 config-register requires a special break sequence of Ctrl+Break held for 5 seconds rather than a brief press

Correct answer is C. Config-register 0x2122 = 0x2102 (normal) + 0x0020 (which would be bit 5) — actually let's decode it precisely: 0x2122 in binary is 0010 0001 0010 0010. Compared to 0x2102 (0010 0001 0000 0010), the difference is bit 5 (0x0020). However, the more commonly discussed bit-8 scenario applies to 0x2202. The principle remains: certain config-register bits disable the Break key or modify ROMMON access. When Break is disabled, no amount of correct timing or alternative key sequences will enter ROMMON — the hardware-level interrupt is masked. The practical recovery path depends on whether any IOS access exists: if the device has user-exec access (even with unknown enable secret), you might be able to exploit legacy methods or check if the enable password (not secret) is set without service password-encryption (readable from show running-config in user exec on some platforms). If absolutely no access is available, the only path is platform-specific ROMMON access methods or factory reset. This scenario illustrates why disabling the Break key (for security) must be paired with rigorous password documentation — you've deliberately removed the recovery mechanism.

8. After completing password recovery on a router and saving, an engineer runs `show version` and sees: "Configuration register is 0x2142 (will be 0x2102 at next reload)." Should the engineer be concerned, and what does this message mean?

A. The engineer should NOT be concerned — this is the normal expected output immediately after recovery. The "(will be 0x2102 at next reload)" message means the config-register 0x2102 command was entered and saved correctly. The current boot used 0x2142 (ROMMON set), and the saved startup-config now specifies 0x2102 for all future boots. On the next reload, the router will read 0x2102 from the startup-config and boot normally with the startup-config loaded B. The engineer should be concerned — this means the startup-config still contains 0x2142 and the next reload will again bypass the startup-config C. The engineer should run confreg 0x2102 in ROMMON to immediately change the active value before continuing D. The message means the config-register was set to 0x2102 in ROMMON but the IOS command config-register has not been entered yet

Correct answer is A. The two-part message in show version is the normal, expected, and correct output at this stage of password recovery. "Configuration register is 0x2142" describes the config-register value used for the CURRENT boot — the boot that is currently running. Since we entered ROMMON and set confreg 0x2142, then rebooted, this boot used 0x2142. That's correct and expected. "(will be 0x2102 at next reload)" describes what is stored in the startup-config for FUTURE boots. This is the result of having run config-register 0x2102 in global config mode and then saved the configuration. The startup-config now correctly contains the 0x2102 value. On the next reload, IOS reads the startup-config, finds the config-register 0x2102 directive, and uses that value — meaning it will load the startup-config (including the new password) normally. If the engineer saw "Configuration register is 0x2142 (will be 0x2142 at next reload)" — that would be the problem scenario (Option B), indicating that the config-register correction was never made or not saved. The word "will be" combined with the correct 0x2102 value is confirmation that the procedure was completed correctly.

9. A Catalyst 9300 is running IOS-XE. During password recovery, the engineer enters the `switch:` ROMMON prompt and sets `SWITCH_IGNORE_STARTUP_CFG=1` followed by `boot`. After resetting the password and saving, they forget to clear the `SWITCH_IGNORE_STARTUP_CFG` variable. What happens on the next power cycle?

A. Nothing — SWITCH_IGNORE_STARTUP_CFG is a one-time flag that automatically resets to 0 after being used B. The switch boots normally — saved environment variables do not persist across reboots on Catalyst 9000 C. The switch enters ROMMON on every boot until the variable is cleared D. The switch will boot ignoring the startup-config on every subsequent power cycle — appearing to lose all configuration after every reboot. The saved startup-config (with the new password and all original configuration) is still in NVRAM, but is skipped because the environment variable persists across reboots. The fix is to enter IOS after the next reboot, run no system ignore startupconfig switch all (IOS-XE global config), then save and reload. Alternatively, enter ROMMON and set SWITCH_IGNORE_STARTUP_CFG=0 followed by sync

Correct answer is D. This is the Catalyst 9000 equivalent of the router problem where config-register 0x2142 is saved into the startup-config (Question 5). The ROMMON environment variable SWITCH_IGNORE_STARTUP_CFG is stored in persistent NVRAM/flash on the Catalyst 9000 platform — it is not a temporary flag. When set to 1 and written (via the sync command or automatically), it persists across power cycles. Every boot reads this variable, sees it is 1, and skips loading the startup-config. The symptoms are: switch boots with generic "Switch" hostname, no passwords, no configuration — despite the administrator having saved a complete configuration. The configuration is intact in startup-config/NVRAM; it is just being ignored. The IOS-XE correction command no system ignore startupconfig switch all is the clean way to clear this persistent state from within IOS. The "switch all" qualifier applies the setting to all switches in a stack. After running this command and saving, the next reload will correctly load the startup-config. This scenario demonstrates why every step of the password recovery procedure must be verified before considering the job complete — including confirming the boot bypass mechanism is fully reversed.

10. An engineer needs to perform password recovery on a Cisco router but only has SSH access (no console cable). The enable secret is unknown. Is remote password recovery possible, and what are the options?

A. Yes — the debug aaa authentication command reveals the enable secret hash which can be cracked remotely B. Yes — use the configure replace nvram:startup-config command to bypass the enable secret check C. Standard ROMMON password recovery is NOT possible without physical console access — ROMMON requires a console connection because SSH/VTY access is lost when the device reboots. However, if the unknown password is only the enable secret (not the VTY/SSH password), and if the VTY is configured with privilege level 15 or if the device has a privilege 15 local user whose password is known, the engineer may already have effective privileged access via SSH. If truly locked out, physical console access is mandatory for ROMMON recovery — there is no remote alternative D. Yes — Cisco provides a remote password recovery tool via TAC that can push a signed recovery image to the device over SSH

Correct answer is C. ROMMON password recovery is fundamentally a physical access procedure — this is by design, not a limitation. The security model is: to recover a Cisco device's passwords, you must have physical access to it. This is a deliberate security control. When the device reboots into ROMMON (step 2 of router recovery), all network interfaces are down, no routing is running, and no SSH/VTY access exists. The only communication path to the device is the physical console port. Without a console cable and physical proximity (or a console server/terminal server providing out-of-band access), ROMMON recovery cannot be performed. The practical implication is that before declaring a device irrecoverable remotely, the engineer should consider: (1) Does SSH access work but only user-exec is available? If VTY line is configured with privilege 15, SSH login gives direct privileged access. (2) Are there other local users with known passwords and privilege 15? (3) Is AAA configured and the TACACS/RADIUS server accessible with credentials that have privilege 15? (4) Is there a console server (terminal server) providing out-of-band console access that can be reached remotely? If none of these apply, dispatching someone to the physical location with a console cable is the only option. This is why out-of-band management (OOB) and console servers are critical infrastructure components in enterprise networks.

Back to Home