Cisco Catalyst 9300 Password Recovery: Technical Walkthrough for Engineers


When a password is lost or misconfigured on critical infrastructure like the Cisco Catalyst 9300, time becomes your enemy. This guide offers a precise, engineering-first approach to regaining CLI access, without erasing your switch’s configuration.
PART 1: Why Password Recovery Still Matters in Enterprise Networks
Despite centralized AAA deployments, many environments still rely on local credentials for fallback or legacy access. The Cisco 9300 Series is a backbone switch in many enterprise cores and distribution layers, so any lockout must be addressed fast, cleanly, and with minimal disruption.
This guide is written with the assumption that you're an engineer, integrator, or operations staff with console access and downtime clearance.
PART 2: What You Need Before You Start
Physical console access
Console cable (RJ-45 to DB9, USB-C, or mini-USB, depending on model)
Terminal emulator (PuTTY, Tera Term, SecureCRT, etc.)
Authorized maintenance window (password recovery requires a reboot)
PART 3: Step-by-Step: Catalyst 9300 Password Recovery Process
1. Console In and Reboot
Connect the console cable and set your terminal to:
Baud rate: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
Power cycle the switch (turn it off and back on).
2. Enter ROMMON (Boot Loader) Mode
Immediately press and hold the MODE button as the switch boots.
Release the button once the SYST LED turns solid amber, then begins blinking.
You should now see the switch: prompt, which confirms ROMMON mode is active.
3. Bypass the Startup Configuration
From the switch: prompt, enter:
SWITCH_IGNORE_STARTUP_CFG=1
boot
This will boot the switch with a blank running configuration, ignoring saved credentials.
4. Restore Config and Set New Password
Once booted:
- Enter privileged mode:
Switch> enable
- Load your saved configuration:
Switch# copy startup-config running-config
- Set a new local password using either:
Option A – Set enable secret:
Switch# configure terminal
Switch(config)# enable secret NewSecurePass123
Option B – Create a new local user:
Switch(config)# username admin privilege 15 secret NewSecurePass123
- Re-enable normal boot behavior:
Switch(config)# no system ignore startupconfig switch all
- Exit config mode:
Switch(config)# exit
5. Save Your Changes
Make sure everything is saved:
Switch# write memory
(Optional) Reboot the switch to test:
Switch# reload
PART 4: Troubleshooting Common Recovery Failures
Can't Enter ROMMON?
This is usually timing-related. Ensure you're pressing and holding the MODE button before the switch begins POST. It may take a few attempts.
“Password recovery is disabled” Message
If this appears, the device has password recovery protection enabled. You'll need to erase the configuration and reconfigure the switch manually.
In Stack Mode?
Only the master switch in a stack can enter recovery. Connect to the master's console, hold MODE, and reboot the entire stack; the procedure must be initiated from that unit.
SSH Not Working Post-Recovery?
You may need to regenerate RSA keys:
Switch(config)# crypto key generate rsa modulus 2048
PART 5: Post-Recovery: Best Practices
Back up configs regularly to SFTP/TFTP servers or USB drives.
Use AAA servers (TACACS+/RADIUS) to reduce reliance on local accounts.
Secure credential storage using encrypted vaults like Bitwarden or CyberArk.
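As an added example (not from the original post), here is a small Python audit of a saved running-config that checks the outcome of step 4 above and the AAA recommendation from this section: the enable secret and local users must be stored as irreversible hashes, no reversible "enable password" may remain, and AAA must be enabled. It goes slightly beyond the post by distinguishing Cisco's hash types (5 MD5, 7 reversible, 8 PBKDF2-SHA256, 9 scrypt); the config text and hash strings are constructed samples, not a capture from a real switch.

```python
import re

# Constructed sample of a Catalyst 9300 running-config after recovery.
# Hash strings are placeholders, not real device output.
SAMPLE_CONFIG = """\
version 17.3
hostname Switch
aaa new-model
enable secret 9 $9$abcdefghijklmn$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq
username admin privilege 15 secret 9 $9$opqrstuvwxyz1234$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq
username legacy password 7 0822455D0A16
line vty 0 4
 transport input ssh
end
"""

# Cisco IOS/IOS-XE credential encodings: 0 plaintext, 5 MD5, 7 reversible,
# 8 PBKDF2-SHA256, 9 scrypt. Only 8 and 9 are considered strong here.
STRONG_TYPES = {"8", "9"}


def audit_config(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. enable secret present and stored with a strong hash type
    enable_secret = re.search(r"^enable secret (\d+) ", config, re.M)
    if enable_secret is None:
        findings.append("no 'enable secret' configured")
    elif enable_secret.group(1) not in STRONG_TYPES:
        findings.append(f"enable secret uses weak hash type {enable_secret.group(1)}")

    # 2. no leftover 'enable password' (plaintext or reversible type 7)
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' present (plaintext or reversible type 7)")

    # 3. every local user stored with 'secret' and a strong hash type
    for m in re.finditer(r"^username (\S+) .*?\b(password|secret) (\d+) ", config, re.M):
        user, kind, htype = m.groups()
        if kind == "password" or htype not in STRONG_TYPES:
            findings.append(f"user '{user}' stored with {kind} type {htype}")

    # 4. AAA enabled, so local accounts are fallback rather than the only path
    if "aaa new-model" not in config.splitlines():
        findings.append("AAA not enabled; device relies solely on local credentials")

    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config (saved to a file) after the recovery; the legacy type 7 user in the sample is the kind of leftover this catches.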
If you manage Cisco infrastructure at scale, building a documented password recovery playbook for field engineers can save hours in the long run. This procedure should be tested and validated in your lab environment before rolling out as standard operating policy.