Cisco 9300 Password Recovery Guide – Step-by-Step Safe Procedure

Getting locked out of a Cisco Catalyst 9300 switch can be stressful, especially if it’s a production device or part of a StackWise deployment. Fortunately, recovering a lost password on a Cisco 9300 or 9300L running IOS XE is straightforward if you follow the correct procedure. This guide will walk you through a safe, step-by-step method to regain access without losing your existing configuration.

Table of Contents

• Part 1: Key Pre-Action Considerations
• Part 2: Cisco 9300 vs Older Catalyst Models
• Part 3: Step-by-Step Password Recovery (Standalone Switch)
• Part 4: StackWise Deployments
• Part 5: Common Troubleshooting
• Part 6: FAQs – Cisco 9300 Password Recovery

Part 1: Key Pre-Action Considerations

Before starting the recovery process, keep the following in mind:

• Can I recover the password without losing configuration?
  Yes. The procedure uses a ROMMON variable to bypass the stored passwords, allowing you to restore the original configuration after recovery.
• Will a reboot be required?
  Yes. Accessing ROMMON requires a power cycle or reload, so plan accordingly if this is a live switch.
• Does this affect licenses or support?
  The process does not erase configuration, but always verify post-recovery that licensing, StackWise roles, and interfaces are intact.

Part 2: Cisco 9300 vs Older Catalyst Models

The Cisco 9300 password recovery differs from older models like the 2960X or 3850:

Part 3: Step-by-Step Password Recovery (Standalone Switch)

Step 1: Connect via Console

Use a console cable and terminal emulator (PuTTY, SecureCRT, Tera Term). Typical settings: 9600 baud, 8 data bits, no parity, 1 stop bit.

Step 2: Interrupt Boot to Enter ROMMON

1. Power-cycle or reload the switch.
2. During boot, press Ctrl-C when prompted or press the Mode button repeatedly until the switch: prompt appears.

Step 3: Set ROMMON Variable

At the switch: prompt, instruct the switch to ignore the startup configuration:

switch: SWITCH_IGNORE_STARTUP_CFG=1
switch: boot

Step 4: Skip Initial Configuration Dialog

When prompted:

Continue with configuration dialog? [yes/no]:

Type no. The switch will boot without loading the saved configuration.

Step 5: Restore Configuration and Set New Password

Switch> enable
Switch# copy startup-config running-config
Switch# configure terminal
Switch(config)# username admin privilege 15 secret NEW_PASSWORD
Switch(config)# enable secret NEW_ENABLE_PASSWORD

Step 6: Reset Ignore Variable and Save

Switch# no system ignore startupconfig switch all
Switch# copy running-config startup-config
Switch# show romvar | include SWITCH_IGNORE_STARTUP_CFG

Expected result: SWITCH_IGNORE_STARTUP_CFG=0

Part 4: StackWise Deployments

Standard StackWise

• Power off all members except the active switch.
• Perform the recovery on the active member.
• Save configuration and power on remaining stack members.

StackWise Virtual (SVL)

• Power off the standby switch.
• Recover password on active switch.
• Verify SVL configuration remains intact, then power on standby.

Part 5: Common Troubleshooting

• ROMMON prompt not appearing: Try repeated Mode button presses instead of holding it.
• Configuration not restored: Ensure copy startup-config running-config executed and ignore variable cleared.
• Stack issues after recovery: Verify stack roles, priorities, and member numbering.

Part 6: FAQs – Cisco 9300 Password Recovery

Q1: How to reset password on Cisco 9300 switch?

Access ROMMON using Ctrl-C or Mode button, set SWITCH_IGNORE_STARTUP_CFG=1, boot the switch, restore the configuration, set a new password, and clear the ignore variable before saving.

Q2: Can I recover a Cisco 9300 password without factory reset?

Yes, this process retains all VLANs, interfaces, routing, and configuration.

Q3: What if I forget both enable and console passwords?

Use the same ROMMON procedure. Physical console access is required.

Q4: Does this work on Cisco 9300L?

Yes. The steps are identical for 9300 and 9300L running IOS XE.