
Categories:
Security
Network

How to sanitize a Cisco 9200 switch.

This is needed when you want to return your equipment to its original configuration and do not want to leave any information on it.

To sanitize the switch the following steps need to be done:

1. Install a new default configuration
2. Factory reset
3. Update the firmware

If you need to erase a switch without admin access, first follow these steps from the bootloader (ROMMON) prompt.

Step 1. Ignore the startup configuration with the following command:

    Switch: SWITCH_IGNORE_STARTUP_CFG=1

Step 2. Boot the switch with the packages.conf file from flash.

    Switch: boot flash:packages.conf

Step 3. Terminate the initial configuration dialog by answering No.

    Would you like to enter the initial configuration dialog? [yes/no]: No

Step 4. At the switch prompt, enter privileged EXEC mode.

    Switch> enable
    Switch#

1) Install a default configuration

To erase both configuration files (and start over), enter the write erase and reload commands:

    switch> enable
    switch# write erase

    Erasing the nvram filesystem will remove all files! Continue? [confirm]y[OK]
    Erase of nvram: complete

    switch# reload

    System configuration has been modified. Save? [yes/no]: n
    !--- Do not save the configuration at this prompt. Otherwise, the switch
    !--- reloads with the current running configuration and does not reset to default.

    Proceed with reload? [confirm]y

    2w0d: %SYS-5-RELOAD: Reload requested

Then delete the VLAN database, which is stored separately from the configuration files, and reload again:

    switch# delete flash:vlan.dat
    Delete filename [vlan.dat]?

    !--- Press Enter.

    Delete flash:vlan.dat? [confirm]y

    Cat2950# reload
    Proceed with reload? [confirm]y
    4w5d: %SYS-5-RELOAD: Reload requested

2) Factory reset

    switch> enable
    switch# factory-reset all

    !--- The firmware is deleted as well and will need to be reloaded manually from a USB stick.

3) Upgrade the firmware

As there is no firmware on the switch after the reset, this step only transfers a new firmware image and boots from it.

We assume that the appropriate firmware is on a USB stick.

    switch: dir usbflash0:Cisco/Catalyst_9200/Amsterdam-17.3.3/

    Attributes        Size         Name
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ----A      482403517   cat9k_lite_iosxe.17.03.03.SPA.bin
    ----A            301   cat9k_lite_iosxe.17.03.03.SPA.txt
    ----A         500211   ol-17-3-9200.pdf

We need to boot the new firmware from the USB stick before copying it to the switch:

    switch: boot usbflash0:Cisco/Catalyst_9200/Amsterdam-17.3.3/cat9k_lite_iosxe.17.03.03.SPA.bin

    boot: attempting to boot from [usbflash0:Cisco/Catalyst_9200/Amsterdam-17.3.3/cat9k_lite_iosxe.17.03.03.SPA.bin]

    boot: reading file Cisco/Catalyst_9200/Amsterdam-17.3.3/cat9k_lite_iosxe.17.03.03.SPA.bin

Booting the new image recreates the flash directory structure and starts with a fresh (empty) configuration.

    No startup-config, starting autoinstall/pnp/ztp...

    Autoinstall will terminate if any input is detected on console


             --- System Configuration Dialog ---

    Would you like to enter the initial configuration dialog? [yes/no]: no

    Would you like to terminate autoinstall? [yes]:


    Press RETURN to get started!

Once booted, we need to copy the firmware to the flash of the switch:

    Switch#copy usbflash0:/Cisco/Catalyst_9200/cat9k_lite_iosxe.17.03.03.SPA.bin flash:
    Destination filename [cat9k_lite_iosxe.17.03.03.SPA.bin]?
    Copy in progress...CCCCCCC

We then need to set the boot variable so the switch boots from the copied image:

    Switch#dir
    Directory of flash:/

    80962   drwx             4096  Nov 12 2021 22:53:16 +00:00  .installer
    81034   -rw-        482403517  Nov 12 2021 22:52:54 +00:00  cat9k_lite_iosxe.17.03.03.SPA.bin
    81031   drwx             4096  Nov 12 2021 22:47:47 +00:00  pnp-tech
    81030   -rw-                0  Nov 12 2021 22:46:17 +00:00  dope_hist
    81024   -rw-            15088  Nov 12 2021 22:46:17 +00:00  rdope_out.txt
    81025   -rw-               89  Nov 12 2021 22:46:14 +00:00  rdope.log
    81029   -rw-          2097152  Nov 12 2021 22:46:10 +00:00  nvram_config_bkup
    81027   -rw-          2097152  Nov 12 2021 22:46:10 +00:00  nvram_config
    81023   drwx             4096  Nov 12 2021 22:46:05 +00:00  license_evlog
    80967   drwx             4096  Nov 12 2021 22:46:05 +00:00  core
    81021   drwx             4096  Nov 12 2021 22:45:44 +00:00  onep
    81020   drwx             4096  Nov 12 2021 22:45:44 +00:00  pnp-info
    81018   drwx             4096  Nov 12 2021 22:45:17 +00:00  .dbpersist
    81004   -rw-           134458  Nov 12 2021 22:44:28 +00:00  memleak.tcl
    81015   -rw-             2131  Nov 12 2021 22:44:12 +00:00  boothelper.log
    80997   drwx             4096  Nov 12 2021 22:44:10 +00:00  dc_profile_dir
    80966   -rw-               74  Nov 12 2021 22:43:52 +00:00  bootloader_evt_handle.log
    80999   -rw-             3301  Nov 12 2021 22:33:26 +00:00  boothelper.log.old
    81005   drwx             4096  Nov 12 2021 22:33:26 +00:00  Tbot
    81000   drwx             4096  Nov 12 2021 22:33:20 +00:00  sys_report
    80974   drwx             4096  Nov 12 2021 22:33:18 +00:00  tech_support
    80973   drwx             4096  Nov 12 2021 22:33:18 +00:00  ss_disc
    80972   -rw-          5242880  Nov 12 2021 22:33:18 +00:00  ssd
    80968   drwx             4096  Nov 12 2021 22:33:18 +00:00  .prst_sync
    80963   drwx             4096  Nov 12 2021 22:32:57 +00:00  .rollback_timer

    1956839424 bytes total (1359659008 bytes free)

    Switch#conf t

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#boot system flash:cat9k_lite_iosxe.17.03.03.SPA.bin

    Switch(config)#exit

    Switch#copy running-config startup-config

    Destination filename [startup-config]?

    Building configuration...

    [OK]

We can check the boot variables:

    Switch#sh boot
    ---------------------------
    Switch 1
    ---------------------------
    Current Boot Variables:
    BOOT variable = flash:cat9k_lite_iosxe.17.03.03.SPA.bin;

    Boot Variables on next reload:
    BOOT variable = flash:cat9k_lite_iosxe.17.03.03.SPA.bin;
    Manual Boot = no
    Enable Break = no
    Boot Mode = DEVICE
    iPXE Timeout = 0

The last step is to reboot the switch without the USB stick to make sure it boots cleanly from flash.

    Switch# reload
    Reload command is being issued on Active unit, this will reload the whole stack
    Proceed with reload? [confirm]
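As an added check that is not part of the original article, the following Python script parses the `show boot` and `dir flash:` output shown above and confirms the post-reset state before the final reload: the next-reload BOOT variable points at the copied image, manual boot is off, the image is actually on flash, and vlan.dat is gone. The sample outputs are constructed from the sessions on this page (trimmed); the image name is passed in as a parameter.

```python
# Constructed sample output: the "show boot" and "dir" sessions on this page, trimmed.
SHOW_BOOT = """Boot Variables on next reload:
BOOT variable = flash:cat9k_lite_iosxe.17.03.03.SPA.bin;
Manual Boot = no
Enable Break = no
Boot Mode = DEVICE
iPXE Timeout = 0
"""
DIR_FLASH = """Directory of flash:/
81034   -rw-        482403517  Nov 12 2021 22:52:54 +00:00  cat9k_lite_iosxe.17.03.03.SPA.bin
81027   -rw-          2097152  Nov 12 2021 22:46:10 +00:00  nvram_config
80963   drwx             4096  Nov 12 2021 22:32:57 +00:00  .rollback_timer
1956839424 bytes total (1359659008 bytes free)
"""

def next_reload_boot_vars(text):
    """Parse the 'Boot Variables on next reload' block of 'show boot' into a dict."""
    section = text.split("Boot Variables on next reload:", 1)[-1]
    out = {}
    for line in section.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().rstrip(";")
    return out

def flash_files(text):
    """Return {name: size} for regular files (directories have 'd' attrs) in a dir listing."""
    files = {}
    for line in text.splitlines():
        parts = line.split()  # inode, attrs, size, Mon, day, year, time, tz, name
        if len(parts) >= 9 and parts[0].isdigit() and parts[1].startswith("-"):
            files[parts[-1]] = int(parts[2])
    return files

def verify_sanitized(show_boot, dir_listing, image):
    """Return a list of findings; empty means the post-reset state matches the procedure."""
    findings = []
    boot = next_reload_boot_vars(show_boot)
    if boot.get("BOOT variable") != f"flash:{image}":
        findings.append(f"BOOT variable is {boot.get('BOOT variable')!r}, expected flash:{image}")
    if boot.get("Manual Boot") != "no":
        findings.append("Manual Boot is not 'no': the switch would stop in ROMMON on reload")
    files = flash_files(dir_listing)
    if files.get(image, 0) == 0:
        findings.append(f"{image} is missing or empty on flash:")
    if "vlan.dat" in files:
        findings.append("vlan.dat is still present on flash: (VLAN database not erased)")
    return findings
```

Paste the real `show boot` and `dir flash:` output from the console into the two strings and an empty result means the switch is ready for the final reload.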