08-19-2025 07:02 PM
Hello,
We have been getting a lot of requests to keep a record of having the devices NIST purged (NIST 800-88).
Now, some versions of IOS-XE have the actual command, “factory-reset secure”, which prints a record in the console log that the device was purged before being used again or sent to be recycled.
We are working with some older models like the 2960 and 2960-S that don’t have it, but we were going to test whether formatting, or using the “format flash:”, “write erase” or “erase /all non-default” commands 3 or more times, would work.
If not, do I have to erase the flash and fill it up with randoms or zero out another way?
Can anyone add input there?
Thank you!
08-19-2025 11:45 PM
On older devices like the 2960/2960-S, factory-reset secure is not available, so meeting NIST 800-88 requirements requires manual steps.
Here’s what’s commonly accepted:
write erase + erase flash: + erase /all nvram: – this clears config and some data but does not securely wipe flash.
For NIST compliance, you typically need to:
Format the flash using format flash:
Fill the flash with random or zero data (manually or via script using TFTP/copied files)
Repeat 3x (as per NIST recommendation for non-crypto erasure)
You can also copy a large dummy file repeatedly until the flash is full, then reformat
08-20-2025 05:15 PM
The "format flash:" command will only empty the entire flash.
08-19-2025 09:04 PM
The command "factory-reset" is only for IOS-XE. Classic IOS does not have this command but formatting the flash is as good as it gets.
08-20-2025 05:45 AM
Hi Leo, thank you for clearing that up.
For classic IOS, does the format command write the entire flash every time you issue it? Or would I need to write over the “empty” space?
08-20-2025 07:26 AM
Usually a format just resets the control structures for the media, much like a file deletion or erasure resets the control information for an individual file. I.e. file contents are still on the media but can now be rewritten.
As suggested by @Stefan Mihajlov copying data onto the flash would overwrite prior contents.
Possibly the easiest way to accomplish that might be to copy a file larger than free space. The copy will fail when the free space is exhausted.
As to the NIST recommendation to do this 3x, I recall that it addresses disk media, which might have a faint copy of the prior data on the edge of a track. I don't know if it applies to flash. (Even if it doesn't, I could see NIST just providing one recommendation that works everywhere even if not necessary everywhere.)
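The fill-and-reformat procedure from the accepted answer, and the "copy a file larger than free space" approach above, both need two things from the operator: the free-space figure from `dir flash:` and a check afterwards that the fill really consumed it. The following helper is an added example written for this thread, not code from Cisco or from any poster; it assumes the classic IOS `dir flash:` summary line format "N bytes total (M bytes free)", a fill file served from a placeholder TFTP address, and a 4 KiB slack threshold for the verification, all of which are constructed for the example.

```python
import re

# Constructed sample summary lines as printed by "dir flash:" on classic IOS
# (numbers are invented for this example).
SAMPLE_DIR_BEFORE = "32514048 bytes total (20017152 bytes free)"
SAMPLE_DIR_AFTER = "32514048 bytes total (1536 bytes free)"

_DIR_SUMMARY = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def parse_dir_summary(dir_output: str) -> tuple[int, int]:
    """Return (total_bytes, free_bytes) from the summary line of `dir flash:`."""
    match = _DIR_SUMMARY.search(dir_output)
    if not match:
        raise ValueError("no 'bytes total (... bytes free)' line found")
    return int(match.group(1)), int(match.group(2))


def fill_plan(free_bytes: int, chunk_bytes: int) -> tuple[int, int]:
    """Copies of a chunk-sized fill file needed to exhaust free space.

    Returns (copies, last_chunk_bytes). The final copy is expected to fail
    once free space runs out, which is exactly what overwrites the tail.
    """
    copies = -(-free_bytes // chunk_bytes)  # ceiling division
    return copies, free_bytes - (copies - 1) * chunk_bytes


def overwrite_commands(free_bytes: int, chunk_bytes: int, passes: int = 3,
                       fill_url: str = "tftp://192.0.2.10/fill.bin") -> list[str]:
    """Build the IOS command sequence for `passes` fill-then-reformat rounds.

    192.0.2.10 is a documentation placeholder; replace with your TFTP server.
    Each pass: reformat, copy the fill file until the copy fails, re-check.
    """
    copies, _ = fill_plan(free_bytes, chunk_bytes)
    commands = []
    for n in range(1, passes + 1):
        commands.append("format flash:")
        for i in range(1, copies + 1):
            commands.append(f"copy {fill_url} flash:fill-p{n}-{i}.bin")
        commands.append("dir flash:")  # capture this output for the record
    return commands


def overwrite_verified(free_after: int, slack_bytes: int = 4096) -> bool:
    """True when the post-fill `dir flash:` shows only a small residual gap."""
    return free_after <= slack_bytes
```

Keep the `dir flash:` output from each pass alongside the device serial number as the sanitization record the original question asks for.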