342 Views | 7 Helpful | 10 Replies

Password-recovery mechanism

chpmotry
Level 1

Hi guys.

The SOC administrator in my department told me that, for the purpose of securing the network, I should disable the password recovery service so that no one can access the switch configurations just by having a console cable. But I’m not sure whether disabling this feature might cause problems for me in the future if I ever need to access the ROMmon mode in switch models such as the 2960s, 2960x, 2600 and 2960G. Please help me understand: what problems might occur if I disable this feature?

10 Replies

Leo Laohoo
Hall of Fame

@chpmotry wrote:
for the purpose of securing the network, I should disable the password recovery service so that no one can access the switch configurations just by having a console cable

The most important part about "securing the network" is physical access. We have several thousand routers and switches locked behind a Class C cabinet. If an unauthorized person has access, the configuration of the router or the switch is the least of my worries.

And finally, disabling password recovery is a two-edged sword. Most of the time I've seen it, it has been deployed maliciously.

Thank you, dear colleague @Leo Laohoo.

I’ve been instructed to disable this feature, and I have no problem disabling the password recovery capability.

My main question is: could disabling this feature prevent me from accessing ROMmon mode in case the switch encounters a problem?

@chpmotry wrote:
could disabling this feature prevent me from accessing ROMmon mode in case the switch encounters a problem?

Depends on the OS (IOS vs IOS-XE) and on the platform, but, yes. In some platforms, particularly classic IOS routers, disabling password-recovery means getting into ROMMON is made more difficult.

In IOS-XE, disabling password-recovery means any attempt to perform password recovery will delete the config of the platform.

Thanks for the clarification. For my use case, it's enough if I can at least access ROMmon in critical situations just to factory-reset the switch configuration. Are you sure that even this minimal level of access could be affected? I just want to make sure that disabling password recovery won’t prevent me from reaching ROMmon when I need to wipe the config.

@chpmotry wrote:
Are you sure that even this minimal level of access could be affected?

I cannot answer this question because I do not know what platform this situation applies to. 

@chpmotry wrote:
I just want to make sure that disabling password recovery won’t prevent me from reaching ROMmon when I need to wipe the config.

Wut?

If I want to wipe the config of a router, switch, AP or WLC, I do not need to go into ROMMON to do that.  

Thank you so much @Leo Laohoo. Most of the switches under my management are model 2960X with IOS version 15.

When the switch encounters a problem loading the NVRAM, the only way to perform software-level troubleshooting is through ROMmon.

@chpmotry wrote:
When the switch encounters a problem loading the NVRAM, the only way to perform software-level troubleshooting is through ROMmon

RMA the switch.

Security feature functions are always an acceptable-risk type of scenario. It all depends on what your organization is willing to accept as the risk. As @Leo Laohoo said, if the switch is locked in a controlled room where only personnel who are allowed to access the switch have access, then it would be fine. However, if it's in a common area or an area where multiple entities have access, there may be a security concern. You as a network professional present the facts and scenarios where it's needed or not needed. At the end of the day, whichever decision is made will be organization policy. If there are any downfalls, it will need to be brought up again. For example, if the switch goes down and you couldn't do a password recovery (because you disabled the option), you would have to include that in your report of why it took so long to restore. Again, if the organization is OK with that metric, then that's what you will implement into your procedures.

-David

Thank you, dear colleague @David Ruess.
I’ve been instructed to disable this feature, and I have no problem disabling the password recovery capability.
My main question is: could disabling this feature prevent me from accessing ROMmon mode in case the switch encounters a problem?

You should still be able to access ROMMON mode for other functions, but the Password recovery in there will likely be inaccessible.
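Since the thread ends with the decision being organization policy, an audit of which switches actually carry the setting is the practical follow-up. The script below is an added example, not from this thread or from Cisco: it scans saved running-config backups (the sample configs are constructed) for the `no service password-recovery` line. It assumes the IOS behaviour that the default `service password-recovery` is not printed in a running-config, so absence of the `no` form means recovery is still enabled.

```python
import re

# Constructed sample backups keyed by file name (not real devices).
SAMPLE_CONFIGS = {
    "sw-lab-01.cfg": (
        "version 15.2\nno service pad\nhostname sw-lab-01\n"
        "no service password-recovery\nvlan 10\n"
    ),
    # Default state: IOS omits 'service password-recovery' from the config.
    "sw-lab-02.cfg": "version 15.2\nhostname sw-lab-02\nvlan 10\n",
    # Explicit enabled form, as a user might paste it in.
    "sw-lab-03.cfg": "version 15.2\nhostname sw-lab-03\nservice password-recovery\n",
}

HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)\s*$", re.M)
DISABLE_RE = re.compile(r"^no service password-recovery\s*$", re.M)


def password_recovery_enabled(config_text):
    """Return True unless the explicit 'no service password-recovery'
    global command is present. Only the 'no' form shows up in a
    running-config, so absence means the default (enabled) applies."""
    return DISABLE_RE.search(config_text) is None


def audit(configs, expect_disabled=True):
    """Report per-device state against the policy decision.
    expect_disabled=True mirrors the SOC instruction in the thread;
    set it to False if the organization accepts the recovery risk."""
    findings = []
    for name, text in configs.items():
        match = HOSTNAME_RE.search(text)
        host = match.group(1) if match else name
        enabled = password_recovery_enabled(text)
        findings.append({
            "host": host,
            "password_recovery_enabled": enabled,
            "compliant": enabled != expect_disabled,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIGS):
        state = "enabled" if f["password_recovery_enabled"] else "DISABLED"
        flag = "ok" if f["compliant"] else "NON-COMPLIANT"
        print(f"{f['host']:<12} password recovery {state:<9} {flag}")
```

Devices reported as DISABLED are the ones whose restore procedure must not rely on the console recovery steps Leo described.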