Reset Cisco Switch to Factory Default Through CLI

This article is based on an old article I wrote back in 2018 on the same subject. Hopefully this article, with my experience in technology and writing, will be more helpful.

Over the years of building out and maintaining my home lab, I have accumulated a fair number of network switches. Some of them were purchased new, some were pulled from decommissioned infrastructure. The ones that came from somewhere else almost always have leftover configuration on them – old VLANs, passwords I don’t know, and management settings that conflict with my setup. Before I can put one of these into production in my network, it has to start completely clean.

Even switches I have owned for a while sometimes need to be wiped, for example if you fat-finger a change that locks you out of the management interface, or if you are repurposing a switch from one part of the network to another and just want a guaranteed clean starting point.

Cisco is one of the most common switch brands you will run into, especially the Catalyst line of edge switches. They are workhorses and you can find them everywhere. This walkthrough will cover how to reset one of those switches back to factory defaults using the command line interface by getting into recovery mode and deleting the configuration files directly from flash.

Note – This process applies to legacy Cisco Catalyst IOS switches like the 2960, 3560, and 3750 series. If you have a newer Catalyst 9000 series switch running IOS-XE, the process is different. Those switches support a factory-reset all command you can run directly from the exec prompt, and recovery mode works differently.


What You’ll Need

Before we get into it, there are a couple things you need to have on hand.

Serial Cable – On legacy Catalyst switches (2960, 3560, 3750), the console port is an RJ-45 connector on the front panel. You will need a Cisco console cable, which is an RJ-45 to DB-9 serial cable (typically light blue in color). Since almost no modern laptops have a DB-9 serial port anymore, you will also need a USB to DB-9 serial adapter. I keep one in my toolkit at all times for exactly this reason. If you happen to be working with a newer Catalyst 9000 series switch, it has both the traditional RJ-45 console port and a USB Mini-B port on the front – a standard USB Mini-B cable connects directly to your laptop without the need for an adapter.

Terminal Software – You need something to communicate with the switch over that serial connection. PuTTY is the most common option on Windows and it’s free. When you set it up, make sure your connection settings match the Cisco default: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. If you don’t match these settings, you will get garbage characters on the screen or nothing at all.

Once you have both of those, connect your serial cable from your computer to the console port on the switch. Don’t power the switch on yet.


Getting Into Recovery Mode

The Cisco Catalyst switches have a recovery mode that is triggered during the boot process. This is how we are going to get access to the flash filesystem without needing to know the existing enable password or any login credentials.

Step 1 – Open your terminal before powering on

This is important. You want your terminal session open and connected before you power on the switch. That way you catch the very beginning of the boot output and you won’t miss the window to trigger recovery mode.

Step 2 – Power on the switch while holding the Mode button

Plug in the switch and immediately hold down the Mode button on the front panel. Keep holding it. You are looking for the SYST LED (System LED) on the front of the switch to flash amber. Once you see that, you can release the button.

If you miss the window, just unplug the switch and try again. It takes a couple attempts sometimes to get the timing right. The window is only a few seconds, so be ready.

Once you release the Mode button, the switch will drop you to a recovery prompt that looks like this:

switch:

That switch: prompt is what we are after. This is the switch’s boot loader environment and it gives us direct access to the flash filesystem.


Clearing the Configuration

Now that we are at the switch: prompt, there are three commands we need to run to get the switch back to a clean state.

Step 3 – Initialize the flash filesystem

flash_init

Run this command first. This mounts the flash storage so we can interact with the files on it. Without running this first, the del commands won’t be able to find anything. It will output some information about the flash as it initializes – that’s normal, just let it finish.

Step 4 – Delete the startup configuration

del flash:config.text

This is the main configuration file for the switch. It stores everything – VLANs, port configurations, interface settings, the enable password, management IP, all of it. When the switch boots and this file doesn’t exist, it starts fresh. Type y when it asks you to confirm the deletion.

Step 5 – Delete the VLAN database

del flash:vlan.dat

The VLAN database is stored separately from the main config file, which trips a lot of people up. If you only delete config.text, the switch will still come up with the old VLAN configuration intact. You have to delete both. Type y to confirm this one as well.


Rebooting the Switch

Step 6 – Boot the switch

boot

That’s it. The switch will reboot. Watch the terminal output during the boot process to make sure it doesn’t hit any errors. Don’t be surprised if it takes a while – a Catalyst switch typically takes 2 to 4 minutes to fully boot depending on the model, and stacked switches can take even longer. Just let it run.


What to Expect After the Reboot

When the switch finishes booting, it should prompt you with something like:

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:

If you see that prompt, you did it right. The switch is completely clean and at factory defaults. You can type no if you want to configure it manually through the CLI, or walk through the setup wizard if you prefer.

If the switch comes back up and immediately asks for a login or an enable password instead of the setup dialog, something went wrong. The most common cause is that config.text was not actually deleted. There is also a gotcha worth knowing about – when you hold the Mode button to enter recovery mode, some IOS versions automatically rename config.text to config.text.renamed before dropping you to the switch: prompt. This is part of Cisco’s built-in password recovery mechanism. If that file is sitting on the flash when you boot, the switch can pick it back up. If that happens, go back into recovery mode, run flash_init again, and then run dir flash: to see everything that is on the flash. Delete any config files you see, including anything named config.text.renamed, and reboot again.
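
To double-check the wipe described above, here is an added example (not part of the original article and not Cisco tooling) that audits a saved console log, such as a PuTTY session log, for leftover config files and for the setup dialog. It assumes you ran dir flash: once more after the del commands; the sample log, its file names and <date> placeholders, and the credential-prompt wording are constructed for illustration.

```python
import re

# Names the article says must be gone; substring match also catches config.text.renamed.
LEFTOVER = re.compile(r"config\.text|^vlan\.dat$", re.IGNORECASE)
SETUP_PROMPT = "Would you like to enter the initial configuration dialog?"
# Assumed wording of a credential prompt; adjust to what your switch prints.
AUTH_PROMPT = re.compile(r"^\s*(Username|Password):", re.MULTILINE)
# Constructed sample log, not captured from a real switch.
SAMPLE = """\
switch: flash_init
switch: del flash:config.text
switch: del flash:vlan.dat
switch: dir flash:
Directory of flash:/
    2  -rwx  1048  <date>  ios-image.bin
    3  -rwx  5752  <date>  config.text.renamed
switch: boot
"""


def leftover_files(log):
    """Config files still listed by the last 'dir flash:' in the log."""
    blocks = re.split(r"^.*\bdir flash:[ \t]*$", log, flags=re.MULTILINE)
    if len(blocks) < 2:
        raise ValueError("no 'dir flash:' listing found in log")
    found = []
    for line in blocks[-1].splitlines():
        if line.lstrip().startswith("switch:"):  # next prompt ends the listing
            break
        parts = line.split()
        # A file entry starts with an index number and ends with the name.
        if len(parts) >= 3 and parts[0].isdigit() and LEFTOVER.search(parts[-1]):
            found.append(parts[-1])
    return found


def wipe_verdict(log):
    """Classify a console log captured across the whole reset."""
    files = leftover_files(log)
    if files:
        return "leftover config on flash: " + ", ".join(files)
    if SETUP_PROMPT in log:
        return "clean"
    if AUTH_PROMPT.search(log):
        return "switch still asks for credentials"
    return "inconclusive: boot output not captured"


print(wipe_verdict(SAMPLE))  # leftover config on flash: config.text.renamed
```
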


One thing I always do immediately after getting a clean switch is run a few basic commands to verify the state before I start configuring it. show version will confirm the IOS version running on it, which matters for knowing which features are available. show flash: will show you everything on the flash so you can see what’s there. And show running-config should come back completely minimal – just the default IOS stub configuration with nothing custom in it.

If you are picking this switch up used or pulling it from somewhere with an unknown history, now is also a good time to check the IOS version and see if there is a newer version worth loading before you build out your configuration on top of it. Saves you from having to go back and do it later.

Resetting a Cisco switch this way has been part of my standard process every time I bring a new piece of used networking gear into the lab. It takes about five minutes and gives you a clean, known state to work from. A lot better than trying to figure out what someone else configured and hoping you caught everything they left behind.