
How do I wipe data from Cisco routers and switches before discarding them?

Mike Mullins walks you through the process of clearing the configurations of both routers and switches in this best-practice Cisco tip.

As your organization's network continues to grow, you might find that you've outgrown your routers and switches and you need to deploy new ones. But what do you do with the old devices?

In "Don't Donate Corporate Secrets when Discarding Old Hardware," I discussed how to make sure you don't inadvertently pass on corporate data. But this best practice doesn't just apply to hard drives. You must also take steps to clear information from all other network devices before donating or selling them to make sure you don't donate your corporate secrets along with the hardware.

Wiping the configuration of your network devices is the best way to keep a black hat from gaining easy access to your network infrastructure. Let's look at how you can do this for both Cisco routers and switches.

Clear the configuration of your router

When it comes to clearing your Cisco router, you have two acceptable options. While most network administrators are familiar with both methods, they typically use them for different tasks.

The first method involves setting the configuration register to 0x2142. Most admins use this method to recover a password, but you can recover a password and wipe the configuration at the same time.

Follow these steps:

  1. Log on to the router, and enter privileged EXEC mode by entering enable and then entering the enable password.
  2. Enter configure terminal to go to Global Configuration Mode.
  3. Enter config-register 0x2142. (This causes the router to ignore the start-up configuration on the next reload.)
  4. Enter end, and reload the router by entering reload at the Router# prompt.
  5. The system will ask whether you want to save the configuration. Enter no, and confirm the reload at the next prompt.
  6. After the router has reloaded, the system will ask whether you want to enter the initial configuration dialog. Enter no.
  7. Change the configuration register setting to 0x2102 by entering enable and configure terminal to go back to Global Configuration Mode and then entering config-register 0x2102.
  8. Enter end, and then enter write memory to overwrite the existing start-up configuration with the current blank running configuration.
  9. Enter reload to reload the router and complete the wiping operation.

However, if you already know the password to the router, you can use the second method. Follow these steps:

  1. Log on to your router, and enter privileged EXEC mode by entering enable and then entering the enable password.
  2. Enter configure terminal to go to Global Configuration Mode.
  3. Enter config-register 0x2102.
  4. Enter end, and then enter the write erase command to delete the current start-up configuration on the router.
  5. Enter reload to reload the router. When the system asks whether you want to save the configuration, enter no.

When the router reloads, it will reset back to the original factory defaults.

Clear the configuration of your switch

If your Cisco switch runs CatOS, the procedure to wipe the configuration is relatively quick. Follow these steps:

  1. Log on to your switch, and enter privileged EXEC mode by entering enable and then entering the enable password.
  2. Enter clear config all to reset the entire system. You don't need to reload the switch because processing the command wipes the switch. If you've set a boot option, you need to change that option using the set boot command.

If your switch runs Cisco IOS, it maintains a running configuration file and a start-up configuration file, both of which you need to clear. Follow these steps:

  1. Log on to your switch, and enter privileged EXEC mode by entering enable and then entering the enable password.
  2. Enter write erase, which erases the NVRAM file system and removes all files.
  3. At the prompt, confirm that you want to erase all files.
  4. Enter reload, and enter no when prompted whether to save the configuration. (Otherwise, the switch will reload the current running configuration.)
  5. Confirm that you want to reload the switch, and your switch configuration is almost clean.

It's almost clean, but not quite. Most people forget to clear any VLAN information they've created for their switches. Depending on the hardware version of your switch and the software version of your OS, the command for this varies. For more information, check out Cisco's "Resetting Catalyst Switches to Factory Defaults" documentation, which walks you through the commands for clearing VLAN information from your switch.
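A check to run after the wipe, as an added example that is not part of the original article: it scans a saved console capture of show version, show startup-config and dir flash: for the three things the procedures above are meant to clear (a non-default configuration register, a surviving start-up configuration, and leftover VLAN or configuration files). The sample captures are constructed, and the output strings matched are assumptions about typical IOS output that may differ by platform and software version.

```python
import re

# Constructed console captures (not from a real device), taken after the final reload.
WIPED = """\
Router#show version
Configuration register is 0x2102
Router#show startup-config
startup-config is not present
Router#dir flash:
Directory of flash:/
    1  -rw-    33591768   Mar 1 2002 00:06:41 +00:00  sample-image.bin
"""

NOT_WIPED = """\
Router#show version
Configuration register is 0x2142 (will be 0x2102 at next reload)
Router#show startup-config
Using 1542 out of 196600 bytes
hostname CORP-EDGE-RTR1
Router#dir flash:
Directory of flash:/
    1  -rw-    33591768   Mar 1 2002 00:06:41 +00:00  sample-image.bin
    2  -rw-         616   Mar 1 2002 00:01:30 +00:00  vlan.dat
    3  -rw-        1542   Mar 1 2002 00:02:10 +00:00  config.text
"""

# File names this page mentions as holding leftover VLAN or configuration data.
RESIDUAL_FILES = ("vlan.dat", "config.text")


def audit_wipe(capture, expected_register="0x2102"):
    """Return a list of findings; an empty list means nothing was left behind."""
    findings = []
    reg = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", capture)
    if reg is None:
        findings.append("no configuration register line in capture")
    elif reg.group(1).lower() != expected_register.lower():
        findings.append(f"config register is {reg.group(1)}, expected {expected_register}")
    # Assumed message: IOS prints this when NVRAM holds no start-up configuration.
    if "startup-config is not present" not in capture:
        findings.append("start-up configuration still present")
    for line in capture.splitlines():
        fields = line.split()
        if fields and fields[-1].lower() in RESIDUAL_FILES:
            findings.append(f"residual file in flash: {fields[-1]}")
    return findings


if __name__ == "__main__":
    for name, capture in (("WIPED", WIPED), ("NOT_WIPED", NOT_WIPED)):
        print(name, audit_wipe(capture) or "clean")
```

The expected register value is a parameter because the normal value depends on the platform; 0x2102 is the value the router steps above set.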

Final thoughts

PCs aren't the only hardware you need to worry about wiping before donating -- you should apply this best practice to any network device you're discarding. Don't donate information about your networks: Clean all network devices before getting rid of them just as you would a hard drive on a computer.

14 comments
rahbm

with ProCurve. Much easier to configure, and if you ever want to pension it off it can be easily reset to factory defaults in seconds. I can't believe all the messing around described above just to reset something. Also, no need to delete the firmware - anyone can download the latest version.

robert.a.hatcher

I just log in and go to enable mode. I delete config.text and vlan.dat and erase start and then I reboot. Done!

k.m.denver

Great Topic...and very useful information.... Thank you..!

Photogenic Memory

I once eBayed a Cisco T1 router so I could practice. It was already password protected. When I finally got in, it was once used for a RE/MAX real estate business with all the original contact information, LOL! Funny stuff.

pompeychimes

You should also blow away the IOS. In fact I format the flash completely. A lot of techs like to back up the config to flash and store additional IOS'. You don't want anybody taking/using the IOS that you purchased. You also don't want any crypto enabled IOS' out there for somebody to use and/or export.

Gmuscle

Helpful, I recently had to do this very thing. Looked up on CISCO and worked out, wish I had last week.

career

# delete flash:vlan.dat
# reload

And you're done!

john.turner

Mike, the premise of your first set of steps was that I don't have the router password and am trying to recover it (by changing the config register). If that's the case, how do I do step one - "Log into the router" and then "enter the enable password"? I think you have to use the console port and boot the router to rommon 1>, by entering during the boot sequence, to use your method 1 (vs. logging in), don't you? Thanks.

richardp

Once got a great deal on some used switches. The configs were still there, and clearly had come from a major healthcare provider. We wiped the switches, but the VLANs were still there. 'Twas a tedious effort manually clearing off those VLANs, but well worth the effort.

bobbycornetto

You're right, John. You have to hit the "Break" key during boot to get into ROMMON mode. Once in, type "confreg 0x2142". Then power cycle the router/switch and follow the rest of the directions given.

sweeex

delete flash:vlan.dat
reload

This way you will erase all of your vlan configuration. Don't worry, the file will be regenerated with the default setting after reload.

Forum Surfer

I can't remember the exact switch model I was working on, nor the image revision. But if this particular model had the vtp mode set to transparent, you could run the command you described and it would appear that it worked as the flash file would no longer be listed. However, upon reload the vlan.dat file was still there exactly as before. It was not a recreated file, it was the original file. Luckily I checked before putting it in production elsewhere and wreaking havoc with spanning tree. I had to set the vtp mode to server in order to successfully delete vlan.dat.
