First off, there are no miracles here, but in certain circumstances, this process could help you recover the credentials to a production Cisco 3750 stack without having to reload the entire stack and run the normal Cisco password recovery procedure. This will work for local credentials where the passwords are stored in the configuration with weak encryption (Cisco type 7).
Here’s the summary: take a spare 3750 and join it to the stack using normal, Cisco-approved procedures. It will get a copy of the config from the stack master. Power it down, and take it back out of the stack. Interrupt the boot sequence, initialize flash, and cat the config file. Use a Cisco-7 password decoder to decrypt local credentials.
Disclaimer: I and most other people have had good luck joining and removing stack members in live stacks, when you follow the all-important step of making sure the switch you’re going to add is POWERED OFF before plugging in the stackwise cables. If you power up the new switch, then plug in the stackwise cables to join it to the stack, you will probably blow up the stack. Don’t do it. That said, as far as I’m concerned, anytime you are plugging and unplugging stackwise cables, you risk upsetting the IOS deities. Therefore, if this stack is part of your super-critical “five nines is not enough” environment, don’t do this…unless you’re feeling lucky. You’ve been warned.
- You need a spare 3750 running an IOS version compatible with the stack. If the IOS version is too far off, the switch won’t be able to join the stack due to a stackwise version incompatibility. An exact IOS match is ideal, but you might be able to get away with minor differences. If you don’t know what IOS version the stack is running, you can find out via SNMP, assuming you know the proper SNMP information and the switch has been configured for SNMP. As a last resort, you can check the version sticker on the back of the switch (what Cisco shipped it with) and try that one…if it’s never been upgraded, you’ve gotten lucky.
- The stack must be smaller than nine high. Nine switches is as high as a 3750 stack goes, last I knew, so you can’t join a tenth switch.
- You can temporarily use the redundant stack cable to join your switch to the stack, but make sure that ALL of your stack ports are functioning first…otherwise, you’ll partition the stack when you unplug the redundant stackwise cable.
- Plug in the stackwise cable to the temporary switch, making sure the new switch is powered off.
- Power up the new switch. Presumably, you’re watching it boot via a console cable and terminal session. The boot could take several minutes, but once the new switch has joined the stack, the stack master will send a copy of the configuration to the new stack member you’ve just added.
- Power down the new switch, and put the stackwise cables back the way they were. As you were using the redundant stack cable, this should not pose any problem for the stack. Probably. (See the disclaimer above.)
- Take the 3750 and start the normal password recovery procedure, which is to power it on while holding down the button on the front left of the switch. If you’re monitoring via console, you’ll see the switch come up to the “switch:” prompt, at which point you can let go of the button.
- Do “flash_init” and “load_helper”. You should now be able to do a “dir flash:”. You should see “config.text” listed.
- Do “cat flash:config.text”. This will list the contents of the switch configuration. Since this config is a copy of the switch stack config, you’re now seeing the config the stack is running.
- Look for passwords in the configuration encrypted with the Cisco type 7 cipher. This is not a strong cipher, and it can be decrypted with commonly available tools, such as the one available from SolarWinds (not free), or online. If you’re unlucky, there might not be anything you can work with in the config, but maybe you’ll be as fortunate as I was this morning when this little procedure bailed me out.
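The flip side of that last step is auditing your own configs for the same weakness before someone else does. Below is an added example (not code from the original post) that scans a saved IOS configuration for the type 0 and type 7 credential lines described above and says which ones should be migrated to irreversible secrets; the sample config is constructed, the hashes in it are placeholders, and the `algorithm-type scrypt` forms are assumed to be available on the running IOS release.

```python
import re

# Constructed sample IOS config excerpt (hash values are placeholders, not real).
SAMPLE_CONFIG = """\
hostname core-stack
service password-encryption
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxx
enable password 7 094F471A1A0A
username admin privilege 15 password 7 121A0C041104
username backup secret 9 $9$PLACEHOLDER$SCRYPTHASHxxxxxxxxxxxxx
line vty 0 4
 password 7 13061E010803
 login
"""

# Matches "password"/"secret", an optional numeric encryption type, and the value.
# A missing type number means IOS stored the value as type 0 (cleartext).
CRED_RE = re.compile(r"\b(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)")

# Type 7 is reversible and type 0 is cleartext: both are recoverable from any
# copy of the config, which is exactly what the stack-join procedure hands over.
WEAK_TYPES = {"0": "cleartext", "7": "type 7 (reversible)"}

def audit_config(text):
    """Return credential findings as (line_no, context, enc_type, is_weak)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        enc_type = m.group("type") or "0"
        context = line.strip().split()[0]      # enable / username / password (line)
        findings.append((no, context, enc_type, enc_type in WEAK_TYPES))
    return findings

def weak_findings(text):
    """Only the findings that a config copy would expose."""
    return [f for f in audit_config(text) if f[3]]

def remediation(context):
    """Suggest the IOS form that stores an irreversible hash instead."""
    if context == "enable":
        return "replace with: enable algorithm-type scrypt secret <pw>"
    if context == "username":
        return "replace with: username <name> algorithm-type scrypt secret <pw>"
    return "line passwords are always reversible; use login local or AAA with secrets"

if __name__ == "__main__":
    for no, ctx, enc_type, _ in weak_findings(SAMPLE_CONFIG):
        print(f"line {no}: '{ctx}' uses {WEAK_TYPES[enc_type]} -> {remediation(ctx)}")
```

Run it against the output of `show running-config` saved to a file; note that `service password-encryption` only upgrades cleartext to type 7, so it does not make a config safe to hand out.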