Wednesday, September 3, 2025

Configure Cisco no service password-recovery

The no service password-recovery command is a security enhancement that prevents anyone with physical console access from performing router configuration or changing local passwords. It also prevents them from changing the configuration register values and from accessing the NVRAM, which stores the startup config.

This command is applicable in highly secure environments, and for our scenario, where we don't intend to retrieve or reuse the network gear since it's located in a very remote area.


Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no service password-recovery
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes]: yes
Router(config)#end
Router#write memory
Building configuration...
[OK]

Router#show run | inc no service
no service pad
no service password-recovery


Disabling password recovery on a Cisco Catalyst switch uses a slightly different command. You'll first need to verify whether the switch is standalone or stacked, using the show switch command.


Switch#show switch
Switch/Stack Mac Address : 3c0e.2357.1234 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   3c0e.2357.1234     1      V02     Ready

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3850(config)#system ?
  debug        Debug Shell
  disable      Disable password recovery
  environment  Set the system environment settings
  fnf          Flexible Netflow
  ignore       Ignore Startup Config
  mode-button  Enable Mode button for reset
  mtu          Set the global ethernet payload size

Switch(config)#system disable ?
  password  Disable password recovery

Switch(config)#system disable password ?
  recovery  Disable password recovery

Switch(config)#system disable password recovery ?
  switch  Set config on switches in stack

Switch(config)#system disable password recovery switch ?
  <1-9>  Switch number
  all    Set config for all switches in stack

Switch(config)#system disable password recovery switch all
Applying config on Switch 1...[DONE]
Switch(config)#end
Switch#write memory
Building configuration...
Compressed configuration from 14004 bytes to 6042 bytes[OK]


The system disable password recovery switch command is not visible when you issue a show run, not even with show run all.

Switch#show run | inc system
system mtu 1500
spanning-tree extend system-id

Switch#show run all | inc system disable
Switch# <BLANK>
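Added example (not code from the post): a small Python audit helper that parses the show switch table above to enumerate stack members, emits the matching config lines, and checks a router running-config for the exact no service password-recovery line. The sample outputs are constructed from the post's tables, with placeholder MAC addresses.

```python
import re
# Constructed `show switch` output modelled on the post's table (two members
# here to exercise stack parsing); the MAC addresses are placeholders.
SHOW_SWITCH_SAMPLE = """\
Switch/Stack Mac Address : 3c0e.2357.1234 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   3c0e.2357.1234     1      V02     Ready
 2       Standby  3c0e.2357.5678     1      V02     Ready
"""

# Constructed router running-config excerpt.
ROUTER_RUN_SAMPLE = """\
no service pad
no service password-recovery
service timestamps debug datetime msec
"""

# Member row: optional '*' (active), number, role, MAC, priority, H/W, state.
MEMBER_RE = re.compile(
    r"^\s*\*?\s*(?P<num>\d+)\s+(?P<role>\S+)\s+(?P<mac>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})"
    r"\s+(?P<prio>\d+)\s+(?P<hw>\S+)\s+(?P<state>\S+)\s*$", re.I)

def parse_show_switch(text):
    """Stack members from `show switch`, as dicts of the table columns."""
    return [m.groupdict() for m in map(MEMBER_RE.match, text.splitlines()) if m]

def disable_recovery_commands(members):
    """Config lines for a Catalyst; `switch all` covers every member, and a
    standalone switch is just a one-member stack."""
    if not members:
        raise ValueError("no stack members parsed; refusing to guess")
    return ["configure terminal", "system disable password recovery switch all",
            "end", "write memory"]

def router_recovery_disabled(running_config):
    """True only on an exact `no service password-recovery` line, so
    `no service pad` or the default `service password-recovery` never matches."""
    return any(line.strip() == "no service password-recovery"
               for line in running_config.splitlines())

def audit_running_config(platform, running_config):
    """Verdict from a config dump. On the Catalyst stack the setting is hidden
    from both `show run` and `show run all`, so a dump cannot prove it."""
    if platform == "switch":
        return "unverifiable-from-config"
    return "disabled" if router_recovery_disabled(running_config) else "ENABLED"
```

For the switch case the audit deliberately reports that a config dump cannot confirm the setting, matching the blank show run all output above.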