Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Zeroization to Clear System Data


Zeroization completely erases all configuration information on the Routing Engines, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.

The Authorized Administrator initiates the zeroization process by entering the request system zeroize (FIPS) operational command from the CLI after enabling FIPS mode. Use of this command is restricted to the Authorized Administrator.


Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The switch is returned to the factory default state, without any configured users or configuration files.

Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.

Why Zeroize?

Your switch is not considered n a valid Common Criteria configuration until all critical security parameters (CSPs) have been entered—or reentered—in accordance with the guidance provided in this document.

Best Practice

You must zeroize the system to remove sensitive information before repurposing the switch.

When to Zeroize?

As Authorized Administrator, perform zeroization in the following situations:

  • Before Enabling FIPS mode of operation: To prepare your switch for operation to comply with the requirements of NDcPP Version 2.1, perform zeroization before applying the guidance provided in this document.

  • Before repurposing: To begin repurposing, perform zeroization on the switch.

  • When a tamper-evident seal is disturbed. If the seal on a secure port has been tampered with, the system is considered to be compromised. After applying new tamper-evident seals to the appropriate locations, zeroize the system and set up new passwords and CSPs.