Locking Configuration Access

Problem

You want to prevent multiple concurrent users from making configuration changes at the same time.

Solution

To automatically prevent other users from making configuration changes at the same time as you, use the following command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#configuration mode exclusive auto
Router1(config)#end
Router1#

To enable the ability to lock the configuration file, on an as-needed basis, use the following command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#configuration mode exclusive manual 
Router1(config)#end 
Router1#

This feature was introduced in IOS Version 12.3(14)T.

 

Discussion

By default, a router running IOS software allows multiple concurrent users to change the running configuration at the same time. In some operating environments it is beneficial to prevent this, so that two users cannot modify the same portion of the configuration file at once. Enabling this feature temporarily prevents multiple users from modifying the router configuration at the same time.

Essentially, this feature allows only a single user to enter the configuration mode at a time. All other users on the router are effectively locked out of the configuration mode until the first user exits it. As we've seen in our examples, this feature runs in two modes, auto and manual. In auto mode, the configuration mode is automatically locked each time a user enters the configuration mode. In manual mode, users have the ability to manually lock the configuration mode each time they change the router configuration by using the lock keyword:

Router1#configure terminal lock
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#

If you don't issue the lock keyword, then the router will not lock the configuration mode and the router will function as normal. In auto mode, you don't need to issue the lock keyword, since it is implicitly enabled.

If you attempt to enter the configuration mode and someone has already locked it, then you will receive the following message informing you that the configuration mode is locked and by whom:

Router1#configure terminal 
Configuration mode locked exclusively by user 'ijbrown' process '31' from terminal '162'. Please try later.
Router1#

You can always show the status of the configuration lock by issuing the following command:

Router1#show configuration lock
Parser Configure Lock
---------------------
Owner PID : 31
User : ijbrown
TTY : 162
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal lock
Router1#

If you absolutely need to change the router configuration and someone has locked you out, then you always have the option of terminating his or her session. Notice that user ijbrown has currently locked the configuration mode, and he is using TTY 162. In the next example, we will clear the TTY session and view the status of the configuration lock:

Router1#clear line 162
[confirm] 
 [OK]
Router1#show configuration lock 
Parser Configure Lock
---------------------
Owner PID : -1
User : unknown
TTY : -1
Type : NO LOCK
State : FREE
Class : unknown
Count : 0
Pending Requests : 0
User debug info : 
Router1#

Notice that once we clear the user's session, the lock is removed and we are then free to make configuration changes. In addition, once someone does lock the configuration mode, a system message is sent to inform all other users:

Sep 2 22:39:03.304 EDT: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
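Before clearing someone's line, it is worth confirming that the TTY named in the refusal message still owns the lock. The following Python sketch is an added example, not code from the book: it parses the show configuration lock output and the refusal message shown above and compares them. The function names and the abridged FREE sample are assumptions made for illustration.

```python
import re

# Constructed samples: text copied from the sessions shown in this recipe.
LOCKED = """\
Parser Configure Lock
---------------------
Owner PID : 31
User : ijbrown
TTY : 162
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal lock
"""
# Abridged copy of the unlocked output (only the fields used here).
FREE = "Owner PID : -1\nUser : unknown\nTTY : -1\nType : NO LOCK\nState : FREE\n"
REFUSED = ("Configuration mode locked exclusively by user 'ijbrown' "
           "process '31' from terminal '162'. Please try later.")

REFUSAL_RE = re.compile(r"locked exclusively by user '([^']*)' "
                        r"process '(-?\d+)' from terminal '(-?\d+)'")

def parse_lock(output):
    """Map each 'Field : value' line of 'show configuration lock' to a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # header, rule and prompt lines carry no colon and are skipped
            fields[key.strip()] = value.strip()
    return fields

def lock_holder(output):
    """Return (user, pid, tty) while State is LOCKED, otherwise None."""
    f = parse_lock(output)
    if f.get("State") != "LOCKED":
        return None
    return f["User"], int(f["Owner PID"]), int(f["TTY"])

def refusal_holder(message):
    """Return (user, pid, tty) from the 'locked exclusively by user' refusal."""
    m = REFUSAL_RE.search(message)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def safe_to_clear(message, output):
    """True only if the refusal and the lock table name the same holder,
    i.e. the TTY an operator is about to clear still owns the lock."""
    holder = lock_holder(output)
    return holder is not None and holder == refusal_holder(message)

if __name__ == "__main__":
    print(lock_holder(LOCKED), safe_to_clear(REFUSED, LOCKED), lock_holder(FREE))
```

If the lock has already been released, or a different session has taken it since the refusal was received, safe_to_clear returns False and the clear line step should be skipped.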






Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505