IOS Configuration Lock
How to avoid two people making changes to the configuration at the same time
The only command you need to use is the configuration mode exclusive {auto | manual} from global configuration mode.
- The auto keyword automatically locks the configuration session whenever the configure terminal command is used and this is the default option.
- The inverse manual keyword allows you to choose to lock the configuration session manually or simply leave it unlocked.
Here is how to do it:
In the configuration example below I will first enable manual configuration lock mode.
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#configuration mode exclusive manual
R1(config)#end
R1#
Once I enable configuration lock mode, I can view its status using the show configuration lock command. This is shown below:
R1#sh config lock
Parser Configure Lock
———————
Owner PID : -1
User : 6200networks
TTY : -1
Type : NO LOCK
State : FREE
Class : unknown
Count : 0
Pending Requests : 0
User debug info :
Session idle state : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked : 0
Config wait for show completion : FALSE
Remote ip address : Unknown
Lock active time (in Sec) : 0
Lock Expiration timer (in Sec) :0
R1#
Notice the status displays free and the type display that no lock is in place because no user has initiated the feature yet. I will next initiate the configuration lock feature and then run the same command again, this time expecting different results.
R1#config terminal ?
lock Lock configuration mode
revert Parameters for reverting the configuration
R1#config terminal lock
Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
*Sep 9 17:22:31.531: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user ‘6200networks’ from terminal ‘0? -Process= “Exec”, ipl= 0, pid= 184
R1(config)#
Notice that after enable configuration lock and move into configuration lock mode, the parser tells me that exculsive lock has been acquired for my configuration session. Once I’m in configuration lock mode I will view the status of the lock session:
R1(config)#do sh config lock
Parser Configure Lock
———————
Owner PID : 184
User : 6200networks
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal lock
Session idle state : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked : 0
Config wait for show completion : FALSE
Remote ip address : Unknown
Lock active time (in Sec) : 47
Lock Expiration timer (in Sec) : 599
R1(config)#
Upon moving into configuration mode, the parser diplays that the sesion is exclusively locked and this time when I view the status of the lock mode it displays that there is an exclusive lock on the terminal session. Now lets examine what happens when I try and telnet into R1 from R2 while I have the configuration session locked on R1 and I attempt to move into configuration mode.
R2#telnet 192.168.10.1
Trying 192.168.10.1 … Open
…
User Access Verification
…
Password:
R1>en
Password:
R1#config t
Configuration mode locked exclusively by user ‘6200network’ process ‘184? from terminal ‘0?. Please try later. Rollback confirmed change timer is canceled due to configuration lock error.
R1#
Obviously the router performed as expected and denied my request to move into configuration mode because of the locked session via the console on R1. Upon exiting the configuration session on R1 you will receive the following display painted via the parser informing you that the session lock has been released.
*Sep 9 17:33:19.647: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal ‘0? -Process= “Exec”, ipl= 0, pid= 184
