Networking

Prevent router changes from multiple users with Cisco IOS configuration lock

If multiple network admins were to connect to a router and modify the configuration at the same time, changes could be lost or only partially implemented, resulting in network downtime. David Davis introduces a new Cisco feature called IOS configuration lock that helps prevent such clashes.

How can configuration locking help you?

As you know, anyone who has network admin access can make changes to the running configuration at any time. If you are running a large IT shop or in charge of just a few folks, this new feature will enable you to control the concurrent changes to your running configuration. Exclusive Configuration Change Access, or configuration lock as it's sometimes called, includes the Access Session Locking feature. Here is the full syntax for this command:

Router(config)# configuration mode exclusive {auto | manual} [expire seconds] [lock-show] [interleave] [terminate] [config_wait seconds] [retry_wait seconds]

While you can configure configuration lock to be automatic or manual, I would think that most admins would want to set it in automatic mode.

Set up configuration lock in automatic mode

Let's look at how easy it is to activate this feature.

Router(config)# configuration mode exclusive auto

If you use the auto keyword, it locks the configuration session whenever configure terminal is used. If you use the manual keyword, it allows you to choose locking when you use the keyword configure terminal lock command. Let's step through a few examples of this great feature.

If you use the manual keyword, you must enable configuration lock each time you enter the global configuration mode. Thus, instead of using configuration terminal or conf t, you would add the lock keyword on the end, like this:

Router# configure terminal lock
Enter configuration commands, one per line.  End with CNTL/Z
Router(config)#

The show configuration lock command

How do you know the status of your configuration lock? How do you know if someone else is currently editing the config? Use the show configuration lock command. Notice how the command output looks vastly different from when someone else has the configuration locked to when there is no lock.

Output when no one else is editing the configuration:

Router(config)# show configuration lock
Parser Configure Lock
Owner PID        :  10
User             :  User3
TTY              :  3
Type             :  EXCLUSIVE
State            :  LOCKED
Class            :  Exposed
Count            :  0
Pending Requests :  0
User debug info  :  0

Output when running config is locked by another user:

Router# show configuration lock
Parser Configure Lock
———————————————————————————
Owner PID                         : 3
User                              : unknown
TTY                               : 0
Type                              : EXCLUSIVE
State                             : LOCKED
Class                             : EXPOSED
Count                             : 1
Pending Requests                  : 0
User debug info                   : configure terminal
Session idle state                : TRUE
No of exec cmds getting executed  : 0
No of exec cmds blocked           : 0
Config wait for show completion   : FALSE
Remote ip address                 : Unknown
Lock active time (in Sec)         : 6
Lock Expiration timer (in Sec)    : 593
Router(config)#

Please note that using the configure terminal lock command is temporary and immediately released as soon as the network admin exits Cisco IOS configuration mode. When another network admin tries to telnet into a router that you have an exclusive lock on, he or she will get a lock error with the user id that has the exclusive lock. This can come in very handy when you realize how many network admins you may have changing and re-running configurations. Perhaps this would be a good time to re-evaluate why this is happening. Maybe you need to set up some new procedures to assist your network admins.

This is a good time to talk briefly about the rollback feature that comes with the exclusive lock feature. It could be that your admins may be trying to put the running config back to a saved copy config. The replace and configure rollback feature does exactly that. It replaces the current running configuration with any saved Cisco IOS configuration file. There are some restrictions though. Access Session Locking comes with this feature. It prevents processes like the show command from executing while the configuration changes are being made. Check out the Cisco "Configuration Replace and Configuration Rollback" documentation for further information.

The Cisco IOS configuration lock is an essential part of network administration. You can use this feature to lock out other admin users from running configurations or even accessing show commands. You can also limit the seconds with expire seconds field to the number of seconds in which the configuration lock is released after the user stops making configuration changes. And it's invaluable to see what processes are being used and who is making them, which will maximize the proficiency and efficiency of your network. For more information, see the Cisco documentation "Exclusive Configuration Change Access (Config Lock)."

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

Editor's Picks

Free Newsletters, In your Inbox