
Prevent router changes from multiple users with Cisco IOS configuration lock

If multiple network admins were to connect to a router and modify the configuration at the same time, changes could be lost or only partially implemented, resulting in network downtime. David Davis introduces a new Cisco feature called IOS configuration lock that helps prevent such clashes.

How can configuration locking help you?

As you know, anyone who has network admin access can make changes to the running configuration at any time. If you are running a large IT shop or in charge of just a few folks, this new feature will enable you to control the concurrent changes to your running configuration. Exclusive Configuration Change Access, or configuration lock as it's sometimes called, includes the Access Session Locking feature. Here is the full syntax for this command:

Router(config)# configuration mode exclusive {auto | manual} [expire seconds] [lock-show] [interleave] [terminate] [config_wait seconds] [retry_wait seconds]

Configuration lock can be set to automatic or manual mode; I would think that most admins will want automatic mode.

Set up configuration lock in automatic mode

Let's look at how easy it is to activate this feature.

Router(config)# configuration mode exclusive auto

With the auto keyword, the configuration session is locked whenever configure terminal is used. With the manual keyword, you choose when to lock by entering the configure terminal lock command. Let's step through a few examples of this feature.

If you use the manual keyword, you must enable configuration lock each time you enter global configuration mode. Thus, instead of using configure terminal or conf t, you add the lock keyword at the end, like this:

Router# configure terminal lock
Enter configuration commands, one per line.  End with CNTL/Z
Router(config)#

The show configuration lock command

How do you know the status of your configuration lock, or whether someone else is currently editing the config? Use the show configuration lock command. Notice how different the output is when someone else holds the lock compared with when no one else is editing.

Output when no one else is editing the configuration:

Router(config)# show configuration lock
Parser Configure Lock
Owner PID        :  10
User             :  User3
TTY              :  3
Type             :  EXCLUSIVE
State            :  LOCKED
Class            :  Exposed
Count            :  0
Pending Requests :  0
User debug info  :  0

Output when running config is locked by another user:

Router# show configuration lock
Parser Configure Lock
------------------------------------------------------
Owner PID                         : 3
User                              : unknown
TTY                               : 0
Type                              : EXCLUSIVE
State                             : LOCKED
Class                             : EXPOSED
Count                             : 1
Pending Requests                  : 0
User debug info                   : configure terminal
Session idle state                : TRUE
No of exec cmds getting executed  : 0
No of exec cmds blocked           : 0
Config wait for show completion   : FALSE
Remote ip address                 : Unknown
Lock active time (in Sec)         : 6
Lock Expiration timer (in Sec)    : 593
Router(config)#
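As an added example that is not part of the article or of Cisco's own tooling, here is a small Python parser for the show configuration lock output above, so a monitoring script can report who holds the lock and how long it has until expiry. The two samples are constructed from the outputs shown, and the rule that a nonzero Count means another session holds the lock is an assumption drawn from those two outputs.

```python
import re

# Constructed sample, copied from the article's second show output
# (the running config is locked by another user).
SAMPLE_LOCKED = """Parser Configure Lock
------------------------------------------------------
Owner PID                         : 3
User                              : unknown
TTY                               : 0
State                             : LOCKED
Count                             : 1
User debug info                   : configure terminal
Lock active time (in Sec)         : 6
Lock Expiration timer (in Sec)    : 593
"""
# Constructed sample based on the article's first output (no other editor).
SAMPLE_FREE = """Parser Configure Lock
Owner PID        :  10
User             :  User3
State            :  LOCKED
Count            :  0
"""
# One "Key : value" line; the title and dashed separator lines do not match.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*?)\s*$")

def parse_config_lock(output: str) -> dict:
    """Map each 'Key : value' line of the show output to a dict entry."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields

def lock_holder(output: str):
    """Return None when no other session holds the lock, else the holder.
    Assumption from the article's two outputs: Count is 0 when nobody else
    is editing and 1 when another session holds the exclusive lock."""
    f = parse_config_lock(output)
    if f.get("State") != "LOCKED" or int(f.get("Count", "0")) == 0:
        return None
    return {
        "pid": int(f["Owner PID"]),
        "user": f.get("User", "unknown"),
        "tty": int(f.get("TTY", "0")),
        "command": f.get("User debug info", ""),
        "expires_in": int(f.get("Lock Expiration timer (in Sec)", "0")),
    }
```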

Note that the lock taken with the configure terminal lock command is temporary: it is released as soon as the network admin exits Cisco IOS configuration mode. When another network admin telnets into a router on which you hold an exclusive lock, he or she will get a lock error that includes the user ID holding the exclusive lock. This can be very revealing once you realize how many network admins may be changing and re-running configurations. Perhaps this is a good time to re-evaluate why that is happening; maybe you need to set up some new procedures to assist your network admins.

This is a good time to talk briefly about the rollback feature that accompanies the exclusive lock feature. Your admins may be trying to return the running config to a saved copy. The Configuration Replace and Configuration Rollback feature does exactly that: it replaces the current running configuration with any saved Cisco IOS configuration file. There are some restrictions, though. Access Session Locking comes with this feature; it prevents processes such as the show command from executing while the configuration changes are being made. See Cisco's "Configuration Replace and Configuration Rollback" documentation for further information.

The Cisco IOS configuration lock is an essential part of network administration. You can use this feature to lock other admin users out of the running configuration, or even out of show commands. With the expire seconds option you can also set the number of seconds after which the configuration lock is released once the user stops making configuration changes. And it is invaluable to see which processes are in use and who is running them, which will maximize the proficiency and efficiency of your network. For more information, see the Cisco documentation "Exclusive Configuration Change Access (Config Lock)."


12 comments
foysol_bgd

Hi David, how can I lock a router configuration during business hours? It will not be modified during this time by any user.

nacht

Is there ever an issue where one is in config mode and loses their connection, then is unable to get back in because of the lock (i.e. hung config session)?

agarber

Good information to have. David should cover the setup of the MIB (Management Information Base) for a TechRepublic posting on a Friday sometime. These are valuable tools for those of us who use a Cisco ASA for VPN tunnels. The MIB will give you the bytes sent and received on a VPN session: ftp://ftp-sj.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html. You just need an SNMP server that can poll a MIB.

shaunstanislaus

Why doesn't it work on Packet Tracer routers? Does it? Because I tried typing that command and it does not work. Router#conf t lock ^ % Invalid input detected at '^' marker.

jdclyde

Everyone knows how easy it is to reset the password on a router or a server in a few minutes if you have physical access to the device. This throws a new wrench in the works. I assume Cisco has an easy way to reset this, provided you still have your physical access? Interesting article.

john.hamilton

Hi, interesting article. Is there anything in the IOS which will only accept configuration changes from some users (by source IP or authentication)? We need to provide 'read only' access to Cisco switches to allow some staff to view port status, errors, etc., but not allow them to change anything. -- John Hamilton

chuck.wilkins

Password recovery must be done from the console port. You have to power off the router and enter the break sequence before the router finishes loading. Then you have to modify the config register. Good luck with doing this in a 'few mins'. How about the downtime of the router? I think it might be noticed fairly quickly. Before you power down and change the password, have your desk packed up. You won't be there long after the unauthorized change.

bart.thoen

If it is for the sole purpose of inspecting the interface status, you might want to use an SNMP-capable tool which can read all that stuff. Using the SNMP read-only community string, you can read all the interface counter statistics.

wbaltas

Another option for users with a Cisco TACACS+ server (Access Control Server) is to limit which commands can be issued while in enable mode. I've played around with this and have limited junior technicians to the show run command and a few others, such as adding a description to an interface. If you need to limit access to routers, switches, and firewalls for multiple administrators with different technical skills, I recommend this solution. Bill Baltas

chuck.wilkins

Hello, you do not need to be in exec mode to display the interfaces. Example: sh int fa0/0, sh ip int brief. These are not exec commands. As long as they are not in enable mode they cannot enter 'config t', so the config is safe.

silvertip257

The alternative privilege levels the Cisco IOS provides will work great for what you'd like to do. That way it is possible for you to provide 'read only' access. Here's a link to one of Dave's previous articles on IOS privilege levels. http://articles.techrepublic.com.com/5100-10878_11-5659259.html As for restricting access by IP, that's the network layer (L3) and depending on the equipment/configuration you have, you may only be operating at layer 2 (Data Link) with your switches. You'll need to set up ACLs on your router(s) to restrict access to the switches' IPs. http://articles.techrepublic.com.com/5100-10878_11-5731134.html And don't forget you could use VLANs to manage who has access to which devices (administrative VLAN). Of course you'll still need a router involved to manage inter-VLAN communication.

jdclyde

And I am talking about someone who does have the physical access they need. The problem is, having the password to the router would not help if someone had applied this lock on the config, now would it? Not talking about a hack. Would this end up being like on a Windows box, where the user encrypts the system? You can reset the password, but the data is toast. That would not be a good thing for a router. And yes, it only takes a few minutes, regardless of whether it is a router, Windows box or Linux box. That is why there is supposed to be a lock on the door to the server and network rooms.
