Cisco Configuration Mode Exclusive

By default anyone that has access to your router will be able to make changes to the configuration at the same time. It’s possible that one network admin is connected to the console, another one using telnet and the third network admin is connected through SSH. They can all make changes to the configuration simultaneously.

It might be a good idea to prevent this from happening…when one network admin is making changes, the other one shouldn’t be able to change anything.

Cisco created a feature called “Configuration Lock” that allows us to do this. Simply said, when one user uses “configure terminal” the others won’t be allowed to do the same thing. When the first user leaves the configuration mode, someone else can get access. Sounds good?

There are two options here:

  • Auto
  • Manual

When you use auto, whenever someone enters the configuration mode it will be locked so other users can’t enter configuration mode. The manual method does the same thing but you have to lock it yourself. I’ll show you how to use both options.

First we’ll configure telnet so that I have two methods to access the router…telnet and console:

R1(config)#username cisco password cisco
R1(config)#enable password cisco
R1(config)#line vty 0 4
R1(config-line)#login local

That takes care of that, let’s check out the lock feature:

R1(config)#configuration mode exclusive ?
  auto    Lock configuration mode automatically
  manual  Lock configuration mode on-demand

As you can see we have two options, auto and manual. We’ll start with the auto method.

Auto Lock Configuration Mode

You only have to use one command to enable the auto-locking of the configuration mode:

R1(config)#configuration mode exclusive auto

That’s all there is to it. Once you exit the configuration mode and re-enter it you’ll see this:

R1#configure terminal
 Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
%PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'unknown' from terminal '0'  -Process= "Exec", ipl= 0, pid= 93

The router warns us that the configuration mode has been locked by an unknown user from terminal 0 (console). Let’s see what happens when another network admin tries to connect through telnet:

R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open

User Access Verification

Username: cisco
Password:
R1>enable
Password:
R1#

We are allowed to connect and use the privileged mode, this is what happens when you try to configure something:

R1#configure terminal
Configuration mode locked exclusively by user 'unknown' process '93' from terminal '0'. Please try later.

Too bad…we are locked out because the user on the console is still in configuration mode. There is a show command that gives us some more information:

R1(config)#do show configuration lock
Parser Configure Lock
---------------------
Owner PID                        : 93
User                             : unknown
TTY                              : 0
Type                             : EXCLUSIVE
State                            : LOCKED
Class                            : EXPOSED
Count                            : 1
Pending Requests                 : 0
User debug info                  : configure terminal
Session idle state               : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked          : 0
Config wait for show completion  : FALSE
Remote ip address                : Unknown
Lock active time (in Sec)        : 5
Lock Expiration timer (in Sec)   : 599

This tells us that the configuration mode is locked by an unknown user (console). Once this user exits the configuration mode someone else will be able to access it. Does this make sense so far? Let’s try the manual method.

Manual Lock Configuration Mode

Let’s get rid of the auto mode first:

R1(config)#no configuration mode exclusive auto

Now we’ll enable manual mode:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 676 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

635 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Hello Rene,

    what will happen when I configure “configuration mode exclusive auto” when there is already another user in the global config mode? Will he be kicked from the global config mode or is he not allowed to enter any configure command?

    Kind regards,
    Bülent

  2. Hi Bülent,

    I haven’t tried it but I think nothing will happen. It doesn’t kick you out of the configuration mode but prevents you from entering it. The first time you enter the configuration mode after enabling it you will “lock” the config mode, not sooner.

    Rene

  3. Again a great configuration feature I didn’t know about.
    I immediately applied it on my home routers and tried to do the same
    on my ASA5505 and catalyst switch, but the “configuration mode”
    is not available :frowning:

    Although it’s very strange that the “show configuration lock” is working.
    Perhaps configuration locking is possible on a catalyst only via a ACS server.

  4. PS
    I strongly advise to enable the “exec-timout x x” feature on the vty lines when using the configuration lock.

  5. Hi Rene,

    I guess the question is…given that there are already two person playing on the config mode (person A and B). Person A configured the “configure mode exclusive” which is not originally on the config… what will happen to Person B? can he still commit changes? Or he will be thrown back to enable mode?

3 more replies! Ask a question or join the discussion by visiting our Community Forum