By default, anyone who has access to your router will be able to make changes to the configuration at the same time. One network admin may be connected to the console, another one using telnet, and the third network admin is connected through SSH. They can all make changes to the configuration simultaneously.
It might be a good idea to prevent this from happening…when one network admin is making changes, the other one shouldn’t be able to change anything.
Cisco created a “Configuration Lock” feature that allows us to do this. Simply put, when one user uses configure terminal, the others won’t be allowed to do the same thing. When the first user leaves the configuration mode, someone else can get access. Sounds good?
There are two options here:
- Auto
- Manual
When you use auto, whenever someone enters the configuration mode, it will be locked so other users can’t enter configuration mode. The manual method does the same thing, but you have to lock it yourself. I’ll show you how to use both options.
First, we’ll configure telnet so that I have two methods to access the router…telnet and console:
R1(config)#username cisco password cisco
R1(config)#enable password cisco
R1(config)#line vty 0 4
R1(config-line)#login local
That takes care of that, let’s check out the lock feature:
R1(config)#configuration mode exclusive ?
auto Lock configuration mode automatically
manual Lock configuration mode on-demand
As you can see, we have two options, auto and manual. We’ll start with the auto method.
Auto Lock Configuration Mode
You only have to use one command to enable the auto-locking of the configuration mode:
R1(config)#configuration mode exclusive auto
That’s all there is to it. Once you exit the configuration mode and re-enter it, you’ll see this:
R1#configure terminal
Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
%PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'unknown' from terminal '0' -Process= "Exec", ipl= 0, pid= 93
The router warns us that the configuration mode has been locked by an unknown user from terminal 0 (console). Let’s see what happens when another network admin tries to connect through telnet:
R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open
User Access Verification
Username: cisco
Password:
R1>enable
Password:
R1#
We are allowed to connect and use the privileged mode. This is what happens when you try to configure something:
R1#configure terminal
Configuration mode locked exclusively by user 'unknown' process '93' from terminal '0'. Please try later.
Too bad…we are locked out because the user on the console is still in configuration mode. There is a show command that gives us some more information:
R1(config)#do show configuration lock
Parser Configure Lock
---------------------
Owner PID : 93
User : unknown
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal
Session idle state : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked : 0
Config wait for show completion : FALSE
Remote ip address : Unknown
Lock active time (in Sec) : 5
Lock Expiration timer (in Sec) : 599
This tells us that the configuration mode is locked by an unknown user (console). Once this user exits the configuration mode, someone else can access it. Does this make sense so far? Let’s try the manual method.
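As an added example (not part of the original lesson and not Cisco tooling), this Python sketch parses the show configuration lock output above and flags conditions worth checking when you find the configuration locked. The function names and the 300-second threshold are assumptions chosen for illustration.

```python
# Output copied from the lesson's "do show configuration lock" example.
SAMPLE = """\
Parser Configure Lock
---------------------
Owner PID : 93
User : unknown
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal
Session idle state : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked : 0
Config wait for show completion : FALSE
Remote ip address : Unknown
Lock active time (in Sec) : 5
Lock Expiration timer (in Sec) : 599
"""

def parse_lock(text):
    """Turn 'Key : value' lines into a dict; title and rule lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def review_lock(fields, max_active_sec=300):
    """Return findings about the current lock holder.
    max_active_sec is an assumed threshold, not a Cisco default."""
    findings = []
    if fields.get("State") != "LOCKED":
        return findings
    if fields.get("User", "").lower() == "unknown":
        findings.append("lock owner is not attributable to a named user")
    if fields.get("Session idle state") == "TRUE":
        findings.append("owning session is idle while holding the lock")
    if int(fields.get("Pending Requests", "0")) > 0:
        findings.append("other sessions are waiting for the lock")
    if int(fields.get("Lock active time (in Sec)", "0")) > max_active_sec:
        findings.append("lock held longer than %d s" % max_active_sec)
    return findings
```

Run against the lesson's output, review_lock(parse_lock(SAMPLE)) reports the unattributed owner and the idle session, which are the two details that matter when the lock holder has walked away from the console.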
Manual Lock Configuration Mode
Let’s get rid of the auto mode first:
R1(config)#no configuration mode exclusive auto
Now we’ll enable manual mode:
Hello Rene,
What will happen when I configure “configuration mode exclusive auto” when there is already another user in the global config mode? Will he be kicked from the global config mode or is he not allowed to enter any configure command?
Kind regards,
Bülent
Hi Bülent,
I haven’t tried it but I think nothing will happen. It doesn’t kick you out of the configuration mode but prevents you from entering it. The first time you enter the configuration mode after enabling it you will “lock” the config mode, not sooner.
Rene
Again a great configuration feature I didn’t know about.
I immediately applied it on my home routers and tried to do the same on my ASA5505 and Catalyst switch, but the “configuration mode” is not available.
Although it’s very strange that the “show configuration lock” is working.
Perhaps configuration locking is possible on a Catalyst only via an ACS server.
PS
I strongly advise enabling the “exec-timeout x x” feature on the vty lines when using the configuration lock.
Hi Rene,
I guess the question is… given that there are already two people playing in the config mode (person A and B). Person A configured the “configure mode exclusive”, which is not originally in the config… what will happen to Person B? Can he still commit changes? Or will he be thrown back to enable mode?