By default, anyone who has access to your router can make changes to the configuration at the same time. One network admin might be connected to the console, another through telnet and a third through SSH. They can all make changes to the configuration simultaneously.
It might be a good idea to prevent this from happening: when one network admin is making changes, the others shouldn’t be able to change anything.
Cisco created a feature called “Configuration Lock” that allows us to do this. Simply said, when one user uses “configure terminal” the others won’t be allowed to do the same thing. When the first user leaves the configuration mode, someone else can get access. Sounds good?
There are two options here: auto and manual.
When you use auto, whenever someone enters the configuration mode it will be locked so other users can’t enter configuration mode. The manual method does the same thing but you have to lock it yourself. I’ll show you how to use both options.
First we’ll configure telnet so that I have two methods to access the router…telnet and console:
R1(config)#username cisco password cisco
R1(config)#enable password cisco
R1(config)#line vty 0 4
R1(config-line)#login local
That takes care of that, let’s check out the lock feature:
R1(config)#configuration mode exclusive ?
  auto    Lock configuration mode automatically
  manual  Lock configuration mode on-demand
As you can see we have two options, auto and manual. We’ll start with the auto method.
Auto Lock Configuration Mode
You only have to use one command to enable the auto-locking of the configuration mode:
R1(config)#configuration mode exclusive auto
That’s all there is to it. Once you exit the configuration mode and re-enter it you’ll see this:
R1#configure terminal
Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
%PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'unknown' from terminal '0' -Process= "Exec", ipl= 0, pid= 93
The router warns us that the configuration mode has been locked by an unknown user from terminal 0 (console). Let’s see what happens when another network admin tries to connect through telnet:
R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open

User Access Verification

Username: cisco
Password:
R1>enable
Password:
R1#
We are allowed to connect and use the privileged mode. This is what happens when you try to configure something:
R1#configure terminal
Configuration mode locked exclusively by user 'unknown' process '93' from terminal '0'. Please try later.
Too bad…we are locked out because the user on the console is still in configuration mode. There is a show command that gives us some more information:
R1(config)#do show configuration lock
Parser Configure Lock
---------------------
Owner PID : 93
User : unknown
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal
Session idle state : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked : 0
Config wait for show completion : FALSE
Remote ip address : Unknown
Lock active time (in Sec) : 5
Lock Expiration timer (in Sec) : 599
This tells us that the configuration mode is locked by an unknown user (console). Once this user exits the configuration mode someone else will be able to access it. Does this make sense so far? Let’s try the manual method.
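The show configuration lock output above is regular enough to check from a script, for example to flag a lock whose holder shows up as 'unknown'. The following is an added example, not part of the original lesson: the sample text is an abridged copy of the output above, and audit_lock with its max_active threshold is a hypothetical helper written for this illustration.

```python
# Constructed sample: abridged "show configuration lock" output from this lesson.
SAMPLE = """\
Parser Configure Lock
---------------------
Owner PID : 93
User : unknown
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
Remote ip address : Unknown
Lock active time (in Sec) : 5
Lock Expiration timer (in Sec) : 599
"""


def parse_lock(text):
    """Turn the 'name : value' lines into a dict; title and rule lines are skipped."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so a value containing colons stays intact.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_lock(fields, max_active=300):
    """Return findings for a held lock. max_active (seconds) is an assumed
    site threshold for this example, not an IOS default."""
    if fields.get("State") != "LOCKED":
        return []
    findings = []
    where = f"TTY {fields.get('TTY')}, PID {fields.get('Owner PID')}"
    if fields.get("User", "unknown").lower() == "unknown":
        findings.append(f"lock holder has no username ({where})")
    active = int(fields.get("Lock active time (in Sec)", 0))
    if active > max_active:
        findings.append(f"lock held for {active}s, over {max_active}s ({where})")
    if int(fields.get("Pending Requests", 0)) > 0:
        findings.append(f"Pending Requests is {fields['Pending Requests']}")
    return findings


if __name__ == "__main__":
    for finding in audit_lock(parse_lock(SAMPLE)):
        print(finding)
```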
Manual Lock Configuration Mode
Let’s get rid of the auto mode first:
R1(config)#no configuration mode exclusive auto
Now we’ll enable manual mode: