Table Of Contents
Exclusive Configuration Change Access
Information About Exclusive Configuration Change Access and Access Session Locking
Exclusive Configuration Change Access Functionality
How to Use Exclusive Configuration Change Access and Access Session Locking
Enabling Exclusive Configuration Change Access and Access Session Locking
Obtaining Exclusive Configuration Change Access
Configuration Examples for Exclusive Configuration Change Access and Access Session Locking
Configuring an Exclusive Lock in Auto Mode: Example
Configuring an Exclusive Lock in Manual Mode: Example
Feature Information for Exclusive Configuration Change Access and Access Session Locking
Exclusive Configuration Change Access
Document Version 21 (June 2007)First Published: February 28, 2005Exclusive Configuration Change Access (also called the "Configuration Lock" feature) allows you to have exclusive change access to the Cisco IOS running configuration, preventing multiple users from making concurrent configuration changes.
The Access Session Locking featurette extends the Exclusive Configuration Change Access feature such that show and debug commands entered by the user holding the configuration lock always have execution priority; show and debug commands entered by other users are only allowed to run after the processes initiated by the configuration lock owner have finished.
The Exclusive Configuration Change Access feature ("exposed lock") is complementary with the locking mechanism in the Configuration Replace and Configuration Rollback feature ("rollback lock").
This document applies to software functionality in Cisco IOS Software Releases 12.3T/12.4/12.4T and 12.2S/12.2SR/12.2SX. For updated information, see the latest documentation available for your release.
Contents
•
Information About Exclusive Configuration Change Access and Access Session Locking
•
•
•
Information About Exclusive Configuration Change Access and Access Session Locking
To use the Exclusive Configuration Change Access and Access Session Locking feature, you should understand the following concepts:
•
Exclusive Configuration Change Access Functionality
Devices running Cisco IOS software maintain a running configuration that determines the configuration state of the device. Changes to the running configuration alter the behavior of the device. Because Cisco IOS software allows multiple users to change the running configuration via the device CLI (including the device console and telnet SSH), in some operating environments it would be beneficial to prevent multiple users from making concurrent changes to the Cisco IOS running configuration. Temporarily limiting access to the Cisco IOS running configuration prevents inadvertent conflicts or cases where two users attempt to configure the same portion of the running configuration.
Exclusive configuration change access provides a mechanism to prevent concurrent configuration of Cisco IOS software by multiple users.
This feature provides exclusive change access to the Cisco IOS running configuration from the time you enter global configuration mode by using the configure terminal command. This gives the effect of a "configuration lock," preventing other users from changing the Cisco IOS running configuration. The configuration lock is automatically released when the user exits Cisco IOS configuration mode.
The Exclusive Configuration Change Access feature is enabled using the configuration mode exclusive command in global configuration mode. Exclusive Configuration Change Access can be set to auto, so that the Cisco IOS configuration mode is locked whenever anyone uses the configure terminal command, or it can be set to manual, so that the Cisco IOS configuration mode is locked only when the configure terminal lock command is issued.
The Exclusive Configuration Change Access feature is complementary with the locking mechanism for the Configuration Replace and Configuration Rollback feature introduced in Cisco IOS Release 12.2(25)S and 12.3(7)T.
Access Session Locking
Access Session Locking, in addition to preventing concurrent configuration access, provides an option to prevent simultaneous processes, such as a show command entered by another user, from executing while other configuration commands are being executed. When this feature is enabled, the commands entered by the user with the configuration lock (such as configuration commands) always have priority over commands entered by other users.
How to Use Exclusive Configuration Change Access and Access Session Locking
This section contains the following procedures:
•
•
•
Enabling Exclusive Configuration Change Access and Access Session Locking
Perform this task to gain exclusive access to the Cisco IOS configuration mode.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
configuration mode exclusive {auto | manual}
Example:Router(config)# configuration mode exclusive auto
Enables exclusive configuration change access (configuration lock feature). When enabled, configuration sessions are performed in single-user (exclusive) mode.
•
•
Step 4
end
Example:Router(config)# end
Ends your configuration session and returns the CLI to privileged EXEC mode.
Obtaining Exclusive Configuration Change Access
Perform this task to obtain exclusive configuration change access for the duration of your configuration session. Use of the lock keyword with the configure terminal command is only necessary if the exclusive configuration mode has been set to manual (see the "Enabling Exclusive Configuration Change Access and Access Session Locking" section).
SUMMARY STEPS
1.
2.
3.
4.
5.
or
exitDETAILED STEPS
Monitoring and Troubleshooting the Exclusive Configuration Change Access and Access Session Locking Feature
Perform any or all of the steps in this task to monitor or troubleshoot the Exclusive Configuration Change Access and Access Session Locking feature.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
Use this command to display the status and details of any current configuration locks, including the owner, user, terminal, lock state, and lock class.
If you cannot enter global configuration mode, you can use this command to determine if the configuration session is currently locked by another user, and who that user is.
Router# show configuration lockParser Configure Lock------------------------------------------------------Owner PID : 3User : unknownTTY : 0Type : EXCLUSIVEState : LOCKEDClass : EXPOSEDCount : 1Pending Requests : 0User debug info : configure terminalSession idle state : TRUENo of exec cmds getting executed : 0No of exec cmds blocked : 0Config wait for show completion : FALSERemote ip address : UnknownLock active time (in Sec) : 6Lock Expiration timer (in Sec) : 593Router(config)#Step 2
Use this command to enable debugging of Cisco IOS configuration locks (exposed class locks or rollback class locks).
Router# debug configuration lockSession1 from console==========================Router# configure terminal lockConfiguration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exitEnter configuration commands, one per line. End with CNTL/Z.Router(config)#Parser : LOCK REQUEST in EXCLUSIVE modeParser: <configure terminal lock> - Config. Lock requested by process <3> client <PARSER Client>Parser: <configure terminal lock> - Config. Lock acquired successfully !Router(config)#
Configuration Examples for Exclusive Configuration Change Access and Access Session Locking
This section provides the following configuration examples:
•
•
Configuring an Exclusive Lock in Auto Mode: Example
The following example shows how to enable the exclusive lock in auto mode for single-user auto configuration mode using the configuration mode exclusive auto command. Once the Cisco IOS configuration file is locked exclusively, you can verify this configuration by using the show configuration lock command.
Router#Router# configure terminalRouter(config)# configuration mode exclusive autoRouter(config)# exitRouter#Router# configure terminal! Locks configuration mode exclusively.Router(config)# show configuration lockParser Configure LockOwner PID : 10User : User1TTY : 3Type : EXCLUSIVEState : LOCKEDClass : ExposedCount : 0Pending Requests : 0User debug info : 0Configuring an Exclusive Lock in Manual Mode: Example
The following example shows how to enable the exclusive locking feature in manual mode by using the configuration mode exclusive manual command. Once you have configured manual exclusive mode, you can lock the configuration mode by using the configure terminal lock command. In this mode, the configure terminal command will not automatically lock the parser configuration mode.
Router#Router# configure terminalRouter(config)# configuration mode exclusive manualRouter(config)# exitRouter# configure terminal lockEnter configuration commands, one per line. End with CNTL/Z.Router(config)#*Mar 25 17:02:45.928: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exitAdditional References
The following sections provide references related to the Exclusive Configuration Change Access and Access Session Locking feature.
Related Documents
Commands for managing configuration files
Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3T
Information about managing configuration files
"Managing Configuration Files" chapter in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
This section documents modified commands only.
configuration mode exclusive
To enable single-user (exclusive) access functionality for the Cisco IOS command-line interface (CLI), use the configuration mode exclusive command in global configuration mode. To disable the single-user access (configuration locking) feature, use the no form of this command.
Syntax for Release 12.3T:
configuration mode exclusive {auto | manual}
no configuration mode exclusive {auto | manual}
Syntax for Release 12.0(31)S, 12.2(33)SRA, and Later Releases:
configuration mode exclusive {auto | manual} [expire seconds] [lock-show] [interleave] [terminate] [config_wait seconds] [retry_wait seconds]
Syntax Description
Defaults
Single-user mode is disabled.
Command Modes
Global configuration
Command History
For documentation updates beyond the releases listed here, see the latest documentation available for your release.
Usage Guidelines
The configuration mode exclusive command enables the exclusive configuration lock feature. The exclusive configuration lock allows single-user access to configuration modes using single-user configuration mode. While the device configuration is locked, no other users can enter configuration commands.
Users accessing the device using the state-full, session-based transports (telnet, SSH) are able to enter single-user configuration mode. The user enters single-user configuration mode by acquiring the exclusive configuration lock using the configure terminal lock privileged EXEC mode command. The configuration lock is released when the user exits configuration mode by using the end or exit command, or by pressing Ctrl-Z. While a user is in single-user configuration mode, no other users can configure the device. Users accessing CLI options through stateless protocols (that is, the HTTP web-based user interface) cannot access single-user configuration mode. (However, an API allows the stateless transports to lock the configuration mode, complete its operations, and release the lock.)
Examples
The following example shows how to configure the configuration file for single-user autoconfiguration mode by using the configuration mode exclusive auto command. Use the configuration terminal command to enter global configuration mode and lock the configuration mode exclusively. After the Cisco IOS configuration mode is locked exclusively, you can verify this configuration by entering the show configuration lock command.
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# configuration mode exclusive autoRouter(config)# endRouter# show running-configuration | include config Building configuration... Current configuration : 2296 bytes configuration mode exclusive auto <========== auto policy Router#Router# configure terminal ? <======== lock option not displayed when in auto policy Router# configure terminal <======= acquires the lockThe configuration mode is locked exclusively. The lock is cleared after you exit from configuration mode by entering end or exit.
Enter configuration commands, one per line. End with CNTL/Z. Router(config)#Router(config)# show configuration lock Parser Configure Lock --------------------- Owner PID : 3 User : unknown TTY : 0 Type : EXCLUSIVE State : LOCKED Class : EXPOSED Count : 1 Pending Requests : 0 User debug info : configure terminal Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 6 Lock Expiration timer (in Sec) : 593 Router(config)#Router(config)# end <========= releases the lock Router#Router# show configuration lock Parser Configure Lock --------------------- Owner PID : -1 User : unknown TTY : -1 Type : NO LOCK State : FREE Class : unknown Count : 0 Pending Requests : 0 User debug info : Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 0 Lock Expiration timer (in Sec) : 0 Router#The following example shows how to enable the exclusive locking feature in manual mode by using the configuration mode exclusive manual command. Once you have configured manual exclusive mode, you can lock the configuration mode by using the configure terminal lock command. In this mode, the configure terminal command does not automatically lock the parser configuration mode. The lock is cleared after you exit from configuration mode by entering end or exit.
Router#Router# configure terminal Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit Enter configuration commands, one per line. End with CNTL/Z. Router(config)#Router(config)# configuration mode exclusive manual Router(config)# end Router# Router# show running-configuration | include configuration Building configuration... Current configuration : 2298 bytes configuration mode exclusive manual <==== 'manual' policyRouter# show configuration lock Parser Configure Lock --------------------- Owner PID : -1 User : unknown TTY : -1 Type : NO LOCK State : FREE Class : unknown Count : 0 Pending Requests : 0 User debug info : Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 0 Lock Expiration timer (in Sec) : 0 Router#Router# configure terminal ? lock Lock configuration mode <========= 'lock' option displayed in 'manual' policy Router# configure terminal <============ `configure terminal' won't acquire lock automatically Enter configuration commands, one per line. End with CNTL/Z.Router(config)# show configuration lock Parser Configure Lock --------------------- Owner PID : -1 User : unknown TTY : -1 Type : NO LOCK State : FREE Class : unknown Count : 0 Pending Requests : 0 User debug info : Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 0 Lock Expiration timer (in Sec) : 0 Router(config)# endRouter# show configuration lock Parser Configure Lock --------------------- Owner PID : -1 User : unknown TTY : -1 Type : NO LOCK State : FREE Class : unknown Count : 0 Pending Requests : 0 User debug info : Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 0 Lock Expiration timer (in Sec) : 0 Router# Router# configure Router# configure terminal Router# configure terminal ? lock Lock configuration mode <======= 'lock' option displayed when in 'manual' policy Router# configure terminal lock Router# configure terminal lock <============ acquires exclusive configuration lockConfiguration mode is locked exclusively. The lock is cleared after you exit from configuration mode by entering the end or exit command. Enter configuration commands, one per line. End with CNTL/Z. Router(config)#Router(config)# show configuration lock Parser Configure Lock --------------------- Owner PID : 3 User : unknown TTY : 0 Type : EXCLUSIVE State : LOCKED Class : EXPOSED Count : 1 Pending Requests : 0 User debug info : configure terminal lock Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 5 Lock Expiration timer (in Sec) : 594Router(config)# end <================ 'end' releases exclusive configuration lock Router#Router# show configuration lock Parser Configure Lock --------------------- Owner PID : -1 User : unknown TTY : -1 Type : NO LOCK State : FREE Class : unknown Count : 0 Pending Requests : 0 User debug info : Session idle state : TRUE No of exec cmds getting executed : 0 No of exec cmds blocked : 0 Config wait for show completion : FALSE Remote ip address : Unknown Lock active time (in Sec) : 0 Lock Expiration timer (in Sec) : 0 Router#Related Commands
configure terminal
To enter global configuration mode, use the configure terminal command in privileged EXEC mode.
configure terminal [lock]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to enter global configuration mode. Note that commands in this mode are written to the running configuration file as soon as you enter them (using the Enter key/Carriage Return).
After you enter the configure terminal command, the system prompt changes from <router-name># to <router-name>(config)#, indicating that the router is in global configuration mode. To leave global configuration mode and return to privileged EXEC mode, type exit or press Ctrl-Z.
To view the changes to the configuration you have made, use the more system:running-config command or show running-config command in user EXEC or privileged EXEC mode.
Configuration Locking
The first user to enter the configure terminal lock command acquires the configuration lock (exclusive configuration mode).
Examples
In the following example, the user enters global configuration mode and locks the Cisco IOS software in exclusive mode:
Router# configure terminalRouter(config)# configure terminal lockEnter configuration commands, one per line. End with CNTL/Z.Router(config)#Related Commands
debug configuration lock
To enable debugging of the Cisco IOS configuration lock, use the debug configuration lock command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug configuration lock
no debug command lock
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output with debug configuration lock enabled (assuming that the feature is enabled using the configuration mode exclusive manual command in global configuration mode):
Router# debug configuration lockSession1 from console==========================Router# configure terminal lockConfiguration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exitEnter configuration commands, one per line. End with CNTL/Z.Router(config)#Parser : LOCK REQUEST in EXCLUSIVE modeParser: <configure terminal lock> - Config. Lock requested by process <3> client <PARSER Client>Parser: <configure terminal lock> - Config. Lock acquired successfully !Router(config)#Session2 VTY (User from session2 is trying to enter single user config (exclusive) config mode)=================================Router# configure terminal lockConfiguration mode locked exclusively by user 'unknown' process '3' from terminal '0'. Please try later.Router#Session1 from console=======================Router(config)#Parser : LOCK REQUEST in EXCLUSIVE modeParser: <configure terminal lock> - Config. Lock requested by process <104> client <PARSER Client>Parser: <configure terminal lock> - NON_BLOCKING : Config mode locked <EXCLUSIVE> owner <3>Router(config)#Router(config)# endRouter#%SYS-5-CONFIG_I: Configured from console by consoleParser: <Configure terminal> - Config. EXC UnLock requested by user<3>Parser: <Configure terminal> - Config UNLOCKED !Router#Related Commands
show configuration lock
To display information about the lock status of the running configuration file during a configuration replace operation, use the show configuration lock command in privileged EXEC mode.
show configuration lock
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show configuration lock command when the running configuration file is locked by another user.
Cisco IOS Release 12.2(25)S, Release 12.2(28)SB, Release 12.3(14)T, and Later Releases
Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z.Router(config)# configuration mode exclusive ? auto Lock configuration mode automatically manual Lock configuration mode on-demandRouter(config)# configuration mode exclusive auto Router# endRouter# show running-config | include configuration configuration mode exclusive auto Router# Router# configure terminal <========= acquires the lock Enter configuration commands, one per line. End with CNTL/Z. Router# Router(config)# show configuration lock Parser Configure Lock --------------------- Owner PID : 3 User : unknown TTY : 0 Type : EXCLUSIVE State : LOCKED Class : EXPOSED Count : 1 Pending Requests : 0 User debug info : configure terminal Router(config)# Router(config)# end <======== releases the lockThe following is sample output from the show configuration lock command when the running configuration file is not locked by another user.
Router# show configuration lockParser Configure Lock --------------------- Owner PID : -1 User : unknown TTY : -1 Type : NO LOCK State : FREE Class : unknown Count : 0 Pending Requests : 0 User debug info : Router#Cisco IOS Release 12.0(31)S, 12.2(33)SRA, and Later Releases
Router# show configuration lockParser Configure Lock------------------------------------------------------Owner PID : 3User : unknownTTY : 0Type : EXCLUSIVEState : LOCKEDClass : EXPOSEDCount : 1Pending Requests : 0User debug info : configure terminalSession idle state : TRUENo of exec cmds getting executed : 0No of exec cmds blocked : 0Config wait for show completion : FALSERemote ip address : UnknownLock active time (in Sec) : 6Lock Expiration timer (in Sec) : 593Router(config)#Table 1 describes the significant fields shown in the displays.
The following example shows how to configure the configuration file for single user auto configuration mode (using the configuration mode exclusive auto command). Use the configure terminal command to enter global configuration mode and lock the configuration mode exclusively. Once the Cisco IOS configuration mode is locked exclusively, you can verify the lock using the show configuration lock command.
Router#Router# configure terminalRouter(config)# configuration mode exclusive autoRouter(config)# endRouter# configure terminalRouter(config)#Router(config)# show configuration lockParser Configure LockOwner PID : 10User : User1TTY : 3Type : EXCLUSIVEState : LOCKEDClass : ExposedCount : 0Pending Requests : 0User debug info : 0Related Commands
Feature Information for Exclusive Configuration Change Access and Access Session Locking
Table 2 contains document revision information.
Feature documentation is updated and republished for major Cisco IOS software releases.
This document may not contain the latest information for your software release. Please use the document publication date and associated release version number to determine if this document applies to your Cisco IOS software environment.
Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature. Updated feature support information is available from Cisco Feature Navigator at http://www.cisco.com/go/cfn.
Note
For updated information, including documentation corrections and updates, see the latest documentation available for your release.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2005-2007 Cisco Systems, Inc. All rights reserved.
Guest
