Configuration Lock

Ever busy with a scheduled change, and the configuration all of a sudden differs from what you configured five minutes ago?

Normal IOS (not XR) behaviour allows multiple users to make instant changes to the running configuration. Occasionally two users make changes to the same config portion at the same time. One overwriting the others. ONLY the last commands entered will take effect.

The Configuration Lock  feature allows a one to have exclusive change access to the Cisco IOS running configuration, preventing multiple users from making concurrent configuration changes.

There are two modes:

  • Auto
  • Manual

The Auto option will lock the configuration and give exclusive access to the first user that enters configuration mode by entering ‘config terminal’. This option is configured with the command:

Router# configure terminal
Router(config)# configuration mode exclusive auto
Router(config)# exit
Router# configure terminal             '<---- Locks configuration mode exclusively.'

The Manual option will only lock configuration access if the manually enabled. This is my preferred choice. The manual option must first be enabled but exclusively enabled.

Router# configure terminal
Router(config)# configuration mode exclusive manual
Router(config)# exit
Router# configure terminal lock
Enter configuration commands, one per line.  End with CNTL/Z.
*Feb 05 17:02:45.928:  Configuration mode locked exclusively. The lock will be cleared
once you exit out of configuration mode using end/exit

At any time, an individual can see who has the configuration access locked, by using the following command (if TACACS is configured the username would show):

Router# show configuration lock


3 thoughts on “Configuration Lock

  1. Ruhann,

    Great tip and a good blog. This should also lockout config via SNMP.

    We used to call these pearls. Like in “programming pearls”. Keep it up.

    I did some support other the years.

    Anytime you do this it is good to have a back door so you do not get yourself locked out. e.g. change of ACLs; routing etc. can do it.

    Some of these comments have only historical value.

    I would always do “who” before I start to do anything and once in a while just to check who is also on the router; and sometimes clear line when it idle for a while. Old hacking habit (white hat only).

    I have also found a good use for “reload in XXX” when you make gutsy configuration changes at remote uninhabited sites. When configs worked “reload cancel; wr” Saved a track roll many times.

    Some other brute force methods for locking people out on CLI.

    Clear other lines. Configure no login or ACL on these and keep only lines for yourself. I would usually keep more then one opened for myself not to get locked out (back door).

    Another one is to set some high # vty lines with different passwords. Busy out first few vty lines and change the idle time to high; keep connecting and at some point you get the high # vty that has restricted passwords.

    Here is another access tip. In the days when there was AUX (second asynch) port on Cisco devices we would put a modem on this port (does anybody still uses modems there is one in my laptop but I do not remember using it). We would test the modem periodically using Expect scripts; great tool for remote en-mass configs via CLI. From PSTN dial-in and from the inside with AT commands AT (expect OK) AT (set the string for the modem) AT DT # call out; expect a string. Escape back to CLI and clear AUX line.

    Modem does not work well on console since console does not support all the RS323 signals; e.g. for hangup.

    Another tip.

    Do hop by hop telnet to routers and change terminal escape character (e.g. “term esc $” on the way, so that you can escape to CLI on different hops.

    We are snowed in here (literary) about 2 feet so far since last night.

    I am catching up on leet

    — j3RzY 1337


    More down the history line.

    The “– name” goes way back; e-mail in pre-WEB days (late 80s) when we used to read RFCs to get educated. I sometimes feel I should write some Internet history; there are some cool links I digged out e.g. first public mention of the Cisco router on the mailing list.

    Does anybody know what project DoTu was: Document the Undocumented; documentation of hidden IOS commands.

  2. Hey j3RzY

    Thanks. LOL. I love reading your ranting. Such wisdom and knowledge. Thanks for sharing. It’s hot and humid here. I wish I was on the snow skiing :( I’ll reading through DoTU tomorrow and see how much still applies :) should be interesting. Keep in touch.

    Grenpa Sliwinski you are such a legend :D

Please leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.