Terminal Lock for VSH Sessions

Overview

Currently, with NX-OS, many users can be logged in to the switch at the same time and make configuration changes from their own CLI sessions. The goal is to restrict this scenario and allow only one user to configure the switch. This is achieved by terminal lock CLIs that lock the terminal so that only one user can access the configure terminal commands. The result is a “configuration lock” that prevents other users from changing the NX-OS running configuration.

The terminal lock feature provides a locking mechanism that gives a user exclusive configuration access to modify the NX-OS running configuration.

The following is the sequence of operations:

  1. terminal lock – This CLI provides the configuration lock to the user.

  2. terminal unlock – This CLI releases the terminal lock taken by any session.

  3. show terminal lock – This CLI shows the current terminal lock status and details.

Terminal Lock

The following are the guidelines for the terminal lock usage:

  • terminal lock allows config commands to be executed only in the session where the lock is held.

  • terminal lock blocks only config commands in the other sessions; SHOW and EXEC CLIs are still allowed.

  • Default timeout for terminal lock is 1800 seconds (30 minutes).

  • Once the lock timer expires, terminal lock is released automatically.

  • terminal lock CLI can be executed by any user with network-admin privilege.

  • terminal lock is rejected if "configure dual-stage" session is in progress.

The following is the example CLI for the terminal lock:
switch# terminal lock?
lock Locks the CLI Config mode
switch# terminal lock ?
<CR>
<60-43200> Enter terminal lock timeout in seconds
*Default value is 1800

“terminal lock” locks the parser configuration mode and prints a syslog message, as shown in the following example:
switch# terminal lock
switch# 2021 Jun 19 17:53:37 switch %VSHD-5-VSHD_CLI_TERM_LOCK: terminal lock is taken by admin on console0

Note


If a user tries to enter configure terminal mode in another session, the following error message is displayed: “Configuration locked. terminal lock is taken by other VSH session.”


Beginning with Cisco NX-OS Release 10.2(2)F, a new CLI option, "terminal lock mdp", is introduced to lock Model Driven Programmability interfaces such as RESTCONF, NETCONF, gRPC, gNMI, and so on.

The CLI "terminal lock mdp" makes the terminal lock applicable to all configuration sessions including DME sessions.

The following is the sample output for the "terminal lock mdp" CLI:
switch# terminal lock?
  lock  Locks the CLI Config mode

switch# terminal lock ?
  <CR>
  <mdp>  Locks Model Driven Programmability sessions
  <60-43200>  Enter terminal lock timeout in seconds
              *Default value is 1800
switch# terminal lock mdp
2021 Oct 26 06:33:19 switch %VSHD-5-VSHD_CLI_TERM_LOCK: terminal lock is taken by admin on console0
switch#
switch# show terminal lock 
PID: 10018
User: admin
Session: console0
State: LOCKED
MDP lock: True
Lock acquired time: Mon Mar  8 09:24:03 2021
Lock Expiration timer (in Sec): 1800
switch#

Terminal Unlock

The following is the example CLI for the terminal unlock:
switch# terminal unlock?
unlock Force unlocking of the CLI config mode
switch# terminal unlock ?
<CR>
switch# terminal unlock
switch# 2021 Jun 19 17:53:21 switch %VSHD-5-VSHD_CLI_TERM_LOCK: terminal lock is released by admin on console0

Note


"terminal lock" can be taken by only one admin user, but lock can be released by any admin user using "terminal unlock."


Show Terminal Lock

This command displays the status and details of any current configuration locks, including the owner, user, session, lock state, and lock timer.

The following is the example CLI for the Show Terminal Lock when the lock is active:
switch# terminal lock
switch#
switch# show terminal lock
PID: 10018
User: admin
Session: console0
State: LOCKED
Lock acquired time: Mon Mar 8 09:24:03 2021

The following is the example CLI for the Show Terminal Lock when the lock is free:
switch# terminal unlock
switch#
switch#
switch# show terminal lock
PID: -1
User: unknown
Session: NA
State: FREE
Lock acquired time:
Lock Expiration timer (in Sec): 0
switch#
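
Because any admin user can release a lock held by another admin, the VSHD_CLI_TERM_LOCK syslog messages shown in the Terminal Lock and Terminal Unlock sections are the audit trail for the lock. The following Python script is an added example, not part of the Cisco documentation: it parses that message format and flags a release by a different user or session than the one that took the lock. The user "netops", the session "pts/3", and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Message format taken from the syslog lines shown on this page.
LOCK_RE = re.compile(
    r"(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%VSHD-5-VSHD_CLI_TERM_LOCK: terminal lock is "
    r"(?P<action>taken|released) by (?P<user>\S+) on (?P<session>\S+)"
)

def audit_terminal_lock(lines):
    """Return (events, findings) for the terminal lock messages in lines."""
    events, findings, holder = [], [], {}
    for line in lines:
        m = LOCK_RE.search(line)  # search: console output may prefix "switch# "
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
        events.append(ev)
        held = holder.get(ev["host"])
        if ev["action"] == "taken":
            if held:  # earlier lock ended with no release message in this log
                findings.append(("no_release_logged", held, ev))
            holder[ev["host"]] = ev
        else:
            if held is None:
                findings.append(("release_without_lock", None, ev))
            elif (held["user"], held["session"]) != (ev["user"], ev["session"]):
                findings.append(("released_by_other", held, ev))
            holder[ev["host"]] = None
    return events, findings

# Constructed sample log: user "netops" and session "pts/3" are made up.
_MSG = "switch %VSHD-5-VSHD_CLI_TERM_LOCK: terminal lock is "
SAMPLE = [
    "switch# 2021 Jun 19 17:53:37 " + _MSG + "taken by admin on console0",
    "2021 Jun 19 17:55:02 " + _MSG + "released by netops on pts/3",
    "2021 Jun 19 18:10:00 " + _MSG + "taken by admin on console0",
    "2021 Jun 19 18:12:11 " + _MSG + "released by admin on console0",
]

if __name__ == "__main__":
    for kind, held, ev in audit_terminal_lock(SAMPLE)[1]:
        owner = f"{held['user']}@{held['session']}" if held else "nobody"
        print(f"{ev['ts']} {ev['host']}: {kind}: holder={owner} "
              f"actor={ev['user']}@{ev['session']}")
```

A "no_release_logged" finding only means that the log contains no release message between two "taken" messages; the page states that the lock is released automatically when its timer expires.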