Can you tell from CLI if someone is currently using SDM?

Answered Question
Dec 30th, 2008
User Badges:

I just had a funny thing happen... I was doing some config changes on a router at the same time that someone else was doing config changes with SDM. Needless to say, I was confused by the seemingly magical changes to the running config that I wasn't doing! ha ha.

Anyway, is there any way from the CLI to tell that someone is "connected" to the router via SDM? Or should I lock out SDM users by giving the "no ip http server" and "no ip http secure-server" commands first before I start doing CLI changes?


Correct Answer by Edison Ortiz about 8 years 4 months ago

Thomas,


As Collin indicated the show users command will be able to display who is connected to the router, SDM or CLI.


The problem with SDM is that is not a persistent connection and the user will be listed when the command is executed and then it's removed from the list.


I tested in my lab - btw, who does the same. I'm connected via console and SDM, only console is shown because I haven't typed any command in SDM.


1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00


Interface User Mode Idle Peer Address



Now, I'm going to execute a ping on SDM, this should place me in the list.


R1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:00:03 169.254.1.1


Interface User Mode Idle Peer Address


Once the ping finished, the connection is released by the router.


BTW, what version of IOS are you running? On the newer version of IOS, there is a command to archive config log changes and you should be able to tell who changed the config based on their username.


http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TSD_Products_Configuration_Guide_Chapter.html


HTH,


__


Edison.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Collin Clark Tue, 12/30/2008 - 12:42
User Badges:
  • Purple, 4500 points or more

configuration mode exclusive auto will only allow one person at a time to make changes.

I'm pretty sure there is a command to see other users, I'll see if I can dig it up.


Hope that helps.


Update: The command is show users.

thomasdzubin Tue, 12/30/2008 - 12:57
User Badges:

"show users" only shows CLI users...not SDM users (I'm on both CLI & SDM right this very second so I tested it... only my CLI session shows)


The "configuration mode exclusive" commands also seem to apply only to CLI users and not SDM

Correct Answer
Edison Ortiz Tue, 12/30/2008 - 13:25
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Thomas,


As Collin indicated the show users command will be able to display who is connected to the router, SDM or CLI.


The problem with SDM is that is not a persistent connection and the user will be listed when the command is executed and then it's removed from the list.


I tested in my lab - btw, who does the same. I'm connected via console and SDM, only console is shown because I haven't typed any command in SDM.


1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00


Interface User Mode Idle Peer Address



Now, I'm going to execute a ping on SDM, this should place me in the list.


R1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:00:03 169.254.1.1


Interface User Mode Idle Peer Address


Once the ping finished, the connection is released by the router.


BTW, what version of IOS are you running? On the newer version of IOS, there is a command to archive config log changes and you should be able to tell who changed the config based on their username.


http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TSD_Products_Configuration_Guide_Chapter.html


HTH,


__


Edison.

Collin Clark Tue, 12/30/2008 - 13:38
User Badges:
  • Purple, 4500 points or more

Edison-


If you still have it labbed up could you test the

configuration mode exclusive auto command and see if it blocks SDM config if a CLI user is in?

Edison Ortiz Tue, 12/30/2008 - 16:50
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Collin,


The configuration mode exclusive enables the exclusive configuration lock feature.


Users accessing the device using the state-full, session-based transports (telnet, SSH) are able to enter single-user configuration mode.


However, the lock is placed when you enter in config mode by typing configure terminal lock from the EXEC mode. If you are in EXEC mode, the configuration isn't locked to other users until you type the command above.


For more details, please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_c1.html#wp1030940


HTH,


__


Edison.

Collin Clark Wed, 12/31/2008 - 06:10
User Badges:
  • Purple, 4500 points or more

I am aware of what it does as we use it. I was just wondering if you were in config mode via the CLI if the SDM would prevent that user from making changes.

Edison Ortiz Wed, 12/31/2008 - 07:25
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

I was just wondering if you were in config mode via the CLI if the SDM would prevent that user from making changes.


No, I didn't test for that and I'll have to rebuild the lab for that test.. later date..


However, the link I posted confirms your initial post...


While a user is in single-user configuration mode, no other users can configure the device.



__


Edison.

thomasdzubin Wed, 12/31/2008 - 10:15
User Badges:

I just tried it on an 1811 running 12.4(6)T3 and the SDM changes *silently* fail and the GUI interface changes to make it appear that things worked...but they didn't!


And, of course, if two CLI users try to make changes, one gets the message:


NEW1811#config t

Configuration mode locked exclusively by user 'dzubin' process '59' from terminal '7'. Please try later.

NEW1811#


thomasdzubin Tue, 12/30/2008 - 13:59
User Badges:

Thanks Edison... So I only see SDM users when they are actually running a command...your explanation makes sense.

Actions

This Discussion