Solved: Re: Can you tell from CLI if someone is currently using SDM?

thomasdzubin · ‎12-30-2008

I just had a funny thing happen... I was doing some config changes on a router at the same time that someone else was doing config changes with SDM. Needless to say, I was confused by the seemingly magical changes to the running config that I wasn't doing! ha ha.

Anyway, is there any way from the CLI to tell that someone is "connected" to the router via SDM? Or should I lock out SDM users by giving the "no ip http server" and "no ip http secure-server" commands first before I start doing CLI changes?

Edison Ortiz · ‎12-30-2008

Thomas,

As Collin indicated the show users command will be able to display who is connected to the router, SDM or CLI.

The problem with SDM is that is not a persistent connection and the user will be listed when the command is executed and then it's removed from the list.

I tested in my lab - btw, who does the same. I'm connected via console and SDM, only console is shown because I haven't typed any command in SDM.

1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

Interface User Mode Idle Peer Address

Now, I'm going to execute a ping on SDM, this should place me in the list.

R1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:00:03 169.254.1.1

Interface User Mode Idle Peer Address

Once the ping finished, the connection is released by the router.

BTW, what version of IOS are you running? On the newer version of IOS, there is a command to archive config log changes and you should be able to tell who changed the config based on their username.

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TSD_Products_Configuration_Guide_Chapter.html

HTH,

__

Edison.

View solution in original post

Collin Clark · ‎12-30-2008

configuration mode exclusive auto will only allow one person at a time to make changes.

I'm pretty sure there is a command to see other users, I'll see if I can dig it up.

Hope that helps.

Update: The command is show users.

thomasdzubin · ‎12-30-2008

"show users" only shows CLI users...not SDM users (I'm on both CLI & SDM right this very second so I tested it... only my CLI session shows)

The "configuration mode exclusive" commands also seem to apply only to CLI users and not SDM

Edison Ortiz · ‎12-30-2008

Thomas,

As Collin indicated the show users command will be able to display who is connected to the router, SDM or CLI.

The problem with SDM is that is not a persistent connection and the user will be listed when the command is executed and then it's removed from the list.

I tested in my lab - btw, who does the same. I'm connected via console and SDM, only console is shown because I haven't typed any command in SDM.

1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

Interface User Mode Idle Peer Address

Now, I'm going to execute a ping on SDM, this should place me in the list.

R1#who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:00:03 169.254.1.1

Interface User Mode Idle Peer Address

Once the ping finished, the connection is released by the router.

BTW, what version of IOS are you running? On the newer version of IOS, there is a command to archive config log changes and you should be able to tell who changed the config based on their username.

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TSD_Products_Configuration_Guide_Chapter.html

HTH,

__

Edison.

Collin Clark · ‎12-30-2008

Edison-

If you still have it labbed up could you test the

configuration mode exclusive auto command and see if it blocks SDM config if a CLI user is in?

Edison Ortiz · ‎12-30-2008

Collin,

The configuration mode exclusive enables the exclusive configuration lock feature.

Users accessing the device using the state-full, session-based transports (telnet, SSH) are able to enter single-user configuration mode.

However, the lock is placed when you enter in config mode by typing configure terminal lock from the EXEC mode. If you are in EXEC mode, the configuration isn't locked to other users until you type the command above.

For more details, please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_c1.html#wp1030940

HTH,

__

Edison.

Collin Clark · ‎12-31-2008

I am aware of what it does as we use it. I was just wondering if you were in config mode via the CLI if the SDM would prevent that user from making changes.

Edison Ortiz · ‎12-31-2008

I was just wondering if you were in config mode via the CLI if the SDM would prevent that user from making changes.

No, I didn't test for that and I'll have to rebuild the lab for that test.. later date..

However, the link I posted confirms your initial post...

While a user is in single-user configuration mode, no other users can configure the device.

__

Edison.

thomasdzubin · ‎12-31-2008

I just tried it on an 1811 running 12.4(6)T3 and the SDM changes *silently* fail and the GUI interface changes to make it appear that things worked...but they didn't!

And, of course, if two CLI users try to make changes, one gets the message:

NEW1811#config t

Configuration mode locked exclusively by user 'dzubin' process '59' from terminal '7'. Please try later.

NEW1811#

thomasdzubin · ‎12-30-2008

Thanks Edison... So I only see SDM users when they are actually running a command...your explanation makes sense.