NETCONF is one of the automation and programmability protocols with which we can configure and manage network devices automatically. In the previous lessons, we talked about what NETCONF is. Now, it is time to configure NETCONF on Cisco devices. In this lesson, we will focus on Cisco NETCONF configuration.
You can also check Cisco RESTCONF Configuration Example Lesson.
To configure NETCONF on a Cisco device, we need some steps. First of all, our user needs privilege level 15 to work with NETCONF APIs.
Our Cisco NETCONF Configuration steps will be like below:
Let’s start our NETCONF Cisco Configuration.
Firstly, we will configure the privilege level for NETCONF API access. The privilege level must be 15 to work with NETCONF APIs. To configure a user's privilege level, we use the “username name privilege level password password” command. Here, we configure both the privilege level and the user password.
For this configuration example, our username will be ipcisco, the password will be abc123 and the privilege level will be 15, because the NETCONF protocol requires level 15.
Router# configure terminal
Router(config)# username ipcisco privilege 15 password abc123
As an option, we can also configure AAA if you are using AAA. To enable AAA (Authentication, Authorization and Accounting), we use “aaa new-model” command.
With “aaa authentication login default local” command, we set the authentication to use the local username database.
With “aaa authorization exec default local” command, we configure the AAA authorization to check local database. Here, we also allow the user to run Exec shell.
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
In this step we will enable NETCONF interface on our device. To do this we will use “netconf-yang” command. In 90 seconds, our model-based interface will be activated. Here, we will also use “netconf-yang feature candidate-datastore” command to enable candidate datastore.
Router(config)# netconf-yang
Router(config)# netconf-yang feature candidate-datastore
Router(config)# end
Note: The legacy NETCONF protocol may be enabled on your device. If it is enabled, the standard RFC-compliant protocol will not work. So, firstly, you should disable legacy NETCONF with the command “no netconf legacy”.
After privilege level configuration to provide access and NETCONF interface configuration for NETCONF-YANG, now we will verify NETCONF. To do this we will use the below NETCONF verification commands:
With “show netconf-yang datastores” command, we will display information about NETCONF-YANG datastores.
Router# show netconf-yang datastores
Datastore Name : running
Globally Locked By Session : 20
Globally Locked Time : 2024-09-25T12:46:55-05:00
To display information about NETCONF-YANG sessions, we will use “show netconf-yang sessions” command. For detailed information, we can add “detail” keyword at the end of the command.
Router# show netconf-yang sessions
R: Global-lock on running datastore
C: Global-lock on candidate datastore
S: Global-lock on startup datastore
Number of sessions : 5
session-id transport username source-host global-lock
18 netconf-ssh admin 10.1.1.1 None
20 netconf-ssh admin 10.1.1.1 None
22 netconf-ssh admin 10.1.1.1 None
24 netconf-ssh admin 10.1.1.1 None
26 netconf-ssh admin 10.1.1.1 None
Router# show netconf-yang sessions detail
R: Global-lock on running datastore
C: Global-lock on candidate datastore
S: Global-lock on startup datastore
Number of sessions : 1
session-id : 15
transport : netconf-ssh
username : admin
source-host : 2001:db8::1
login-time : 2024-09-25T00:17:32-05:00
in-rpcs : 0
in-bad-rpcs : 0
out-rpc-errors : 0
out-notifications : 0
global-lock : None
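The session table is a quick way to spot unexpected NETCONF clients. The Python script below is an added example, not part of the original lesson: it parses “show netconf-yang sessions” output and flags sessions that come from outside an assumed management range or that hold a global lock. The allowed networks, the sample rows for sessions 20 and 28, and the single-letter lock value (inferred from the R/C/S legend) are constructed assumptions.

```python
import ipaddress

# Constructed sample in the table layout shown above; rows 20 and 28 are made up.
SAMPLE_OUTPUT = """\
R: Global-lock on running datastore
C: Global-lock on candidate datastore
S: Global-lock on startup datastore
Number of sessions : 3
session-id transport username source-host global-lock
18 netconf-ssh admin 10.1.1.1 None
20 netconf-ssh admin 10.1.1.1 R
28 netconf-ssh ipcisco 192.0.2.77 None
"""

ALLOWED_NETWORKS = ["10.1.1.0/24", "2001:db8::/64"]  # assumed management ranges


def parse_sessions(output):
    """Return one dict per row of the session table, keyed by column name."""
    sessions, columns = [], None
    for line in output.splitlines():
        fields = line.split()
        if fields[:1] == ["session-id"]:
            columns = fields  # header row names the columns
        elif columns and len(fields) == len(columns) and fields[0].isdigit():
            sessions.append(dict(zip(columns, fields)))
    return sessions


def audit_sessions(sessions, allowed_networks=ALLOWED_NETWORKS):
    """Return (session-id, reason) findings that deserve a closer look."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for s in sessions:
        try:
            addr = ipaddress.ip_address(s["source-host"])
        except ValueError:
            findings.append((s["session-id"], "unparseable source-host"))
            continue
        if not any(addr.version == n.version and addr in n for n in nets):
            findings.append((s["session-id"], "source-host outside management networks"))
        if s["global-lock"] != "None":
            findings.append((s["session-id"], "holds global lock " + s["global-lock"]))
    return findings


if __name__ == "__main__":
    for session_id, reason in audit_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(session_id, reason)
```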
With “show netconf-yang statistics” command, we can see the statistics of NETCONF.
Router# show netconf-yang statistics
netconf-start-time : 2024-09-25T00:17:32-05:00
in-rpcs : 0
in-bad-rpcs : 0
out-rpc-errors : 0
out-notifications : 0
in-sessions : 8
dropped-sessions : 0
in-bad-hellos : 0
To display the status of the software processes required to support NETCONF-YANG we use “show platform software yang-management process” command.
Router# show platform software yang-management process
confd : Running
nesd : Running
syncfd : Running
ncsshd : Running
dmiauthd : Running
vtyserverutild : Running
opdatamgrd : Running
nginx : Running
ndbmand : Running
For more information about NETCONF and YANG, you can also check the below RFCs:
Most Cisco routers that run recent software support NETCONF/YANG. You can use NETCONF/YANG on IOS, IOS XR, IOS XE and NX-OS. Devices that run IOS 12.4(9)T and later and devices that run IOS XE 2.1 and later support NETCONF.