Cisco NETCONF Configuration

NETCONF is one of the automation and programmability protocols with which we can configure and manage network devices automatically. In the previous lessons, we talked about what NETCONF is. Now it is time to configure NETCONF on Cisco devices. In this lesson, we will focus on Cisco NETCONF configuration.

 


You can also check Cisco RESTCONF Configuration Example Lesson. 


How to Configure NETCONF Protocol?

Configuring NETCONF on a Cisco device takes a few steps. First of all, our user needs privilege level 15 to work with NETCONF APIs.

 

Our Cisco NETCONF configuration steps are as follows:

  • Setting Privilege Level and Providing Access
  • NETCONF-YANG Configuration
  • NETCONF Verification

 

Let’s start our NETCONF Cisco Configuration.

 


Setting Privilege Level and Providing Access

First, we will configure the privilege level for NETCONF API access. The privilege level must be 15 to work with NETCONF APIs. To configure a user’s privilege level, we use the “username name privilege level password password” command. Here, we configure both the privilege level and the user password.

 

For this configuration example, the username will be ipcisco, the password will be abc123 and the privilege level will be 15, because the NETCONF protocol requires level 15.

 

Router# configure terminal

Router(config)# username ipcisco privilege 15 password abc123

 

Optionally, if you are using AAA, you can configure it as well. To enable AAA (Authentication, Authorization and Accounting), we use the “aaa new-model” command.

 

With “aaa authentication login default local” command, we set the authentication to use the local username database.

 

With the “aaa authorization exec default local” command, we configure AAA authorization to check the local database. Here, we also allow the user to run an Exec shell.

 

Router(config)# aaa new-model

Router(config)# aaa authentication login default local

Router(config)# aaa authorization exec default local

 


NETCONF-YANG Configuration

In this step, we will enable the NETCONF interface on our device. To do this, we will use the “netconf-yang” command. In 90 seconds, our model-based interface will be activated. Here, we will also use the “netconf-yang feature candidate-datastore” command to enable the candidate datastore.

 

Router(config)# netconf-yang

Router(config)# netconf-yang feature candidate-datastore

Router(config)# end

 

Note: The legacy NETCONF protocol may be enabled on your device. If it is enabled, the standard RFC-compliant protocol will not work. So, first, you should disable legacy NETCONF with the command “no netconf legacy”.
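The following is an added example, not part of the original lesson and not Cisco code: a small offline audit that checks a saved running-config against the points above (NETCONF-YANG enabled, no legacy NETCONF, local AAA lines present) and flags privilege 15 users defined with the “password” keyword instead of “secret”. The function name, check names, the sample configuration and the second user (netops) are assumptions made for the example.

```python
import re

# Constructed sample (not from a real device): the lesson's commands as they
# could appear in a running-config, plus a legacy NETCONF line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username ipcisco privilege 15 password 0 abc123
username netops privilege 15 secret 9 <hash-placeholder>
netconf legacy
netconf-yang
netconf-yang feature candidate-datastore
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+) (password|secret)\b")
LOCAL_AAA = ("aaa authentication login default local",
             "aaa authorization exec default local")

def audit_netconf_config(config_text):
    """Return sorted (check_id, detail) findings for a running-config text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    present = set(lines)
    findings = []
    if "netconf-yang" not in present:
        findings.append(("netconf-disabled", "netconf-yang is not configured"))
    elif "netconf legacy" in present:
        # Per the lesson's note, legacy NETCONF blocks the RFC-compliant one.
        findings.append(("legacy-conflict", "apply 'no netconf legacy'"))
    for ln in lines:
        m = USER_RE.match(ln)
        # 'password' keeps the credential cleartext or reversibly encoded;
        # 'secret' stores a one-way hash instead.
        if m and m.group(2) == "15" and m.group(3) == "password":
            findings.append(("weak-credential-storage",
                             f"user {m.group(1)}: use 'secret', not 'password'"))
    if "aaa new-model" in present:
        for needed in LOCAL_AAA:
            if needed not in present:
                findings.append(("aaa-not-local", f"missing: {needed}"))
    return sorted(findings)

if __name__ == "__main__":
    for check_id, detail in audit_netconf_config(SAMPLE_CONFIG):
        print(f"{check_id}: {detail}")
```

The “aaa-not-local” check only compares against the local AAA setup used in this lesson; a device that authenticates against a remote AAA server will differ by design.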

 

 


NETCONF Verification

After configuring the privilege level to provide access and enabling the NETCONF-YANG interface, we will now verify NETCONF. To do this, we will use the NETCONF verification commands below:

  • show netconf-yang datastores
  • show netconf-yang sessions
  • show netconf-yang sessions detail
  • show netconf-yang statistics
  • show platform software yang-management process

 

With “show netconf-yang datastores” command, we will display information about NETCONF-YANG datastores.

Router# show netconf-yang datastores

Datastore Name : running

Globally Locked By Session : 20

Globally Locked Time : 2024-09-25T12:46:55-05:00

 

To display information about NETCONF-YANG sessions, we will use “show netconf-yang sessions” command. For detailed information, we can add “detail” keyword at the end of the command.

 

Router# show netconf-yang sessions

R: Global-lock on running datastore

C: Global-lock on candidate datastore

S: Global-lock on startup datastore

Number of sessions : 5

session-id  transport    username  source-host  global-lock
18          netconf-ssh  admin     10.1.1.1     None
20          netconf-ssh  admin     10.1.1.1     None
22          netconf-ssh  admin     10.1.1.1     None
24          netconf-ssh  admin     10.1.1.1     None
26          netconf-ssh  admin     10.1.1.1     None

 

Router# show netconf-yang sessions detail

R: Global-lock on running datastore

C: Global-lock on candidate datastore

S: Global-lock on startup datastore

Number of sessions : 1

session-id : 15

transport : netconf-ssh

username : admin

source-host : 2001:db8::1

login-time : 2024-09-25T00:17:32-05:00

in-rpcs : 0

in-bad-rpcs : 0

out-rpc-errors : 0

out-notifications : 0

global-lock : None

 

With “show netconf-yang statistics” command, we can see the statistics of NETCONF.

Router# show netconf-yang statistics

netconf-start-time : 2024-09-25T00:17:32-05:00

in-rpcs : 0

in-bad-rpcs : 0

out-rpc-errors : 0

out-notifications : 0

in-sessions : 8

dropped-sessions : 0

in-bad-hellos : 0

 

To display the status of the software processes required to support NETCONF-YANG we use “show platform software yang-management process” command.

 

Router# show platform software yang-management process

confd : Running

nesd : Running

syncfd : Running

ncsshd : Running

dmiauthd : Running

vtyserverutild : Running

opdatamgrd : Running

nginx : Running

ndbmand : Running
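The following is an added example, not part of the original lesson and not Cisco code: it parses saved “show netconf-yang sessions” and “show netconf-yang statistics” output and reports sessions from source hosts outside an expected management range, sessions holding a global lock, and non-zero error counters. The function names, the allowed networks and the sample values are assumptions; the lock value “R” follows the legend printed at the top of the sessions output.

```python
import ipaddress

# Constructed sample in the format of the outputs above (values are made up).
SESSIONS_OUTPUT = """\
Number of sessions : 3
session-id transport username source-host global-lock
18 netconf-ssh admin 10.1.1.1 None
20 netconf-ssh admin 10.1.1.1 R
22 netconf-ssh admin 192.0.2.77 None
"""
STATS_OUTPUT = """\
in-bad-rpcs : 4
in-sessions : 8
dropped-sessions : 0
in-bad-hellos : 2
"""
WATCHED = ("in-bad-rpcs", "in-bad-hellos", "dropped-sessions")

def parse_sessions(text):
    """Parse the session table rows into dicts keyed by the header names."""
    rows, header = [], None
    for line in text.splitlines():
        fields = line.split()
        # The table header has many columns; "session-id : 15" (detail view) does not.
        if fields[:1] == ["session-id"] and len(fields) > 3:
            header = fields
        elif header and len(fields) == len(header) and fields[0].isdigit():
            rows.append(dict(zip(header, fields)))
    return rows

def parse_counters(text):
    """Parse 'name : value' lines that carry integer values."""
    pairs = (line.partition(" : ") for line in text.splitlines())
    return {k.strip(): int(v) for k, sep, v in pairs if sep and v.strip().isdigit()}

def review(sessions_text, stats_text, allowed_networks):
    """Return (finding, value) pairs for sessions and counters worth a look."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for s in parse_sessions(sessions_text):
        addr = ipaddress.ip_address(s["source-host"])
        if not any(addr in n for n in nets):
            findings.append(("unexpected-source", s["session-id"]))
        if s["global-lock"] != "None":
            findings.append(("global-lock-held", s["session-id"]))
    counters = parse_counters(stats_text)
    findings += [(n, str(counters[n])) for n in WATCHED if counters.get(n, 0) > 0]
    return findings
```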

 

 


Related RFCs With NETCONF And YANG

For more information about NETCONF and YANG, you can also check the RFCs below:

  • RFC 6241 (Network Configuration Protocol)
  • RFC 6536 (NETCONF Access Control Model)
  • RFC 6020 (YANG – A Data Modeling Language for the Network Configuration Protocol (NETCONF))

 


FAQ About Cisco NETCONF

Which Cisco routers support the NETCONF protocol?

Most Cisco routers running recent software support NETCONF/YANG. You can use NETCONF/YANG on IOS, IOS XR, IOS XE and NX-OS. Devices that run IOS 12.4(9)T and later, and devices that run IOS XE 2.1 and later, support NETCONF.

 
