Ranjeet Jangra
Published in techbeatly
7 min read · Sep 17, 2023


NETCONF - A Simpler, More Efficient Way to Manage Networks

What is NETCONF?

NETCONF is a protocol defined by the IETF to “install, manipulate, and delete the configuration of network devices”. NETCONF operations are realized on top of a Remote Procedure Call (RPC) layer using an XML encoding and provide a basic set of operations to edit and query configuration on a network device.

Capabilities of NETCONF

  • Distinction between configuration and state data
  • Multiple configuration data stores (candidate, running, startup)
  • Configuration change transactions
  • Configuration testing and validation support
  • Selective data retrieval with filtering
  • Streaming and playback of event notifications
  • Extensible procedure call mechanism

The NETCONF protocol is built on a four-layer approach:

1) Secure Transport Layer: Authentication and integrity are provided by the transport protocol, such as SSHv2 or TLS over TCP. NETCONF over SSH uses TCP port 830 by default; the port number is configurable.

2) Message Layer: A set of RPC messages and notifications is defined, including <rpc>, <rpc-reply> and <rpc-error>.

3) Operations Layer: Defines a set of base protocol operations invoked by RPC methods using XML encoding. These include <get-config>, <edit-config> and <get>.

4) Content Layer: NETCONF data models and protocol operations use the YANG modeling language (RFC 6020). A data model outlines the structure, semantics and syntax of the data.

Popular platforms that support NETCONF:

  • Cisco IOS
  • Cisco NX-OS
  • Juniper Junos
  • Arista EOS
  • Huawei VRP
  • Dell Networking OS
  • Brocade VDX
  • Extreme Networks ERS
  • OpenWrt

Automation Tools that use NETCONF

  • ncclient: A Python library that provides a simple and easy-to-use interface for interacting with NETCONF devices.
  • Netconf Browser: A graphical tool that allows you to view and edit the configuration of NETCONF devices.
  • Yang Explorer: A tool that allows you to explore YANG models and generate NETCONF code.
  • NETCONF Simulator: A tool that allows you to simulate NETCONF devices for testing and development purposes.
  • NETCONF Toolkit: A collection of tools that can be used to manage NETCONF devices, including a client, server, and debugger.
  • Cisco NSO: automation platform by Cisco that uses NETCONF to:
      • Configure devices: NSO can use NETCONF to configure Cisco devices. This includes setting up interfaces, configuring routing protocols, and creating access lists.
      • Collect data from devices: NSO can use NETCONF to collect data from Cisco devices. This data can be used to monitor the health of the network, troubleshoot problems, and generate reports.
      • Automate tasks: NSO can use NETCONF to automate tasks on Cisco devices. This includes provisioning new devices, updating configurations, and rolling back changes.
  • Juniper Contrail: A network orchestration platform that uses NETCONF to manage Juniper devices.
  • OpenDaylight: An open source network orchestration platform that uses NETCONF to manage a variety of devices.
  • Ansible: An open source automation platform that can use NETCONF to manage network devices.
  • Nokia NSP: automation platform by Nokia that can use NETCONF to manage network devices.

NETCONF Operations:

Get

This operation retrieves data from the device’s configuration or state.

The following NETCONF request retrieves the hostname of the device:

<get>
  <source>
    <filter>
      <path>/system/name</path>
    </filter>
  </source>
</get>

The following NETCONF request retrieves all of the interfaces on the device:

<get>
  <source>
    <filter>
      <path>/interface/*</path>
    </filter>
  </source>
</get>

Get-config

This operation retrieves the entire configuration of the device or a specific part of the configuration.

The following NETCONF request retrieves the entire running configuration of the device:

<get-config>
  <source>
    <target>
      <running/>
    </target>
  </source>
</get-config>

The following NETCONF request retrieves all of the interfaces in the running configuration of the device:

<get-config>
  <source>
    <target>
      <running/>
    </target>
  </source>
  <filter>
    <path>/interface/*</path>
  </filter>
</get-config>

Edit-config

This operation edits the configuration of the device.

The following NETCONF request changes the hostname of the device:

<edit-config>
  <target>
    <running/>
  </target>
  <config>
    <data>
      <configuration>
        <path>/system/name</path>
        <update>
          <element>
            <path>/system/name</path>
            <value>new_hostname</value>
          </element>
        </update>
      </configuration>
    </data>
  </config>
  <confirm>
    <confirmed/>
  </confirm>
</edit-config>

The <update> element can have one of the following values:

  • replace: Replace the existing value with the new value.
  • delete: Delete the existing value.
  • merge: Merge the new value with the existing value.

The <confirm> element can be either confirmed or unconfirmed. The confirmed value will commit the edit operation to the device, while the unconfirmed value will discard the edit operation.

Copy-config

This operation copies the configuration of one device to another device.

The following NETCONF request copies the running configuration to the startup configuration:

<copy-config>
  <source>
    <source-path>/running</source-path>
  </source>
  <target>
    <target-path>/startup</target-path>
  </target>
  <confirm>
    <confirmed/>
  </confirm>
</copy-config>

Delete-config

This operation deletes the configuration of the device or a specific part of the configuration.

The following NETCONF request deletes the hostname from the running configuration:

<delete-config>
  <target>
    <running/>
  </target>
  <config>
    <data>
      <configuration>
        <path>/system/name</path>
      </configuration>
    </data>
  </config>
</delete-config>

Lock

This operation locks the configuration of the device, preventing it from being modified.

The LOCK-CONFIG operation is a way to prevent other users from modifying the configuration of a network device. It can be used to lock the running configuration or the startup configuration.

The timeout value specifies how long the lock will be in effect. If the lock is not released before the timeout expires, the lock will be automatically released.

The following NETCONF request locks the running configuration for 300 seconds:

<lock-config>
  <target>
    <running/>
  </target>
  <timeout>300</timeout>
</lock-config>

Unlock

This operation unlocks the configuration of the device, allowing it to be modified.

<unlock-session>
  <session-id>1234</session-id>
</unlock-session>

The UNLOCK-SESSION operation is a way to unlock a NETCONF session. It can be used to unlock a session that has been locked by another user.

The session ID is a unique identifier for the NETCONF session. It can be obtained from the NETCONF <hello> message.

Close-session

This operation closes the NETCONF session.

The CLOSE-SESSION operation is a way to close a NETCONF session. It can be used to close a session that is no longer needed.

The session ID is a unique identifier for the NETCONF session. It can be obtained from the NETCONF <hello> message.

The following NETCONF request closes the session with ID 1234:

<close-session>
  <session-id>1234</session-id>
</close-session>
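The operations above, assembled the way a conforming server expects them and driven as one lock, edit, unlock sequence with reply checking. This is an added Python example written for this page; it is not the article's code and not ncclient. It uses the element layout RFC 6241 defines: every operation is wrapped in an <rpc> element carrying a message-id, a datastore is written as an empty element such as <running/> inside <source> or <target>, a filter is a <filter> child with type="xpath", and the per-node edit operation is the nc:operation attribute (merge, replace, create, delete, remove). The urn:example:system namespace is a placeholder because the article names no YANG module for /system/name, and FakeDevice is a constructed stand-in so the flow runs offline.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NC = "{" + NC_NS + "}"
# Placeholder YANG namespace for the article's /system/name path (assumption: the
# article names no module; a real device uses the namespace of its own system module).
SYS_NS = "urn:example:system"
SYS = "{" + SYS_NS + "}"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("sys", SYS_NS)

def rpc(message_id, body):
    """Wrap one operation in <rpc>; message-id is how a reply is matched to its request."""
    root = ET.Element(NC + "rpc", {"message-id": str(message_id)})
    root.append(body)
    return root

def build_get(message_id, xpath=None, datastore=None):
    """<get> (state and config) or, when a datastore is named, <get-config> on it.
    An XPath filter needs the :xpath capability; subtree filters are always available."""
    op = ET.Element(NC + ("get-config" if datastore else "get"))
    if datastore:
        ET.SubElement(ET.SubElement(op, NC + "source"), NC + datastore)
    if xpath:
        ET.SubElement(op, NC + "filter", {"type": "xpath", "select": xpath})
    return rpc(message_id, op)

def build_edit_config(message_id, config_subtree, datastore="running"):
    ec = ET.Element(NC + "edit-config")
    ET.SubElement(ET.SubElement(ec, NC + "target"), NC + datastore)
    ET.SubElement(ec, NC + "config").append(config_subtree)
    return rpc(message_id, ec)

def hostname_subtree(new_name, operation="replace"):
    """Config payload; nc:operation (merge/replace/create/delete/remove) sits on the node it applies to."""
    system = ET.Element(SYS + "system")
    ET.SubElement(system, SYS + "name", {NC + "operation": operation}).text = new_name
    return system

def build_datastore_op(message_id, op, datastore="running"):
    """<lock> and <unlock> name a datastore target, not a session."""
    el = ET.Element(NC + op)
    ET.SubElement(ET.SubElement(el, NC + "target"), NC + datastore)
    return rpc(message_id, el)

def build_commit(message_id, confirmed=False, timeout=None):
    """Commit the candidate; a confirmed commit rolls back unless a follow-up <commit> arrives in time."""
    c = ET.Element(NC + "commit")
    if confirmed:
        ET.SubElement(c, NC + "confirmed")
        if timeout is not None:
            ET.SubElement(c, NC + "confirm-timeout").text = str(timeout)
    return rpc(message_id, c)

def to_xml(elem):
    return ET.tostring(elem, encoding="unicode")

def parse_reply(xml_text, expected_message_id):
    """Return (ok, errors); reject a reply whose message-id is not the one we sent."""
    root = ET.fromstring(xml_text)
    if root.tag != NC + "rpc-reply" or root.get("message-id") != str(expected_message_id):
        raise ValueError("reply does not match request %s" % expected_message_id)
    errors = [{"type": e.findtext(NC + "error-type"), "tag": e.findtext(NC + "error-tag"),
               "severity": e.findtext(NC + "error-severity"),
               "message": (e.findtext(NC + "error-message") or "").strip()}
              for e in root.findall(NC + "rpc-error")]
    return (root.find(NC + "ok") is not None and not errors), errors

def change_hostname(send, new_name, datastore="running"):
    """lock -> edit-config -> unlock. The unlock runs even if the edit fails, so a
    half-finished change never leaves the datastore locked against other sessions."""
    ok, errs = parse_reply(send(to_xml(build_datastore_op(1, "lock", datastore))), 1)
    if not ok:
        return "lock-failed", errs
    try:
        req = build_edit_config(2, hostname_subtree(new_name), datastore)
        ok, errs = parse_reply(send(to_xml(req)), 2)
        return ("edited", errs) if ok else ("edit-failed", errs)
    finally:
        parse_reply(send(to_xml(build_datastore_op(3, "unlock", datastore))), 3)

# Constructed stand-in for a device so the flow runs offline (no SSH involved).
OK_REPLY = '<rpc-reply message-id="{mid}" xmlns="%s"><ok/></rpc-reply>' % NC_NS
LOCK_DENIED_REPLY = ('<rpc-reply message-id="{mid}" xmlns="%s"><rpc-error>'
                     '<error-type>protocol</error-type><error-tag>lock-denied</error-tag>'
                     '<error-severity>error</error-severity>'
                     '<error-message>Lock held by session {sid}</error-message>'
                     '<error-info><session-id>{sid}</session-id></error-info>'
                     '</rpc-error></rpc-reply>') % NC_NS

class FakeDevice:
    """Answers <ok/> to every request unless another session holds the lock."""
    def __init__(self, lock_held_by=None):
        self.lock_held_by = lock_held_by
        self.log = []  # operation names received, in order

    def send(self, request):
        req = ET.fromstring(request)
        op = req[0].tag[len(NC):]
        self.log.append(op)
        if op == "lock" and self.lock_held_by is not None:
            return LOCK_DENIED_REPLY.format(mid=req.get("message-id"), sid=self.lock_held_by)
        return OK_REPLY.format(mid=req.get("message-id"))
```

Two details in this layout are worth keeping in mind when reading the snippets above: RFC 6241 gives <lock> and <unlock> a datastore <target> and no timeout element (a lock is released by <unlock>, by the session ending, or by an operator's <kill-session>), and <close-session/> carries no body; a session-id is the argument of <kill-session>, which terminates another session, not your own. The lock-denied rpc-error in the stand-in is the standard error-tag for the case where another session holds the lock; its error-info names that session.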

Getting Session ID from Hello message

The session ID can be obtained from the NETCONF <hello> message. The <hello> message is the first message that is exchanged between a NETCONF client and a NETCONF server. It is used to establish the session and to negotiate the capabilities of the client and the server.

The session ID is a unique identifier for the NETCONF session. It is included in the <hello> message in the <session-id> element.

For example, the following is a sample <hello> message:

<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <session-id>1234</session-id>
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
  </capabilities>
</hello>

The <session-id> element in this message has the value 1234, which is the session ID for this particular session.

NETCONF vs RESTCONF

NETCONF and RESTCONF are both network management protocols that are used to manage network devices. However, there are some key differences between the two protocols.

NETCONF is a standardized protocol that uses XML as its data format. It is a more complex protocol than RESTCONF, but it offers more features and flexibility. NETCONF is also more secure than RESTCONF, as it uses encryption to protect data in transit.

RESTCONF is a simpler protocol that uses JSON or XML as its data format. It is easier to learn and use than NETCONF, but it offers fewer features and flexibility. RESTCONF is also not as secure as NETCONF, as it does not use encryption to protect data in transit.

Here is a table of some of the key differences between NETCONF and RESTCONF:

Tools available for managing network devices with RESTCONF:

  • ncclient: A Python library that provides a simple and easy-to-use interface for interacting with RESTCONF devices.
  • Netconf Browser: A graphical tool that allows you to view and edit the configuration of RESTCONF devices.
  • Yang Explorer: A tool that allows you to explore YANG models and generate RESTCONF code.
  • NETCONF Toolkit: A collection of tools that can be used to manage RESTCONF devices, including a client, server, and debugger.
  • PyEZ: A Python library that provides a high-level interface for interacting with NETCONF and RESTCONF devices.
  • Napalm: A Python library that provides a unified API for interacting with a variety of network devices, including those that support RESTCONF.
  • Cisco NSO: orchestration tool by Cisco; supports both NETCONF and RESTCONF.
  • Ansible: orchestration tool by Red Hat; supports both NETCONF and RESTCONF.
  • Nokia NSP: automation platform by Nokia that can use NETCONF and RESTCONF to manage network devices.

In general, NSO uses NETCONF for its primary management protocol, but RESTCONF is also supported for simpler tasks.

Ansible supports all of these; which one to use depends on the requirement and on what the device supports.

  • ansible.netcommon.restconf_config: provides a persistent connection using the RESTCONF protocol
  • ansible.netcommon.netconf: provides a persistent connection using the NETCONF protocol


Thanks.

Ranjeet Jangra

Network and Cloud Automation Professional with 15 years of experience in Development | Testing | Deployment | Support | Automation on various technologies like IP routing, cloud, programming, containers, Kubernetes, telemetry, orchestration, network programmability, YANG, TextFSM, Jinja, REST API, Terraform, AWS, Ansible, Cisco NSO and so on.
https://www.linkedin.com/in/ranjeetjangra/
