NETCONF and RESTCONF Configuration
NETCONF (Network Configuration Protocol) and RESTCONF are essential management protocols in modern network device configuration, both critical topics in CCNP Enterprise (ENCOR) studies. NETCONF is an IETF standard protocol (RFC 6241) that uses XML for configuration and state data management. It op… NETCONF (Network Configuration Protocol) and RESTCONF are essential management protocols in modern network device configuration, both critical topics in CCNP Enterprise (ENCOR) studies. NETCONF is an IETF standard protocol (RFC 6241) that uses XML for configuration and state data management. It operates over SSH, TLS, or BEEP transport mechanisms and provides a standardized approach to install, manipulate, and delete network device configurations. NETCONF uses a client-server model where the client (manager) sends RPCs (Remote Procedure Calls) to the server (device). Key operations include get-config (retrieve configurations), edit-config (modify configurations), and copy-config (copy between datastores). NETCONF separates running and candidate datastores, allowing operators to stage changes before committing them, enhancing safety and reliability. RESTCONF (RFC 8040) modernizes configuration management by using HTTP/HTTPS with REST principles and JSON/XML encoding. It provides a more web-friendly alternative to NETCONF, making it suitable for modern DevOps environments. RESTCONF uses standard HTTP methods: GET (retrieve), POST (create), PUT (replace), PATCH (modify), and DELETE (remove). It builds upon YANG data models, the same foundation NETCONF uses, ensuring consistency across protocols. Both protocols leverage YANG (RFC 7950) as their data modeling language, providing a standardized schema for device capabilities and configurations. This enables automation, validation, and consistency across multi-vendor environments. Key differences: NETCONF prioritizes transactional integrity with candidate/running separation, while RESTCONF emphasizes simplicity and HTTP familiarity. NETCONF requires more processing overhead; RESTCONF is lighter-weight. For CCNP Enterprise and Network Assurance, understanding both protocols is crucial for implementing network automation, ensuring configuration compliance, and enabling programmatic network management. Organizations often use RESTCONF for quick operations and NETCONF for critical, transaction-heavy configurations, making both skills essential for modern network engineers.
NETCONF and RESTCONF Configuration Guide for CCNP ENCOR
Understanding NETCONF and RESTCONF
NETCONF (Network Configuration Protocol) and RESTCONF are standardized protocols that enable programmatic management and configuration of network devices. These technologies form the foundation of network automation and are critical components of modern network management strategies.
Why NETCONF and RESTCONF Are Important
In today's dynamic network environments, manual configuration of thousands of devices is impractical and error-prone. NETCONF and RESTCONF address this challenge by:
- Enabling Automation: Automate repetitive configuration tasks across multiple devices simultaneously
- Improving Consistency: Ensure uniform configurations across the network infrastructure
- Reducing Human Error: Minimize mistakes caused by manual configuration processes
- Increasing Scalability: Manage large-scale networks efficiently without proportional increases in administrative overhead
- Providing Standardization: Use industry-standard protocols rather than vendor-specific CLI commands
- Enabling DevOps Integration: Integrate network management into software development and operations pipelines
- Supporting Real-time Monitoring: Retrieve device state and operational data programmatically
What is NETCONF?
NETCONF (RFC 6241) is a standard network management protocol that uses XML for configuration and state data. It operates over secure transport protocols such as SSH and TLS.
Key Characteristics of NETCONF:
- XML-Based: Uses XML for encoding configuration and operational data
- Transport Agnostic: Can operate over SSH, TLS, BEEP, or other secure transports
- Secure: Supports encryption and authentication through underlying transport protocols
- Transactional: Provides atomic operations and rollback capabilities
- CRUD Operations: Supports Create, Read, Update, and Delete operations through RPC (Remote Procedure Call)
- Session-Based: Establishes persistent connections between client and server
NETCONF Architecture:
NETCONF operates in layers:
- Transport Layer: SSH, TLS, BEEP, or other protocols
- Messages Layer: XML messages exchanged between client and server
- Operations Layer: Standard operations like get-config, edit-config, copy-config, delete-config, lock, unlock, kill-session, and close-session
- Content Layer: Configuration and state data defined by device models (YANG)
What is RESTCONF?
RESTCONF (RFC 8040) is a REST-based protocol that provides HTTP/HTTPS access to YANG-modeled data. It brings RESTful principles to network device management.
Key Characteristics of RESTCONF:
- REST-Based: Uses standard HTTP methods (GET, POST, PUT, DELETE, PATCH)
- JSON/XML Support: Can encode data in either JSON or XML format
- Stateless: Each request is independent; no persistent sessions required
- HTTP-Based: Operates over HTTP or HTTPS
- Easier Learning Curve: Developers familiar with REST APIs find RESTCONF intuitive
- Web-Friendly: Works seamlessly with standard web development tools and frameworks
RESTCONF Architecture:
- HTTP Transport: Uses standard HTTP/HTTPS protocols
- RESTful Resources: Treats YANG data nodes as RESTful resources with URIs
- Standard HTTP Methods: GET for retrieval, POST for creation, PUT/PATCH for updates, DELETE for removal
- Media Types: Supports application/yang-data+json and application/yang-data+xml
How NETCONF Works
Step-by-Step NETCONF Process:
- Session Establishment: Client establishes a secure SSH connection to the NETCONF server on the network device (default port 830)
- Capabilities Exchange: Client and server exchange their capabilities in XML format
- RPC Request: Client sends an RPC request containing the operation and parameters as XML
- Device Processing: The network device processes the request, validates the configuration, and executes the operation
- RPC Reply: Device sends back an RPC reply containing the result or error information in XML
- Session Termination: Client closes the session when operations are complete
Common NETCONF Operations:
- <get-config>: Retrieve running or startup configuration data
- <edit-config>: Modify configuration data with options for merge, replace, or delete
- <copy-config>: Copy configuration from one datastore to another
- <lock>/<unlock>: Prevent or allow concurrent modifications by other users
- <get>: Retrieve both configuration and operational data
- <kill-session>: Terminate a specific NETCONF session
- <close-session>: Gracefully close the current session
How RESTCONF Works
Step-by-Step RESTCONF Process:
- Authentication: Client authenticates to the RESTCONF server using HTTP authentication methods (Basic, OAuth, etc.)
- HTTP Request: Client sends an HTTP request with a standard method (GET, POST, PUT, DELETE)
- URI Mapping: The RESTCONF server maps the URI path to YANG data nodes
- Processing: Server processes the request and performs the requested operation on the YANG data
- HTTP Response: Server returns an HTTP response with appropriate status code and response body
- Response Handling: Client processes the response and handles any errors
RESTCONF URI Structure:
RESTCONF URIs follow a predictable pattern based on YANG models:
/restconf/data/yang-module:container/leaf-name
Example: /restconf/data/ietf-interfaces:interfaces/interface=eth0/enabled
HTTP Methods in RESTCONF:
- GET: Retrieve configuration or operational data
- POST: Create new resource or invoke operations (RPC)
- PUT: Replace an entire resource
- DELETE: Remove a resource
- PATCH: Partially modify a resource
YANG Data Models
Both NETCONF and RESTCONF rely on YANG (RFC 6020) to define the structure of configuration and operational data. YANG is a data modeling language that specifies:
- Configuration parameters and their types
- Operational state information
- RPC methods and notifications
- Constraints and validation rules
YANG models provide a contract between the client and server, ensuring both understand the same data structure.
Key Differences Between NETCONF and RESTCONF
| Feature | NETCONF | RESTCONF |
|---|---|---|
| Protocol | Proprietary network management protocol | REST over HTTP/HTTPS |
| Transport | SSH, TLS, BEEP | HTTP/HTTPS only |
| Data Format | XML only | JSON or XML |
| Session Type | Persistent sessions | Stateless (REST) |
| Learning Curve | Steeper for developers new to XML | Easier for web developers |
| Transactions | Built-in atomic transactions | No built-in transactions |
| Locking | Lock operations available | No native locking mechanism |
| Use Case | Network-centric automation | DevOps and web integration |
Practical NETCONF Example
Establishing a NETCONF Session and Retrieving Configuration:
1. Connect to device: ssh -p 830 admin@192.168.1.1
2. Send NETCONF get-config RPC:
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id='101' xmlns='urn:ietf:params:xml:ns:netconf:base:1.0'>
<get-config>
<source><running/></source>
<filter type='subtree'>
<interfaces xmlns='urn:ietf:params:xml:ns:yang:ietf-interfaces'/>
</filter>
</get-config>
</rpc>
3. Device responds with configuration: The device sends back the requested interface configuration in XML format
Practical RESTCONF Example
Retrieving Interface Configuration via RESTCONF:
HTTP Request:
GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F1 HTTP/1.1
Host: 192.168.1.1:443
Authorization: Basic YWRtaW46YWRtaW4=
Accept: application/yang-data+json
HTTP Response (200 OK):
{
'ietf-interfaces:interface': {
'name': 'GigabitEthernet0/0/1',
'type': 'ethernetCsmacd',
'enabled': true,
'mtu': 1500
}
}
Configuration Management with NETCONF and RESTCONF
Common Configuration Scenarios:
- Interface Configuration: Enable/disable interfaces, set IP addresses, configure QoS
- Routing Configuration: Add or modify static routes, BGP configurations, OSPF settings
- ACL Management: Create and modify access control lists
- VLAN Management: Configure VLANs and trunk settings
- Device Settings: Hostname, NTP, DNS, syslog configuration
- Security Policies: Configure firewall rules and security zones
Understanding Device Datastores
NETCONF and RESTCONF work with multiple device datastores:
- <running>: The current active configuration on the device
- <candidate>: A proposed configuration that can be validated before committing
- <startup>: Configuration that will be loaded when the device restarts
The edit-config operation typically modifies the running datastore, and changes can be validated, committed, or rolled back.
Error Handling and Validation
Both NETCONF and RESTCONF include robust error handling mechanisms:
- Schema Validation: Data is validated against YANG models before acceptance
- RPC Error Responses: NETCONF returns detailed error information in structured XML
- HTTP Status Codes: RESTCONF uses standard HTTP status codes (400, 401, 403, 404, 409, etc.)
- Rollback Capability: NETCONF can rollback transactions if errors occur
Security Considerations
- Encrypted Transport: Always use SSH for NETCONF and HTTPS for RESTCONF in production
- Authentication: Implement strong authentication mechanisms (certificates, strong passwords)
- Authorization: Use Role-Based Access Control (RBAC) to restrict operations
- Audit Logging: Log all configuration changes for compliance and troubleshooting
- Input Validation: Validate all input to prevent injection attacks
Real-World Use Cases
Network Service Provisioning: Automatically configure new customer circuits with consistent settings
Mass Device Updates: Deploy firmware updates and configuration changes across hundreds of devices
Multi-Vendor Environments: Use YANG models to abstract vendor differences and deploy consistent policies
Intent-Based Networking: Define network intent at a high level and have automation systems translate it to device configurations
CI/CD Integration: Validate network configurations as part of application deployment pipelines
Tools and Technologies
Common tools for NETCONF/RESTCONF automation include:
- Ansible: Network modules for NETCONF and RESTCONF operations
- Python Libraries: ncclient for NETCONF, requests for RESTCONF
- Postman: Test RESTCONF APIs and generate code snippets
- Cisco DNA Center: Uses NETCONF/RESTCONF for device management
- Contrail/Tungsten Fabric: SDN controllers using these protocols
Exam Tips: Answering Questions on NETCONF and RESTCONF Configuration
Tip 1: Understand the Fundamental Differences
Know the core distinction: NETCONF is session-based with XML and persistent connections, while RESTCONF is stateless REST with JSON/XML support over HTTP. Use this distinction to eliminate wrong answers immediately.
Tip 2: Remember the Protocol Defaults
NETCONF defaults to port 830 over SSH. RESTCONF uses standard HTTP/HTTPS ports (80/443). Exam questions often test your knowledge of these defaults.
Tip 3: Focus on YANG as the Common Thread
Both protocols rely on YANG data models. Understand that YANG defines the structure of configuration and operational data for both NETCONF and RESTCONF. This is a key concept for exam questions.
Tip 4: Know the NETCONF RPC Operations
Memorize the main NETCONF RPC operations: get-config, edit-config, copy-config, lock/unlock, get, kill-session, and close-session. Exam questions may ask which operation to use for specific tasks.
Tip 5: Understand RESTCONF HTTP Methods
Map REST methods to operations: GET for retrieval, POST for creation/RPC invocation, PUT for complete replacement, PATCH for partial updates, DELETE for removal. Practice identifying which method suits which scenario.
Tip 6: Know the Datastore Hierarchy
Understand the relationship between running, candidate, and startup datastores. Questions may ask which datastore to query for current configuration vs. pending changes.
Tip 7: Recognize RPC Message Structure
Be familiar with basic NETCONF RPC structure: the message-id attribute, namespace declarations, and RPC operation elements. You may need to identify valid or invalid NETCONF messages.
Tip 8: Understand URI Construction in RESTCONF
Learn to map YANG module names to RESTCONF URI paths. For example, 'ietf-interfaces:interfaces' becomes part of the URI. Practice constructing URIs from YANG models.
Tip 9: Know When to Use Each Protocol
NETCONF is ideal for network automation when transactional integrity is critical. RESTCONF is better when integrating with existing web infrastructure or DevOps tools. Exam questions may ask which protocol fits a given scenario.
Tip 10: Understand Security Mechanisms
NETCONF security relies on the underlying transport (SSH), while RESTCONF uses HTTP/HTTPS with standard web authentication. Know which is more suitable for different security requirements.
Tip 11: Recognize Locking and Transaction Mechanisms
NETCONF has explicit lock/unlock and transactional capabilities. RESTCONF does not. Questions may test your understanding of these differences in concurrent modification scenarios.
Tip 12: Practice Filtering Syntax
NETCONF supports filter operations to retrieve specific configuration subsets. Be familiar with basic filter syntax and how to construct filters for specific use cases.
Tip 13: Understand Error Responses
NETCONF returns errors in RPC-reply messages with error-type, error-tag, and error-message elements. RESTCONF returns standard HTTP status codes with error details in the response body. Know the difference.
Tip 14: Know the Operational vs. Configuration Split
NETCONF's get-config retrieves only configuration, while get retrieves both configuration and operational data. Exam questions may test this distinction.
Tip 15: Study Real Device Examples
If possible, review actual NETCONF/RESTCONF implementations on Cisco IOS-XE, IOS-XR, or NX-OS devices. Many exam questions are based on real device behavior.
Tip 16: Understand Notifications
NETCONF supports server-initiated notifications for events. Understand how notifications differ from polling-based approaches and when they are useful.
Tip 17: Know Common YANG Extensions
Be familiar with common YANG concepts like containers, leaves, leaf-lists, lists, and presence containers. These appear in data model questions.
Tip 18: Practice Scenario-Based Questions
Exams often present scenarios like 'a network administrator needs to update configuration on 500 routers.' Determine which protocol and approach (NETCONF operations, RESTCONF calls) would be most efficient.
Tip 19: Understand Capabilities Exchange
NETCONF begins with capabilities exchange where client and server advertise supported features. Know that this determines which operations are available in the session.
Tip 20: Know the Scope of the CCNP ENCOR Exam
The exam focuses on practical knowledge of using these protocols for network automation. Concentrate on real-world configuration scenarios rather than deep protocol specifications. Be ready to explain why you would choose NETCONF or RESTCONF for a specific task.
Sample Exam Question and Answer Strategy
Question: 'A network administrator needs to deploy identical configurations to 200 Cisco IOS-XE devices. The configuration must be validated before deployment, and if an error occurs on any device, all changes must be rolled back. Which protocol is most suitable, and why?'
Answer Strategy:
- Identify the key requirement: Transactional integrity with rollback capability
- Recall NETCONF advantage: Built-in transaction support and atomic operations
- Consider RESTCONF limitation: No native transaction support
- Provide complete answer: 'NETCONF is most suitable because it supports atomic transactions with built-in lock, validate, and rollback mechanisms. The administrator can lock the candidate datastore, load configurations, validate, commit, or rollback if errors occur. RESTCONF lacks these transactional capabilities.'
Conclusion
NETCONF and RESTCONF represent the evolution of network management toward programmability and automation. Mastering these protocols is essential for modern network engineers and automation specialists. Success on the CCNP ENCOR exam requires understanding not just the technical details, but the practical application of these technologies in real network environments. Focus on understanding when and why to use each protocol, practice constructing valid messages and URIs, and study actual device implementations to solidify your knowledge.
🎓 Unlock Premium Access
CCNP Enterprise (ENCOR) + ALL Certifications
- 🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
- 2873 Superior-grade CCNP Enterprise (ENCOR) practice questions
- Unlimited practice tests across all certifications
- Detailed explanations for every question
- ENCOR 350-401: 5 full exams plus all other certification exams
- 100% Satisfaction Guaranteed: Full refund if unsatisfied
- Risk-Free: 7-day free trial with all premium features!