NETCONF and RESTCONF Configuration

NETCONF and RESTCONF Configuration Guide for CCNP ENCOR

Understanding NETCONF and RESTCONF

NETCONF (Network Configuration Protocol) and RESTCONF are standardized protocols that enable programmatic management and configuration of network devices. These technologies form the foundation of network automation and are critical components of modern network management strategies.

Why NETCONF and RESTCONF Are Important

In today's dynamic network environments, manual configuration of thousands of devices is impractical and error-prone. NETCONF and RESTCONF address this challenge by:

• Enabling Automation: Automate repetitive configuration tasks across multiple devices simultaneously
• Improving Consistency: Ensure uniform configurations across the network infrastructure
• Reducing Human Error: Minimize mistakes caused by manual configuration processes
• Increasing Scalability: Manage large-scale networks efficiently without proportional increases in administrative overhead
• Providing Standardization: Use industry-standard protocols rather than vendor-specific CLI commands
• Enabling DevOps Integration: Integrate network management into software development and operations pipelines
• Supporting Real-time Monitoring: Retrieve device state and operational data programmatically

What is NETCONF?

NETCONF (RFC 6241) is a standard network management protocol that uses XML for configuration and state data. It operates over secure transport protocols such as SSH and TLS.

Key Characteristics of NETCONF:

• XML-Based: Uses XML for encoding configuration and operational data
• Transport Agnostic: Can operate over SSH, TLS, BEEP, or other secure transports
• Secure: Supports encryption and authentication through underlying transport protocols
• Transactional: Provides atomic operations and rollback capabilities
• CRUD Operations: Supports Create, Read, Update, and Delete operations through RPC (Remote Procedure Call)
• Session-Based: Establishes persistent connections between client and server

NETCONF Architecture:

NETCONF operates in layers:

• Transport Layer: SSH, TLS, BEEP, or other protocols
• Messages Layer: XML messages exchanged between client and server
• Operations Layer: Standard operations like get-config, edit-config, copy-config, delete-config, lock, unlock, kill-session, and close-session
• Content Layer: Configuration and state data defined by device models (YANG)

What is RESTCONF?

RESTCONF (RFC 8040) is a REST-based protocol that provides HTTP/HTTPS access to YANG-modeled data. It brings RESTful principles to network device management.

Key Characteristics of RESTCONF:

• REST-Based: Uses standard HTTP methods (GET, POST, PUT, DELETE, PATCH)
• JSON/XML Support: Can encode data in either JSON or XML format
• Stateless: Each request is independent; no persistent sessions required
• HTTP-Based: Operates over HTTP or HTTPS
• Easier Learning Curve: Developers familiar with REST APIs find RESTCONF intuitive
• Web-Friendly: Works seamlessly with standard web development tools and frameworks

RESTCONF Architecture:

• HTTP Transport: Uses standard HTTP/HTTPS protocols
• RESTful Resources: Treats YANG data nodes as RESTful resources with URIs
• Standard HTTP Methods: GET for retrieval, POST for creation, PUT/PATCH for updates, DELETE for removal
• Media Types: Supports application/yang-data+json and application/yang-data+xml

How NETCONF Works

Step-by-Step NETCONF Process:

1. Session Establishment: Client establishes a secure SSH connection to the NETCONF server on the network device (default port 830)
2. Capabilities Exchange: Client and server exchange their capabilities in XML format
3. RPC Request: Client sends an RPC request containing the operation and parameters as XML
4. Device Processing: The network device processes the request, validates the configuration, and executes the operation
5. RPC Reply: Device sends back an RPC reply containing the result or error information in XML
6. Session Termination: Client closes the session when operations are complete

Common NETCONF Operations:

• <get-config>: Retrieve running or startup configuration data
• <edit-config>: Modify configuration data with options for merge, replace, or delete
• <copy-config>: Copy configuration from one datastore to another
• <lock>/<unlock>: Prevent or allow concurrent modifications by other users
• <get>: Retrieve both configuration and operational data
• <kill-session>: Terminate a specific NETCONF session
• <close-session>: Gracefully close the current session

How RESTCONF Works

Step-by-Step RESTCONF Process:

1. Authentication: Client authenticates to the RESTCONF server using HTTP authentication methods (Basic, OAuth, etc.)
2. HTTP Request: Client sends an HTTP request with a standard method (GET, POST, PUT, DELETE)
3. URI Mapping: The RESTCONF server maps the URI path to YANG data nodes
4. Processing: Server processes the request and performs the requested operation on the YANG data
5. HTTP Response: Server returns an HTTP response with appropriate status code and response body
6. Response Handling: Client processes the response and handles any errors

RESTCONF URI Structure:

RESTCONF URIs follow a predictable pattern based on YANG models:
/restconf/data/yang-module:container/leaf-name

Example: /restconf/data/ietf-interfaces:interfaces/interface=eth0/enabled

HTTP Methods in RESTCONF:

• GET: Retrieve configuration or operational data
• POST: Create new resource or invoke operations (RPC)
• PUT: Replace an entire resource
• DELETE: Remove a resource
• PATCH: Partially modify a resource

YANG Data Models

Both NETCONF and RESTCONF rely on YANG (RFC 6020) to define the structure of configuration and operational data. YANG is a data modeling language that specifies:

• Configuration parameters and their types
• Operational state information
• RPC methods and notifications
• Constraints and validation rules

YANG models provide a contract between the client and server, ensuring both understand the same data structure.

Key Differences Between NETCONF and RESTCONF

Practical NETCONF Example

Establishing a NETCONF Session and Retrieving Configuration:

1. Connect to device: ssh -p 830 admin@192.168.1.1

2. Send NETCONF get-config RPC:

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id='101' xmlns='urn:ietf:params:xml:ns:netconf:base:1.0'>
  <get-config>
    <source><running/></source>
    <filter type='subtree'>
      <interfaces xmlns='urn:ietf:params:xml:ns:yang:ietf-interfaces'/>
    </filter>
  </get-config>
</rpc>

3. Device responds with configuration: The device sends back the requested interface configuration in XML format

Practical RESTCONF Example

Retrieving Interface Configuration via RESTCONF:

HTTP Request:
GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F1 HTTP/1.1
Host: 192.168.1.1:443
Authorization: Basic YWRtaW46YWRtaW4=
Accept: application/yang-data+json

HTTP Response (200 OK):
{
  'ietf-interfaces:interface': {
    'name': 'GigabitEthernet0/0/1',
    'type': 'ethernetCsmacd',
    'enabled': true,
    'mtu': 1500
  }
}

Configuration Management with NETCONF and RESTCONF

Common Configuration Scenarios:

• Interface Configuration: Enable/disable interfaces, set IP addresses, configure QoS
• Routing Configuration: Add or modify static routes, BGP configurations, OSPF settings
• ACL Management: Create and modify access control lists
• VLAN Management: Configure VLANs and trunk settings
• Device Settings: Hostname, NTP, DNS, syslog configuration
• Security Policies: Configure firewall rules and security zones

Understanding Device Datastores

NETCONF and RESTCONF work with multiple device datastores:

• <running>: The current active configuration on the device
• <candidate>: A proposed configuration that can be validated before committing
• <startup>: Configuration that will be loaded when the device restarts

The edit-config operation typically modifies the running datastore, and changes can be validated, committed, or rolled back.

Error Handling and Validation

Both NETCONF and RESTCONF include robust error handling mechanisms:

• Schema Validation: Data is validated against YANG models before acceptance
• RPC Error Responses: NETCONF returns detailed error information in structured XML
• HTTP Status Codes: RESTCONF uses standard HTTP status codes (400, 401, 403, 404, 409, etc.)
• Rollback Capability: NETCONF can rollback transactions if errors occur

Security Considerations

• Encrypted Transport: Always use SSH for NETCONF and HTTPS for RESTCONF in production
• Authentication: Implement strong authentication mechanisms (certificates, strong passwords)
• Authorization: Use Role-Based Access Control (RBAC) to restrict operations
• Audit Logging: Log all configuration changes for compliance and troubleshooting
• Input Validation: Validate all input to prevent injection attacks

Real-World Use Cases

Network Service Provisioning: Automatically configure new customer circuits with consistent settings

Mass Device Updates: Deploy firmware updates and configuration changes across hundreds of devices

Multi-Vendor Environments: Use YANG models to abstract vendor differences and deploy consistent policies

Intent-Based Networking: Define network intent at a high level and have automation systems translate it to device configurations

CI/CD Integration: Validate network configurations as part of application deployment pipelines

Tools and Technologies

Common tools for NETCONF/RESTCONF automation include:

• Ansible: Network modules for NETCONF and RESTCONF operations
• Python Libraries: ncclient for NETCONF, requests for RESTCONF
• Postman: Test RESTCONF APIs and generate code snippets
• Cisco DNA Center: Uses NETCONF/RESTCONF for device management
• Contrail/Tungsten Fabric: SDN controllers using these protocols

Exam Tips: Answering Questions on NETCONF and RESTCONF Configuration

Tip 1: Understand the Fundamental Differences

Know the core distinction: NETCONF is session-based with XML and persistent connections, while RESTCONF is stateless REST with JSON/XML support over HTTP. Use this distinction to eliminate wrong answers immediately.

Tip 2: Remember the Protocol Defaults

NETCONF defaults to port 830 over SSH. RESTCONF uses standard HTTP/HTTPS ports (80/443). Exam questions often test your knowledge of these defaults.

Tip 3: Focus on YANG as the Common Thread

Both protocols rely on YANG data models. Understand that YANG defines the structure of configuration and operational data for both NETCONF and RESTCONF. This is a key concept for exam questions.

Tip 4: Know the NETCONF RPC Operations

Memorize the main NETCONF RPC operations: get-config, edit-config, copy-config, lock/unlock, get, kill-session, and close-session. Exam questions may ask which operation to use for specific tasks.

Tip 5: Understand RESTCONF HTTP Methods

Map REST methods to operations: GET for retrieval, POST for creation/RPC invocation, PUT for complete replacement, PATCH for partial updates, DELETE for removal. Practice identifying which method suits which scenario.

Tip 6: Know the Datastore Hierarchy

Understand the relationship between running, candidate, and startup datastores. Questions may ask which datastore to query for current configuration vs. pending changes.

Tip 7: Recognize RPC Message Structure

Be familiar with basic NETCONF RPC structure: the message-id attribute, namespace declarations, and RPC operation elements. You may need to identify valid or invalid NETCONF messages.

Tip 8: Understand URI Construction in RESTCONF

Learn to map YANG module names to RESTCONF URI paths. For example, 'ietf-interfaces:interfaces' becomes part of the URI. Practice constructing URIs from YANG models.

Tip 9: Know When to Use Each Protocol

NETCONF is ideal for network automation when transactional integrity is critical. RESTCONF is better when integrating with existing web infrastructure or DevOps tools. Exam questions may ask which protocol fits a given scenario.

Tip 10: Understand Security Mechanisms

NETCONF security relies on the underlying transport (SSH), while RESTCONF uses HTTP/HTTPS with standard web authentication. Know which is more suitable for different security requirements.

Tip 11: Recognize Locking and Transaction Mechanisms

NETCONF has explicit lock/unlock and transactional capabilities. RESTCONF does not. Questions may test your understanding of these differences in concurrent modification scenarios.

Tip 12: Practice Filtering Syntax

NETCONF supports filter operations to retrieve specific configuration subsets. Be familiar with basic filter syntax and how to construct filters for specific use cases.

Tip 13: Understand Error Responses

NETCONF returns errors in RPC-reply messages with error-type, error-tag, and error-message elements. RESTCONF returns standard HTTP status codes with error details in the response body. Know the difference.

Tip 14: Know the Operational vs. Configuration Split

NETCONF's get-config retrieves only configuration, while get retrieves both configuration and operational data. Exam questions may test this distinction.

Tip 15: Study Real Device Examples

If possible, review actual NETCONF/RESTCONF implementations on Cisco IOS-XE, IOS-XR, or NX-OS devices. Many exam questions are based on real device behavior.

Tip 16: Understand Notifications

NETCONF supports server-initiated notifications for events. Understand how notifications differ from polling-based approaches and when they are useful.

Tip 17: Know Common YANG Extensions

Be familiar with common YANG concepts like containers, leaves, leaf-lists, lists, and presence containers. These appear in data model questions.

Tip 18: Practice Scenario-Based Questions

Exams often present scenarios like 'a network administrator needs to update configuration on 500 routers.' Determine which protocol and approach (NETCONF operations, RESTCONF calls) would be most efficient.

Tip 19: Understand Capabilities Exchange

NETCONF begins with capabilities exchange where client and server advertise supported features. Know that this determines which operations are available in the session.

Tip 20: Know the Scope of the CCNP ENCOR Exam

The exam focuses on practical knowledge of using these protocols for network automation. Concentrate on real-world configuration scenarios rather than deep protocol specifications. Be ready to explain why you would choose NETCONF or RESTCONF for a specific task.

Sample Exam Question and Answer Strategy

Question: 'A network administrator needs to deploy identical configurations to 200 Cisco IOS-XE devices. The configuration must be validated before deployment, and if an error occurs on any device, all changes must be rolled back. Which protocol is most suitable, and why?'

Answer Strategy:

1. Identify the key requirement: Transactional integrity with rollback capability
2. Recall NETCONF advantage: Built-in transaction support and atomic operations
3. Consider RESTCONF limitation: No native transaction support
4. Provide complete answer: 'NETCONF is most suitable because it supports atomic transactions with built-in lock, validate, and rollback mechanisms. The administrator can lock the candidate datastore, load configurations, validate, commit, or rollback if errors occur. RESTCONF lacks these transactional capabilities.'

Conclusion

NETCONF and RESTCONF represent the evolution of network management toward programmability and automation. Mastering these protocols is essential for modern network engineers and automation specialists. Success on the CCNP ENCOR exam requires understanding not just the technical details, but the practical application of these technologies in real network environments. Focus on understanding when and why to use each protocol, practice constructing valid messages and URIs, and study actual device implementations to solidify your knowledge.