Contents
- NETCONF over SSHv2
- Finding Feature Information
- Prerequisites for NETCONF over SSHv2
- Restrictions for NETCONF over SSH
- Information About NETCONF over SSHv2
- NETCONF over SSHv2
- How to Configure NETCONF over SSHv2
- Enabling SSH Version 2 Using a Hostname and Domain Name
- Enabling SSH Version 2 Using RSA Key Pairs
- Starting an Encrypted Session with a Remote Device
- Troubleshooting Tips
- What to Do Next
- Verifying the Status of the Secure Shell Connection
- Enabling NETCONF over SSHv2
- Configuration Examples for NETCONF over SSHv2
- Example: Enabling SSHv2 Using a Hostname and Domain Name
- Enabling Secure Shell Version 2 Using RSA Keys Example
- Starting an Encrypted Session with a Remote Device Example
- Configuring NETCONF over SSHv2 Example
- Additional References for NETCONF over SSHv2
- Feature Information for NETCONF over SSHv2
NETCONF over SSHv2
You can use the Network Configuration Protocol (NETCONF) over Secure Shell Version 2 (SSHv2) feature to perform network configurations via the Cisco command-line interface (CLI) over an encrypted transport. The NETCONF Network Manager, which is the NETCONF client, must use Secure Shell Version 2 (SSHv2) as the network transport to the NETCONF server. Multiple NETCONF clients can connect to the NETCONF server.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for NETCONF over SSHv2
Restrictions for NETCONF over SSH
Information About NETCONF over SSHv2
NETCONF over SSHv2
To run the NETCONF over SSHv2 feature, the NETCONF client (a network manager) establishes an SSH transport connection with the NETCONF server (a Cisco device running Cisco software). The following image shows a basic NETCONF over SSHv2 network configuration. The client and server exchange keys for security and password encryption. The user ID and password of the SSHv2 session running NETCONF are used for authentication and authorization. The user privilege level is enforced, and a client session may not have full access to the NETCONF operations if its privilege level is not high enough. If authentication, authorization, and accounting (AAA) is configured, the AAA service is used as if the user had established an SSH session directly to the device. Using the existing security configuration makes the transition to NETCONF almost seamless. Once the client has been successfully authenticated, the client invokes the SSH connection protocol and the SSH session is established. After the SSH session is established, the user or application invokes NETCONF as an SSH subsystem called “netconf”.
Secure Shell Version 2
SSHv2 runs on top of a reliable transport layer and provides strong authentication and encryption capabilities. SSHv2 provides a means to securely access and securely execute commands on another computer over a network.
NETCONF does not support SSH version 1. The configuration for the SSH version 2 server is similar to the configuration for SSH version 1. Use the ip ssh version command to specify which version of SSH you want to configure. If you do not configure this command, SSH by default runs in compatibility mode; that is, both SSH version 1 and SSH version 2 connections are honored.
Note | SSH version 1 is a protocol that has never been defined in a standard. If you do not want your device to fall back to the undefined protocol (version 1), you should use the ip ssh version command and specify version 2. |
Use the ip ssh rsa keypair-name command to enable an SSH connection using Rivest, Shamir, and Adleman (RSA) keys that you have configured. If you configure the ip ssh rsa keypair-name command with a key-pair name, SSH is enabled if the key pair exists, or SSH will be enabled when the key pair is generated later. If you use this command to enable SSH, you do not need to configure a hostname and a domain name.
How to Configure NETCONF over SSHv2
Enabling SSH Version 2 Using a Hostname and Domain Name
Perform this task to configure your device for SSH version 2 using a hostname and domain name. You may also configure SSH version 2 by using the RSA key pair configuration (see Enabling SSH Version 2 Using RSA Key Pairs).
1. enable
2. configure terminal
3. hostname hostname
4. ip domain-name name
5. crypto key generate rsa
6. ip ssh [timeout seconds | authentication-retries integer]
7. ip ssh version 2
DETAILED STEPS
Enabling SSH Version 2 Using RSA Key Pairs
Perform this task to enable SSH version 2 without configuring a hostname or domain name. SSH version 2 will be enabled if the key pair that you configure already exists or if it is generated later. You may also configure SSH version 2 by using the hostname and domain name configuration (see “Enabling SSH Version 2 Using a Hostname and Domain Name”).
1. enable
2. configure terminal
3. ip ssh rsa keypair-name keypair-name
4. crypto key generate rsa usage-keys label key-label modulus modulus-size
5. ip ssh [timeout seconds | authentication-retries integer]
6. ip ssh version 2
DETAILED STEPS
Starting an Encrypted Session with a Remote Device
Perform this task to start an encrypted session with a remote networking device. (You do not have to enter privileged EXEC mode on your device; the ssh command can be run from user EXEC mode.)
From any UNIX or UNIX-like device, the following command is typically used to form an SSH session:
ssh -2 -s user@router.example.com netconf
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: Do one of the following: Device# ssh -v 2 -c aes256-cbc -m hmac-sha1-96 -l user2 10.76.82.24 or Device# ssh -v 2 -c aes256-cbc -m hmac-sha1-96 user2@10.76.82.24 | Starts an encrypted session with a remote networking device. The first form follows the SSH version 2 conventions. A more natural and common way to start a session is to link the username with the hostname; the second form produces exactly the same result as the first.
Troubleshooting Tips
The ip ssh version command can be used for troubleshooting your SSH configuration. By changing versions, you can determine which SSH version has a problem.
What to Do Next
For more information about the ssh command, see the Cisco IOS Security Command Reference.
Verifying the Status of the Secure Shell Connection
Perform this task to display the status of the SSH connection on your device.
Note | You can use the following show commands in user EXEC or privileged EXEC mode. |
1. enable
2. show ssh
3. show ip ssh
DETAILED STEPS
Examples
The following output from the show ssh command displays status about SSH version 2 connections.
Device# show ssh
Connection Version Mode Encryption Hmac State Username
1 2.0 IN aes128-cbc hmac-md5 Session started lab
1 2.0 OUT aes128-cbc hmac-md5 Session started lab
%No SSHv1 server connections running.
The following output from the show ip ssh command displays the version of SSH that is enabled, the authentication timeout values, and the number of authentication retries.
Device# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Enabling NETCONF over SSHv2
Perform this task to enable NETCONF over SSHv2.
SSHv2 must be enabled.
Note | There must be at least as many vty lines configured as there are concurrent NETCONF sessions. |
1. enable
2. configure terminal
3. netconf ssh [acl access-list-number]
4. netconf lock-time seconds
5. netconf max-sessions session
6. netconf max-message size
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable (Example: Device> enable) | Enables privileged EXEC mode.
Step 2: configure terminal (Example: Device# configure terminal) | Enters global configuration mode.
Step 3: netconf ssh [acl access-list-number] (Example: Device(config)# netconf ssh acl 1) | Enables NETCONF over SSHv2. The optional acl keyword applies the specified IP access list to NETCONF sessions, so only permitted sources can open one.
Step 4: netconf lock-time seconds (Example: Device(config)# netconf lock-time 60) | (Optional) Specifies the maximum time, in seconds, that a NETCONF configuration lock stays in place without an intermediate operation.
Step 5: netconf max-sessions session (Example: Device(config)# netconf max-sessions 5) | (Optional) Specifies the maximum number of concurrent NETCONF sessions allowed.
Step 6: netconf max-message size (Example: Device(config)# netconf max-message 37283) | (Optional) Specifies the maximum size, in kilobytes (KB), of the messages received in a NETCONF session.
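As an added check that is not part of this module, the following Python script audits a running-config fragment for the settings this task and the preceding SSH tasks depend on: ip ssh version 2 (so the server does not fall back to compatibility mode), an ACL on netconf ssh that is actually defined, and enough vty lines for the configured netconf max-sessions, as the note above requires. The config text is constructed for the example.

```python
import re

# Constructed sample running-config fragment (not taken from a real device); it contains
# the commands this module enables plus the ACL and vty lines they depend on.
SAMPLE_CONFIG = """\
hostname host1
ip domain-name example.com
ip ssh version 2
ip ssh timeout 120
netconf ssh acl 1
netconf max-sessions 5
netconf lock-time 60
access-list 1 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input ssh
"""

def audit_netconf_ssh(config: str) -> list:
    """Return findings for a NETCONF-over-SSHv2 configuration (empty list = no findings)."""
    findings = []
    # Without 'ip ssh version 2' the SSH server runs in compatibility mode and accepts SSHv1.
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set: server falls back to SSHv1 compatibility mode")
    m = re.search(r"^netconf ssh(?: acl (\d+))?$", config, re.M)
    if m is None:
        findings.append("netconf ssh not configured")
    elif m.group(1) is None:
        findings.append("netconf ssh has no ACL: any SSH client may open the netconf subsystem")
    elif not re.search(rf"^access-list {m.group(1)} ", config, re.M):
        findings.append(f"netconf ssh references ACL {m.group(1)}, which is not defined")
    # Each NETCONF session occupies a vty line, so the session limit must not exceed them.
    vty_lines = sum(int(b) - int(a) + 1
                    for a, b in re.findall(r"^line vty (\d+) (\d+)$", config, re.M))
    sessions = re.search(r"^netconf max-sessions (\d+)$", config, re.M)
    if sessions and int(sessions.group(1)) > vty_lines:
        findings.append(f"netconf max-sessions {sessions.group(1)} exceeds "
                        f"the {vty_lines} configured vty lines")
    return findings

def weakened_config() -> str:
    """Same fragment with the SSHv2 pin, the ACL and the vty headroom removed."""
    return (SAMPLE_CONFIG.replace("ip ssh version 2\n", "")
            .replace("netconf ssh acl 1", "netconf ssh")
            .replace("netconf max-sessions 5", "netconf max-sessions 10"))

if __name__ == "__main__":
    for finding in audit_netconf_ssh(weakened_config()):
        print(finding)
```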
Configuration Examples for NETCONF over SSHv2
Example: Enabling SSHv2 Using a Hostname and Domain Name
configure terminal
hostname host1
ip domain-name example.com
crypto key generate rsa
ip ssh timeout 120
ip ssh version 2
Enabling Secure Shell Version 2 Using RSA Keys Example
The following example shows how to configure SSHv2 using RSA keys:
Device# configure terminal
Device(config)# ip ssh rsa keypair-name sshkeys
Device(config)# crypto key generate rsa usage-keys label sshkeys modulus 768
Device(config)# ip ssh timeout 120
Device(config)# ip ssh version 2
Starting an Encrypted Session with a Remote Device Example
The following example shows how to start an encrypted SSH session with a remote networking device, from any UNIX or UNIX-like device:
ssh -2 -s user@router.example.com netconf
Configuring NETCONF over SSHv2 Example
The following example shows how to configure NETCONF over SSHv2:
Device# configure terminal
Device(config)# netconf ssh acl 1
Device(config)# netconf lock-time 60
Device(config)# netconf max-sessions 5
Device(config)# netconf max-message 2345
Device# ssh -2 -s username@10.1.1.1 netconf
The following example shows how to get the configuration for loopback interface 113.
1. First, send the “hello”:
<?xml version="1.0" encoding="UTF-8"?>
<hello>
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:writeable-running:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:url:1.0</capability>
    <capability>urn:cisco:params:netconf:capability:pi-data-model:1.0</capability>
    <capability>urn:cisco:params:netconf:capability:notification:1.0</capability>
  </capabilities>
</hello>]]>]]>
2. Next, send the get-config request:
<?xml version="1.0"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:cpi="http://www.cisco.com/cpi_10/schema" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <config-format-text-cmd>
        <text-filter-spec>
          interface Loopback113
        </text-filter-spec>
      </config-format-text-cmd>
    </filter>
  </get-config>
</rpc>]]>]]>
The device returns the interface configuration in its reply:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">
  <data>
    <cli-config-data>
interface Loopback113
 description test456
 no ip address
 load-interval 30
end
    </cli-config-data>
  </data>
</rpc-reply>]]>]]>
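The hello, get-config and rpc-reply exchange above, as an added Python example that is not part of this module: it frames messages with the base:1.0 end-of-message delimiter that the examples end with, splits a received byte stream back into messages, and checks that a reply's message-id matches the request before reading the cli-config-data. The reply bytes are constructed here rather than read over the “netconf” SSH subsystem.

```python
import xml.etree.ElementTree as ET

EOM = "]]>]]>"  # base:1.0 end-of-message delimiter (RFC 4742)
BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

def frame(message: str) -> bytes:
    """Terminate one NETCONF message for the SSH 'netconf' subsystem channel."""
    return (message + EOM).encode("utf-8")

def hello(capabilities=("urn:ietf:params:netconf:base:1.0",)) -> str:
    caps = "".join(f"<capability>{c}</capability>" for c in capabilities)
    return (f'<?xml version="1.0" encoding="UTF-8"?><hello xmlns="{BASE_NS}">'
            f"<capabilities>{caps}</capabilities></hello>")

def get_config_text(message_id: str, cli_filter: str) -> str:
    """Build the Cisco text-filter get-config RPC used in the module's example."""
    return (f'<?xml version="1.0"?><rpc xmlns="{BASE_NS}" message-id="{message_id}">'
            "<get-config><source><running/></source><filter><config-format-text-cmd>"
            f"<text-filter-spec>{cli_filter}</text-filter-spec></config-format-text-cmd>"
            "</filter></get-config></rpc>")

def split_messages(buf: bytes):
    """Split received bytes at each delimiter; the last part is an incomplete remainder."""
    parts = buf.split(EOM.encode("utf-8"))
    return [p.decode("utf-8") for p in parts[:-1]], parts[-1]

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the namespace prefix ElementTree adds

def parse_reply(xml_text: str, expected_id: str) -> str:
    """Validate an rpc-reply against the request it should answer and return the CLI text."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "rpc-reply":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.get("message-id") != expected_id:
        raise ValueError("message-id mismatch: reply does not belong to this request")
    if any(_local(el.tag) == "rpc-error" for el in root.iter()):
        raise RuntimeError("device returned rpc-error")
    for el in root.iter():
        if _local(el.tag) == "cli-config-data":
            return (el.text or "").strip()
    raise ValueError("reply carries no cli-config-data")

# Constructed reply bytes shaped like the module's rpc-reply for Loopback113 (not captured).
SAMPLE_REPLY = frame('<?xml version="1.0" encoding="UTF-8"?>'
                     '<rpc-reply message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">'
                     "<data><cli-config-data>\ninterface Loopback113\n description test456\n"
                     " no ip address\n load-interval 30\nend\n</cli-config-data></data></rpc-reply>")
```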
Additional References for NETCONF over SSHv2
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
NETCONF commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Cisco Networking Services Command Reference
IP access list commands and security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Security Command Reference
IP access lists | IP Access List Overview and Creating an IP Access List and Applying It to an Interface modules in the Cisco IOS Security Configuration Guide: Securing the Data Plane
Secure Shell and Secure Shell Version 2 | “Configuring Secure Shell” module in the Cisco IOS Security Configuration Guide: Securing User Services
Standards and RFCs
RFC | Title
---|---
RFC 2246 | The TLS Protocol Version 1.0
RFC 4251 | The Secure Shell (SSH) Protocol Architecture
RFC 4252 | The Secure Shell (SSH) Authentication Protocol
RFC 4741 | NETCONF Configuration Protocol
RFC 4742 | Using the NETCONF Configuration Protocol over Secure SHell (SSH)
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for NETCONF over SSHv2
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
NETCONF over SSHv2 | Cisco IOS XE Release 2.1, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXI, 12.4(9)T | The NETCONF over SSHv2 feature enables you to perform network configurations via the Cisco command-line interface (CLI) over an encrypted transport. The following commands were introduced or modified by this feature: netconf lock-time, netconf max-message, netconf max-sessions, and netconf ssh.