The Network Configuration Protocol

The Network Configuration Protocol (Netconf) provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages, as defined in RFC6241. Yang is a data modeling language used with Netconf, as defined in RFC6020.

Netconf uses a simple RPC-based (Remote Procedure Call) mechanism to facilitate communication between a client and a server. The client can be a script or application typically running as part of a network manager. The server is typically a network device.

Netconf runs within a Secure Shell (SSH) session as an SSH subsystem, as defined in RFC6242.

The configuration of features need not be done the traditional way (using CLIs), the client application (controller) reads the Yang model and communicates with the Netconf server (IOS XR) accordingly.

Netconf Sessions and Operations

A Netconf session is the logical connection between a network configuration application and a network device. A device should be capable of supporting multiple sessions and atleast one Netconf session.

Characteristics of a netconf session:

  • Netconf is connection-oriented - SSH is the underlying transport.

  • The netconf client establishes session with the server.

  • Netconf sessions are established with the hello message. Features and capabilities are announced.

  • Sessions can be terminated using the close or kill messages.

Basic Netconf operations:

  • Get configuration <get-config>

  • Get all information <get>

  • Edit configuration <edit-config>

  • Copy configuration <copy-config>


    Note
    <copy-config> does not support source attribute with “data store” at present.

  • <lock>, <unlock>

  • <kill-session>

  • <close-session>

  • Commit configuration <commit>

The Yang data model

Each feature has a defined Yang Model which is synthesized from the schemas. A model is published in a tree format and includes:

  • Top level nodes and their subtrees

  • Subtrees that augment nodes in other yang models 

Example: The aaa Yang model
(exec-19.42.10) bash-4.2$ pyang -f tree Cisco-IOS-XR-aaa-lib-cfg.yang
module: Cisco-IOS-XR-aaa-lib-cfg
    +--rw aaa
       +--rw accountings
       |  +--rw accounting* [type listname]
       |     +--rw type                  xr:Cisco-ios-xr-string
       |     +--rw listname              xr:Cisco-ios-xr-string
       |     +--rw rp-failover?          dt1:Aaa-accounting-rp-failover
       |     +--rw broadcast?            dt1:Aaa-accounting-broadcast
       |     +--rw type-xr?              dt1:Aaa-accounting
       |     +--rw method1?              dt1:Aaa-method-accounting
       |     +--rw method2?              dt1:Aaa-method-accounting
       |     +--rw method3?              dt1:Aaa-method-accounting
       |     +--rw method4?              dt1:Aaa-method-accounting
       |     +--rw server-group-name1?   string
       |     +--rw server-group-name2?   string
       |     +--rw server-group-name3?   string
       |     +--rw server-group-name4?   string
       +--rw authorizations
       |  +--rw authorization* [type listname]
       |     +--rw type                  xr:Cisco-ios-xr-string
       |     +--rw listname              xr:Cisco-ios-xr-string
       |     +--rw method1?              dt1:Aaa-method
       |     +--rw method2?              dt1:Aaa-method
       |     +--rw method3?              dt1:Aaa-method
       |     +--rw method4?              dt1:Aaa-method
       |     +--rw server-group-name1?   string
       |     +--rw server-group-name2?   string
       |     +--rw server-group-name3?   string
       |     +--rw server-group-name4?   string
       +--rw accounting-update!
       |  +--rw type                 dt1:Aaa-accounting-update
       |  +--rw periodic-interval?   uint32
       +--rw banner
       |  +--rw login?   string
       +--rw authentications
          +--rw authentication* [type listname]
             +--rw type                  xr:Cisco-ios-xr-string
             +--rw listname              xr:Cisco-ios-xr-string
             +--rw method1?              dt1:Aaa-method
             +--rw method2?              dt1:Aaa-method
             +--rw method3?              dt1:Aaa-method
             +--rw method4?              dt1:Aaa-method
             +--rw server-group-name1?   string
             +--rw server-group-name2?   string
             +--rw server-group-name3?   string
             +--rw server-group-name4?   string

Advantages of using the Yang model are:

  • Yang supports programmatic interfaces.

  • Yang supports simplified network management applications.

  • Yang supports interoperability that provides a standard way to model management data.

Netconf and Yang

The workflow displayed here, will help the user to understand how Netconf-Yang can configure and control the network with minimal user intervention. The required components:

  • Cisco 8000 Series Router with Netconf capability

  • Netconf Client Application with connection to the router

S. No.

Device / component

Action

1

Cisco router

Login/ access the router.

2

Cisco router

Prerequisites for enabling Netconf:

  • Crypto keys must be generated.

3

Cisco router

Enable Netconf agent. Use the netconf-yang agent ssh and ssh server netconf command. The port can be selected. By default, it is set as 830.

4

Cisco router

Yang models are a part of the software image. The models can be retrieved from the router , using the <get-schema> operation.

5

Netconf client (application)

The application can be on any standalone application or a SDN controller supporting Netconf

Installs and processes the Yang models.

The client can offer a list of supported yang models; else the user will have to browse and locate the required yang file.

There is a yang model file for each configuration module; for instance if the user wants to configure CDP , the relevant yang model is Cisco-IOS-XR-cdp-cfg

Note

 

Refer the table which lists all the supported yang models Supported Yang Models

5

Netconf client

Sends Netconf operation request over SSH to the router. A configuration request could include Yang-based XML data to the router. Currently, SSH is the only supported transport method.

6

Cisco router

Understands the Yang-based XML data and the network is configured accordingly (in case of configuration request from the client).

The interactions between the client and the router happens until the network is configured as desired.

Supported Yang Models

The Yang models can be downloaded from a prescribed location (ftp server) or can also be retrieved directly from the router using the get-schema operation.

For a feature, separate Yang models are available for configuring the feature and to get operational statistics (show commands). The -cfg.yang suffix denotes configuration and -oper*.yang is for operational data statistics. In some cases, -oper is followed by -sub, indicating that a submodule(s) is available.

For a list of supported Yang models, see https://github.com/YangModels/yang/tree/master/vendor/cisco/xr

Denial of Services Defense for Netconf-Yang

In case of a DoS (Denial of Service) attack on Netconf, wherein, Netconf receives numerous requests in a short span of time, the router may become irresponsive if Netconf consumes most of the bandwidth or CPU processing time. This can be prevented, by limiting the traffic directed at the Netconf agent. This is achieved using the netconf-yang agent rate-limit and netconf-yang agent session commands.

If rate-limit is set, the Netconf processor measures the incoming traffic from the SSH server. If the incoming traffic exceeds the set rate-limit, the packets are dropped.

If session-limit is set, the Netconf processor checks for the number of open sessions. If the number of current sessions is greater than or equal to, the set limit, no new sessions are opened.

Session idle- timeout and absolute-timeout also prevent DoS attacks. The Netconf processor closes the sessions, even without user input or intervention, as soon at the time out session is greater than or equal to the set time limit.

The relevant commands are discussed in detail, in the System Security Command Reference for Cisco 8000 Series Routers

Enabling NETCONF over SSH

This task enables NETCONF over SSH. SSH is currently the only supported transport method .

If the client supports, Netconf over ssh can utilize the multi-channeling capabilities of IOS XR ssh server.

Prerequisite:

  • Crypto keys must be generated prior to this configuration.

Procedure

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

netconf-yang agent ssh

Example:

RP/0/RP0/CPU0:router (config) # netconf agent ssh

Enables NETCONF agent over SSH connection. After NETCONF is enabled, the Yang model in the controllcker, can configure the relevant models.

Note

 

The Yang models can be retrieved from the router via NETCONF <get-schema> operation.

Step 3

ssh server netconf [ vrf vrf-name[ ipv4 access-listipv4 access list name] [ ipv6 access-list ipv6 access list name]]

Example:

RP/0/RP0/CPU0:router (config) # ssh server netconf vrf netconfvrf ipv4 access-list InternetFilter

Brings up the netconf subsytem support with SSH server using a specified VRF of up to 32 characters. If no VRF is specified, the default VRF is used. To stop the SSH server from receiving any further connections for the specified VRF, use the no form of this command.

Optionally ACLs for IPv4 and IPv6 can be used to restrict access to the netconf subsystem of the ssh server before the port is opened.

Note

 

The netconf subsystem support with SSH server can be configured for use with multiple VRFs .

Step 4

ssh server netconf port port-number

Example:

RP/0/RP0/CPU0:router (config) # ssh server netconf port 830

Configures a port for the netconf ssh server. This command is optional. If no port is specified, port 830 is uses by default.

Note

 

830 is the IANA-assigned TCP port for NETCONF over SSH, but it can be changed using this command.

What to do next

The show netconf-yang statistics command and show netconf-yang clients command can be used to verify the configuration details of the netconf agent.

The clear netconf-yang agent session command clears the specified Netconf session (on the Netconf server side).

Examples: Netconf over SSH

This section illustrates some examples relevant to Netconf:

Enabling netconf-yang for ssh transport and netconf subsystem for default vrf with default port (830) 


config
netconf-yang agent ssh
ssh server netconf vrf default
		!
!

Enabling netconf-yang for ssh transport and netconf subsystem for vrf green and vrf red with netconf port (831) 


config
netconf-yang agent ssh
!
ssh server netconf vrf green
ssh server netconf vrf red
ssh server netconf port 831
		!
!

Show command outputs 

show netconf-yang statistics
Summary statistics        requests|             total time|   min time per request|   max time per request|   avg time per request|
other                             0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
close-session                     4|       0h  0m  0s   3ms|       0h  0m  0s   0ms|       0h  0m  0s   1ms|       0h  0m  0s   0ms|
kill-session                      0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
get-schema                        0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
get                               0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   
get-config                        1|       0h  0m  0s   1ms|       0h  0m  0s   1ms|       0h  0m  0s   1ms|       0h  0m  0s   1ms|
edit-config                       3|       0h  0m  0s   2ms|       0h  0m  0s   0ms|       0h  0m  0s   1ms|       0h  0m  0s   0ms|
commit                            0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
cancel-commit                     0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
lock                              0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
unlock                            0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
discard-changes                   0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
validate                          0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|

show netconf-yang clients
client session ID|   NC version|    client connect time|        last OP time|        last OP type|    <lock>|            
22969| 			 												1.1|         0d  0h  0m  2s|             11:11:24|      			 close-session|        No|           
15389|     												1.1|         0d  0h  0m  1s|           	 11:11:25|          get-config|        		 No|