Configuring Network Configuration Protocol

This module provides details of the Network Configuration Protocol. For relevant commands, see System Security Command Reference for Cisco CRS Routers.

Release

Modification

Release 5.3.0

This feature was introduced.

Release 5.3.1

Support extended for more Yang models.

Release 6.0

Support extended for the Netconf subsystem configuration to be vrf aware. The configuration of the netconf port is no longer sufficient to start the Netconf subsystem support. At least one vrf needs to be configured. The configuration of the port is now optional.

The Network Configuration Protocol

The Network Configuration Protocol (Netconf) provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. Yang is a data modeling language used with Netconf.

Netconf uses a simple RPC-based (Remote Procedure Call) mechanism to facilitate communication between a client and a server. The client can be a script or application typically running as part of a network manager. The server is typically a network device.

The configuration of features need not be done the traditional way (using CLIs), the client application (controller) reads the Yang model and communicates with the Netconf server (IOS XR) accordingly.

Netconf Sessions and Operations

A Netconf session is the logical connection between a network configuration application and a network device. A device should be capable of supporting multiple sessions and atleast one Netconf session.

Characteristics of a netconf session:

  • Netconf is connection-oriented - SSH is the underlying transport.

  • The netconf client establishes session with the server.

  • Netconf sessions are established with the hello message. Features and capabilities are announced.

  • Sessions can be terminated using the close or kill messages.

Basic Netconf operations:

  • Get configuration <get-config>

  • Get all information <get>

  • Edit configuration <edit-config>

  • Copy configuration <copy-config>


    Note

    <copy-config> does not support source attribute with “data store” at present.
  • <lock>, <unlock>

  • <kill-session>

  • <close-session>

  • Commit configuration <commit>

The Yang data model

Each feature has a defined Yang Model which is synthesized from the schemas. A model is published in a tree format and includes:
  • Top level nodes and their subtrees

  • Subtrees that augment nodes in other yang models

Example: The aaa Yang model
module: Cisco-IOS-XR-aaa-lib-cfg
   +--rw aaa
      +--rw accountings
      |  +--rw accounting* [type listname]
      |     +--rw type                 xr:Cisco-ios-xr-string
      |     +--rw listname             xr:Cisco-ios-xr-string
      |     +--rw rp-failover?         Aaa-accounting-rp-failover
      |     +--rw broadcast?           Aaa-accounting-broadcast
      |     +--rw type-xr?             Aaa-accounting
      |     +--rw method*              Aaa-method
      |     +--rw server-group-name*   string
      +--rw authorizations
      |  +--rw authorization* [type listname]
      |     +--rw type                 xr:Cisco-ios-xr-string
      |     +--rw listname             xr:Cisco-ios-xr-string
      |     +--rw method*              Aaa-method
      |     +--rw server-group-name*   string
      +--rw accounting-update!
      |  +--rw type                 Aaa-accounting-update
      |  +--rw periodic-interval?   uint32
      +--rw authentications
         +--rw authentication* [type listname]
            +--rw type                 xr:Cisco-ios-xr-string
            +--rw listname             xr:Cisco-ios-xr-string
            +--rw method*              Aaa-method
            +--rw server-group-name*   string

Advantages of using the Yang model are:

  • Yang supports programmatic interfaces.

  • Yang supports simplified network management applications.

  • Yang supports interoperability that provides a standard way to model management data.

Netconf and Yang

The workflow displayed here, will help the user to understand how Netconf-Yang can configure and control the network with minimal user intervention. The required components:
  • Cisco Router (ASR9000 series or CRS) with Netconf capability

  • Netconf Client Application with connection to the router

S. No.

Device / component

Action

1

Cisco router (ASR 9000 or CRS router)

Login/ access the router.

2

Cisco router

Prerequisites for enabling Netconf.
  • k9sec pie must be installed.

  • Crypto keys must be generated.

3

Cisco router

Enable Netconf agent. Use the netconf-yang agent ssh and ssh server netconf command. The port can be selected. By default, it is set as 830.

4

Cisco router

Yang models are a part of the software image. The models can be retrieved from the router , using the <get-schema> operation.

5

Netconf client (application)

The application can be on any standalone application or a SDN controller supporting Netconf

Installs and processes the Yang models.

The client can offer a list of supported yang models; else the user will have to browse and locate the required yang file.

There is a yang model file for each configuration module; for instance if the user wants to configure CDP , the relevant yang model is Cisco-IOS-XR-cdp-cfg

Note 

Refer the table which lists all the supported yang models. Supported Yang Models

5

Netconf client

Sends Netconf operation request over SSH to the router. A configuration request could include Yang-based XML data to the router. Currently, SSH is the only supported transport method.

6

Cisco router

Understands the Yang-based XML data and the network is configured accordingly (in case of configuration request from the client).

The interactions between the client and the router happens until the network is configured as desired.

Supported Yang Models

The Yang models can be downloaded from a prescribed location (ftp server) or can also be retrieved directly from the router using the get-schema operation.

For a feature, separate Yang models are available for configuring the feature and to get operational statistics (show commands). The -cfg.yang suffix denotes configuration and -oper*.yang is for operational data statistics. In some cases, -oper is followed by -sub, indicating that a submodule(s) is available.

For a list of supported Yang models, see https://github.com/YangModels/yang/tree/master/vendor/cisco/xr

Denial of Services Defence for Netconf-Yang

In case of a DoS (Denial of Service) attack on Netconf, wherein, Netconf receives numerous requests in a short span of time, the router may become irresponsive if Netconf consumes most of the bandwidth or CPU processing time. This can be prevented, by limiting the traffic directed at the Netconf agent. This is achieved using the netconf-yang agent rate-limit and netconf-yang agent session commands.

If rate-limit is set, the Netconf processor measures the incoming traffic from the SSH server. If the incoming traffic exceeds the set rate-limit, the packets are dropped.

If session-limit is set, the Netconf processor checks for the number of open sessions. If the number of current sessions is greater than or equal to, the set limit, no new sessions are opened.

Session idle- timeout and absolute-timeout also prevent DoS attacks. The Netconf processor closes the sessions, even without user input or intervention, as soon at the time out session is greater than or equal to the set time limit.

The relevant commands are discussed in detail, in the System Security Command Reference for Cisco CRS Routers

Dynamic Loading of Operational Yang Models

Netconf is enhanced to pre-load only the configurational yang models in memory, when it starts. The operational yang models are loaded into memory only when a request is issued. This helps reduce consumption of the RAM memory.

Enabling NETCONF over SSH

This task enables NETCONF over SSH. SSH is currently the only supported transport method .

If the client supports, Netconf over ssh can utilize the multi-channeling capabilities of IOS XR ssh server. For additional details about Multi-channeling in SSH, see Implementing Secure Shell in System Security Configuration Guide.

Prerequisites:

  • k9sec pie must be installed, otherwise the port configuration for the netconf ssh server cannot be completed. (The Netconf subsystem for SSH, as well as, SSH cannot be configured without the k9sec pie.)

  • Crypto keys must be generated prior to this configuration.

  • The Netconf-YANG feature is packaged in the mgbl pie, which must be installed before enabling the Netconf-YANG agent.

SUMMARY STEPS

  1. configure
  2. netconf-yang agent ssh
  3. ssh server netconf [ vrf vrf-name[ ipv4 access-listipv4 access list name] [ ipv6 access-list ipv6 access list name]]
  4. ssh server netconf port port-number

DETAILED STEPS

  Command or Action Purpose
Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

netconf-yang agent ssh

Example:

RP/0/RP0/CPU0:router (config) # netconf agent ssh

Enables NETCONF agent over SSH connection. After NETCONF is enabled, the Yang model in the controllcker, can configure the relevant models.

Note 

The Yang models can be retrieved from the router via NETCONF <get-schema> operation.

Step 3

ssh server netconf [ vrf vrf-name[ ipv4 access-listipv4 access list name] [ ipv6 access-list ipv6 access list name]]

Example:

RP/0/RP0/CPU0:router (config) # ssh server netconf vrf netconfvrf ipv4 access-list InternetFilter

Brings up the netconf subsytem support with SSH server using a specified VRF of up to 32 characters. If no VRF is specified, the default VRF is used. To stop the SSH server from receiving any further connections for the specified VRF, use the no form of this command.

Optionally ACLs for IPv4 and IPv6 can be used to restrict access to the netconf subsystem of the ssh server before the port is opened.

Note 

The netconf subsystem support with SSH server can be configured for use with multiple VRFs .

Step 4

ssh server netconf port port-number

Example:

RP/0/RP0/CPU0:router (config) # ssh server netconf port 830

Configures a port for the netconf ssh server. This command is optional. If no port is specified, port 830 is uses by default.

Note 

830 is the IANA-assigned TCP port for NETCONF over SSH, but it can be changed using this command.

What to do next

The show netconf-yang statistics command and show netconf-yang clients command can be used to verify the configuration details of the netconf agent.

The clear netconf-yang agent session command clears the specified Netconf session (on the Netconf server side).

Examples: Netconf over SSH

This section illustrates some examples relevant to Netconf:

Enabling netconf-yang for ssh transport and netconf subsystem for default vrf with default port (830)


config
netconf-yang agent ssh
ssh server netconf vrf default
		!
!

Enabling netconf-yang for ssh transport and netconf subsystem for vrf green and vrf red with netconf port (831)


config
netconf-yang agent ssh
!
ssh server netconf vrf green
ssh server netconf vrf red
ssh server netconf port 831
		!
!

Show command outputs

show netconf-yang statistics
Summary statistics        requests|             total time|   min time per request|   max time per request|   avg time per request|
other                             0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
close-session                     4|       0h  0m  0s   3ms|       0h  0m  0s   0ms|       0h  0m  0s   1ms|       0h  0m  0s   0ms|
kill-session                      0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
get-schema                        0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
get                               0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   
get-config                        1|       0h  0m  0s   1ms|       0h  0m  0s   1ms|       0h  0m  0s   1ms|       0h  0m  0s   1ms|
edit-config                       3|       0h  0m  0s   2ms|       0h  0m  0s   0ms|       0h  0m  0s   1ms|       0h  0m  0s   0ms|
commit                            0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
cancel-commit                     0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
lock                              0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
unlock                            0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
discard-changes                   0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
validate                          0|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|       0h  0m  0s   0ms|
show netconf-yang clients
client session ID|   NC version|    client connect time|        last OP time|        last OP type|    <lock>|            
22969| 			 												1.1|         0d  0h  0m  2s|             11:11:24|      			 close-session|        No|           
15389|     												1.1|         0d  0h  0m  1s|           	 11:11:25|          get-config|        		 No|



Additional Reference

Table 1. Related Documents

Related Topic

Document Title

Netconf-Yang

For related commands, see System Security Command Reference for Cisco CRS Routers

Table 2. Standards

Component

RFCs

YANG

6020

NETCONF

6241

NETCONF over SSH

6242