Translate

Archives

NX-OS NETCONF Support

NETCONF (Network Configuration Protocol) is a network management protocol developed and standardized by the IETF Netconf Working Group. It was first published in December 2006 as RFC 4741 with a revised version published in June 2011 as RFC 6241. It provides mechanisms to install, manipulate, and delete the configuration of network devices.

The same IETF Working Group also produced supporting RFCs for various transport mappings, including:

  • RFC 4742 – Using the NETCONF Configuration Protocol over Secure SHell (SSH). Obsoleted by RFC 6242 (2011) which introduced a new framing mechanism to address some potential security issues with the initial design
  • RFC 4743 – Using NETCONF over the SOAP (Simple Object Access Protocol)
  • RFC 5539 – NETCONF over Transport Layer Security (TLS)
  • RFC 5277 – NETCONF Event Notifications. Describes an asynchronous notification mechanism allowing clients to subscribe to named event streams
  • RFC 6243 – With-defaults Capability for NETCONF. Describes an extension to the NETCONF protocol that allows clients to identify how defaults are processed by the server

NETCONF is an RPC-based protocol which uses XML (Extensible Markup Language) to encode data as well as the protocol messages. The protocol messages are exchanged on top of a secure transport protocol such as SSL or TLS.

The NETCONF protocol can be conceptually partitioned into four layers:

  • The Content layer consists of configuration data and notification data.
  • The Operations layer defines a set of base protocol operations to retrieve and edit the configuration data.
  • The Messages layer provides a mechanism for encoding remote procedure calls and notifications
  • The Secure Transport layer provides a secure and reliable transport of messages between a client and a server.

The NETCONF protocol was designed to address the shortcomings of existing practices and protocols for configuration management. According to Tail-F, a Network Service Orchestration company:

CLI scripting was the primary approach to making automated configuration changes to the network prior to NETCONF. CLI scripting has several limitations including lack of transaction management, no structured error management and ever changing structure and syntax of commands that makes scripts fragile and costly to maintain. These are all side-effects of the basic fact that CLIs are designed to be used by humans and not an API for programmatic access.

SNMP is another approach that could be used to write changes, but, in practice, is mostly used for performance and monitoring applications. Reasons for this include the lack of a defined discovery process that makes it hard to find the correct MIB modules, limitations inherent in the use of the UDP protocol, and the lack of useful standard security and commit mechanisms.

Closely tied to NETCONF is YANG which is a data modeling language used to model configuration and state data manipulated by the NETCONF protocol, NETCONF remote procedure calls, and NETCONF notifications. YANG was developed by the IETF NETCONF Data Modeling Language Working Group (NETMOD), and is defined in RFC 6020. YANG structures the data definitions into tree structures and provides many modeling features, including an extensible type system, formal separation of state and configuration data and a variety of syntactic and semantic constraints. YANG data definitions are contained in modules and provide a rich set of features for extensibility and reuse.

The Cisco NX-OS implementation of NETCONF requires you to use a SSHv2 (Secure Shell Version 2) session for communication with the target device. See RFC 4742 for more information about using NETCONF over SSH . The target device provides an SSHv2 subsystem service called xmlagent that supports NETCONF over SSH Version 2.

SSHv2 subsystems are a layer of abstraction for defining and conveniently invoking remote commands on a server. For example, the default /etc/sshd/sshd_config file for Fedora 20 defines a subsystem for the sftpd server:

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

As shown below, you invoke the xmlagent subsystem with the -s xmlagent command line argument. Note that some Cisco NETCONF documentation incorrectly states that the requisite subsystem is named netconf. Only SSH version 2 supports subsystems.

As you can see, all NETCONF messages are in the form of conforming XML documents with valid namespaces. You must end all the XML documents with ]]>]]> to support synchronization in NETCONF over SSH. You can obtain the NX-OS XML Schema Definition at the Cisco download website.

The following are some examples of how to use NETCONF on a Nexus 7000. By the way, in case you are unaware of it, the operating system on a Nexus 7000 is NX-OS and not IOS. For more information about the NX-OS XML interfaces, see here.

Example 1 – Hello
The hello message (XML document) must be the first message sent by a NETCONF-aware client after the NETCONF server emits it’s hello message.

To manually send an XML document to the XML server through an SSH session that you opened in a command shell, you can copy the XML text from an editor and paste it into the SSH session as I did above.

<?xml version="1.0"?>
<nc:hello xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <nc:capabilities>
      <nc:capability>urn:ietf:params:xml:ns:netconf:base:1.0</nc:capability>
   </nc:capabilities>
</nc:hello>]]>]]>

Example 2 – Show Server Status

<?xml version="1.0"?>
<nc:rpc message-id="1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
   xmlns="http://www.cisco.com/nxos:1.0:xml">
    <nc:get>
     <nc:filter type="subtree">
       <show>
         <xml>
           <server>
            <status/>
           </server>
         </xml>
       </show>
      </nc:filter>
     </nc:get>
</nc:rpc>]]>]]>

<?xml version="1.0" encoding="ISO-8859-1"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cisco.com/nxos:1.0:xml" message-id="1">
 <nc:data>
  <show>
   <xml>
    <server>
     <status>
      <__XML__OPT_Cmd_show_xml___readonly__>
       <__readonly__>
        <operational_status>
         <o_status>enabled</o_status>
        </operational_status>
        <maximum_sessions_configured>
         <max_session>8</max_session>
        </maximum_sessions_configured>
        <TABLE_sessions>
         <ROW_sessions>
          <session_id>3940</session_id>
          <user_name>admin</user_name>
          <start_time>Sat May 10 15:08:31 2014</start_time>
          <sap_id>2627</sap_id>
          <timeout>1200</timeout>
          <time_remaining_to_timeout>1197</time_remaining_to_timeout>
          <ip_addr>192.168.100.1</ip_addr>
         </ROW_sessions>
        </TABLE_sessions>
       </__readonly__>
      </__XML__OPT_Cmd_show_xml___readonly__>
     </status>
    </server>
   </xml>
  </show>
 </nc:data>
</nc:rpc-reply>
]]>]]>

Example 3 – Show Version

<?xml version="1.0"?>
   <nc:rpc message-id="1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns="http://www.cisco.com/nxos:1.0:sysmgrcli">
     <nc:get>
       <nc:filter type="subtree">
         <show>
             <version>
             </version>
         </show>
       </nc:filter>
     </nc:get>
</nc:rpc>]]>]]>

<?xml version="1.0" encoding="ISO-8859-1"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cisco.com/nxos:1.0:sysmgrcli" message-id="1">
 <nc:data>
  <show>
   <version>
    <__XML__OPT_Cmd_sysmgr_show_version___readonly__>
     <__readonly__>
      <header_str>Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
</header_str>
      <loader_ver_str>N/A</loader_ver_str>
      <kickstart_ver_str>5.1(2) [gdb]</kickstart_ver_str>
      <sys_ver_str>5.1(2) [gdb]</sys_ver_str>
      <kick_file_name>bootflash:/titanium-d1-kickstart.5.1.2.gbin</kick_file_name>
      <kick_cmpl_time> 12/25/2020 12:00:00</kick_cmpl_time>
      <kick_tmstmp>12/18/2010 09:53:29</kick_tmstmp>
      <isan_file_name>bootflash:/titanium-d1.5.1.2.gbin</isan_file_name>
      <isan_cmpl_time> 11/29/2010 12:00:00</isan_cmpl_time>
      <isan_tmstmp>12/18/2010 11:47:03</isan_tmstmp>
      <chassis_id>Unknown MDS Chassis</chassis_id>
      <module_id>Unknown Module</module_id>
      <cpu_name>Intel(R) Core(TM) i5-3450 CP</cpu_name>
      <memory>2066644</memory>
      <mem_type>kB</mem_type>
      <proc_board_id>T0C29978A3B</proc_board_id>
      <host_name>n7k</host_name>
      <bootflash_size>0</bootflash_size>
      <kern_uptm_days>0</kern_uptm_days>
      <kern_uptm_hrs>1</kern_uptm_hrs>
      <kern_uptm_mins>56</kern_uptm_mins>
      <kern_uptm_secs>5</kern_uptm_secs>
     </__readonly__>
    </__XML__OPT_Cmd_sysmgr_show_version___readonly__>
   </version>
  </show>
 </nc:data>
</nc:rpc-reply>
]]>]]>

Example 4 – Show Running Configuration

<?xml version="1.0"?>
   <nc:rpc message-id="1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns="http://www.cisco.com/nxos:1.0:sysmgrcli">
     <nc:get>
       <nc:filter type="subtree">
         <show>
             <running-config>
             </running-config>
         </show>
       </nc:filter>
     </nc:get>
</nc:rpc>]]>]]>


<?xml version="1.0"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cisco.com/nxos:1.0:sysmgrcli" message-id="1">
  <nc:data>
!Command: show running-config
!Time: Sat May 10 16:34:25 2014

version 5.1(2)
license grace-period

hostname n7k
vdc n7k id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 1000
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 96 maximum 96
  limit-resource u6route-mem minimum 24 maximum 24
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8
feature ospf
feature hsrp
feature vtp

username adminbackup password 5 !  role network-operator
username admin password 5 $1$ek7G4QLQ$YqLUwOCmeIaQFjFRPaznZ0  role network-admin
username all password 5 !!  role network-operator

banner motd .
*****************
 Username: admin
 Password: cisco
*****************

ip domain-lookup
vlan dot1Q tag native
system default switchport
system jumbomtu 0
no logging event trunk-status enable
snmp-server user all  engineID 128:0:0:9:3:0:80:86:159:0:13
snmp-server user admin auth md5 0x1c4527bd2809f91d57d71d49e3871168 priv 0x1c4527bd2809f91d57d71d49e3871168 localizedkey engineID 128:0:0:9:3:0:80:86:159:0:13
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
snmp-server enable traps link

vrf context management
  ip route 0.0.0.0/0 192.168.1.1

interface Ethernet2/1
  shutdown
  no switchport

interface Ethernet2/2
  shutdown
  no switchport

interface Ethernet2/3
  shutdown
  no switchport

interface Ethernet2/4
  shutdown
  no switchport

interface Ethernet2/5
  shutdown
  no switchport

interface Ethernet2/6
  shutdown
  no switchport

interface Ethernet2/7
  shutdown
  no switchport

interface Ethernet2/8
  shutdown
  no switchport

interface Ethernet2/9
  shutdown
  no switchport

interface mgmt0
  vrf member management
  ip address 192.168.100.10/24
line console
line vty
boot kickstart bootflash:/titanium-d1-kickstart.5.1.2.gbin
boot system bootflash:/titanium-d1.5.1.2.gbin
ip route 0.0.0.0/0 192.168.100.1
no system default switchport shutdown

</nc:data>
</nc:rpc-reply>
]]>]]>

Example 5 – Error Message

<?xml version="1.0"?>
   <nc:rpc message-id="1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns="http://www.cisco.com/nxos:1.0:sysmgrcli">
     <nc:get>
       <nc:filter type="subtree">
         <show>
             <murphy />
         </show>
       </nc:filter>
     </nc:get>
</nc:rpc>]]>]]>


<?xml version="1.0"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cisco.com/nxos:1.0:sysmgrcli" message-id="1">
  <nc:rpc-error>
    <nc:error-type>application</nc:error-type>
    <nc:error-tag>invalid-value</nc:error-tag>
    <nc:error-severity>error</nc:error-severity>
    <nc:error-message>Syntax error while parsing 'show murphy '</nc:error-message>
    <nc:error-info>
      <nc:bad-element>show</nc:bad-element>
    </nc:error-info>
  </nc:rpc-error>
</nc:rpc-reply>
]]>]]>

Example 6 – Retrieve SSH Keys

<?xml version="1.0"?>
<nc:rpc message-id="1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
  xmlns="http://www.cisco.com/nxos:1.0:security_tree">
  <nc:get>
    <nc:filter type="subtree">
      <show>
        <ssh>
             <key />
        </ssh>
      </show>
    </nc:filter>
  </nc:get>
</nc:rpc>]]>]]>

<?xml version="1.0"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cisco.com/nxos:1.0:security_tree" message-id="1">
  <nc:data>**************************************
rsa Keys generated:Sat May 10 13:53:00 2014

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC8leN2v8FrXVwxCbgOt4l64Ch5Zty7rkc8DOa4twNzP04DdsP0YE1UWRWOeFlY5WMI1KRR62ermxGVxVYUvl+RMZMBejRvTzvmAFpGjxihdfN6fvCLceRyPV4+G3lg1CIfH2bbl1CmN2kCh+cTc+eFT9jcdwrvncR+ABwpggYHzQ==

bitcount:1024
fingerprint:
44:9a:02:62:11:60:b2:15:e9:2b:36:08:1e:1c:eb:a5
**************************************
could not retrieve dsa key information
**************************************
</nc:data>
</nc:rpc-reply>
]]>]]>

Example 7 – Configure Interface

<?xml version="1.0"?>
<nc:rpc message-id="16" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
  xmlns="http://www.cisco.com/nxos:1.0:if_manager">
  <nc:edit-config>
    <nc:target>
      <nc:running/>
    </nc:target>
    <nc:config>
      <configure>
        <__XML__MODE__exec_configure>
          <interface>
            <ethernet>
              <interface>2/1</interface>
              <__XML__MODE_if-ethernet>
                <__XML__MODE_if-eth-base>
                  <ip>
                     <address>
                        <ip_addr>192.168.100.11 255.255.255.0</ip_addr>
                     </address>
                  </ip>
                  <description>
                    <desc_line>Configured by NETCONF</desc_line>
                  </description>
                  <no>
                     <shutdown/>
                  </no>
                </__XML__MODE_if-eth-base>
              </__XML__MODE_if-ethernet>
            </ethernet>
          </interface>
        </__XML__MODE__exec_configure>
      </configure>
    </nc:config>
  </nc:edit-config>
</nc:rpc>]]>]]>

<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nxos="http://www.cisco.com/nxos:1.0" message-id="110">
  <nf:data/>
</nf:rpc-reply>
]]>]]>

Example 7 – Configure Interface Using Cisco NETCONF Extension

Cisco NX-OS supports an RPC operation named exec-command. The operation allows client applications to send CLI configuration and show commands and to receive responses to those commands as XML tags.

<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:nxos="http://www.cisco.com/nxos:1.0" message-id="110">
<nxos:exec-command>
<nxos:cmd>configure terminal ;
        interface ethernet 2/1 ;
        ip address 192.168.100.15 255.255.255.0 ;
        no shutdown </nxos:cmd>
</nxos:exec-command>
</nf:rpc>]]>]]>

<?xml version="1.0"?>
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nxos="http://www.cisco.com/nxos:1.0" message-id="110">
  <nf:data/>
</nf:rpc-reply>
]]>]]>

Example 7 – Show Interface Brief Using Cisco NETCONF Extension

<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
   xmlns:nxos="http://www.cisco.com/nxos:1.0" message-id="110">
    <nxos:exec-command>
      <nxos:cmd>show interface brief</nxos:cmd>
    </nxos:exec-command>
</nf:rpc>]]>]]>

<?xml version="1.0"?>
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nxos="http://www.cisco.com/nxos:1.0" message-id="110">
  <nf:data>
--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
mgmt0  --           up     192.168.100.10                          --       1500

--------------------------------------------------------------------------------
Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                    Ch #
--------------------------------------------------------------------------------
Eth2/1        --      eth  routed up      none                       1000(D) --
Eth2/2        --      eth  routed down    Administratively down      auto(D) --
Eth2/3        --      eth  routed down    Administratively down      auto(D) --
Eth2/4        --      eth  routed down    Administratively down      auto(D) --
Eth2/5        --      eth  routed down    Administratively down      auto(D) --
Eth2/6        --      eth  routed down    Administratively down      auto(D) --
Eth2/7        --      eth  routed down    Administratively down      auto(D) --
Eth2/8        --      eth  routed down    Administratively down      auto(D) --
Eth2/9        --      eth  routed down    Administratively down      auto(D) --
</nf:data>
</nf:rpc-reply>
]]>]]>

You may think that NETCONF is some exotic network device configuration protocol. That was true a number of years ago. However NETCONF is becoming quite popular and is supported by most network equipment vendors nowadays. Network Function Virtualization (NFV) is an emerging operational model where service providers want to virtualize entire classes of network node functions into building blocks that may be connected, or chained, together to create communication services. NFV is built around a very strong assumption of deep automation. This deep automation aligns directly with NETCONF with its standardized protocols and models, Another area where NETCONF is actively being used is with Software Defined Networking (SDN).

Enjoy!

Comments are closed.