
Procedures to Install and Configure NETCONF Protocol and YANG Modeling on Linux-based management systems and Cisco devices.

August 16, 2019 NETCONF & YANG Installation procedures

Contents
1 Introduction
    1.1 Document Purpose
    1.2 Preface
    1.3 Scope and Requirements
    1.4 Related Documents
    1.5 Terminology
2 Installation and Configuration of NETCONF and YANG Modelling
    2.1 Procedure to install Yang Modeling Kit (YDK) on Linux platforms
        2.1.1 Ubuntu (Debian-based)
        2.1.2 CentOS (Fedora-based)
        2.1.3 MacOS
        2.1.4 Windows
        2.1.5 Python Requirements
    2.2 Procedure to configure NETCONF/YANG on Cisco platforms
        2.2.1 Enabling NETCONF and YANG on Cisco IOS-XR Platforms
        2.2.2 Enabling NETCONF and YANG Support on Cisco XE platforms
        2.2.3 Enabling NETCONF and YANG on the Cisco Nexus platforms
    2.3 Running Yang Development Kit (YDK)
        2.3.1 How to use YDK Sample Applications?
        2.3.2 Running multiple versions of YDK

List of Figures and Tables
Table 1 Enabling XML and SSH support on NX-OS
Table 2 NETCONF Operations

1 Introduction

1.1 Document Purpose


The purpose of this document is to provide the installation procedures for the NETCONF protocol and YANG
modelling on Cisco devices and on the Centralized Management Servers.

NETCONF is a remote configuration protocol that provides the mechanisms to install, manipulate and
delete the configurations of network devices. It is defined in RFC 6241.

YANG is a data modelling language used to model configuration data, state data, Remote Procedure
Calls, and notifications for network management protocols. It is defined as a standard in RFC 7950. It is
used by NETCONF to define objects or data in requests and replies.

1.2 Preface
The document outlines the steps to install and run NETCONF and YANG in the network management
environment. The document is a how-to for network engineering and operations teams. The content of
this document is based on the lessons learned during the testing of these technologies and the
feedback from the Cisco NETCONF and YDK Development teams. The design is limited to Cisco products.

1.3 Scope and Requirements


The scope of this document is to describe the installation procedure for NETCONF/OPENCONFIG and
YANG Modelling. The scope of the document is also limited to Cisco devices (routers). The
procedure might be extended to support third-party devices, but these are not covered in this document.

1.4 Related Documents


https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_7x_chapter_010011.html

https://developer.cisco.com/media/b_OSC_Install_Guide-ciscotopichtml/t_Config_NETCONF_Supp_Cis_ASR_and_IOS_Routers.html

http://ydk.cisco.com

1.5 Terminology

YDK YANG Development Kit

NETCONF Network Configuration

NX-OS Nexus Operating System

IOS-XR

IOS-XE

IOS Internet Operating Systems

2 Installation and Configuration of NETCONF and YANG Modelling

2.1 Procedure to install Yang Modeling Kit (YDK) on Linux platforms

2.1.1 Ubuntu (Debian-based)
1. First of all, make sure the system requirements are met through the following steps:
   a. Install the prebuilt libydk binary (https://github.com/CiscoDevNet/ydk-gen)
      i. You may have to install gdebi beforehand: sudo apt-get install gdebi-core
      ii. sudo apt-get install gdebi-core python3-dev python-dev libtool-bin
      iii. wget https://devhub.cisco.com/artifactory/debian-ydk/0.6.0/libydk_0.6.0-1_amd64.deb
      iv. sudo gdebi libydk_0.6.0-1_amd64.deb

   b. To build from the source you can use the following command:
      i. sudo apt-get install libcurl4-openssl-dev libpcre3-dev libssh-dev libxml2-dev libxslt1-dev libtool-bin cmake python3-dev python-dev
   c. You may need to install CMake before installing YDK
      i. sudo apt-get install cmake
   d. Check the requirements for YDK installation through the command
      i. pip list

2. Installation of Yang Modeling Kit (YDK) - You can install the latest model packages from the
   Python package index:
   a. pip install ydk-models-cisco-ios-xr
   b. pip install ydk-models-cisco-ios-xe

2.1.2 CentOS (Fedora-based)


The following packages must be present in your system before installing YDK-Py:
1. sudo yum install epel-release libssh-devel gcc-c++
2. sudo yum install https://devhub.cisco.com/artifactory/rpm-ydk/0.6.0/libydk-0.6.0-1.x86_64.rpm
3. sudo ln -fs /usr/bin/cmake3 /usr/bin/cmake && export PATH=/usr/bin:$PATH

2.1.3 MacOS
Xcode command line tools, Homebrew and the following Homebrew packages must be installed on
your system before installing YDK-Py:
1. xcode-select --install
2. /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
3. brew install python pkg-config libssh xml2 curl pcre cmake
4. curl -O https://devhub.cisco.com/artifactory/osx-ydk/0.6.0/libydk-0.6.0-Darwin.pkg
5. sudo installer -pkg libydk-0.6.0-Darwin.pkg -target /

2.1.4 Windows
Currently, YDK-Py from release 0.6.0 onwards is not supported on Windows.

2.1.5 Python Requirements


Both Python 2 and 3 are supported. At least Python 2.7 or Python 3.4 must be installed on your system.

2.2 Procedure to configure NETCONF/YANG on Cisco platforms

2.2.1 Enabling NETCONF and YANG on Cisco IOS-XR Platforms

1. Configure NETCONF and YANG on Cisco IOS-XR platforms

   a. Configuring NETCONF and YANG Support on Cisco ASR 9000 Series and IOS XRv Routers

      Step 1 Verify that the Cisco IOS XR software installed on your device supports
             both NETCONF and YANG.
      Step 2 Activate crypto keys by opening a shell and entering the following
             command: crypto key generate dsa
      Step 3 Configure NETCONF over SSH:

             ssh server v2
             ssh server netconf ipv4 access-lists <ACL_FOR_NETCONF_SERVERS>
             ssh server netconf port 830
             ssh timeout 120
             netconf-yang agent ssh

   b. Open a shell on the controller virtual machine and enter the following command to confirm
      that the routers have been configured properly to support NETCONF:
      ssh -p 830 username@router-IP-address -s netconf

2.2.2 Enabling NETCONF and YANG Support on Cisco XE platforms

1. The following outlines the basic configuration of a Catalyst 3850 running IOS-XE 16.3.3 software
   to support NETCONF and YANG data modeling:
   a. netconf-yang - Enable NETCONF/YANG globally. It may take up to 90 seconds to initialize
   b. username <username> privilege 15 password 0 <password> - Globally configure the
      username/password used for NETCONF-SSH access
   c. aaa new-model
   d. aaa authorization exec default local - Required for NETCONF-SSH
      connectivity and edit-config operations

2. The following is the additional (optional) configuration to allow NETCONF/YANG Syslog and
   SNMP event monitoring:
   a. These snmp-server configurations must be present in order to enable the generation of
      NETCONF notifications (RFC 5277) for Syslog messages and for any configured SNMP
      traps to also generate NETCONF notifications.
      i. snmp-server community public RW - SNMP gateway in DMI requires
         community public in 16.3.1 (a future software release should allow a configurable
         community string)
      ii. snmp-server trap link ietf - enable traps for IETF link up/down
      iii. snmp-server enable traps snmp authentication linkdown linkup - enable traps for link up/down
      iv. snmp-server enable traps syslog - enable traps for Syslog so
          notifications will be generated.
      v. snmp-server manager - enable snmp-server

   b. For SNMP traps, this configuration is required to generate NETCONF notifications. In
      IOS-XE 16.3.1 software a maximum of 10 SNMP traps can be configured to generate NETCONF
      notifications, but this restriction will be removed in a future release. Notification generation
      for SNMP traps is enabled by default. To disable generating SNMP trap notifications use this
      CLI: "no netconf-yang cisco-ia snmp-trap-control global-forwarding".
      i. netconf-yang cisco-ia snmp-trap-control trap-list 1.3.6.1.6.3.1.1.5.3 - LinkDown trap
      ii. netconf-yang cisco-ia snmp-trap-control trap-list 1.3.6.1.6.3.1.1.5.4 - LinkUp trap
      iii. netconf-yang cisco-ia snmp-trap-control trap-list 1.3.6.1.4.1.9.9.41.2.0.1 - Syslog generated notification trap

   c. For Syslog, this configuration must be present for the Data Model Interface (DMI) on the
      Catalyst 3850 to have the ability to generate NETCONF notifications defined in RFC 5277
      when IOSd on the Catalyst 3850 generates Syslog messages.
      i. logging history debugging - required for the generation of any
         NETCONF notification messages for Syslog
      ii. logging snmp-trap emergencies - configure 1 or more of the following
          to control which levels of Syslog messages are returned as notifications
      iii. logging snmp-trap alerts
      iv. logging snmp-trap critical
      v. logging snmp-trap errors
      vi. logging snmp-trap warnings
      vii. logging snmp-trap notifications
      viii. logging snmp-trap informational
      ix. logging snmp-trap debugging

3. Verify NETCONF/YANG on the Catalyst 3850

   a. From the Command Line Interface (CLI) of the Catalyst 3850, this command can be used to
      ensure that the software processes required to support the Data Model Interface (DMI) on the
      Catalyst 3850 run once netconf-yang is configured.

      3850-1# show platform software yang-management process

      confd : Running
      nesd : Running
      syncfd : Running
      ncsshd : Running
      dmiauthd : Running
      vtyserverutild : Running
      opdatamgrd : Running
      ngnix : Running

   b. Verify SSH connectivity to the Catalyst 3850 from the centralized management platform
      (laptop) with the username and password (username/password) from the above Catalyst 3850
      configuration. The response will be a long list of NETCONF capabilities from the Catalyst
      3850 followed by a hello message. TCP port 830 = netconf-ssh.

      $ ssh -s username@router-IP-address -p 830 netconf

2.2.3 Enabling NETCONF and YANG on the Cisco Nexus platforms


The Cisco NX-OS implementation of NETCONF requires you to use a Secure Shell (SSH) session for
communication with the device.
NETCONF is implemented with an XML Schema (XSD) that allows you to enclose device configuration
elements within a remote procedure call (RPC) message.
From within an RPC message, you select one of the NETCONF operations that matches the type of
command that you want the device to execute.

Step 1   configure terminal
         Enters global configuration mode.

Step 2   show xml server status
         (Optional) Displays information about XML server settings and active XML server
         sessions. You can find session numbers in the command output.

Step 3   xml server validate all
         Causes validation of XML documents for the specified server session.

Step 4   xml server terminate session
         Terminates the specified XML server session.

Step 5   no feature ssh
         (Optional) Disables the SSH server so that you can generate keys.
         For information about generating keys, see the Configuring SSH and the XML Server Options

Step 6   feature ssh
         Enables the SSH server. The default is enabled.

Step 7   show ssh server
         (Optional) Displays the status of the SSH server.

Step 8   xml server max-session sessions
         Sets the number of allowed XML server sessions.
         The default is 8. The range is from 1 to 8.

Step 9   xml server timeout seconds
         Sets the number of seconds after which the XML server session is terminated.
         The default is 1200 seconds. The range is from 1 to 1200.

Step 10  show xml server status
         (Optional) Displays information about the XML server settings and active XML server
         sessions.

Step 11  copy running-config startup-config
         (Optional) Saves the running configuration to the startup configuration.

Table 1 Enabling XML and SSH support on NX-OS

The following example shows how to configure SSH and XML server options through the CLI on Nexus
7000 Series:
switch# configure terminal
switch(config)# xml server validate all
switch(config)# xml server terminate 8665
switch(config)# no feature ssh
switch(config)# feature ssh server
switch(config)# xml server max-session 2
switch(config)# xml server timeout 2400
switch(config)# copy running-config startup-config
show xml server status

2.2.3.1 Cisco recommendation

In case of a DoS (Denial of Service) attack on NETCONF, in which NETCONF receives numerous requests in a
short span of time, the router may become unresponsive if NETCONF consumes most of the bandwidth or
CPU processing time. This can be prevented by limiting the traffic directed at the NETCONF agent
(max-sessions).
You can start an SSHv2 session on a client PC with the ssh2 command similar to the following:
ssh2 username@ip-address -s xmlagent
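
The settings enabled in sections 2.2.1 to 2.2.3 can be checked mechanically against a saved configuration. The following is an added example, not code from Cisco or from this document's author: it flags the cleartext `password 0` user, the `public` read-write community without an access list, a NETCONF SSH agent with no access list, and NX-OS XML server limits left at the default or outside the range in Table 1. Rule names and the sample configurations are constructed for illustration.

```python
import re


def audit(config):
    """Return (rule, detail) findings for one device configuration text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for line in lines:
        # IOS-XE: 'password 0' keeps the password unencrypted in the configuration.
        m = re.match(r"username (\S+) .*\bpassword 0 ", line)
        if m:
            findings.append(("cleartext-password", m.group(1)))
        # IOS-XE: well-known community with write access and no access list after RW.
        if re.fullmatch(r"snmp-server community public RW", line, re.I):
            findings.append(("public-rw-community-no-acl", line))
        # NX-OS: Table 1 gives 1 to 1200 seconds as the XML server timeout range.
        m = re.fullmatch(r"xml server timeout (\d+)", line)
        if m and not 1 <= int(m.group(1)) <= 1200:
            findings.append(("xml-timeout-out-of-range", m.group(1)))
    # IOS-XR: NETCONF agent on SSH without the access list from Step 3.
    has_acl = any(re.match(r"ssh server netconf ipv4 access-lists? \S+", ln)
                  for ln in lines)
    if "netconf-yang agent ssh" in lines and not has_acl:
        findings.append(("netconf-ssh-no-acl", "netconf-yang agent ssh"))
    # NX-OS: XML server in use but the session count left at the default of 8.
    uses_xml = any(ln.startswith("xml server") for ln in lines)
    limited = any(re.fullmatch(r"xml server max-sessions? \d+", ln) for ln in lines)
    if uses_xml and not limited:
        findings.append(("xml-max-session-default", "8"))
    return findings


# Constructed sample configurations built from the commands shown in this document.
IOS_XE = """
netconf-yang
username netops privilege 15 password 0 ExamplePass1
aaa new-model
aaa authorization exec default local
snmp-server community public RW
"""
IOS_XR = """
ssh server v2
ssh server netconf port 830
ssh timeout 120
netconf-yang agent ssh
"""
IOS_XR_WITH_ACL = IOS_XR + "ssh server netconf ipv4 access-lists NETCONF-MGMT\n"
NXOS = """
feature ssh
xml server validate all
xml server timeout 2400
"""

if __name__ == "__main__":
    for name, cfg in [("IOS-XE", IOS_XE), ("IOS-XR", IOS_XR), ("NX-OS", NXOS)]:
        for rule, detail in audit(cfg):
            print(f"{name}: {rule}: {detail}")
```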

The Nexus 7000 Series also supports the XMLIN tool to convert CLI commands to the Network
Configuration (NETCONF) protocol format.

Feature: XMLIN. Release: 6.2(2). This feature was introduced.

switch# xmlin
******************************************
Loading the xmlin tool. Please be patient.
******************************************
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

Note that this is a get operation, which corresponds to show commands.

switch(xmlin)# show interface ethernet 2/1
<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
    xmlns="http://www.cisco.com/nxos:6.2.2.:if_manager" message-id="1">
  <nf:get>
    <nf:filter type="subtree">
      <show>
        <interface>
          <__XML__PARAM__ifeth>
            <__XML__value>Ethernet2/1</__XML__value>
          </__XML__PARAM__ifeth>
        </interface>
      </show>
    </nf:filter>
  </nf:get>
</nf:rpc>
]]>]]>
switch(xmlin)# exit
switch#

The following example shows how you can convert the output of the show interface brief command to
XML.
switch# show interface brief | xmlin
<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
    xmlns="http://www.cisco.com/nxos:6.2.2.:if_manager"
    message-id="1">
  <nf:get>
    <nf:filter type="subtree">
      <show>
        <interface>
          <brief/>
        </interface>
      </show>
    </nf:filter>
  </nf:get>
</nf:rpc>
]]>]]>

NETCONF Operation / Description / Example

close-session
    Description: Closes the current XML server session.
    Example: NETCONF Close Session Instance

commit
    Description: Sets the running configuration to current contents of candidate configuration.
    Example: NETCONF Commit Instance - Candidate Configuration Capability

confirmed-commit
    Description: Provides parameters to commit the configuration for a specified period of time.
    If this operation is not followed by commit operation within confirm-timeout period, the
    configuration will be reverted to the state prior to the confirmed-commit operation.
    Example: NETCONF Confirmed-commit Instance

copy-config
    Description: Copies the content of source configuration datastore to the target datastore.
    Example: NETCONF copy-config Instance

delete-config
    Description: Operation not supported.
    Example: —

edit-config
    Description: Configures features in the running configuration of the device. You use this
    operation for configuration commands.
    Starting Release 7.3(0)D1(1), support is added for actions - create, delete and merge;
    rollback-on-error, continue-on-error, stop-on-error.
    Example: NETCONF edit-config Instance; NETCONF rollback-on-error Instance

get
    Description: Receives configuration information from the device. You use this operation for
    show commands. The source of the data is the running configuration.
    Example: Creating NETCONF XML Instances

get-config
    Description: Retrieves all or part of a configuration
    Example: NETCONF get-config Instance

kill-session
    Description: Closes the specified XML server session. You cannot close your own session.
    See the close-session NETCONF operation.
    Example: NETCONF Kill-session Instance

lock
    Description: Allows the client to lock the configuration system of a device.
    Example: NETCONF Lock Instance

unlock
    Description: Releases the configuration lock issued by the session earlier.
    Example: NETCONF unlock Instance

validate
    Description: Checks a candidate configuration for syntactical and semantic errors before
    applying the configuration to the device.
    Example: NETCONF validate Capability Instance

Table 2 NETCONF Operations

2.2.3.2 NETCONF edit-config Instance example

The following example shows the use of NETCONF edit-config operation


<?xml version="1.0"?>
<nc:rpc message-id="16"
    xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
    xmlns="http://www.cisco.com/nxos:1.0:if_manager">
  <nc:edit-config>
    <nc:target>
      <nc:running/>
    </nc:target>
    <nc:config>
      <configure>
        <__XML__MODE__exec_configure>
          <interface>
            <ethernet>
              <interface>2/30</interface>
              <__XML__MODE_if-ethernet>
                <__XML__MODE_if-eth-base>
                  <description>
                    <desc_line>Marketing Network</desc_line>
                  </description>
                </__XML__MODE_if-eth-base>
              </__XML__MODE_if-ethernet>
            </ethernet>
          </interface>
        </__XML__MODE__exec_configure>
      </configure>
    </nc:config>
  </nc:edit-config>
</nc:rpc>]]>]]>
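
The RPC instances above and the operations in Table 2 can be told apart programmatically, which is useful when reviewing a recorded NETCONF session for configuration changes. The following is an added example, not code from Cisco or from this document's author: it splits a NETCONF 1.0 stream on the `]]>]]>` marker and reports each RPC's operation and target datastore. The read/write/session grouping and the sample capture are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message marker, as in the XMLIN output above

# Operation names are those of Table 2; the read/write/session grouping is an
# assumption made for this example.
KIND = {
    "get": "read", "get-config": "read",
    "edit-config": "write", "copy-config": "write", "delete-config": "write",
    "commit": "write", "confirmed-commit": "write",
    "lock": "session", "unlock": "session", "validate": "session",
    "close-session": "session", "kill-session": "session",
}

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def split_messages(stream):
    """Cut a captured NETCONF 1.0 stream into one XML document per message."""
    return [part.strip() for part in stream.split(EOM) if part.strip()]

def classify_rpc(xml_text):
    """Return message-id, operation, kind and target datastore of one <rpc>."""
    # RFC 6241 forbids document type declarations in NETCONF content, so refuse
    # them before the parser can see any entity definitions.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in a NETCONF message")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}rpc" % NC:
        raise ValueError("not a NETCONF <rpc>: " + local(root.tag))
    # The operation is the first child element in the NETCONF base namespace.
    op = next((c for c in root if c.tag.startswith("{%s}" % NC)), None)
    if op is None:
        return {"id": root.get("message-id"), "op": None, "kind": "unknown", "target": None}
    name = local(op.tag)
    # RFC 6241 encodes a confirmed commit as <commit><confirmed/></commit>.
    if name == "commit" and op.find("{%s}confirmed" % NC) is not None:
        name = "confirmed-commit"
    target = op.find("{%s}target" % NC)
    datastore = local(target[0].tag) if target is not None and len(target) else None
    return {"id": root.get("message-id"), "op": name,
            "kind": KIND.get(name, "unknown"), "target": datastore}

def writes_to_running(stream):
    """message-ids of the RPCs in a stream that change the running datastore."""
    found = (classify_rpc(m) for m in split_messages(stream))
    return [r["id"] for r in found if r["kind"] == "write" and r["target"] == "running"]

# Constructed capture: this document's get and edit-config RPCs with shortened
# payloads, followed by a made-up kill-session request.
CAPTURE = """<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
 xmlns="http://www.cisco.com/nxos:6.2.2.:if_manager" message-id="1">
 <nf:get><nf:filter type="subtree"><show><interface><brief/></interface></show>
 </nf:filter></nf:get>
</nf:rpc>
]]>]]>
<?xml version="1.0"?>
<nc:rpc message-id="16" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
 xmlns="http://www.cisco.com/nxos:1.0:if_manager">
 <nc:edit-config><nc:target><nc:running/></nc:target>
  <nc:config><configure><interface/></configure></nc:config>
 </nc:edit-config>
</nc:rpc>]]>]]>
<nc:rpc message-id="17" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
 <nc:kill-session><nc:session-id>8665</nc:session-id></nc:kill-session>
</nc:rpc>]]>]]>
"""

if __name__ == "__main__":
    for message in split_messages(CAPTURE):
        print(classify_rpc(message))
```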

2.3 Running Yang Development Kit (YDK)


Before running YDK on your local central management computer, you have to download the YDK sample
applications. The procedure to download the sample applications is outlined below:
1. sudo apt-get install git
2. git clone https://github.com/CiscoDevNet/ydk-py-samples.git

2.3.1 How to use YDK Sample Applications?


2.3.1.1 Basic YDK-Py Apps

These apps illustrate simple examples of using YDK-Py to program a network device. They do not
require significant model or programming experience. Apps are grouped in separate directories by service
(e.g. CRUD, Codec, Netconf, Executor). Within each service, each app uses a single model and they
reside in a specific directory corresponding to the Python module path they use. For instance, applications
using the OpenConfig BGP model need to import the ydk.models.openconfig Python module. You will
find all the OpenConfig BGP sample apps that use the CRUD service under the
crud/models/openconfig/openconfig-bgp directory. Similarly, you will find all the OpenConfig BGP
sample apps that use the Codec service under the codec/models/openconfig/openconfig-bgp directory.

2.3.1.2 Naming Convention

The application file names have the following general structure:

<prefix>-<model>-<index>-ydk.py

Where
<prefix> - provider and service operation
<model> - YANG model name (generally, abbreviated)
<index> - relative complexity level of the application. A higher number indicates higher complexity.

For instance, an application with file name nc-read-xr-ip-ntp-oper-10-ydk.py represents a
very basic app using NETCONF protocol to read NTP state based on the Cisco-IOS-XR-ip-ntp-oper
model. Apps may have one or more accompanying files with the same app base name, but different
extensions. These files capture the data (configuration or operational) that the app handles. Data may be
in CLI or XML format.

2.3.1.3 Boilerplate Apps for Model Specific Apps

Applications with an index of 10 are boilerplates that can be used to create custom apps. Most boilerplate
applications have a placeholder function to act on the top object. When a model specifies configuration
data, there will be four separate boilerplate apps for the CRUD service (create, read, update and delete)
and one for the Codec service (encode). If a model specifies only operational data, there will be a single
boilerplate app for the CRUD service (read) and a single boilerplate for the Codec service (encode). The
boilerplate apps can be executed, but have no effect on the networking device. The service operation is
commented out.

2.3.1.4 Running a Sample App

Unless specified by the app, all basic apps take two command line arguments. An optional argument (-v
| --verbose) to enable logging and a mandatory argument in URL format that describes the connection
details to the networking device (ssh://user:password@device:port):
$ ./nc-read-xr-ip-ntp-oper-10-ydk.py ssh://admin:admin@device-ip

2.3.1.4.1 Example of YDK Sample Application

Once you complete the download, from the folder you can:
1. Update the Python script hello-ydk.py with your details (IP address, username/password
   and possibly port protocol).
2. Then run the following command to check if YDK has been properly installed:
   python hello-ydk.py

2.3.2 Running multiple versions of YDK


It's recommended to set up a virtual environment in case you want to run multiple versions of YDK.

1. Setting up the environment
   a. pip install virtualenv virtualenvwrapper
   b. source /usr/local/bin/virtualenvwrapper.sh

2. At this point, create a new virtual environment
   a. export PATH=/usr/local/bin:$PATH
   b. mkvirtualenv -p python2.7 [virtual-environment]
