NETCONF (Network Configuration Protocol) is a modern protocol developed to address the limitations of older network management protocols like SNMP, especially for configuration management. It provides a robust, scalable, and secure method for managing network devices, supporting both configuration and operational data retrieval. NETCONF is widely used in modern networking environments, where automation, programmability, and fine-grained control are essential. Lets explore the NETCONF protocol, its architecture, advantages, use cases, security, and when to use it.
What Is NETCONF?
NETCONF (defined in RFC 6241) is a network management protocol that allows network administrators to install, manipulate, and delete the configuration of network devices. Unlike SNMP, which is predominantly used for monitoring, NETCONF focuses on configuration management and supports advanced features like transactional changes and candidate configuration models.
Key Features:
- Transaction-based Configuration: NETCONF allows administrators to make changes to network device configurations in a transactional manner, ensuring either full success or rollback in case of failure.
- Data Model Driven: NETCONF uses YANG (Yet Another Next Generation) as a data modeling language to define configuration and state data for network devices.
- Extensible and Secure: NETCONF is transport-independent and typically uses SSH (over port 830) to provide secure communication.
- Structured Data: NETCONF exchanges data in a structured XML format, ensuring clear, programmable access to network configurations and state information.
How NETCONF Works
NETCONF operates in a client-server architecture where the NETCONF client (usually a network management tool or controller) interacts with the NETCONF server (a network device) over a secure transport layer (commonly SSH). NETCONF performs operations like configuration retrieval, validation, modification, and state monitoring using a well-defined set of Remote Procedure Calls (RPCs).
NETCONF Workflow:
- Establish Session: The NETCONF client establishes a secure session with the device (NETCONF server), usually over SSH.
- Retrieve/Change Configuration: The client sends a <get-config> or <edit-config> RPC to retrieve or modify the device’s configuration.
- Transaction and Validation: NETCONF allows the use of a candidate configuration, where changes are made to a candidate datastore before committing to the running configuration, ensuring the changes are validated before they take effect.
- Apply Changes: Once validated, changes can be committed to the running configuration. If errors occur during the process, the transaction can be rolled back to a stable state.
- Close Session: After configuration changes are made or operational data is retrieved, the session can be closed securely.
NETCONF Operations
NETCONF supports a range of operations, defined as RPCs (Remote Procedure Calls), including:
- <get>: Retrieve device state information.
- <get-config>: Retrieve configuration data from a specific datastore (e.g., running, startup).
- <edit-config>: Modify the configuration data of a device.
- <copy-config>: Copy configuration data from one datastore to another.
- <delete-config>: Remove configuration data from a datastore.
- <commit>: Apply changes made in the candidate configuration to the running configuration.
- <lock> / <unlock>: Lock or unlock a configuration datastore to prevent conflicting changes.
These RPC operations allow network administrators to efficiently retrieve, modify, validate, and deploy configuration changes.
NETCONF Datastores
NETCONF supports different datastores for storing device configurations. The most common datastores are:
- Running Configuration: The current active configuration of the device.
- Startup Configuration: The configuration that is loaded when the device boots.
- Candidate Configuration: A working configuration area where changes can be tested before committing them to the running configuration.
The candidate configuration model provides a critical advantage over SNMP by enabling validation and rollback mechanisms before applying changes to the running state.
NETCONF and YANG
One of the key advantages of NETCONF is its tight integration with YANG, a data modeling language that defines the data structures used by network devices. YANG models provide a standardized way to represent device configurations and state information, ensuring interoperability between different devices and vendors.
YANG is essential for defining the structure of data that NETCONF manages, and it supports hierarchical data models that allow for more sophisticated and programmable interactions with network devices.
Security in NETCONF
NETCONF is typically transported over SSH (port 830), providing strong encryption and authentication for secure network device management. This is a significant improvement over SNMPv1 and SNMPv2c, which lack encryption and rely on clear-text community strings.
In addition to SSH, NETCONF can also be used with TLS (Transport Layer Security) or other secure transport layers, making it adaptable to high-security environments.
Advantages of NETCONF
NETCONF offers several advantages over legacy protocols like SNMP, particularly in the context of configuration management and network automation:
- Transaction-Based Configuration: NETCONF ensures that changes are applied in a transactional manner, reducing the risk of partial or incorrect configuration updates.
- YANG Model Integration: The use of YANG data models ensures structured, vendor-neutral device configuration, making automation easier and more reliable.
- Security: NETCONF uses secure transport protocols (SSH, TLS), protecting network management traffic from unauthorized access.
- Efficient Management: With support for retrieving and manipulating large configuration datasets in a structured format, NETCONF is highly efficient for managing modern, large-scale networks.
- Programmability: The structured XML or JSON data format and support for standardized YANG models make NETCONF highly programmable, ideal for software-defined networking (SDN) and network automation.
Disadvantages of NETCONF
Despite its many advantages, NETCONF does have some limitations:
- Complexity: NETCONF is more complex than SNMP, requiring an understanding of XML data structures and YANG models.
- Heavy Resource Usage: XML data exchanges are more verbose than SNMP’s simple GET/SET operations, potentially using more network and processing resources.
- Limited in Legacy Devices: Not all legacy devices support NETCONF, meaning a mix of protocols may need to be managed in hybrid environments.
When to Use NETCONF
NETCONF is best suited for large, modern networks where programmability, automation, and transactional configuration changes are required. Key use cases include:
- Network Automation: NETCONF is a foundational protocol for automating network configuration changes in software-defined networking (SDN) environments.
- Data Center Networks: Highly scalable and automated networks benefit from NETCONF’s structured configuration management.
- Cloud and Service Provider Networks: NETCONF is well-suited for multi-vendor environments where standardization and automation are necessary.
NETCONF vs. SNMP: A Quick Comparison
NETCONF Implementation Steps
Here is a general step-by-step process to implement NETCONF in a network:
Step 1: Enable NETCONF on Devices
Ensure that your network devices (routers, switches) support NETCONF and have it enabled. For example, on Cisco devices, this can be done with:
netconf sshStep 2: Install a NETCONF Client
To interact with devices, install a NETCONF client (e.g., ncclient in Python or Ansible modules that support NETCONF).
Step 3: Define the YANG Models
Identify the YANG models that are relevant to your device configurations. These models define the data structures NETCONF will manipulate.
Step 4: Retrieve or Edit Configuration
Use the <get-config> or <edit-config> RPCs to retrieve or modify device configurations. An example RPC call using Python’s ncclient might look like this:
from ncclient import manager
with manager.connect(host="192.168.1.1", port=830, username="admin", password="admin", hostkey_verify=False) as m:
config = m.get_config(source='running')
print(config)Step 5: Validate and Commit Changes
Before applying changes, validate the configuration using <validate>, then commit it using <commit>.
Summary
NETCONF is a powerful, secure, and highly structured protocol for managing and automating network device configurations. Its tight integration with YANG data models and support for transactional configuration changes make it an essential tool for modern networks, particularly in environments where programmability and automation are critical. While more complex than SNMP, NETCONF provides the advanced capabilities necessary to manage large, scalable, and secure networks effectively.
