Configuring and Verifying NETCONF and RESTCONF on Cisco IOS XE for CCNP 350-401 ENCOR
1. Introduction to Model-Driven Programmability in ENCOR
For CCNP 350-401 ENCOR, NETCONF and RESTCONF aren’t just bonus topics tucked in the corner. They’re Cisco’s way of saying, “Please stop scraping CLI like it’s 2008.” Instead of wrestling human-readable output into submission, you work with structured data. SNMP doesn’t vanish. CLI doesn’t turn to dust. But modern automation keeps drifting toward cleaner schemas, explicit APIs, and responses that don’t require guesswork.
The exam wants you to keep three ideas separate, no blending, no fuzzy edges: YANG is the model, NETCONF and RESTCONF are the protocols, and XML/JSON are encodings. You also need to know how these services are turned on, how to prove they’re actually alive, and how to tell whether something broke because of transport, login, authorization, media type, a mangled path, or a model that simply doesn’t do what you hoped.
2. YANG, Standards, and Core Architecture
YANG is the data modeling language behind both NETCONF and RESTCONF. It describes how configuration and operational data are shaped. NETCONF and RESTCONF then give you standardized ways to reach in and work with that data.
Useful YANG terms for ENCOR:
- module: the YANG file defining a schema
- namespace: unique identifier used in XML and model references
- revision: model version
- container: grouping of related nodes
- list: repeated keyed entries
- leaf: single value
- leaf-list: repeated scalar values
- choice: mutually exclusive branches
- augment: adds data to an existing model
- rpc/action: executable operation
- notification: event data, supported through specific capabilities or subscriptions
The big practical split is configuration data versus operational state. Some YANG nodes are writable; some are read-only; some sit in that awkward “depends what you’re asking for” zone. That changes the operation you use and the answer you should expect. Hostname? Configuration. Interface status? That’s state. Different beast.
On IOS XE, you may run into both Cisco native models and OpenConfig/IETF models. Native models tend to show Cisco features sooner, and often in fuller detail. Standards-based models are nicer for portability, but support varies. Always does. Release, feature set, platform... the usual suspects.
3. NETCONF and RESTCONF at a Glance
| Category | NETCONF | RESTCONF |
|---|---|---|
| Transport | SSH | HTTPS |
| Default port | TCP 830 | TCP 443 |
| Encoding | XML | JSON or XML |
| Model | YANG | YANG |
| Access style | RPC/session based | URI/resource based |
| Common reads | <get>, <get-config> | GET |
| Common writes | <edit-config> | POST, PUT, PATCH, DELETE |
Memory hook: NETCONF = SSH + TCP 830 + XML + RPCs. RESTCONF = HTTPS + TCP 443 + JSON/XML + URIs. And YANG is the blueprint, not the pipe.
4. NETCONF Fundamentals and IOS XE Caveats
NETCONF opens an SSH session, usually on TCP 830, and then talks through the SSH netconf subsystem. Client and server trade <hello> messages and advertise capabilities like base version, candidate support, validate support, or XPath filtering. A little handshake, a little boasting.
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <capabilities> <capability>urn:ietf:params:netconf:base:1.0</capability> <capability>urn:ietf:params:netconf:base:1.1</capability> <capability>urn:ietf:params:netconf:capability:validate:1.1</capability> </capabilities> </hello>
Common NETCONF operations include get, get-config, edit-config, copy-config, delete-config, lock, unlock, validate, close-session, and kill-session. Optional operations such as commit or discard-changes are capability-dependent. Sometimes they’re there, sometimes they’re not. Welcome to networking.
Datastore details matter. NETCONF conceptually includes running, candidate, and startup, but on IOS XE the running datastore is the main one in many everyday workflows. Don’t just assume candidate or commit are available. Check the capabilities first. That’s not just good practice; it’s an exam booby trap with a smile on its face.
Also keep the read split straight:
- <get-config>: configuration datastore retrieval
- <get>: operational data and, depending on request or model, configuration plus state
5. RESTCONF Fundamentals, Resource Paths, and Discovery
RESTCONF exposes YANG-modeled data over HTTPS. The main entry points are:
- /restconf/data for datastore resources
- /restconf/operations for RPCs and actions
Media types are one of those tiny details that love to ruin your afternoon. For JSON use application/yang-data+json. For XML use application/yang-data+xml. Accept tells the server what you want back. Content-Type tells it what you’re sending. Easy in theory. In practice... well, you know.
HTTP method semantics:
- GET: read resource
- POST: create under a parent resource or invoke an operation
- PUT: replace target resource
- PATCH: partial modification
- DELETE: remove target resource
RESTCONF paths have to line up exactly with the implemented YANG model. For keyed lists, the URI carries the key value. Example using an IETF-style interface entry:
/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1
And yes, that sort of path is a classic face-plant zone. Wrong prefix, wrong key, wrong hierarchy... hello, 404 Not Found.
6. Configuring NETCONF and RESTCONF on IOS XE
Minimal NETCONF lab setup:
hostname R1 ip domain-name example.local username apiuser privilege 15 secret <PASSWORD> crypto key generate rsa modulus 2048 ip ssh version 2 line vty 0 4 login local transport input ssh netconf-yang
Minimal RESTCONF lab setup:
hostname R1 ip domain-name example.local username apiuser privilege 15 secret <PASSWORD> ip http secure-server restconf
One thing to keep straight: SSH settings matter for NETCONF, not for RESTCONF. RESTCONF rides on HTTPS and TLS. In labs, that often means a self-signed cert or a default trustpoint. In production, that’s not the whole story. You want actual certificate management and hostname validation, not “eh, close enough.”
Production-minded hardening should also include AAA integration, RBAC or privilege review, a dedicated management interface or VRF where possible, and ACLs restricting TCP 830 and TCP 443 to automation hosts.
ip access-list standard MGMT-API-HOSTS permit 10.10.10.50 permit 10.10.10.51 line vty 0 4 access-class MGMT-API-HOSTS in
7. Verification Workflow That Actually Proves Service Health
Don’t stop at “it’s enabled.” That’s how people convince themselves things work right up until they don’t. Use a layered workflow:
- Reachability: can the automation host reach the management IP?
- Port test: TCP 830 for NETCONF, TCP 443 for RESTCONF
- Service config: confirm
netconf-yang,restconf, and HTTPS settings - Authentication/AAA: verify the account can log in and is authorized
- Discovery: confirm capabilities or available resources and models
- Read test: perform a valid GET or RPC read
- Write test: make a controlled change and confirm resulting state
Useful device-side checks include:
show running-config | section netconf|restconf|ip http|ssh show ip http server status show netconf-yang sessions
Command availability changes from one IOS XE release to another, so treat outputs as platform-specific. And show ssh can help with SSH details, sure — but by itself it doesn’t prove NETCONF is actually listening on TCP 830. That’s a separate creature.
For RESTCONF, root discovery is a strong first test. A basic HTTPS request to the RESTCONF data root should return the available top-level resources in the format you asked for.
For model discovery, query the YANG library resource supported by the release instead of making up paths and hoping the device is in a forgiving mood.
8. Practical Read and Write Examples
NETCONF read of running configuration:
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <get-config> <source><running/></source> </get-config> </rpc>
NETCONF write of hostname:
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><running/></target> <config> <native xmlns="urn:cisco:params:xml:ns:yang:Cisco-IOS-XE-native"> <hostname>R2</hostname> </native> </config> </edit-config> </rpc> <rpc-reply message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <ok/> </rpc-reply>
RESTCONF read of hostname:
A typical RESTCONF hostname read targets the native model hostname resource and asks for JSON using the proper YANG media type.
GET /restconf/data/Cisco-IOS-XE-native:native/hostname Accept: application/yang-data+json Authorization: Basic credentials-for-apiuser
RESTCONF partial update using a model-specific path. Exact support and payload shape depend on the implemented model and release, so check the discovered schema first. Don’t freestyle it.
PATCH /restconf/data/Cisco-IOS-XE-native:native Content-Type: application/yang-data+json Accept: application/yang-data+json {"Cisco-IOS-XE-native:hostname":"R2"}
That example is just that — an example. The safe rule is boring but solid: match the resource and payload exactly to the supported YANG model.
Operational state example should use an operational model rather than a config-oriented native example. Conceptually:
/restconf/data/ietf-interfaces:interfaces-state/interface=GigabitEthernet1
Whether that exact path exists depends on release and model support, which is why discovery matters instead of guesswork.
9. Error Handling and Diagnostics
A transport session that succeeds doesn’t mean the operation itself will. Read the error body. That’s where the real story lives.
NETCONF rpc-error example:
<rpc-reply message-id="103" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <rpc-error> <error-type>application</error-type> <error-tag>unknown-element</error-tag> <error-severity>error</error-severity> <error-path>/native/hostnme</error-path> <error-message>unknown element: hostnme</error-message> </rpc-error> </rpc-reply>
RESTCONF JSON error example:
{ "errors": { "error": [ { "error-type": "protocol", "error-tag": "invalid-value", "error-message": "malformed resource path" } ] } }
| Symptom | Likely cause | Fix |
|---|---|---|
| NETCONF cannot connect | TCP 830 blocked, SSH or AAA issue, service not enabled | Check reachability, ACLs, netconf-yang, and authentication policy |
| RESTCONF 401 | Bad credentials | Correct authentication |
| RESTCONF 403 | User authenticated but not authorized | Review AAA or RBAC mapping |
| RESTCONF 404 | Wrong URI, namespace, or key | Validate model path through discovery |
| RESTCONF 405 | Wrong HTTP method | Use GET, POST, PUT, PATCH, or DELETE correctly |
| RESTCONF 415 | Wrong media type | Use correct Accept and Content-Type |
10. Tooling and Automation Examples
For labs and real automation, common choices are ncclient for NETCONF and Python requests for RESTCONF.
from ncclient import manager with manager.connect(host="10.10.10.1", port=830, username="apiuser", password="password", hostkey_verify=False) as m: print(m.get_config("running").xml) import requests api_path = "/restconf/data/Cisco-IOS-XE-native:native/hostname" headers = {"Accept": "application/yang-data+json"} r = requests.get("device-api-endpoint" + api_path, headers=headers, auth=("apiuser", "password"), verify=False) print(r.status_code, r.text)
Ansible can work through NETCONF-capable or HTTPAPI-based workflows depending on module support. The exam is more likely to test recognition than playbook syntax, but the design instinct stays the same: discover supported models first, then build idempotent reads and writes against those models.
11. Security and Production Deployment Considerations
Secure management APIs the same way you secure CLI access:
- Use AAA, not just a hardcoded local admin account
- Apply least privilege and verify authorization behavior
- Restrict access with ACLs and preferably a management VRF or out-of-band path
- Use trusted certificates for HTTPS in production
- Do not leave unnecessary HTTP services enabled
- Log and audit API access
- Avoid embedding secrets directly in scripts
A common production headache is TLS validation failure caused by a self-signed certificate or hostname mismatch. That’s why disabling certificate checks can be fine in a lab, but not as a standing practice. Convenience is a slippery little thing.
12. Exam Traps, Recognition Cues, and Final Review
Common exam traps:
- YANG is not a transport protocol
- RESTCONF does not use SSH
- NETCONF does not use HTTP verbs
- NETCONF commonly uses TCP 830, not generic HTTPS port 443
- RESTCONF commonly uses TCP 443, not NETCONF port 830
commitis not universally relevant unless candidate support exists- Configuration data and operational state are not the same thing
Quick recognition cues:
- SSH + XML + <rpc> means NETCONF
- HTTPS + JSON + /restconf/data means RESTCONF
- 200/201/204/401/403/404/415 suggests RESTCONF troubleshooting
- <hello> capability exchange suggests NETCONF session setup
- Module prefix in path suggests YANG-modeled RESTCONF resource addressing
ENCOR quick facts:
- NETCONF: SSH, TCP 830, XML, RPC, capability exchange
- RESTCONF: HTTPS, TCP 443, JSON/XML, URIs, HTTP methods
- YANG: schema or model used by both
- Enable NETCONF:
netconf-yang - Enable RESTCONF:
ip http secure-serverandrestconf
If you want the right mental flow for this ENCOR topic, use this sequence: discover the model, confirm the transport and port, verify authentication and authorization, test a read, test a write, then confirm resulting state. That’s how you answer exam questions correctly. Also how you avoid embarrassing assumptions in production.