Date created: Thursday, May 12, 2016 9:42:25 AM. Last modified: Friday, January 13, 2017 12:18:51 PM
NETCONF on IOS-XR Setup
Basic IOS-XR config on ASR9000 for NETCONF, IOS-XRv 6.1.1:
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH
    allow SNMP
    allow NETCONF
   !
   interface MgmtEth0/RSP1/CPU0/0
    allow SSH
    allow SNMP
    allow NETCONF
   !
  !
 !
!
ssh server v2
ssh server netconf port 830
ssh server netconf vrf default
netconf agent tty
!
netconf-yang agent
 ssh
commit
exit
!
crypto key generate rsa
Send a basic XML RPC hello:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:writeable-running:1.0</capability>
<capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
<capability>urn:ietf:params:netconf:capability:url:1.0</capability>
<capability>urn:cisco:params:netconf:capability:pi-data-model:1.0</capability>
<capability>urn:cisco:params:netconf:capability:notification:1.0</capability>
</capabilities>
</hello>]]>]]>
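The hello above advertises both base:1.0 and base:1.1. If the server also offers base:1.1, every message after the hellos must use RFC 6242 chunked framing instead of the `]]>]]>` terminator. The code below is an added example, not part of the original notes; the hellos are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
CAP_10 = "urn:ietf:params:netconf:base:1.0"
CAP_11 = "urn:ietf:params:netconf:base:1.1"
EOM = "]]>]]>"


def make_hello(*caps):
    """Build an EOM-terminated <hello> (used for the constructed samples)."""
    body = "".join("<capability>%s</capability>" % c for c in caps)
    return '<hello xmlns="%s"><capabilities>%s</capabilities></hello>%s' % (BASE_NS, body, EOM)


# Constructed samples: a cut-down client hello and two possible server hellos.
CLIENT_HELLO = make_hello(CAP_10, CAP_11)
SERVER_HELLO_11 = make_hello(CAP_10, CAP_11)
SERVER_HELLO_10 = make_hello(CAP_10)


def capabilities(hello):
    """Capability URIs in one <hello>; hellos are always ]]>]]>-terminated."""
    text = hello.strip()
    if not text.endswith(EOM):
        raise ValueError("hello is not terminated by ]]>]]>")
    root = ET.fromstring(text[:-len(EOM)])
    return {c.text.strip() for c in root.iter("{%s}capability" % BASE_NS)}


def negotiate(client_hello, server_hello):
    """Pick the framing both peers must use after the hello exchange."""
    common = capabilities(client_hello) & capabilities(server_hello)
    if CAP_11 in common:
        return "chunked"
    if CAP_10 in common:
        return "eom"
    raise ValueError("peers share no base capability")


def frame(message, framing):
    """Encode one message for the wire under the negotiated framing."""
    data = message.encode("utf-8")
    if framing == "chunked":
        # RFC 6242 chunk: LF '#' <length> LF <data>, closed by LF '##' LF.
        return b"\n#%d\n" % len(data) + data + b"\n##\n"
    if EOM in message:
        # The delimiter inside a payload would end the message early.
        raise ValueError("payload contains ]]>]]>")
    return data + EOM.encode("ascii")
```

When pasting RPCs by hand over `ssh -s netconf`, advertising only base:1.0 in the client hello keeps the session on `]]>]]>` framing.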
A full IOS-XR 6.1.1 config template for NETCONF lab work:
!! IOS XR Configuration 6.1.1
!! Last configuration change at Sun Oct 2 11:08:32 2016 by cisco
!
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow all
   !
  !
 !
!
interface Loopback0
 ipv4 address 1.1.0.10 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
 ipv4 address 192.168.58.10 255.255.255.0
!
interface GigabitEthernet0/0/0/0
 description Link to iBGP domain
 ipv4 address 1.0.0.10 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 shutdown
!
interface GigabitEthernet0/0/0/2
 shutdown
!
community-set public_ipv4_prefixes
  65001:4
end-set
!
community-set public_ipv6_prefixes
  65001:6
end-set
!
community-set peering_ipv4_prefixes
  65001:44
end-set
!
community-set peering_ipv6_prefixes
  65001:66
end-set
!
route-policy public_v4_peering
  if community matches-any public_ipv4_prefixes then
    pass
  else
    drop
  endif
  # Permit prefix with public IPv4 community only
end-policy
!
route-policy public_v6_peering
  if community matches-any public_ipv6_prefixes then
    pass
  else
    drop
  endif
  # Permit prefix with public IPv6 community only
end-policy
!
route-policy public_v4_peering_ingress
  set community peering_ipv4_prefixes
  # Tag ingress public peering v4 prefixes
end-policy
!
route-policy public_v6_peering_ingress
  set community peering_ipv6_prefixes
  # Tag ingress public peering v6 prefixes
end-policy
!
router bgp 65001
 bgp router-id 10.1.0.10
 address-family ipv4 unicast
 !
 neighbor-group public_v4_peers
  address-family ipv4 unicast
   route-policy public_v4_peering_ingress in
   route-policy public_v4_peering out
  !
 !
 neighbor-group public_v6_peers
  address-family ipv6 unicast
   route-policy public_v6_peering_ingress in
   route-policy public_v6_peering out
  !
 !
!
xml agent
!
netconf agent tty
!
netconf-yang agent
 ssh
!
ssh server v2
ssh server vrf default
ssh server netconf vrf default
end
Basic NC client to pull the above config over XML RPC:
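#!/usr/bin/python
from ncclient import manager

# hostkey_verify=False skips SSH host key checking; acceptable only in this lab.
with manager.connect(host="192.168.58.10", port=830, username="cisco",
                     password="cisco", hostkey_verify=False) as nc_conn:
    # Fetch the running datastore and keep the raw XML text of the reply
    nc_config = nc_conn.get_config(source='running').data_xml
    print(nc_config)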
XML formatted running-config returned:
bensley@ubuntu-laptop:~/Python$ ./ncclient_example.py
<?xml version="1.0" encoding="UTF-8"?><data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<aaa xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-admin-cfg">
<usernames>
<username>
<name>bensley</name>
<usergroup-under-usernames>
<usergroup-under-username>
<name>root-system</name>
</usergroup-under-username>
</usergroup-under-usernames>
<secret>$1$F4FF$EetBVKZmK2njztvTTfvle/</secret>
</username>
</usernames>
</aaa>
<crypto xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-crypto-sam-cfg">
<ssh xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-crypto-ssh-cfg">
<server>
<v2/>
<vrf-table>
<vrf>
<vrf-name>default</vrf-name>
<enable/>
</vrf>
</vrf-table>
<netconf-vrf-table>
<vrf>
<vrf-name>default</vrf-name>
<enable/>
</vrf>
</netconf-vrf-table>
</server>
</ssh>
</crypto>
<interface-configurations xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
<interface-configuration>
<active>act</active>
<interface-name>Loopback0</interface-name>
<interface-virtual/>
<ipv4-network xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-io-cfg">
<addresses>
<primary>
<address>1.1.0.10</address>
<netmask>255.255.255.255</netmask>
</primary>
</addresses>
</ipv4-network>
</interface-configuration>
<interface-configuration>
<active>act</active>
<interface-name>MgmtEth0/0/CPU0/0</interface-name>
<ipv4-network xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-io-cfg">
<addresses>
<primary>
<address>192.168.58.10</address>
<netmask>255.255.255.0</netmask>
</primary>
</addresses>
</ipv4-network>
</interface-configuration>
<interface-configuration>
<active>act</active>
<interface-name>GigabitEthernet0/0/0/0</interface-name>
<description>Link to iBGP domain</description>
<ipv4-network xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-io-cfg">
<addresses>
<primary>
<address>1.0.0.10</address>
<netmask>255.255.255.0</netmask>
</primary>
</addresses>
</ipv4-network>
</interface-configuration>
<interface-configuration>
<active>act</active>
<interface-name>GigabitEthernet0/0/0/1</interface-name>
<shutdown/>
</interface-configuration>
<interface-configuration>
<active>act</active>
<interface-name>GigabitEthernet0/0/0/2</interface-name>
<shutdown/>
</interface-configuration>
</interface-configurations>
<bgp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-bgp-cfg">
<instance>
<instance-name>default</instance-name>
<instance-as>
<as>0</as>
<four-byte-as>
<as>65001</as>
<bgp-running/>
<default-vrf>
<global>
<router-id>10.1.0.10</router-id>
<global-afs>
<global-af>
<af-name>ipv4-unicast</af-name>
<enable/>
</global-af>
</global-afs>
</global>
<bgp-entity>
<neighbor-groups>
<neighbor-group>
<neighbor-group-name>public_v4_peers</neighbor-group-name>
<create/>
<neighbor-group-afs>
<neighbor-group-af>
<af-name>ipv4-unicast</af-name>
<activate/>
<route-policy-in>public_v4_peering_ingress</route-policy-in>
<route-policy-out>public_v4_peering</route-policy-out>
</neighbor-group-af>
</neighbor-group-afs>
</neighbor-group>
<neighbor-group>
<neighbor-group-name>public_v6_peers</neighbor-group-name>
<create/>
<neighbor-group-afs>
<neighbor-group-af>
<af-name>ipv6-unicast</af-name>
<activate/>
<route-policy-in>public_v6_peering_ingress</route-policy-in>
<route-policy-out>public_v6_peering</route-policy-out>
</neighbor-group-af>
</neighbor-group-afs>
</neighbor-group>
</neighbor-groups>
</bgp-entity>
</default-vrf>
</four-byte-as>
</instance-as>
</instance>
</bgp>
<bgp xmlns="http://openconfig.net/yang/bgp">
<global>
<config>
<as>65001</as>
<router-id>10.1.0.10</router-id>
</config>
<afi-safis>
<afi-safi>
<afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
<config>
<afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
<enabled>true</enabled>
</config>
</afi-safi>
</afi-safis>
</global>
<peer-groups>
<peer-group>
<peer-group-name>public_v4_peers</peer-group-name>
<config>
<peer-group-name>public_v4_peers</peer-group-name>
</config>
<afi-safis>
<afi-safi>
<afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
<config>
<afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
<enabled>true</enabled>
</config>
<apply-policy>
<config>
<import-policy>public_v4_peering_ingress</import-policy>
<export-policy>public_v4_peering</export-policy>
</config>
</apply-policy>
</afi-safi>
</afi-safis>
</peer-group>
<peer-group>
<peer-group-name>public_v6_peers</peer-group-name>
<config>
<peer-group-name>public_v6_peers</peer-group-name>
</config>
<afi-safis>
<afi-safi>
<afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv6-unicast</afi-safi-name>
<config>
<afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv6-unicast</afi-safi-name>
<enabled>true</enabled>
</config>
<apply-policy>
<config>
<import-policy>public_v6_peering_ingress</import-policy>
<export-policy>public_v6_peering</export-policy>
</config>
</apply-policy>
</afi-safi>
</afi-safis>
</peer-group>
</peer-groups>
</bgp>
<control-plane xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-lib-mpp-cfg">
<management-plane-protection>
<inband>
<interface-selection>
<interfaces>
<interface>
<interface-name>GigabitEthernet0/0/0/0</interface-name>
<all-protocols>
<peer-class>
<peer-all/>
</peer-class>
</all-protocols>
</interface>
</interfaces>
</interface-selection>
</inband>
</management-plane-protection>
</control-plane>
<netconf-yang xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-netconf-cfg">
<agent>
<ssh>
<enable/>
</ssh>
</agent>
</netconf-yang>
<xr-xml xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-xml-ttyagent-cfg">
<agent>
<default>
<enable/>
</default>
</agent>
</xr-xml>
<netconf xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-xml-ttyagent-cfg">
<agent>
<tty>
<enable/>
</tty>
</agent>
</netconf>
<routing-policy xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-policy-repository-cfg">
<sets>
<community-sets>
<community-set>
<set-name>public_ipv4_prefixes</set-name>
<rpl-community-set>community-set public_ipv4_prefixes
65001:4
end-set
</rpl-community-set>
</community-set>
<community-set>
<set-name>public_ipv6_prefixes</set-name>
<rpl-community-set>community-set public_ipv6_prefixes
65001:6
end-set
</rpl-community-set>
</community-set>
<community-set>
<set-name>peering_ipv4_prefixes</set-name>
<rpl-community-set>community-set peering_ipv4_prefixes
65001:44
end-set
</rpl-community-set>
</community-set>
<community-set>
<set-name>peering_ipv6_prefixes</set-name>
<rpl-community-set>community-set peering_ipv6_prefixes
65001:66
end-set
</rpl-community-set>
</community-set>
</community-sets>
</sets>
<route-policies>
<route-policy>
<route-policy-name>public_v4_peering</route-policy-name>
<rpl-route-policy>route-policy public_v4_peering
if community matches-any public_ipv4_prefixes then
pass
else
drop
endif
# Permit prefix with public IPv4 community only
end-policy
</rpl-route-policy>
</route-policy>
<route-policy>
<route-policy-name>public_v6_peering</route-policy-name>
<rpl-route-policy>route-policy public_v6_peering
if community matches-any public_ipv6_prefixes then
pass
else
drop
endif
# Permit prefix with public IPv6 community only
end-policy
</rpl-route-policy>
</route-policy>
<route-policy>
<route-policy-name>public_v4_peering_ingress</route-policy-name>
<rpl-route-policy>route-policy public_v4_peering_ingress
set community peering_ipv4_prefixes
# Tag ingress public peering v4 prefixes
end-policy
</rpl-route-policy>
</route-policy>
<route-policy>
<route-policy-name>public_v6_peering_ingress</route-policy-name>
<rpl-route-policy>route-policy public_v6_peering_ingress
set community peering_ipv6_prefixes
# Tag ingress public peering v6 prefixes
end-policy
</rpl-route-policy>
</route-policy>
</route-policies>
</routing-policy>
<interfaces xmlns="http://openconfig.net/yang/interfaces">
<interface>
<name>Loopback0</name>
<config>
<name>Loopback0</name>
<type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:softwareLoopback</type>
<enabled>true</enabled>
</config>
<subinterfaces>
<subinterface>
<index>0</index>
<ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
<address>
<ip>1.1.0.10</ip>
<config>
<ip>1.1.0.10</ip>
<prefix-length>32</prefix-length>
</config>
</address>
</ipv4>
</subinterface>
</subinterfaces>
</interface>
<interface>
<name>MgmtEth0/0/CPU0/0</name>
<config>
<name>MgmtEth0/0/CPU0/0</name>
<type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
<enabled>true</enabled>
</config>
<ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
<config>
<auto-negotiate>false</auto-negotiate>
</config>
</ethernet>
<subinterfaces>
<subinterface>
<index>0</index>
<ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
<address>
<ip>192.168.58.10</ip>
<config>
<ip>192.168.58.10</ip>
<prefix-length>24</prefix-length>
</config>
</address>
</ipv4>
</subinterface>
</subinterfaces>
</interface>
<interface>
<name>GigabitEthernet0/0/0/0</name>
<config>
<name>GigabitEthernet0/0/0/0</name>
<type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
<enabled>true</enabled>
<description>Link to iBGP domain</description>
</config>
<ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
<config>
<auto-negotiate>false</auto-negotiate>
</config>
</ethernet>
<subinterfaces>
<subinterface>
<index>0</index>
<ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
<address>
<ip>1.0.0.10</ip>
<config>
<ip>1.0.0.10</ip>
<prefix-length>24</prefix-length>
</config>
</address>
</ipv4>
</subinterface>
</subinterfaces>
</interface>
<interface>
<name>GigabitEthernet0/0/0/1</name>
<config>
<name>GigabitEthernet0/0/0/1</name>
<type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
<enabled>false</enabled>
</config>
<ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
<config>
<auto-negotiate>false</auto-negotiate>
</config>
</ethernet>
</interface>
<interface>
<name>GigabitEthernet0/0/0/2</name>
<config>
<name>GigabitEthernet0/0/0/2</name>
<type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
<enabled>false</enabled>
</config>
<ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
<config>
<auto-negotiate>false</auto-negotiate>
</config>
</ethernet>
</interface>
</interfaces>
<routing-policy xmlns="http://openconfig.net/yang/routing-policy">
<defined-sets>
<bgp-defined-sets xmlns="http://openconfig.net/yang/bgp-policy">
<community-sets>
<community-set>
<community-set-name>public_ipv4_prefixes</community-set-name>
<community-member>65001:4</community-member>
</community-set>
<community-set>
<community-set-name>public_ipv6_prefixes</community-set-name>
<community-member>65001:6</community-member>
</community-set>
<community-set>
<community-set-name>peering_ipv4_prefixes</community-set-name>
<community-member>65001:44</community-member>
</community-set>
<community-set>
<community-set-name>peering_ipv6_prefixes</community-set-name>
<community-member>65001:66</community-member>
</community-set>
</community-sets>
</bgp-defined-sets>
</defined-sets>
<policy-definitions>
<policy-definition>
<name>public_v4_peering</name>
</policy-definition>
<policy-definition>
<name>public_v6_peering</name>
</policy-definition>
<policy-definition>
<name>public_v4_peering_ingress</name>
</policy-definition>
<policy-definition>
<name>public_v6_peering_ingress</name>
</policy-definition>
</policy-definitions>
</routing-policy>
</data>
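A reply like this one carries security-relevant state (password hashes, management-plane exposure, extra agents), so it is worth checking mechanically. The audit below is an added example, not part of the original notes; the check names are hypothetical, the sample is constructed from subtrees of the reply above, and its user name and secret are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces copied from the reply shown above.
NS = {
    "aaa": "http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-admin-cfg",
    "mpp": "http://cisco.com/ns/yang/Cisco-IOS-XR-lib-mpp-cfg",
    "tty": "http://cisco.com/ns/yang/Cisco-IOS-XR-man-xml-ttyagent-cfg",
}

# Constructed sample: three subtrees trimmed from the reply; placeholder secret.
SAMPLE = """<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<aaa xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-admin-cfg"><usernames>
 <username><name>labuser</name><secret>$1$SALT$PLACEHOLDERHASH</secret></username>
</usernames></aaa>
<control-plane xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-lib-mpp-cfg">
 <management-plane-protection><inband><interface-selection><interfaces><interface>
  <interface-name>GigabitEthernet0/0/0/0</interface-name>
  <all-protocols><peer-class><peer-all/></peer-class></all-protocols>
 </interface></interfaces></interface-selection></inband></management-plane-protection>
</control-plane>
<xr-xml xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-xml-ttyagent-cfg">
 <agent><default><enable/></default></agent>
</xr-xml>
</data>"""


def audit(data_xml):
    """Return (check, detail) findings for a NETCONF <data> reply."""
    root = ET.fromstring(data_xml)
    findings = []
    # "allow all" on an inband interface: every management protocol, every peer.
    for inband in root.iterfind(".//mpp:inband", NS):
        for intf in inband.iterfind(".//mpp:interface", NS):
            if intf.find("mpp:all-protocols/mpp:peer-class/mpp:peer-all", NS) is not None:
                findings.append(("mpp-allow-all", intf.findtext("mpp:interface-name", namespaces=NS)))
    # The older XML agent left enabled next to NETCONF widens the management surface.
    if root.find("tty:xr-xml/tty:agent/tty:default/tty:enable", NS) is not None:
        findings.append(("legacy-xml-agent", "xr-xml default agent"))
    # Password hashes travel in the reply; a "$1$" prefix marks MD5-crypt.
    for user in root.iterfind(".//aaa:username", NS):
        secret = user.findtext("aaa:secret", default="", namespaces=NS)
        if secret.startswith("$1$"):
            findings.append(("md5-crypt-secret", user.findtext("aaa:name", namespaces=NS)))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(check, detail)
```

Passing the `data_xml` string from the ncclient script above to `audit()` runs the same checks against a live reply.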