Date created: Thursday, May 12, 2016 9:42:25 AM. Last modified: Friday, January 13, 2017 12:18:51 PM

NETCONF on IOS-XR Setup

Basic IOS-XR config on ASR9000 for NETCONF, IOS-XRv 6.1.1:

!! Management-plane protection: list the protocols accepted on each
!! out-of-band management interface (one stanza per RSP management port).
!! NOTE(review): SNMP is permitted here as well, although nothing else in this
!! snippet configures SNMP - confirm it is needed before copying this.
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH
    allow SNMP
    allow NETCONF
   !
   interface MgmtEth0/RSP1/CPU0/0
    allow SSH
    allow SNMP
    allow NETCONF
   !
  !
 !
!
!! SSH version 2 only; the NETCONF SSH service listens on TCP port 830 in the
!! default VRF.
ssh server v2
ssh server netconf port 830
ssh server netconf vrf default
!! NOTE(review): "netconf agent tty" looks like the older TTY-based agent and is
!! enabled in addition to the SSH agent below - confirm both are wanted.
netconf agent tty
!
netconf-yang agent ssh
commit
exit
!
!! Entered after the "exit" above, i.e. outside configuration mode.
!! NOTE(review): presumably this creates the RSA host key the SSH server
!! presents to clients; record its fingerprint so clients can verify it - confirm.
crypto key generate rsa

Send a basic XML RPC hello:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Client hello: sent once at the start of the session to advertise the capabilities this client supports. -->
<!-- The characters that follow the closing hello tag on the last line are the NETCONF 1.0 end-of-message delimiter; they are session framing, not part of the XML document. -->
<!-- NOTE(review): advertising base:1.1 means that a peer which also supports 1.1 will expect chunked framing for every message after the hello, not the delimiter used here. Confirm which framing the later RPCs use. -->
<!-- NOTE(review): the standard capability URI is spelled "writable-running"; the "writeable-running" entry below is probably not recognised as that capability. Confirm against the device's own hello. -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:writeable-running:1.0</capability>
<capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
<capability>urn:ietf:params:netconf:capability:url:1.0</capability>
<capability>urn:cisco:params:netconf:capability:pi-data-model:1.0</capability>
<capability>urn:cisco:params:netconf:capability:notification:1.0</capability>
</capabilities>
</hello>]]>]]>

A full IOS-XR 6.1.1 config template for NETCONF lab work:

!! IOS XR Configuration 6.1.1
!! Last configuration change at Sun Oct  2 11:08:32 2016 by cisco
!
!! Lab template: in-band management-plane protection on the data interface.
!! NOTE(review): "allow all" admits every management protocol in-band on
!! GigabitEthernet0/0/0/0, which is described below as the link to the iBGP
!! domain. Fine for a lab; elsewhere list only the protocols (and peers) needed.
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow all
   !
  !
 !
!
interface Loopback0
 ipv4 address 1.1.0.10 255.255.255.255
!
!! Management interface; 192.168.58.10 is the address the NETCONF client
!! script on this page connects to.
interface MgmtEth0/0/CPU0/0
 ipv4 address 192.168.58.10 255.255.255.0
!
interface GigabitEthernet0/0/0/0
 description Link to iBGP domain
 ipv4 address 1.0.0.10 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 shutdown
!
interface GigabitEthernet0/0/0/2
 shutdown
!
!! Community sets referenced by the route policies below: "public_*" are
!! matched on egress, "peering_*" are applied on ingress.
community-set public_ipv4_prefixes
  65001:4
end-set
!
community-set public_ipv6_prefixes
  65001:6
end-set
!
community-set peering_ipv4_prefixes
  65001:44
end-set
!
community-set peering_ipv6_prefixes
  65001:66
end-set
!
!! Egress policies: pass only routes carrying the "public" community and drop
!! everything else.
route-policy public_v4_peering
  if community matches-any public_ipv4_prefixes then
    pass
  else
    drop
  endif
  # Permit prefix with public IPv4 community only
end-policy
!
route-policy public_v6_peering
  if community matches-any public_ipv6_prefixes then
    pass
  else
    drop
  endif
  # Permit prefix with public IPv6 community only
end-policy
!
!! Ingress policies: tag routes learned from peers with the "peering" community.
!! NOTE(review): "set community" is written without "additive", so it presumably
!! replaces any communities the peer sent rather than appending - confirm that
!! is intended. These policies apply no prefix or AS-path filtering.
route-policy public_v4_peering_ingress
  set community peering_ipv4_prefixes
  # Tag ingress public peering v4 prefixes
end-policy
!
route-policy public_v6_peering_ingress
  set community peering_ipv6_prefixes
  # Tag ingress public peering v6 prefixes
end-policy
!
!! NOTE(review): router-id 10.1.0.10 differs from the Loopback0 address
!! 1.1.0.10 configured above - confirm which value is intended.
!! The neighbor-groups only bind the policies; no neighbors are defined here.
router bgp 65001
 bgp router-id 10.1.0.10
 address-family ipv4 unicast
 !
 neighbor-group public_v4_peers
  address-family ipv4 unicast
   route-policy public_v4_peering_ingress in
   route-policy public_v4_peering out
  !
 !
 neighbor-group public_v6_peers
  address-family ipv6 unicast
   route-policy public_v6_peering_ingress in
   route-policy public_v6_peering out
  !
 !
!
!! Three management agents are enabled below.
!! NOTE(review): "xml agent" with no further keyword is presumably the legacy
!! XML agent running without transport encryption - confirm, and remove it
!! (and "netconf agent tty") if only NETCONF over SSH is required.
xml agent
!
netconf agent tty
!
netconf-yang agent
 ssh
!
!! SSH version 2 only, for both CLI and NETCONF, in the default VRF.
!! NOTE(review): no "ssh server netconf port" line here, unlike the basic
!! setup; the client on this page uses port 830, presumably the default - confirm.
ssh server v2
ssh server vrf default
ssh server netconf vrf default
end

Basic NETCONF client (Python, using ncclient) to pull the above config over XML RPC:

#!/usr/bin/python

from ncclient import manager

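# Connect to the lab router's NETCONF SSH service and print its running config.
#
# NOTE(review): lab-only settings. hostkey_verify=False turns off SSH host key
# checking, so the client cannot tell the router from an impostor on the path,
# and the username/password are hard-coded in the script. Outside a lab, verify
# the host key and load the credentials from somewhere other than the source.
with manager.connect(
    host="192.168.58.10",
    port=830,
    username="cisco",
    password="cisco",
    hostkey_verify=False
) as nc_conn:
    # Fetch the running datastore and keep the reply's XML as text.
    nc_config = nc_conn.get_config(source='running').data_xml
    # The running config can carry credential hashes, so treat what is printed
    # as sensitive. The parenthesised form runs on both Python 2 and Python 3;
    # the bare print statement is a syntax error on Python 3.
    print(nc_config)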

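XML-formatted running-config returned (note that the reply includes the local user's hashed secret under the aaa element, so handle this output as sensitive data):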

bensley@ubuntu-laptop:~/Python$ ./ncclient_example.py 
<?xml version="1.0" encoding="UTF-8"?><data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <aaa xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-admin-cfg">
   <usernames>
    <username>
     <name>bensley</name>
     <usergroup-under-usernames>
      <usergroup-under-username>
       <name>root-system</name>
      </usergroup-under-username>
     </usergroup-under-usernames>
     <secret>$1$F4FF$EetBVKZmK2njztvTTfvle/</secret>
    </username>
   </usernames>
  </aaa>
  <crypto xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-crypto-sam-cfg">
   <ssh xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-crypto-ssh-cfg">
    <server>
     <v2/>
     <vrf-table>
      <vrf>
       <vrf-name>default</vrf-name>
       <enable/>
      </vrf>
     </vrf-table>
     <netconf-vrf-table>
      <vrf>
       <vrf-name>default</vrf-name>
       <enable/>
      </vrf>
     </netconf-vrf-table>
    </server>
   </ssh>
  </crypto>
  <interface-configurations xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
   <interface-configuration>
    <active>act</active>
    <interface-name>Loopback0</interface-name>
    <interface-virtual/>
    <ipv4-network xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-io-cfg">
     <addresses>
      <primary>
       <address>1.1.0.10</address>
       <netmask>255.255.255.255</netmask>
      </primary>
     </addresses>
    </ipv4-network>
   </interface-configuration>
   <interface-configuration>
    <active>act</active>
    <interface-name>MgmtEth0/0/CPU0/0</interface-name>
    <ipv4-network xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-io-cfg">
     <addresses>
      <primary>
       <address>192.168.58.10</address>
       <netmask>255.255.255.0</netmask>
      </primary>
     </addresses>
    </ipv4-network>
   </interface-configuration>
   <interface-configuration>
    <active>act</active>
    <interface-name>GigabitEthernet0/0/0/0</interface-name>
    <description>Link to iBGP domain</description>
    <ipv4-network xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-io-cfg">
     <addresses>
      <primary>
       <address>1.0.0.10</address>
       <netmask>255.255.255.0</netmask>
      </primary>
     </addresses>
    </ipv4-network>
   </interface-configuration>
   <interface-configuration>
    <active>act</active>
    <interface-name>GigabitEthernet0/0/0/1</interface-name>
    <shutdown/>
   </interface-configuration>
   <interface-configuration>
    <active>act</active>
    <interface-name>GigabitEthernet0/0/0/2</interface-name>
    <shutdown/>
   </interface-configuration>
  </interface-configurations>
  <bgp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ipv4-bgp-cfg">
   <instance>
    <instance-name>default</instance-name>
    <instance-as>
     <as>0</as>
     <four-byte-as>
      <as>65001</as>
      <bgp-running/>
      <default-vrf>
       <global>
        <router-id>10.1.0.10</router-id>
        <global-afs>
         <global-af>
          <af-name>ipv4-unicast</af-name>
          <enable/>
         </global-af>
        </global-afs>
       </global>
       <bgp-entity>
        <neighbor-groups>
         <neighbor-group>
          <neighbor-group-name>public_v4_peers</neighbor-group-name>
          <create/>
          <neighbor-group-afs>
           <neighbor-group-af>
            <af-name>ipv4-unicast</af-name>
            <activate/>
            <route-policy-in>public_v4_peering_ingress</route-policy-in>
            <route-policy-out>public_v4_peering</route-policy-out>
           </neighbor-group-af>
          </neighbor-group-afs>
         </neighbor-group>
         <neighbor-group>
          <neighbor-group-name>public_v6_peers</neighbor-group-name>
          <create/>
          <neighbor-group-afs>
           <neighbor-group-af>
            <af-name>ipv6-unicast</af-name>
            <activate/>
            <route-policy-in>public_v6_peering_ingress</route-policy-in>
            <route-policy-out>public_v6_peering</route-policy-out>
           </neighbor-group-af>
          </neighbor-group-afs>
         </neighbor-group>
        </neighbor-groups>
       </bgp-entity>
      </default-vrf>
     </four-byte-as>
    </instance-as>
   </instance>
  </bgp>
  <bgp xmlns="http://openconfig.net/yang/bgp">
   <global>
    <config>
     <as>65001</as>
     <router-id>10.1.0.10</router-id>
    </config>
    <afi-safis>
     <afi-safi>
      <afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
      <config>
       <afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
       <enabled>true</enabled>
      </config>
     </afi-safi>
    </afi-safis>
   </global>
   <peer-groups>
    <peer-group>
     <peer-group-name>public_v4_peers</peer-group-name>
     <config>
      <peer-group-name>public_v4_peers</peer-group-name>
     </config>
     <afi-safis>
      <afi-safi>
       <afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
       <config>
        <afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv4-unicast</afi-safi-name>
        <enabled>true</enabled>
       </config>
       <apply-policy>
        <config>
         <import-policy>public_v4_peering_ingress</import-policy>
         <export-policy>public_v4_peering</export-policy>
        </config>
       </apply-policy>
      </afi-safi>
     </afi-safis>
    </peer-group>
    <peer-group>
     <peer-group-name>public_v6_peers</peer-group-name>
     <config>
      <peer-group-name>public_v6_peers</peer-group-name>
     </config>
     <afi-safis>
      <afi-safi>
       <afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv6-unicast</afi-safi-name>
       <config>
        <afi-safi-name xmlns:idx="http://openconfig.net/yang/bgp-types">idx:ipv6-unicast</afi-safi-name>
        <enabled>true</enabled>
       </config>
       <apply-policy>
        <config>
         <import-policy>public_v6_peering_ingress</import-policy>
         <export-policy>public_v6_peering</export-policy>
        </config>
       </apply-policy>
      </afi-safi>
     </afi-safis>
    </peer-group>
   </peer-groups>
  </bgp>
  <control-plane xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-lib-mpp-cfg">
   <management-plane-protection>
    <inband>
     <interface-selection>
      <interfaces>
       <interface>
        <interface-name>GigabitEthernet0/0/0/0</interface-name>
        <all-protocols>
         <peer-class>
          <peer-all/>
         </peer-class>
        </all-protocols>
       </interface>
      </interfaces>
     </interface-selection>
    </inband>
   </management-plane-protection>
  </control-plane>
  <netconf-yang xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-netconf-cfg">
   <agent>
    <ssh>
     <enable/>
    </ssh>
   </agent>
  </netconf-yang>
  <xr-xml xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-xml-ttyagent-cfg">
   <agent>
    <default>
     <enable/>
    </default>
   </agent>
  </xr-xml>
  <netconf xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-man-xml-ttyagent-cfg">
   <agent>
    <tty>
     <enable/>
    </tty>
   </agent>
  </netconf>
  <routing-policy xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-policy-repository-cfg">
   <sets>
    <community-sets>
     <community-set>
      <set-name>public_ipv4_prefixes</set-name>
      <rpl-community-set>community-set public_ipv4_prefixes
  65001:4
end-set
</rpl-community-set>
     </community-set>
     <community-set>
      <set-name>public_ipv6_prefixes</set-name>
      <rpl-community-set>community-set public_ipv6_prefixes
  65001:6
end-set
</rpl-community-set>
     </community-set>
     <community-set>
      <set-name>peering_ipv4_prefixes</set-name>
      <rpl-community-set>community-set peering_ipv4_prefixes
  65001:44
end-set
</rpl-community-set>
     </community-set>
     <community-set>
      <set-name>peering_ipv6_prefixes</set-name>
      <rpl-community-set>community-set peering_ipv6_prefixes
  65001:66
end-set
</rpl-community-set>
     </community-set>
    </community-sets>
   </sets>
   <route-policies>
    <route-policy>
     <route-policy-name>public_v4_peering</route-policy-name>
     <rpl-route-policy>route-policy public_v4_peering
  if community matches-any public_ipv4_prefixes then
    pass
  else
    drop
  endif
  # Permit prefix with public IPv4 community only
end-policy
</rpl-route-policy>
    </route-policy>
    <route-policy>
     <route-policy-name>public_v6_peering</route-policy-name>
     <rpl-route-policy>route-policy public_v6_peering
  if community matches-any public_ipv6_prefixes then
    pass
  else
    drop
  endif
  # Permit prefix with public IPv6 community only
end-policy
</rpl-route-policy>
    </route-policy>
    <route-policy>
     <route-policy-name>public_v4_peering_ingress</route-policy-name>
     <rpl-route-policy>route-policy public_v4_peering_ingress
  set community peering_ipv4_prefixes
  # Tag ingress public peering v4 prefixes
end-policy
</rpl-route-policy>
    </route-policy>
    <route-policy>
     <route-policy-name>public_v6_peering_ingress</route-policy-name>
     <rpl-route-policy>route-policy public_v6_peering_ingress
  set community peering_ipv6_prefixes
  # Tag ingress public peering v6 prefixes
end-policy
</rpl-route-policy>
    </route-policy>
   </route-policies>
  </routing-policy>
  <interfaces xmlns="http://openconfig.net/yang/interfaces">
   <interface>
    <name>Loopback0</name>
    <config>
     <name>Loopback0</name>
     <type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:softwareLoopback</type>
     <enabled>true</enabled>
    </config>
    <subinterfaces>
     <subinterface>
      <index>0</index>
      <ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
       <address>
        <ip>1.1.0.10</ip>
        <config>
         <ip>1.1.0.10</ip>
         <prefix-length>32</prefix-length>
        </config>
       </address>
      </ipv4>
     </subinterface>
    </subinterfaces>
   </interface>
   <interface>
    <name>MgmtEth0/0/CPU0/0</name>
    <config>
     <name>MgmtEth0/0/CPU0/0</name>
     <type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
     <enabled>true</enabled>
    </config>
    <ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
     <config>
      <auto-negotiate>false</auto-negotiate>
     </config>
    </ethernet>
    <subinterfaces>
     <subinterface>
      <index>0</index>
      <ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
       <address>
        <ip>192.168.58.10</ip>
        <config>
         <ip>192.168.58.10</ip>
         <prefix-length>24</prefix-length>
        </config>
       </address>
      </ipv4>
     </subinterface>
    </subinterfaces>
   </interface>
   <interface>
    <name>GigabitEthernet0/0/0/0</name>
    <config>
     <name>GigabitEthernet0/0/0/0</name>
     <type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
     <enabled>true</enabled>
     <description>Link to iBGP domain</description>
    </config>
    <ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
     <config>
      <auto-negotiate>false</auto-negotiate>
     </config>
    </ethernet>
    <subinterfaces>
     <subinterface>
      <index>0</index>
      <ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
       <address>
        <ip>1.0.0.10</ip>
        <config>
         <ip>1.0.0.10</ip>
         <prefix-length>24</prefix-length>
        </config>
       </address>
      </ipv4>
     </subinterface>
    </subinterfaces>
   </interface>
   <interface>
    <name>GigabitEthernet0/0/0/1</name>
    <config>
     <name>GigabitEthernet0/0/0/1</name>
     <type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
     <enabled>false</enabled>
    </config>
    <ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
     <config>
      <auto-negotiate>false</auto-negotiate>
     </config>
    </ethernet>
   </interface>
   <interface>
    <name>GigabitEthernet0/0/0/2</name>
    <config>
     <name>GigabitEthernet0/0/0/2</name>
     <type xmlns:idx="urn:ietf:params:xml:ns:yang:iana-if-type">idx:ethernetCsmacd</type>
     <enabled>false</enabled>
    </config>
    <ethernet xmlns="http://openconfig.net/yang/interfaces/ethernet">
     <config>
      <auto-negotiate>false</auto-negotiate>
     </config>
    </ethernet>
   </interface>
  </interfaces>
  <routing-policy xmlns="http://openconfig.net/yang/routing-policy">
   <defined-sets>
    <bgp-defined-sets xmlns="http://openconfig.net/yang/bgp-policy">
     <community-sets>
      <community-set>
       <community-set-name>public_ipv4_prefixes</community-set-name>
       <community-member>65001:4</community-member>
      </community-set>
      <community-set>
       <community-set-name>public_ipv6_prefixes</community-set-name>
       <community-member>65001:6</community-member>
      </community-set>
      <community-set>
       <community-set-name>peering_ipv4_prefixes</community-set-name>
       <community-member>65001:44</community-member>
      </community-set>
      <community-set>
       <community-set-name>peering_ipv6_prefixes</community-set-name>
       <community-member>65001:66</community-member>
      </community-set>
     </community-sets>
    </bgp-defined-sets>
   </defined-sets>
   <policy-definitions>
    <policy-definition>
     <name>public_v4_peering</name>
    </policy-definition>
    <policy-definition>
     <name>public_v6_peering</name>
    </policy-definition>
    <policy-definition>
     <name>public_v4_peering_ingress</name>
    </policy-definition>
    <policy-definition>
     <name>public_v6_peering_ingress</name>
    </policy-definition>
   </policy-definitions>
  </routing-policy>
 </data>