CiscoCCNPEnterprise NetworkingIntermediate21 min read

What Is NETCONF Protocol in Networking?

Also known as: NETCONF, NETCONF protocol, Cisco automation, CCNP ENCOR, YANG

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

NETCONF is a way for network administrators to talk to routers, switches, and other devices using a structured language called XML. Instead of typing commands one by one, you can send a single, well-formed document that tells the device exactly what to do. It makes network automation more reliable and easier to scale across many devices.

Must Know for Exams

NETCONF is a critical topic in the Cisco CCNP Enterprise certification, particularly in the ENCOR (350-401) exam. The exam blueprint includes sections on network assurance and automation, where NETCONF and YANG are explicitly listed. Learners must understand the difference between NETCONF and other management protocols like SNMP and RESTCONF.

Exam questions often ask about the transport protocol used by NETCONF (SSH or TLS), the data encoding format (XML), and the data modeling language (YANG). Another common area is the concept of datastores. You may be asked to identify which datastore holds the active configuration (running) versus a working copy (candidate).

The commit operation is frequently tested, with questions about how changes are applied atomically. Also, the exam covers NETCONF operations like <get-config> and <edit-config>. You might need to interpret a simple XML snippet to determine what configuration change it is making.

For example, a question could present an <edit-config> operation that adds a new interface IP and ask what the result will be. Understanding the structure of NETCONF messages and YANG modules is essential. The ENCOR exam also tests the ability to compare NETCONF with RESTCONF.

For instance, NETCONF uses XML and SSH or TLS, while RESTCONF uses HTTP/HTTPS and supports both XML and JSON. Learners might be asked which protocol is more suitable for a given scenario. Additionally, the exam may cover how NETCONF integrates with Cisco automation tools like Cisco DNA Center and Ansible.

For the newer CCNP and CCIE exams, knowledge of model-driven telemetry and how NETCONF can be used to subscribe to streaming data is becoming more important. Overall, NETCONF appears in both conceptual questions and practical configuration scenarios, and mastering it is essential for passing the automation and programmability sections of the exam.

Simple Meaning

Imagine you are the manager of a large office building, and you need to give every employee a new access badge that works on specific floors. If you had to walk to each employee’s desk, hand them a badge, and explain the rules one person at a time, it would take forever and you would likely make mistakes. That is how traditional command-line interface (CLI) management works for network devices.

Now imagine you could write one memo with a list of employees and their floor permissions, put it in a sealed envelope, and hand it to a central security office that processes it for everyone at once. That memo is like a NETCONF message. It is a structured, machine-readable document that tells the network device exactly what configuration to apply, without you needing to type individual commands.

NETCONF uses a special language called XML (Extensible Markup Language) to structure the message, so the device can read it clearly. The protocol also has built-in error checking and can tell you whether the configuration was applied successfully. This is much more reliable than sending a stream of commands and hoping they all worked.

Think of it like a post office sorting facility. Instead of handing each letter to a different mail carrier, you bundle all letters for one neighborhood together with a clear address list. The sorting system reads the list and delivers everything correctly.

NETCONF does the same for network configurations. It allows you to send a whole set of changes at once, verify them, and even roll them back if something goes wrong. This is why NETCONF is a key part of modern network automation and is widely used in enterprise networks, especially those that use Cisco devices and software-defined networking.

Full Technical Definition

NETCONF, defined in RFC 6241, is a network management protocol developed by the IETF. It provides mechanisms to install, manipulate, and delete the configuration of network devices. NETCONF uses an XML-based data encoding for both the configuration data and the protocol messages.

The protocol operates over a secure transport layer, typically SSH (using the netconf-ssh subsystem) or TLS. The key architectural components of NETCONF include sessions, capabilities, message layers, and datastores. A NETCONF session is a persistent connection between a client (often a network management system or automation script) and a server (the network device).

The client and server exchange capabilities during session initialization to agree on supported features. The protocol defines three message layers: the transport layer (usually SSH), the message layer, and the operations layer. The message layer handles the encoding of remote procedure calls (RPCs) and notifications.

The operations layer defines specific operations such as <get>, <get-config>, <edit-config>, <copy-config>, <delete-config>, <lock>, <unlock>, <close-session>, and <kill-session>. NETCONF uses the concept of datastores. The most common datastores are the running configuration, the candidate configuration, and the startup configuration.

The candidate datastore is a working copy that can be modified without affecting the current running configuration. Changes are applied using the <commit> operation, which makes the candidate configuration the new running configuration. This allows for safe configuration changes with the ability to roll back if needed.

NETCONF also supports event notifications via the <notification> element, allowing devices to send asynchronous updates to management systems. YANG (Yet Another Next Generation) is a data modeling language used to define the structure and constraints of the configuration and state data. YANG models are used alongside NETCONF to provide a consistent, machine-readable schema for the data.

In practice, a network engineer or automation tool sends an XML document that conforms to a YANG model, which defines what parameters are valid and what their relationships are. Cisco devices, especially those running IOS XE, NX-OS, and IOS XR, support NETCONF. The protocol is a cornerstone of Cisco’s automation strategy, enabling tools like Ansible, Python scripts (using ncclient), and Cisco DNA Center to manage devices programmatically.

Real-Life Example

Think about how a modern hotel works. When a guest checks in, the front desk staff needs to give them a key card that works only for their room and for certain floors, like the pool or the gym. In an old hotel, the front desk would have to manually program a physical key for each door.

That is slow and error-prone, like configuring network devices by hand. Now imagine a smart hotel where the front desk uses a central computer system. The staff types the guest’s name, room number, and check-out date into a form.

The computer system automatically sends a signal to every door lock and elevator reader, updating them instantly. When the guest presents their card, the door reads the card and checks the central system to see if access is allowed. This system is like NETCONF.

The central computer acts as the NETCONF client, and each door lock or elevator reader acts as a NETCONF server. The form the staff fills out is like the XML message that contains the configuration data. Instead of having to walk to each door and manually change its settings, the central system sends a single, structured message over the network.

The door lock receives the message, understands it because it knows the same data format (like YANG models), and updates its internal list of allowed cards. If the front desk makes a mistake, like giving access to the wrong room, the central system can send a new message to correct it or even roll back the change. This example maps directly to NETCONF: the hotel management system is the network management tool, the key card data is the configuration, the door locks are network devices, and the central messaging protocol is NETCONF.

In a real network, a router receives a NETCONF message that says, for instance, create a VLAN 10 with IP address 192.168.1.1 and enable it on interface GigabitEthernet0/1. The router processes the XML, validates it against the YANG model, applies the change, and sends back a success message.

If another device needs the same change, the management tool simply sends the same XML to that device. This is why NETCONF is so powerful for managing large networks reliably.

Why This Term Matters

NETCONF matters because it replaces error-prone, manual command-line configuration with a structured, automated approach. In real IT work, network administrators manage hundreds or thousands of devices. Making a single typo on a CLI command can cause an outage that affects thousands of users.

NETCONF reduces this risk because the configuration data is structured and validated against a model before it is applied. For example, if you try to set an IP address that conflicts with another device, the NETCONF server can reject the change immediately instead of applying it and breaking connectivity. NETCONF also enables configuration auditing and compliance.

Because the configuration is structured as XML, you can compare the current state of a device against a desired state defined in a YANG model. This is crucial for security and compliance requirements in industries like finance or healthcare. Additionally, NETCONF supports transaction-like behavior.

You can make multiple changes to the candidate configuration and then commit them all at once. If any part of the change fails, you can roll back the entire transaction. This atomicity is impossible with traditional CLI.

NETCONF is also essential for network automation frameworks like Ansible, Salt, and Cisco’s own APIs. Without NETCONF, automation tools would have to rely on screen-scraping or vendor-specific APIs, which are brittle and hard to maintain. Moreover, NETCONF is a standard protocol, not tied to a single vendor.

A network engineer who learns NETCONF can manage devices from Cisco, Juniper, Huawei, and others with a consistent approach. This interoperability is increasingly important in multi-vendor environments. Finally, as networks become more software-defined, NETCONF provides the programmable interface that allows controllers like Cisco DNA Center to push configurations dynamically based on policy.

It is a foundational protocol for intent-based networking and automation.

How It Appears in Exam Questions

In certification exams, NETCONF appears in several distinct question formats. Scenario questions might describe a network team that wants to automate the deployment of a new VLAN across 500 switches. The question asks which protocol is best suited for this task, and the correct answer is NETCONF because it supports structured data and transaction-based commits.

Configuration questions might present a partial NETCONF XML message and ask the learner to identify the missing element, such as the target datastore or the operation type. For example, a question could show: <rpc><edit-config><target><running/></target><config>...</config></edit-config></rpc> and ask what is wrong.

The answer might be that editing the running datastore directly is not recommended; the candidate should be used instead. Troubleshooting questions often involve a situation where a NETCONF session fails to start. The question might ask for the most likely cause, such as SSH not being enabled on the device, or the netconf-ssh subsystem not being configured.

Architecture questions ask learners to compare NETCONF with RESTCONF or SNMP. For instance, a question might list the features of each protocol and ask which one uses YANG models and XML. Another common pattern is multiple-choice questions that ask about the default port for NETCONF over SSH, which is port 830.

Learners should also be ready for drag-and-drop questions where they match NETCONF operations (like <get>, <edit-config>, <commit>) to their definitions. Additionally, exam questions may require interpretation of a YANG model snippet to understand what configuration parameters are available. For example, a YANG model might define an interface with a name, description, and IP address.

A question then asks which NETCONF operation would retrieve the current state of an interface. Another pattern involves understanding the role of capabilities. A question could say that two NETCONF servers exchange capabilities during session setup.

The learner must know that this is to agree on supported features and data models. Finally, some questions test knowledge of error handling. If a NETCONF <edit-config> operation fails due to a validation error, the correct response is to send an <rpc-error> message.

Learners may be asked to identify the correct error element.

Study encor

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Acme Corp has a network of 200 switches spread across five floors. The network team needs to add a new management VLAN with ID 999 and IP address 10.10.10.1/24 on all switches. The junior engineer proposes logging into each switch via SSH and typing the commands one by one.

The senior engineer says that will take hours and risks typos. Instead, they decide to use NETCONF. The senior engineer writes a Python script that uses the ncclient library to connect to each switch over SSH on port 830.

The script constructs an XML message that contains an <edit-config> operation targeting the candidate datastore. Inside the XML, the script specifies the VLAN creation and the interface IP configuration according to a YANG model. The script sends the XML to each switch.

The switch validates the XML against the YANG model, ensuring that VLAN 999 does not conflict with existing VLANs and that the IP address is not already in use. If the validation passes, the switch applies the change to the candidate configuration. The script then sends a <commit> operation to make the change active.

Finally, the script sends a <get-config> operation to retrieve the updated running configuration and verify the change. The entire process takes under two minutes for all 200 switches. If any switch returns an error, the script logs the error and does not commit on that device, leaving the old configuration intact.

This scenario demonstrates the power of NETCONF: structured, automated, and safe configuration management at scale.

Common Mistakes

Assuming NETCONF uses JSON by default.

NETCONF uses XML as its native data encoding format. While some implementations may support JSON, the standard defined in RFC 6241 specifies XML. JSON is used by RESTCONF, not NETCONF.

Remember that NETCONF always uses XML. If you see JSON, think RESTCONF.

Thinking NETCONF runs over HTTP or HTTPS.

NETCONF typically runs over SSH (port 830) or TLS. It does not use HTTP. RESTCONF is the protocol that uses HTTP/HTTPS.

Associate NETCONF with SSH and TLS ports, not HTTP.

Believing you can edit the running configuration directly without using a candidate datastore.

While NETCONF allows editing the running datastore directly, best practice is to use the candidate datastore to stage changes and then commit. Many exam questions emphasize the use of candidate for safe configuration management.

Always consider the candidate datastore the safe way to make changes, then commit them.

Confusing NETCONF operations like <get> and <get-config>.

<get> retrieves both configuration and state data, while <get-config> retrieves only configuration data from a specific datastore. Using the wrong operation can return too much or too little data.

Use <get-config> when you only need configuration settings. Use <get> when you need operational state as well.

Assuming NETCONF is only for Cisco devices.

NETCONF is an IETF standard (RFC 6241) supported by many vendors including Juniper, Arista, Huawei, and others. It is not Cisco-proprietary.

Think of NETCONF as a multi-vendor standard protocol for network management.

Exam Trap — Don't Get Fooled

In an exam question, you are asked which protocol uses YANG models and operates over HTTP. The options include NETCONF and RESTCONF. A learner might choose NETCONF because they know it uses YANG, forgetting that NETCONF does not use HTTP.

Always read the entire question carefully. If the question mentions HTTP or HTTPS, immediately think RESTCONF. NETCONF uses SSH or TLS, not HTTP. Remember the ports: NETCONF over SSH uses 830, while RESTCONF uses 443.

Commonly Confused With

NETCONF ProtocolvsRESTCONF

RESTCONF is a simpler protocol that uses HTTP methods (GET, POST, PUT, DELETE) and can use either XML or JSON. NETCONF uses SSH or TLS and only XML. RESTCONF is designed for web-based APIs, while NETCONF is more feature-rich for transactional changes.

If you want to quickly fetch the current interface status using a web browser, you would use RESTCONF. If you need to make multiple related changes and commit them atomically, you would use NETCONF.

NETCONF ProtocolvsSNMP

SNMP is an older protocol that uses a flat MIB structure and is primarily used for monitoring and simple configuration. NETCONF uses hierarchical YANG models and is designed for full configuration management with transaction support. SNMP is simpler but less powerful for automation.

SNMP is like a thermometer that tells you the temperature; NETCONF is like a thermostat that you can program to change the temperature and also monitor it.

NETCONF ProtocolvsCLI scripting

CLI scripting sends text commands one at a time and relies on parsing the output. NETCONF sends structured XML and receives structured responses, making it more reliable and easier to automate. CLI scripting can break if output format changes; NETCONF is versioned and stable.

CLI scripting is like reading a menu and shouting a list of items to the chef. NETCONF is like filling out an order form in a standard format that the chef can read automatically.

NETCONF ProtocolvsgRPC

gRPC is a modern high-performance protocol that uses Protocol Buffers for data serialization and HTTP/2 for transport. NETCONF uses XML and SSH or TLS. gRPC is often used for telemetry streaming, while NETCONF is more focused on configuration management.

If you need to stream real-time interface statistics to a monitoring system, gRPC might be a better fit. If you need to push a configuration change to a device, NETCONF is the standard choice.

Step-by-Step Breakdown

1

Session Establishment

A NETCONF client (like an automation script) opens an SSH connection to the NETCONF server (the network device) on port 830. The client and server exchange hello messages that list their capabilities, including supported YANG models and operations. This step ensures both sides agree on what features are available.

2

Capability Exchange

In the hello message, each side sends a list of its capabilities. For example, the server might announce that it supports the candidate datastore and the commit operation. The client notes these capabilities and will only use features the server supports.

3

Locking the Datastore (Optional)

To prevent conflicts, the client can lock a datastore, such as the candidate or running datastore, using the <lock> operation. This ensures that no other NETCONF session can modify the same datastore until the lock is released.

4

Configuration Operations

The client sends operations like <get-config>, <edit-config>, or <copy-config>. For example, <edit-config> can add, modify, or delete configuration data in a specified datastore. The XML payload defines exactly what changes to make, following the structure defined in YANG models.

5

Commit (if using candidate datastore)

If the client made changes to the candidate datastore, it sends the <commit> operation to apply those changes to the running configuration. The commit is atomic: either all changes are applied successfully, or none are. If validation fails, the commit is rejected and the running configuration remains unchanged.

6

Validation and Error Handling

The NETCONF server validates the incoming XML against the YANG models. It checks for required fields, correct data types, and range constraints. If validation fails, the server returns an <rpc-error> message that includes an error code and description. The client can then correct the data and retry.

7

Retrieving Results

After the commit, the client can issue a <get> or <get-config> operation to verify the new configuration is in place. The server returns the relevant data in XML format. This step provides confidence that the changes were applied correctly.

8

Unlocking the Datastore

If the client previously locked a datastore, it must unlock it using the <unlock> operation. This allows other management sessions to make changes. Failure to unlock can cause administrative deadlocks.

9

Closing the Session

The client sends a <close-session> operation to gracefully terminate the NETCONF session. The server acknowledges and closes the underlying SSH connection. This cleans up resources on both sides.

Practical Mini-Lesson

NETCONF is a protocol that changes how network engineers think about configuration management. Instead of treating each device as an independent box that needs individual attention, NETCONF allows engineers to treat the whole network as a programmable system. To use NETCONF in practice, you first need to ensure your network devices support it.

On Cisco IOS XE devices, you enable NETCONF with the command 'netconf-yang'. This activates the NETCONF server on port 830. Once enabled, you can use a Python library called 'ncclient' to write scripts.

A typical script will: connect to the device using SSH with username and password or key, then send an <edit-config> operation with an XML string that represents the desired configuration. The XML must conform to a YANG model. For example, if you want to configure an interface, you need to know the YANG model for interfaces on that platform.

Cisco provides YANG models that you can download or view on the device itself. After you send the XML, you should always check the response. If the response contains an <rpc-error>, you need to inspect the error-tag and error-message to understand what went wrong.

Common errors include invalid data, missing mandatory fields, or datastore locks held by another session. Another practical consideration is that NETCONF sessions are stateful and persistent. If your script crashes, you might leave a lock on the datastore.

To avoid this, always release locks in a 'finally' block in your code. For production, you should use a robust management framework like Ansible, which has NETCONF modules that handle session management and error handling. When deploying changes at scale, consider using a configuration management database (CMDB) to store the desired state, and then use NETCONF to reconcile each device with that state.

This is the foundation of intent-based networking. A common mistake in practice is to assume that NETCONF is a silver bullet. It is powerful, but it requires good YANG models and careful design.

Also, not all configurations are easily expressed via YANG. Some legacy features may not be modeled. In those cases, you may need to fall back to CLI or use a combination of NETCONF and other tools.

Finally, always test NETCONF scripts in a lab environment first. Misapplying a configuration via NETCONF can cause an outage just as quickly as a CLI mistake, but because it is automated, the impact can be larger. Use features like candidate datastore and commit to stage changes and validate them before making them active.

Memory Tip

NETCONF: Network Configuration. Think of the 'C' in NETCONF as 'Candidate' and 'Commit' — always use the candidate datastore before committing changes.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

What port does NETCONF use?

NETCONF over SSH uses TCP port 830. NETCONF over TLS uses port 6513.

Is NETCONF only for Cisco devices?

No, NETCONF is an IETF standard supported by many vendors including Juniper, Arista, Huawei, and others.

What is the difference between NETCONF and SNMP?

NETCONF is designed for configuration management with structured data, transaction support, and rollback. SNMP is older and primarily used for monitoring, with a flat data model and limited configuration capabilities.

Do I need to know XML to use NETCONF?

Yes, NETCONF uses XML for all messages. You need a basic understanding of XML syntax to read and write NETCONF operations.

What is a YANG model?

YANG is a data modeling language used to define the structure and constraints of configuration and state data. NETCONF uses YANG models to validate and understand the data it receives.

Can NETCONF be used for real-time monitoring?

Yes, NETCONF supports notifications for streaming telemetry, but for high-frequency monitoring, gRPC or model-driven telemetry may be more efficient.

How do I enable NETCONF on a Cisco IOS XE device?

Use the command 'netconf-yang' in global configuration mode. This enables the NETCONF server on port 830.

What is the candidate datastore?

The candidate datastore is a working copy of the configuration. Changes are made to it, and then the <commit> operation applies them to the running configuration, allowing atomic changes and rollback.

Summary

NETCONF is a powerful network management protocol that replaces manual command-line configuration with structured, automated, and reliable interactions. It uses XML over SSH or TLS, and relies on YANG models to define and validate configuration data. For IT certification exams like Cisco CCNP ENCOR, understanding NETCONF is essential for the automation and programmability objectives.

You need to know its transport, data encoding, operations, datastores, and how it differs from protocols like RESTCONF and SNMP. Key concepts include the candidate datastore, the commit operation, and the use of capabilities. In real-world IT, NETCONF enables scalable, multi-vendor network automation, reduces configuration errors, and supports compliance auditing.

When studying, focus on the step-by-step flow of a NETCONF session, common operations, and the role of YANG. Avoid confusing NETCONF with RESTCONF regarding transport and data format. Remember the port 830, the use of XML, and the importance of transactional commits.

Mastering NETCONF will serve you well in both certification exams and practical network engineering.