
What Is REST API for Network Devices in Networking?

Also known as: REST API, network devices, Cisco automation, CCNP ENCOR, RESTCONF

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

A REST API for network devices lets you control and manage networking equipment using simple web requests, similar to how a website retrieves data from a server. Instead of logging into a device through a command line, you send a message over the network to ask the device for information or to change a configuration. This approach makes automation much easier because programming languages like Python can send these requests, enabling network engineers to manage hundreds of devices from a single script.

Must Know for Exams

The CCNP ENCOR exam (350-401) includes a dedicated section on automation and programmability, and REST APIs are a major part of that. The exam objectives explicitly mention understanding REST API concepts, including HTTP methods, data formats, authentication, and status codes. Candidates are expected to know how to interpret API documentation and construct basic API calls to retrieve or modify network device configurations.

Beyond ENCOR, REST APIs appear in the CCNA exam at a foundational level, where candidates learn about the role of APIs in network management. For CCNP Security or CCNP Data Center, REST APIs are used in the context of controlling firewalls and data centre switches. Cisco's DevNet certification, which runs parallel to the traditional CCNP track, focuses heavily on REST APIs and YANG models.

In the exam, you might see a question that presents a JSON response from a GET request and asks what interface or IP address is represented. Another question might ask which HTTP method should be used to change the VLAN assignment on a switch port. You could also be asked to identify the correct URI for a specific resource. Understanding the difference between GET and POST, or knowing that PUT is idempotent while POST is not, can be the key to answering correctly.

The exam also tests your understanding of RESTCONF versus NETCONF. RESTCONF is simpler and uses HTTP directly, while NETCONF uses RPCs and XML. The exam may ask which protocol is more suitable for a given scenario, such as one requiring transactional rollback. Knowing that NETCONF supports confirmed commits is important. Additionally, you may be asked about authentication methods, with basic authentication and token-based authentication being the most common choices.

To prepare, you should practice using a free Cisco sandbox or a simulator that supports REST API calls. Run GET requests to retrieve device information and then try modifying a configuration. This hands-on experience is invaluable for understanding how the API behaves and for building confidence in the exam.

Simple Meaning

Imagine you have a house with many doors, and each door has a lock that can only be opened with a specific key. Normally, you walk up to each door, insert the key, and turn it to lock or unlock. This is how traditional network management works, where an engineer logs in to each device one by one using a command line. Now, imagine instead that every door has a small mailbox next to it. If you want to lock a door, you don't need to walk over with a key. You write a note that says lock the front door, drop it into the mailbox from anywhere in the house, and the door locks itself. The mailbox is the REST API. It accepts a message, reads it, and performs the action for you.

In technical terms, a REST API uses the same technology that powers the web. When you visit a website, your browser sends an HTTP request to a server, and the server responds with a webpage. With a REST API for network devices, instead of a webpage, the server responds with data in a structured format like JSON or XML. The network device acts as the server. Your script or application is the client. You send a request to the device's IP address over HTTPS, telling it what you want to do. The device processes the request and sends back an answer. For example, you could send a GET request to retrieve the current configuration of a router, or a POST request to apply a new VLAN setup.

This method of communication is standardized, meaning it works the same way across different vendors, though the exact details may vary. Cisco, for instance, provides a REST API on some of its switches and routers through features like IOS XE's RESTCONF or the Cisco DNA Center platform. The key idea is that you are using web protocols, which are lightweight and widely understood, to manage network hardware. This allows you to automate repetitive tasks, integrate network management into larger software systems, and reduce human error.

Full Technical Definition

A REST API, or Representational State Transfer Application Programming Interface, is an architectural style that uses standard HTTP methods to perform operations on resources. In the context of network devices, the resources are things like interfaces, VLANs, routing tables, ACLs, and device configurations. Each resource is identified by a unique Uniform Resource Identifier (URI), similar to a web address. For example, a URI like https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet might represent a specific interface on a Cisco router.

The HTTP methods map to CRUD operations: GET retrieves a resource, POST creates a new resource, PUT replaces an existing resource, PATCH modifies part of a resource, and DELETE removes a resource. When a client sends a request, it includes headers that specify the format of the data it can accept, typically application/json or application/xml. The network device processes the request, authenticates the client using credentials or certificates, and then executes the requested operation on its internal configuration database.

Cisco implements REST APIs primarily through two main protocols: NETCONF and RESTCONF. RESTCONF is the more RESTful of the two, using HTTP methods directly and supporting both JSON and XML data formats. It runs over HTTPS on port 443 and uses YANG (Yet Another Next Generation) data models to define the structure of the data. YANG models are standardized by the IETF and provide a consistent way to describe network configurations and state data. For example, the Cisco-IOS-XE-native YANG model defines all the configuration elements available on a device running IOS XE.

To use a REST API on a Cisco device, the device must have the necessary feature enabled, such as netconf-yang or restconf. The engineer must also configure authentication, often using HTTP basic authentication or token-based authentication with a username and password. Once configured, tools like Postman, curl, or Python libraries such as requests can be used to interact with the API. The device sends back HTTP status codes to indicate success or failure: 200 OK for a successful GET, 201 Created for a successful POST, 204 No Content for a successful DELETE, and 4xx or 5xx codes for errors.

Implementing REST APIs in real IT environments reduces configuration drift because changes are made programmatically and can be version-controlled. They also enable integration with orchestration tools like Ansible, SaltStack, or custom Python scripts. For exam purposes, the CCNP ENCOR exam covers REST APIs as part of the automation and programmability section, requiring candidates to understand how to construct API calls, interpret responses, and use YANG models.

Real-Life Example

Think of a large library with thousands of books. In the old system, if you wanted to know where a book was, you had to walk to a catalogue, flip through cards, find the shelf number, then go to the shelf and physically look for the book. This is like traditional network management where you log in to a device, run commands, and parse the output. Now, the library installs a digital kiosk system. You walk up to a screen, type the name of the book, and the system instantly tells you the exact shelf, whether the book is checked out, and even lets you reserve it. The kiosk is the REST API.

Behind the scenes, the kiosk sends a request to the library's central computer: a GET request asking for information about that specific book. The central computer looks up its database and sends back a JSON response with the book's status. If you want to check out the book, you use the kiosk to send a POST request, which tells the system to mark the book as borrowed under your name. The library staff does not need to manually update a ledger; the API does it instantly.

Mapping this to network devices: the library's central computer is the network device, like a router. The database is the device's running configuration. The GET request is like asking the router to show its current IP address on an interface. The POST request is like adding a new VLAN to the switch. The JSON response is the structured answer that a script can understand and use. This is exactly how a network automation engineer uses a REST API to manage hundreds of devices without ever touching a command line.

Why This Term Matters

REST APIs matter because they are the foundation of modern network automation and programmability. In today's IT environments, networks have grown too large and complex to manage by logging into each device individually. A medium-sized enterprise might have hundreds of switches and routers. A large data centre could have thousands. Manually configuring each device is slow, error-prone, and inconsistent. A REST API allows an engineer to write a single script that applies the same configuration to every device in seconds, ensuring uniformity and reducing the risk of misconfiguration.

From a cybersecurity perspective, REST APIs can be integrated with monitoring systems to automatically respond to threats. For example, if a security tool detects an attack from a certain IP address, it can send a POST request to a firewall's REST API to block that IP instantly, without waiting for a human to react. This is called automated threat mitigation and is a key capability in modern security operations centres.

In cloud and hybrid environments, REST APIs enable Infrastructure as Code (IaC). Network configuration can be stored in files, version-controlled with Git, and deployed automatically through CI/CD pipelines. This aligns networking with software development practices, making networks more agile and reliable. For system administrators, being able to use Python or PowerShell to interact with network devices alongside servers and cloud resources means they can manage the entire infrastructure from a single set of scripts.

Finally, REST APIs are vendor-agnostic in concept, which means skills learned on Cisco devices transfer to Juniper, Arista, or cloud providers like AWS and Azure. The core concepts of HTTP methods, URIs, and JSON remain the same. This makes REST API knowledge a career-long asset.

How It Appears in Exam Questions

In certification exams, REST API questions appear in several forms. Scenario questions present a network automation requirement and ask which HTTP method or URI to use. For example: 'A network engineer needs to retrieve the current OSPF configuration from a router using RESTCONF. Which HTTP method should be used?' The answer is GET. Another scenario might describe adding a new VLAN to a switch, asking for the correct method, which would be POST.

Configuration questions might show a YANG model snippet and ask which field contains the interface name. Or they might provide a JSON response and ask what the current operational status of an interface is. These questions test your ability to read structured data. Troubleshooting questions often present an API call that failed and ask why, based on the HTTP status code returned. For instance, a 401 Unauthorized response indicates an authentication problem, while a 404 Not Found means the resource URI is incorrect.

Architecture questions compare RESTCONF with NETCONF, asking which one uses HTTP methods directly or which one supports transactional rollback. You might see a table listing features of each protocol and be asked to mark which ones apply. Another pattern is to ask about the role of YANG models in REST APIs, such as 'What is the purpose of a YANG model?' with answers like defining the structure of data.

Some questions are code-based, showing a short Python script that uses the requests library to interact with a device. They may ask what the script does, what output to expect, or what error might occur. For example: 'Given this code snippet, what does the response.status_code of 204 indicate?' The answer is that the DELETE operation was successful and there is no content to return.

Finally, there are multiple-choice questions about authentication. 'Which of the following is a security concern when using HTTP basic authentication with REST APIs?' The answer is that credentials are sent in base64-encoded form, which is not encrypted unless HTTPS is used. This reinforces the need for HTTPS.

Example Scenario

A mid-sized company, TechCorp, has 50 Cisco switches across three floors of an office building. The network team needs to update the VLAN configuration on all switches to support a new department. In the past, the engineer would have used SSH to log in to each switch, one at a time, and manually enter the VLAN commands. This would take several hours and risked typing errors.

Instead, the company has enabled the REST API on each switch. The engineer writes a Python script that loops through a list of switch IP addresses. For each switch, the script sends an HTTPS POST request to the URI that represents the VLAN database, with a JSON body containing the new VLAN ID and name. The script also sends a PUT request to assign the VLAN to a specific interface. The entire process takes less than a minute, and the script logs the HTTP status codes from each device to confirm success.

This scenario shows how a REST API transforms a tedious manual task into a fast, repeatable, and auditable automation process. The engineer can now focus on more strategic work, like network design or security, while the scripts handle the routine changes.

Common Mistakes

Thinking that REST APIs are only for web servers and not for network devices

Network devices like routers and switches can run web servers that host REST APIs. Cisco IOS XE, for example, includes a RESTCONF server that listens for API calls on port 443.

Understand that any device with an IP address and a web server can offer a REST API. This includes network hardware from Cisco, Juniper, Arista, and others.

Confusing HTTP methods, especially using GET instead of POST to create a new resource

GET is used only to retrieve data, not to create or modify it. Using GET to try to create a VLAN will result in an error because the API expects POST or PUT.

Remember the CRUD mapping: Create = POST, Read = GET, Update = PUT/PATCH, Delete = DELETE. Use a cheat sheet if necessary until it becomes automatic.

Ignoring the need for HTTPS and using plain HTTP

Plain HTTP sends all data, including authentication credentials, unencrypted. This is a major security risk on a production network.

Always use HTTPS in API requests. Most network devices enforce HTTPS by default for REST APIs. Check the device configuration to ensure HTTPS is enabled.

Assuming that a successful HTTP status code means the configuration was applied correctly

A 200 OK response from a device might mean the request was received and processed, but the actual configuration change could have been rejected by internal validation logic. The device may return a 200 but include an error message in the response body.

Always inspect the response body after receiving a status code. Look for JSON fields like errors or warnings. Do not trust only the status code.

Exam Trap — Don't Get Fooled

An exam question asks: 'Which HTTP method should be used to update only the description of an interface on a Cisco switch using RESTCONF?' and offers options including PUT and PATCH. Many learners choose PUT because they think of update as PUT.

Remember that PUT is for full replacement, like replacing a whole document. PATCH is for partial changes, like fixing a typo. If the question asks to update only the description, PATCH is correct.

If it asks to replace the entire interface configuration, PUT is correct.

Commonly Confused With

REST API for Network Devices vs NETCONF

NETCONF is a protocol that uses XML and Remote Procedure Calls (RPCs) to manage devices, while REST API (RESTCONF) uses standard HTTP methods and supports both JSON and XML. NETCONF is more complex but supports transactional rollback and confirmed commits.

If you need to make a configuration change and want the ability to automatically roll back if something fails, you would use NETCONF. For a simple one-off change like adding a VLAN, RESTCONF is easier.

REST API for Network Devices vs SNMP

SNMP is a very old protocol for monitoring and managing network devices. It uses a pull-based model where a manager polls devices for data. REST APIs are newer, more flexible, and allow both reading and writing data in structured formats like JSON. REST APIs are easier to use in automation scripts.

SNMP might tell you the current bandwidth usage on an interface, but it is difficult to change a configuration with SNMP. With a REST API, you can easily read the bandwidth and then change the interface speed with a single PUT request.

REST API for Network Devices vs SSH with CLI scripting

SSH allows you to send commands to a device manually or through scripts. REST API is a different approach that uses web protocols and structured data. CLI scripting can be brittle because it relies on parsing text output, which can change with software versions. REST API responses are structured, making parsing more reliable.

Using expect scripts with SSH is like reading a printed report and highlighting the numbers you need. Using a REST API is like getting a CSV file with the exact numbers already organized in columns.

Step-by-Step Breakdown

1. Enable the REST API on the network device

The device must be configured to host a REST API server. On Cisco IOS XE, this is done by enabling the restconf service under the global configuration. A username and password with appropriate privileges must also be created for authentication.

2. Identify the resource URI

Every piece of data on the device, such as an interface or a VLAN, has a unique URI. This URI is defined by a YANG model. For example, the URI for the native interface configuration might be /restconf/data/Cisco-IOS-XE-native:native/interface/. You find this by reading the device's API documentation.

3. Construct the HTTP request

Decide what action you want to perform. Choose the correct HTTP method: GET to retrieve, POST to create, PUT to replace, PATCH to modify, or DELETE to remove. Add headers to specify the data format, such as Accept: application/json, and include authentication credentials.

4. Send the request over HTTPS

Use a tool like Postman, curl, or a Python script to send the request to the device's IP address. The device must be reachable over the network on port 443. Ensure that the device's HTTPS certificate is trusted by your client or that you accept it.

5. Process the HTTP response

The device sends back an HTTP status code and a response body. Check the status code to see if the request succeeded. Then parse the response body, which is usually in JSON or XML, to extract the data you need or to verify that the change was applied.

6. Handle errors and verify

If the status code indicates an error (4xx or 5xx), examine the response body for details. Common errors include authentication failure (401), resource not found (404), or invalid data (400). After a successful write operation, it is good practice to send a GET request to confirm the change was applied correctly.
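
The steps above, together with the earlier point that a success status code alone does not prove the change was applied, as an added Python example (not code from the original page or from Cisco). It assumes the RFC 8040 `ietf-restconf:errors` error body and the lab address and credentials used elsewhere on this page; the function names and the sample bodies are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit

YANG_JSON = "application/yang-data+json"  # RESTCONF JSON media type (RFC 8040)


def resource_uri(host, *path, key=None):
    """Step 2: https://<host>/restconf/data/<path>[=<key>], list key percent-encoded."""
    uri = f"https://{host}/restconf/data/" + "/".join(path)
    if key is not None:
        uri += "=" + quote(str(key), safe="")  # "1/0/1" becomes "1%2F0%2F1"
    return uri


def build_request(method, uri, user, password, body=None):
    """Step 3: unsent request. Basic auth is only base64, so plain HTTP is refused."""
    if urlsplit(uri).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URI")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": YANG_JSON, "Authorization": "Basic " + token}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = YANG_JSON
    return urllib.request.Request(uri, data=data, headers=headers, method=method)


def send(req, cafile=None, timeout=10):
    """Step 4: send with certificate verification on (cafile = CA that signed the device cert)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read().decode()


def interpret(status, body_text):
    """Steps 5-6: judge the status code AND the body. Returns (ok, messages)."""
    try:
        doc = json.loads(body_text) if body_text.strip() else {}
    except json.JSONDecodeError:
        return False, [f"HTTP {status}: body is not valid JSON"]
    errors = []
    if isinstance(doc, dict):
        errors = doc.get("ietf-restconf:errors", {}).get("error", [])
    msgs = [f"{e.get('error-tag', 'unknown')}: {e.get('error-message', '')}" for e in errors]
    if not 200 <= status < 300:
        return False, msgs or [f"HTTP {status} with no error detail"]
    return not msgs, msgs  # a 2xx that carries an errors body is still a failure


def find_leaf(node, leaf):
    """Depth-first search for a leaf by name, ignoring the YANG module prefix."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name.split(":")[-1] == leaf and not isinstance(value, (dict, list)):
                return value
            found = find_leaf(value, leaf)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_leaf(item, leaf)
            if found is not None:
                return found
    return None


def readback_matches(body_text, leaf, expected):
    """Step 6: confirm a follow-up GET really shows the value that was written."""
    return find_leaf(json.loads(body_text), leaf) == expected


# Constructed sample bodies (not captured from a real device).
ERROR_BODY = json.dumps({"ietf-restconf:errors": {"error": [
    {"error-type": "application", "error-tag": "invalid-value",
     "error-message": "bad value for description"}]}})
READBACK_BODY = json.dumps({"Cisco-IOS-XE-native:GigabitEthernet": {
    "name": "1", "description": "Link to core switch"}})
```

`send()` is the only function that touches the network; the others can be exercised offline against saved responses.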

Practical Mini-Lesson

To work effectively with REST APIs for network devices, you need a solid understanding of HTTP, JSON, and the specific YANG models used by the device. Start by enabling the RESTCONF service on a lab device. On a Cisco IOS XE router, the configuration looks like this: restconf and then netconf-yang (both are usually needed). You also need to create a local user, for example, username cisco privilege 15 secret cisco. The privilege level must be high enough to allow configuration changes.

Once configured, open Postman or use curl from a command line. A simple GET request might look like: curl -k -u cisco:cisco https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet1. The -k flag bypasses SSL certificate verification for a lab environment. The -u flag provides the username and password. The response will be a large JSON document detailing the configuration of that interface. From there, you can explore other URIs.

To change a configuration, you would use PUT or PATCH. For example, to change the description of an interface, you would send a PATCH request with a JSON body like {"Cisco-IOS-XE-native:description": "Link to core switch"}. The response should be a 204 No Content for success. If you get a 400 Bad Request, check that the JSON syntax is correct and that the field names match the YANG model exactly.

One common challenge is that YANG models can be deep and hierarchical. Finding the exact URI for a resource can take time. Cisco provides an API documentation page on the device itself, accessible via a browser by going to https://device-ip/restconf/doc. This page lists all available resources and their URIs. Use it as your reference.

What can go wrong? A frequent issue is using the wrong Content-Type header. For PATCH requests, you must set Content-Type to application/yang-data+json. Another issue is forgetting that PUT replaces the entire resource, so if you send a PUT request with only a description field, you might delete other fields like the IP address. Always prefer PATCH for partial updates.
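
The PUT pitfall described above (and in the exam trap on PUT versus PATCH), as an added Python example that is not code from the original page. It compares the device's current GET result with an intended PUT body and lists the leaves the PUT would remove. The interface data is constructed, and the merge function is a simplification that handles containers and leaves only, not keyed YANG lists.

```python
import copy


def leaves(node, prefix=""):
    """Flatten a JSON document into {path: value} for every leaf."""
    out = {}
    if isinstance(node, dict):
        for name, value in node.items():
            out.update(leaves(value, f"{prefix}/{name}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            out.update(leaves(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = node
    return out


def put_preflight(current, put_body):
    """PUT replaces the resource: report what would be removed, changed and added."""
    cur, new = leaves(current), leaves(put_body)
    return {
        "removed": sorted(p for p in cur if p not in new),
        "changed": sorted(p for p in cur if p in new and cur[p] != new[p]),
        "added": sorted(p for p in new if p not in cur),
    }


def merge(current, patch_body):
    """PATCH-style merge: leaves not mentioned in patch_body are left alone.
    Simplification: lists are replaced whole rather than merged by key."""
    merged = copy.deepcopy(current)
    for name, value in patch_body.items():
        if isinstance(value, dict) and isinstance(merged.get(name), dict):
            merged[name] = merge(merged[name], value)
        else:
            merged[name] = copy.deepcopy(value)
    return merged


# Constructed GET result for one interface (not captured from a real device).
CURRENT = {"Cisco-IOS-XE-native:GigabitEthernet": {
    "name": "1",
    "description": "old uplink",
    "ip": {"address": {"primary": {"address": "192.168.1.1",
                                   "mask": "255.255.255.0"}}}}}

# Body an engineer might send when they only want to change the description.
DESCRIPTION_ONLY = {"Cisco-IOS-XE-native:GigabitEthernet": {
    "name": "1", "description": "Link to core switch"}}


def demo():
    """Return the preflight report for a description-only PUT and for a merged body."""
    as_put = put_preflight(CURRENT, DESCRIPTION_ONLY)
    as_merged = put_preflight(CURRENT, merge(CURRENT, DESCRIPTION_ONLY))
    return as_put, as_merged
```

Running `put_preflight` before every PUT in a script turns an accidental address removal into a failed check instead of an outage.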

In a professional environment, never use basic authentication over plain HTTP. Always enforce HTTPS. For production, consider using token-based authentication or certificates. Also, be careful about rate limits or device CPU usage; sending too many API calls in a short time can degrade device performance.

This skill connects directly to the broader concept of Infrastructure as Code. By writing Python scripts that call REST APIs, you can store device configurations in Git, review changes before applying them, and even integrate with CI/CD pipelines. This is the future of network engineering, and mastering REST APIs is essential for any modern network professional.

Memory Tip

Remember the REST method map: GET to get, POST to post (create), PUT for full replace, PATCH for partial update, DELETE to delete. Use the word GetPostPutPatchDelete as a mnemonic.

Frequently Asked Questions

Do I need to install software on the network device to use a REST API?

No, the REST API is a built-in feature on many modern Cisco devices running IOS XE or IOS XR. You only need to enable it in the configuration with commands like restconf.

Can I use a REST API to manage devices that are behind a firewall?

Yes, as long as the firewall allows HTTPS traffic on port 443 to the device. You need to ensure the client can reach the device's IP address over the network.

Is JSON the only data format supported by Cisco REST APIs?

No, Cisco supports both JSON and XML. JSON is more common because it is easier to work with in scripting languages like Python. The format is specified in the Accept and Content-Type headers.

What is the difference between RESTCONF and NETCONF?

RESTCONF uses standard HTTP methods and is simpler. NETCONF uses RPCs and XML, and supports transactional operations like confirmed commits. RESTCONF is lighter, while NETCONF is more powerful for complex changes.

Can a REST API call crash a network device?

It is possible if you send a malformed request that causes a software bug, but this is rare. In practice, sending a large number of rapid requests could overload the device's CPU. It is best to implement rate limiting in your scripts.

Do I need to know Python to use a REST API?

No, you can use tools like Postman or curl to test API calls. However, Python is highly recommended for automating multiple devices because you can write loops and error handling logic.

Summary

A REST API for network devices allows you to control routers, switches, and firewalls using standard web protocols. Instead of logging in through a command line, you send HTTP requests such as GET, POST, PUT, PATCH, and DELETE to specific URIs that represent device resources like interfaces and VLANs. The device responds with structured data in JSON or XML, which is easy for scripts to parse. This approach is foundational for network automation, enabling you to manage hundreds of devices quickly and consistently. It reduces human error, supports Infrastructure as Code, and integrates with security tools for automated threat mitigation.

For certification exams, especially CCNP ENCOR, you need to understand HTTP methods, status codes, authentication, and the difference between RESTCONF and NETCONF. Practice making API calls in a lab environment to solidify your knowledge. Avoid common mistakes like using plain HTTP instead of HTTPS, confusing GET with POST, or trusting status codes without checking the response body. Remember the memory tip for HTTP methods, and use the YANG model documentation on the device to find the correct URIs. Mastering REST APIs will not only help you pass exams but also prepare you for the modern, automated network environments that employers demand.