NETCONF Get Filter Returning Wrong Data Set
Presenting Symptom
A NETCONF client receives incorrect or incomplete data when applying an XML filter to retrieve interface configurations.
Network Context
The network is a small enterprise branch office with a Cisco CSR1000v running IOS-XE 17.3. The engineer uses a Python script with ncclient to retrieve interface configurations via NETCONF. The filter is intended to retrieve only GigabitEthernet interfaces, but the response includes all interfaces or incorrect interface data.
Diagnostic Steps
Verify NETCONF connectivity and capabilities
show netconf-yang sessions | include <session-id>Session ID: 12345, Transport: SSH, Username: admin, Source IP: 10.1.1.1, Status: Active
Confirms the NETCONF session is active. If no session or status is not active, check SSH and authentication.
Capture the exact NETCONF RPC and response
debug netconf-yang allNETCONF: Received RPC: <rpc><get><filter type="subtree"><interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"><interface><name>GigabitEthernet*</name></interface></interfaces></filter></get></rpc>
Check the filter syntax. The filter uses a wildcard pattern which is not supported in subtree filtering. The correct filter should use exact names or xpath.
Test with a simple filter without wildcards
Use ncclient with filter: <filter><interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"><interface><name>GigabitEthernet1</name></interface></interfaces></filter>Returns only GigabitEthernet1 configuration.
If this works, the issue is the wildcard pattern. Subtree filters do not support wildcards; they require exact node names.
Check if the YANG model supports xpath filtering
show netconf-yang schemas | include ietf-interfacesietf-interfaces: 2018-02-20
If the device supports xpath, use xpath filter instead. Otherwise, must retrieve all interfaces and filter client-side.
Root Cause
The NETCONF client used a subtree filter with a wildcard pattern (e.g., 'GigabitEthernet*') which is not supported by the YANG subtree filtering mechanism. Subtree filters only match exact node names; wildcards are not allowed. The device either returns all interfaces or an error, leading to incorrect data.
Resolution
Verification
Run the corrected NETCONF get operation and verify the response contains only the desired interfaces. Example output snippet: ```xml <data> <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"> <interface> <name>GigabitEthernet1</name> <type>iana-if-type:ethernetCsmacd</type> <enabled>true</enabled> <ipv4>...</ipv4> </interface> </interfaces> </data> ``` Confirm no other interfaces are present.
Prevention
["Always use exact interface names in subtree filters; avoid wildcards.","If filtering by pattern is needed, use xpath filters (if supported) and test the xpath expression.","Validate NETCONF filter syntax using tools like yang-explorer or pyang before deploying scripts."]
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting multiple-choice question about NETCONF filters. The exam tests understanding of subtree vs xpath filtering and that subtree filters do not support wildcards. A candidate must know that subtree filters require exact node names.
Exam Tips
Remember: Subtree filters match exact node names only; wildcards are not allowed.
If you need pattern matching, use xpath filters with the 'type' attribute set to 'xpath'.
Know that the 'filter' element in NETCONF <get> can be of type 'subtree' (default) or 'xpath'.
Test Your CCNA Knowledge
Practice with scenario-based questions to prepare for the CCNA 200-301 exam.
Practice CCNA Questions