NETCONF & RESTCONF Overview

1. Why Programmable Interfaces Were Needed

For decades, network engineers configured devices one at a time using the CLI (Command Line Interface) — typing commands into a terminal session, reading back free-form text output, and manually verifying changes. This approach works fine for a handful of devices but becomes a serious bottleneck as networks grow. Managing hundreds or thousands of routers, switches, and firewalls via CLI introduces human error, inconsistency, and slow change cycles. See Python Netmiko for the CLI-automation bridge before moving to NETCONF/RESTCONF.

NETCONF and RESTCONF are programmatic network management interfaces — they expose device configuration and operational state as structured, machine-readable data. Automation tools (Python scripts, Ansible, Terraform, CI/CD pipelines) can read and modify device configuration reliably, at scale, and without the fragility of screen-scraping CLI text output.

Characteristic	CLI (SSH/Telnet)	NETCONF	RESTCONF
Protocol	SSH / Telnet	SSH (port 830)	HTTPS (port 443)
Data format	Unstructured free-form text	XML (structured)	JSON or XML (structured). See JSON, XML & YANG.
Data model	Vendor-specific, undocumented	YANG (standardised)	YANG (standardised)
Machine-readable?	No — requires text parsing / screen-scraping	Yes — structured XML	Yes — structured JSON/XML
Transactional?	No — each command applied immediately	Yes — candidate datastore + commit	Partial — no native candidate/commit
Error handling	Implicit — must parse output for error keywords	Explicit — structured error messages	Explicit — HTTP status codes + error payloads
Typical user	Human engineer at a terminal	Automation tools, controllers, orchestrators	REST API clients, web apps, simple scripts
RFC	—	RFC 6241	RFC 8040

2. YANG — The Data Modelling Language

YANG (Yet Another Next Generation), defined in RFC 7950, is the data modelling language that underpins both NETCONF and RESTCONF. Before you can understand how these protocols work, you need to understand what YANG does — it provides a precise, vendor-neutral schema that describes exactly what data a device has (its configuration and state), what values are valid, and how everything is structured. See JSON, XML & YANG for a complete guide.

Think of YANG as the grammar and NETCONF/RESTCONF as the transport that carries data conforming to that grammar. Without YANG models, NETCONF and RESTCONF would just be arbitrary XML or JSON — YANG gives the data its meaning.

  YANG model → data → transport relationship:

  ┌──────────────────────────────────────────────────────────────────┐
  │  YANG Model (schema)                                             │
  │  Defines: what data exists, data types, valid values,            │
  │           hierarchy, relationships, constraints                  │
  │  Example: ietf-interfaces YANG module defines how interfaces     │
  │           are structured (name, type, IP address, etc.)          │
  └───────────────────────────┬──────────────────────────────────────┘
                              │ Validates and structures
                              ▼
  ┌──────────────────────────────────────────────────────────────────┐
  │  Data Instance                                                   │
  │  Actual device data conforming to the YANG model:               │
  │  { "name": "GigabitEthernet1", "ip": "192.168.1.1/24" }        │
  └───────────────────────────┬──────────────────────────────────────┘
                              │ Carried by
                        ┌─────┴─────┐
                        ▼           ▼
               NETCONF (XML)    RESTCONF (JSON/XML)

YANG Model Types

Model Type	Description	Examples
IETF Standard Models	Vendor-neutral models defined by the IETF. Consistent across all vendors that implement them.	`ietf-interfaces`, `ietf-ip`, `ietf-routing`, `ietf-ospf`
OpenConfig Models	Vendor-neutral models developed by a consortium of network operators (Google, AT&T, etc.) focused on operational simplicity and device configurability.	`openconfig-interfaces`, `openconfig-bgp`, `openconfig-vlan`
Vendor-Native Models	Device-specific models published by vendors for features not covered by IETF or OpenConfig standards. Not portable across vendors.	`Cisco-IOS-XE-native`, `Cisco-IOS-XE-ospf`, Juniper YANG models

YANG Data Node Types

  Key YANG statement types:

  container  — Groups related nodes. Like a folder.
               Example: interfaces/interface/config

  list       — Ordered or unordered set of entries with a key.
               Example: interface[name=GigE1], bgp/neighbors/neighbor[address=10.0.0.1]

  leaf       — A single value (string, integer, boolean, etc.)
               Example: interface/name = "GigabitEthernet1"

  leaf-list  — A list of single values (like a set).
               Example: dns-servers = [8.8.8.8, 8.8.4.4]

  rpc        — Defines a Remote Procedure Call (action on the device).
               Example: rpc close-session, rpc commit

  notification — Device-generated event pushed to the management system.

  typedef    — Reusable type definitions (like int32 with constraints).

  grouping   — Reusable schema fragments referenced with 'uses'.

  YANG path notation (similar to XPath):
  /interfaces/interface[name='GigabitEthernet1']/config/ip-address

3. NETCONF — Network Configuration Protocol

NETCONF (Network Configuration Protocol), defined in RFC 6241, is a standards-based protocol for installing, manipulating, and deleting the configuration of network devices. It uses XML to encode all data and operations, and runs over SSH on port 830. NETCONF was designed from the ground up as a programmatic interface — it is never used interactively by humans (unlike CLI).

NETCONF Architecture

  NETCONF architecture — manager and agent:

  ┌─────────────────────────────────────────────────────────┐
  │  NETCONF Manager (Client)                                │
  │  Python/ncclient, Ansible, NSO, Cisco DNA Centre         │
  │  → Sends RPC requests in XML                             │
  │  → Parses XML responses                                  │
  └─────────────────────────┬───────────────────────────────┘
                            │  SSH (TCP port 830)
                            │  XML-encoded RPC messages
                            ▼
  ┌─────────────────────────────────────────────────────────┐
  │  NETCONF Agent (Server) — the network device            │
  │  Cisco IOS XE, IOS XR, NX-OS, Junos, etc.               │
  │  → Maintains datastores (running, candidate, startup)   │
  │  → Processes RPC requests and returns responses         │
  │  → Validates changes against YANG models                │
  └─────────────────────────────────────────────────────────┘

  NETCONF session establishment:
  1. SSH connection to device port 830
  2. Device sends hello message with list of capabilities
     (YANG modules it supports, NETCONF features)
  3. Client sends its own hello
  4. NETCONF session is established
  5. Client sends RPCs; device responds
  6. Client sends close-session RPC to terminate

NETCONF Datastores

NETCONF introduces the concept of datastores — named repositories of device configuration. This is fundamentally different from CLI where there is only one running configuration. NETCONF defines up to three datastores:

Datastore	Description	Key Behaviour
running	The currently active configuration — what the device is operating with right now. Equivalent to `show running-config`.	Changes to running take effect immediately. Not all devices support direct editing of running (some require candidate)
candidate	A staging area — changes are made here first, then atomically committed to running with the `commit` operation.	Enables transactional changes — multiple edits can be staged and applied atomically. If the commit fails, the device rolls back to previous state. Only available if device advertises `:candidate` capability.
startup	The configuration loaded at boot — equivalent to `show startup-config`. Not all devices implement this as a separate datastore.	Must be explicitly copied from running/candidate to persist across reloads (on devices that support it)

  Candidate datastore workflow (safe transactional change):

  ┌─────────────────────────────────────┐
  │  Current running config (active)    │
  └───────────────────────┬─────────────┘
                          │ copy-config or implicit
                          ▼
  ┌─────────────────────────────────────┐
  │  Candidate datastore (staging)      │
  │  → Make changes here (edit-config)  │
  │  → Review with get-config           │
  │  → Validate (validate RPC)          │
  └───────────────────────┬─────────────┘
                          │ commit (atomic)
                          ▼
  ┌─────────────────────────────────────┐
  │  Running datastore (updated)        │
  │  All changes applied atomically     │
  │  If any change fails → full rollback│
  └─────────────────────────────────────┘

4. NETCONF Operations — RPC Methods

NETCONF uses RPC (Remote Procedure Call) messages wrapped in XML to perform operations on the device. Every NETCONF request is an <rpc> element containing an operation, and every response is an <rpc-reply> element containing the result or an error.

NETCONF Operation	Purpose	Equivalent CLI Action
<get-config>	Retrieve configuration from a specified datastore (running, candidate, or startup). Can filter to retrieve only specific subtrees.	`show running-config` (or a section of it)
<edit-config>	Modify configuration in a datastore. Supports multiple operations per request: merge, replace, create, delete, or remove.	Entering config commands (e.g., `interface`, `ip address`)
<get>	Retrieve both configuration AND operational state data from the device (e.g., interface counters, routing table, BGP neighbours).	`show interfaces`, `show ip route`, etc.
<commit>	Atomically apply the candidate datastore to the running datastore. All changes succeed or all roll back.	`copy running-config startup-config` (conceptually — but more powerful: it's atomic)
<discard-changes>	Discard all staged edits in the candidate datastore and revert to the current running configuration.	`reload` (similar effect but not equivalent)
<lock> / <unlock>	Lock a datastore to prevent concurrent modifications by other managers during a change window.	No direct CLI equivalent
<copy-config>	Copy an entire datastore to another (e.g., copy running to startup).	`copy running-config startup-config`
<delete-config>	Delete an entire datastore (only candidate or startup — never running).	`erase startup-config`
<validate>	Validate the candidate datastore against YANG constraints without committing. Check for errors before applying.	No direct equivalent
<close-session>	Gracefully terminate the NETCONF session.	`exit` / closing the SSH session

NETCONF XML Example — Reading an Interface

  NETCONF get-config request (client → device):
  ─────────────────────────────────────────────
  <?xml version="1.0" encoding="UTF-8"?>
  <rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <get-config>
      <source>
        <running/>
      </source>
      <filter type="subtree">
        <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
          <interface>
            <name>GigabitEthernet1</name>
          </interface>
        </interfaces>
      </filter>
    </get-config>
  </rpc>

  NETCONF rpc-reply response (device → client):
  ──────────────────────────────────────────────
  <rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <interface>
          <name>GigabitEthernet1</name>
          <type>ianaift:ethernetCsmacd</type>
          <enabled>true</enabled>
          <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
            <address>
              <ip>192.168.1.1</ip>
              <prefix-length>24</prefix-length>
            </address>
          </ipv4>
        </interface>
      </interfaces>
    </data>
  </rpc-reply>

NETCONF XML Example — Configuring an Interface

  NETCONF edit-config request (setting an IP address):
  ──────────────────────────────────────────────────────
  <?xml version="1.0" encoding="UTF-8"?>
  <rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <edit-config>
      <target>
        <candidate/>        <!-- write to candidate, not running -->
      </target>
      <config>
        <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
          <interface>
            <name>GigabitEthernet2</name>
            <enabled>true</enabled>
            <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
              <address>
                <ip>10.0.0.1</ip>
                <prefix-length>30</prefix-length>
              </address>
            </ipv4>
          </interface>
        </interfaces>
      </config>
    </edit-config>
  </rpc>

  Then commit:
  <rpc message-id="3" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <commit/>
  </rpc>

  Success response:
  <rpc-reply message-id="3" ...>
    <ok/>
  </rpc-reply>

5. Enabling and Using NETCONF on Cisco IOS XE

  ! Enable NETCONF on a Cisco IOS XE device:
  Router(config)# netconf-yang
  ! This single command enables NETCONF (port 830) and YANG processing
  ! The device must have SSH configured (version 2 recommended)

  ! Verify NETCONF is enabled and listening:
  Router# show platform software yang-management process
  Router# show netconf-yang sessions
  Router# show netconf-yang statistics

  ! NETCONF also requires AAA and local/RADIUS authentication:
  Router(config)# aaa new-model
  Router(config)# aaa authentication login default local
  Router(config)# username admin privilege 15 secret Cisco123

  ! SSH must be configured (NETCONF uses SSH transport):
  Router(config)# ip domain-name lab.local
  Router(config)# crypto key generate rsa modulus 2048
  Router(config)# ip ssh version 2

  ! View supported YANG capabilities on the device:
  Router# show netconf-yang capabilities
  ! Returns a list of YANG modules the device supports

NETCONF requires SSH version 2 to be configured on the device. See SSH & Telnet Security for hardening SSH before enabling NETCONF. AAA must also be configured — see RADIUS vs TACACS+ for authentication options.

Using NETCONF with Python (ncclient)

  # Python ncclient — NETCONF client library
  # Install: pip install ncclient

  from ncclient import manager

  # Connect to device via NETCONF (SSH port 830)
  with manager.connect(
      host       = "192.168.1.1",
      port       = 830,
      username   = "admin",
      password   = "Cisco123",
      hostkey_verify = False    # In production, verify host keys!
  ) as m:

      # Get the running config for all interfaces (filtered):
      filter = """
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      </interfaces>
      """
      result = m.get_config(source="running", filter=("subtree", filter))
      print(result)  # Returns XML string

      # Edit config — add IP address to GigabitEthernet2:
      config_payload = """
      <config>
        <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
          <interface>
            <name>GigabitEthernet2</name>
            <enabled>true</enabled>
            <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
              <address>
                <ip>10.0.0.1</ip>
                <prefix-length>30</prefix-length>
              </address>
            </ipv4>
          </interface>
        </interfaces>
      </config>
      """
      m.edit_config(target="candidate", config=config_payload)
      m.commit()  # Apply changes atomically
      print("Configuration committed successfully")

See full detail: NETCONF with ncclient Python Lab | Python for Networking

6. RESTCONF — REST API for Network Devices

RESTCONF, defined in RFC 8040, is a lighter-weight alternative to NETCONF that exposes the same YANG-modelled data through a standard HTTP/HTTPS REST API. If you are familiar with REST APIs for web services, RESTCONF will feel immediately familiar — it uses standard HTTP methods (GET, POST, PUT, PATCH, DELETE) and returns data in JSON or XML. See JSON, XML & YANG and REST API Methods.

RESTCONF is designed for simplicity and ease of use — it is stateless, requires no session establishment, and can be accessed from any HTTP client (curl, Postman, Python requests, web browser). The trade-off is that RESTCONF does not support the full transactional capabilities of NETCONF (no candidate datastore or atomic commit).

  RESTCONF URL structure:

  https://<device-ip>/restconf/data/<yang-module>:<path>

  Examples:
  GET all interfaces:
  https://192.168.1.1/restconf/data/ietf-interfaces:interfaces

  GET a specific interface:
  https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1

  GET Cisco-native interface config:
  https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet

  RESTCONF root path (shows supported YANG modules):
  https://192.168.1.1/restconf/data/

  RESTCONF Yang Library (discover available modules):
  https://192.168.1.1/restconf/data/ietf-yang-library:modules-state

RESTCONF HTTP Methods

HTTP Method	RESTCONF Operation	NETCONF Equivalent	Description
GET	Retrieve data	`<get-config>` / `<get>`	Read configuration or operational state. Returns JSON or XML based on Accept header.
POST	Create a new resource	`<edit-config>` operation=create	Creates a new data node. Fails if it already exists (unlike PUT which replaces).
PUT	Create or replace a resource	`<edit-config>` operation=replace	Creates the resource if it does not exist; completely replaces it if it does. The entire resource must be supplied.
PATCH	Merge / partial update	`<edit-config>` operation=merge	Merges supplied data into the existing resource. Only changed fields need to be included — omitted fields are unchanged.
DELETE	Remove a resource	`<edit-config>` operation=delete	Removes the specified data node from the configuration.

See REST API Methods for a full explanation of HTTP verbs and how they map to CRUD operations.

7. RESTCONF Examples — JSON Requests and Responses

7.1 GET — Read an Interface Configuration

  HTTP Request:
  GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1
  Host: 192.168.1.1
  Accept: application/yang-data+json
  Authorization: Basic YWRtaW46Q2lzY28xMjM=  (admin:Cisco123 base64)

  HTTP Response: 200 OK
  Content-Type: application/yang-data+json

  {
    "ietf-interfaces:interface": {
      "name": "GigabitEthernet1",
      "type": "iana-if-type:ethernetCsmacd",
      "enabled": true,
      "ietf-ip:ipv4": {
        "address": [
          {
            "ip": "192.168.1.1",
            "prefix-length": 24
          }
        ]
      }
    }
  }

7.2 PUT — Configure an Interface IP Address

  HTTP Request:
  PUT /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet2
  Host: 192.168.1.1
  Content-Type: application/yang-data+json
  Accept: application/yang-data+json
  Authorization: Basic YWRtaW46Q2lzY28xMjM=

  Request body (JSON):
  {
    "ietf-interfaces:interface": {
      "name": "GigabitEthernet2",
      "type": "iana-if-type:ethernetCsmacd",
      "enabled": true,
      "ietf-ip:ipv4": {
        "address": [
          {
            "ip": "10.0.0.1",
            "prefix-length": 30
          }
        ]
      }
    }
  }

  HTTP Response: 204 No Content
  (Success — no response body; the resource was created/replaced)

7.3 PATCH — Change Only One Field

  HTTP Request:
  PATCH /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet2
  Host: 192.168.1.1
  Content-Type: application/yang-data+json

  Request body (only the field being changed):
  {
    "ietf-interfaces:interface": {
      "name": "GigabitEthernet2",
      "enabled": false
    }
  }

  HTTP Response: 204 No Content
  (Only the 'enabled' field was changed; IP address unchanged)

7.4 DELETE — Remove a Configuration

  HTTP Request:
  DELETE /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet2
  Host: 192.168.1.1
  Authorization: Basic YWRtaW46Q2lzY28xMjM=

  HTTP Response: 204 No Content
  (Interface configuration deleted)

7.5 HTTP Status Codes in RESTCONF

HTTP Status Code	Meaning in RESTCONF
200 OK	GET request succeeded — response body contains data
201 Created	POST request created a new resource
204 No Content	PUT, PATCH, or DELETE succeeded — no response body
400 Bad Request	Malformed JSON/XML or invalid YANG data in the request
401 Unauthorized	Authentication failed — wrong credentials. See AAA Authentication.
403 Forbidden	Authenticated but not authorised for this operation. Check RADIUS/AAA privilege level.
404 Not Found	The requested YANG path or resource does not exist
409 Conflict	POST failed because the resource already exists (use PUT to replace)
500 Internal Server Error	Device-side error processing the request

8. Enabling and Using RESTCONF on Cisco IOS XE

  ! Enable RESTCONF on Cisco IOS XE:
  Router(config)# restconf
  ! This enables the RESTCONF API server (HTTPS port 443)

  ! RESTCONF also requires netconf-yang to be enabled:
  Router(config)# netconf-yang

  ! AAA authentication required (same as NETCONF):
  Router(config)# aaa new-model
  Router(config)# aaa authentication login default local
  Router(config)# username admin privilege 15 secret Cisco123

  ! HTTPS must be enabled (RESTCONF uses HTTPS):
  Router(config)# ip http secure-server
  Router(config)# ip http authentication local

  ! Verify RESTCONF is running:
  Router# show platform software yang-management process

RESTCONF requires AAA to be configured. See RADIUS vs TACACS+ for enterprise authentication options, and SSH & Telnet Security for securing the underlying transport.

Using RESTCONF with Python (requests library)

  import requests
  import json

  # Disable SSL warnings for lab environments (DO NOT use in production):
  requests.packages.urllib3.disable_warnings()

  BASE_URL  = "https://192.168.1.1/restconf/data"
  AUTH      = ("admin", "Cisco123")
  HEADERS   = {
      "Content-Type": "application/yang-data+json",
      "Accept":       "application/yang-data+json"
  }

  # GET — Read GigabitEthernet1 configuration:
  url = f"{BASE_URL}/ietf-interfaces:interfaces/interface=GigabitEthernet1"
  response = requests.get(url, auth=AUTH, headers=HEADERS, verify=False)
  print(f"Status: {response.status_code}")
  print(json.dumps(response.json(), indent=2))

  # PUT — Set IP address on GigabitEthernet2:
  url = f"{BASE_URL}/ietf-interfaces:interfaces/interface=GigabitEthernet2"
  payload = {
      "ietf-interfaces:interface": {
          "name":    "GigabitEthernet2",
          "type":    "iana-if-type:ethernetCsmacd",
          "enabled": True,
          "ietf-ip:ipv4": {
              "address": [{"ip": "10.0.0.1", "prefix-length": 30}]
          }
      }
  }
  response = requests.put(url, auth=AUTH, headers=HEADERS,
                          json=payload, verify=False)
  print(f"PUT Status: {response.status_code}")  # 204 = success

  # DELETE — Remove GigabitEthernet2 configuration:
  response = requests.delete(url, auth=AUTH, headers=HEADERS, verify=False)
  print(f"DELETE Status: {response.status_code}")  # 204 = success

See full detail: RESTCONF Basics Lab | Python for Networking

9. NETCONF vs RESTCONF — When to Use Each

Feature	NETCONF (RFC 6241)	RESTCONF (RFC 8040)
Transport	SSH (port 830)	HTTPS (port 443)
Data encoding	XML only	JSON (preferred) or XML. See JSON, XML & YANG.
Data model	YANG	YANG
Transactions	Yes — candidate datastore + atomic commit. Changes staged, validated, applied atomically.	No — each HTTP operation applied immediately to running config (no candidate)
Session state	Stateful — persistent SSH session with session ID, lock/unlock, multiple RPCs per session	Stateless — each HTTP request is independent; no session concept
Locking	Yes — <lock> prevents concurrent edits during a change window	No — no locking mechanism
Operational data	Full — <get> retrieves config + operational state together. Equivalent to show interfaces, show ip route, etc.	Yes — GET on operational paths returns live data
Notifications / events	Yes — device can push event notifications to a subscribed manager	Limited — basic notification streams only
Ease of use	Complex — XML-heavy, requires ncclient or similar. See Python for Networking.	Simple — any HTTP client works (curl, Postman, Python requests)
Best for	Mission-critical transactional config changes; complex multi-step orchestration; network controllers (NSO, DNA Centre)	Quick automation scripts; simple read/write ops; web-based dashboards; learning/testing

  Decision guide — which protocol to use?

  Need transactional config changes (all-or-nothing commit)?
  → Use NETCONF (candidate datastore + commit)

  Building a network controller or orchestration platform?
  → Use NETCONF (full feature set, event notifications)

  Quick script to read or change a few device settings?
  → Use RESTCONF (simpler, any HTTP client)

  Team more familiar with REST APIs (web developers)?
  → Start with RESTCONF, JSON encoding

  Need to push event-driven notifications from device to manager?
  → Use NETCONF (native subscription support)

  Both NETCONF and RESTCONF use the same YANG models —
  the data is the same, only the transport and encoding differ.

10. NETCONF & RESTCONF in the Broader Automation Landscape

NETCONF and RESTCONF are two of several southbound interfaces that automation tools and network controllers use to communicate with network devices. Understanding where they fit in the broader automation ecosystem is essential for the CCNA DevNet associate track and modern network engineering. See Northbound & Southbound APIs for the full API architecture picture.

  Network automation stack:

  ┌────────────────────────────────────────────────────────────────┐
  │  Human / Business Layer                                        │
  │  Network operator → writes policy in plain language            │
  │  "All branch VoIP traffic should use the MPLS path"            │
  └────────────────────────────────┬───────────────────────────────┘
                                   │
  ┌────────────────────────────────▼───────────────────────────────┐
  │  Orchestration / Automation Tools (Northbound)                 │
  │  Ansible, Terraform, Python scripts, Cisco NSO,                │
  │  Cisco DNA Centre, ServiceNow                                  │
  └────────────────────────────────┬───────────────────────────────┘
                                   │  Northbound APIs (REST, NETCONF)
  ┌────────────────────────────────▼───────────────────────────────┐
  │  Network Controller (optional layer)                           │
  │  Cisco DNA Centre, Cisco vManage (SD-WAN), APIC (ACI)          │
  └────────────────────────────────┬───────────────────────────────┘
                                   │  Southbound APIs
                     ┌─────────────┼────────────────┐
                     ▼             ▼                 ▼
               NETCONF/YANG   RESTCONF/YANG     OpenConfig
               (RFC 6241)     (RFC 8040)        (Protobuf/gNMI)
                     │             │                 │
  ┌──────────────────▼─────────────▼─────────────────▼────────────┐
  │  Network Devices (routers, switches, firewalls)                │
  │  Cisco IOS XE, IOS XR, NX-OS, Junos, Arista EOS               │
  └────────────────────────────────────────────────────────────────┘

Interface	Protocol/Format	Use Case
CLI (SSH/Telnet)	Text over SSH	Human administration; simple scripts (paramiko, netmiko). See Python Netmiko Lab.
NETCONF	XML over SSH (port 830)	Transactional config; network controllers; complex orchestration
RESTCONF	JSON/XML over HTTPS (port 443)	Simple automation; web apps; quick scripts. See REST API Overview.
gNMI / gRPC	Protocol Buffers over gRPC	High-frequency streaming telemetry; modern cloud-native automation
SNMP	UDP (ports 161/162)	Legacy monitoring and basic config; being replaced by NETCONF/gNMI for new deployments

CCNA DevNet exam perspective: For the CCNA, focus on understanding the conceptual differences: NETCONF uses SSH + XML, RESTCONF uses HTTPS + JSON/XML, both use YANG data models. Know that NETCONF has datastores (running, candidate) and supports atomic commits, while RESTCONF is stateless and uses standard HTTP methods. Hands-on experience with RESTCONF (using curl or Python requests) is the most accessible starting point. Use Ansible for multi-device automation that sits above these protocols.

Test Your Knowledge — NETCONF & RESTCONF Quiz

1. What fundamental problem with CLI-based network management do NETCONF and RESTCONF solve?

A. CLI is not encrypted — NETCONF and RESTCONF provide encryption. (Note: SSH already encrypts CLI.) B. CLI produces unstructured free-form text that requires fragile screen-scraping to process programmatically; NETCONF and RESTCONF expose configuration as structured, machine-readable data (XML/JSON) based on YANG models, enabling reliable automation at scale C. CLI is too slow for large-scale deployments — NETCONF sends commands 100 times faster D. CLI requires physical console access — NETCONF and RESTCONF work remotely

Correct answer is B. The core limitation of CLI for automation is that its output is unstructured text designed for human reading. Parsing "GigabitEthernet1 is up, line protocol is up" requires brittle regex patterns that break whenever the output format changes. NETCONF and RESTCONF return structured XML or JSON data conforming to YANG schemas — automation tools can reliably navigate and extract values without parsing text, and can send changes as structured data that the device validates against the same YANG model. See: Network Automation | Python Netmiko Lab

2. What is YANG, and what role does it play in NETCONF and RESTCONF?

A. YANG is a transport protocol that carries XML messages between the manager and the device B. YANG is Cisco's proprietary configuration language, replacing IOS CLI syntax C. YANG is a data modelling language (RFC 7950) that defines the structure, data types, and constraints of network device configuration and operational data. NETCONF and RESTCONF both use YANG models as the schema for the data they carry — YANG gives the data its meaning and structure D. YANG is the JSON encoding format used by RESTCONF

Correct answer is C. YANG (Yet Another Next Generation), defined in RFC 7950, is the data modelling language that describes what data a network device has, what values are valid, and how the data is structured. Think of YANG as the grammar and NETCONF/RESTCONF as the transport. Both protocols carry data instances that conform to YANG models — without YANG, the XML and JSON payloads would have no standardised meaning. YANG models can be IETF standard (vendor-neutral), OpenConfig, or vendor-native. See: JSON, XML & YANG

3. What is the NETCONF candidate datastore, and why is it important for automation?

A. The candidate datastore is a staging area where configuration changes are accumulated before being atomically committed to the running datastore — if any change fails, the entire commit rolls back, ensuring the device is never left in a partially-configured state B. The candidate datastore stores proposed configurations from multiple engineers for peer review before approval C. The candidate datastore is NETCONF's equivalent of the startup-config that loads at boot D. The candidate datastore is only available in RESTCONF, not NETCONF

Correct answer is A. The candidate datastore is a defining feature of NETCONF. Multiple edit-config operations can be staged in the candidate, then a single <commit> RPC applies all changes atomically to the running datastore. If the commit fails (e.g., a YANG constraint violation), the device rolls back to its previous running state — no partial changes are left. This is the foundation of reliable, transactional network automation. RESTCONF has no candidate datastore — each HTTP operation applies directly to running. Compare with show running-config which shows the active configuration at any point.

4. Which transport protocol and port does NETCONF use?

A. HTTPS on port 443 B. UDP on port 161 C. HTTP on port 80 D. SSH on port 830

Correct answer is D. NETCONF uses SSH on TCP port 830. The SSH transport provides encryption and authentication. Within the SSH session, NETCONF exchanges XML-encoded RPC messages. This is different from standard SSH (port 22 for CLI). RESTCONF uses HTTPS on port 443. SNMP uses UDP port 161. Knowing these port numbers is frequently tested on the CCNA exam. See: Common Port Numbers

5. In RESTCONF, which HTTP method should be used to update only the description field of an interface without replacing its other settings?

A. PUT — replaces the entire resource with the supplied data B. PATCH — merges only the supplied fields into the existing resource, leaving all other fields unchanged C. POST — creates a new description entry alongside the existing one D. GET — retrieves the description first, then updates it

Correct answer is B. PATCH performs a merge operation — you supply only the fields you want to change, and all other existing fields remain untouched. This is equivalent to NETCONF edit-config with operation="merge". PUT replaces the entire resource with exactly what you supply — if you omit the IP address in a PUT, the IP address will be deleted. For partial updates (changing one field without touching others), always use PATCH. See: REST API Methods

6. A RESTCONF PUT request returns HTTP status code 204. What does this indicate?

A. The request failed — 204 means No Content was found to process B. The resource was not found and needs to be created first C. The request succeeded — the resource was created or replaced successfully, and there is no response body D. The device requires a commit operation to apply the changes

Correct answer is C. HTTP status code 204 No Content is the standard success response for PUT, PATCH, and DELETE operations in RESTCONF — it means the operation succeeded but there is no data to return in the response body. A 200 OK response (with body) is returned for successful GET requests. A 201 Created is returned for successful POST requests. A 204 from PUT or PATCH means the configuration was accepted and applied. See REST API Overview for full HTTP status code reference.

7. What is the key advantage of NETCONF's <lock> operation over RESTCONF for change management?

A. NETCONF's <lock> prevents other managers or engineers from making concurrent changes to the same datastore during a planned change window — RESTCONF has no equivalent locking mechanism B. Lock encrypts the configuration while it is being modified C. Lock prevents the device from being rebooted while changes are pending D. RESTCONF also supports locking via the X-Lock HTTP header

Correct answer is A. NETCONF's <lock> RPC exclusively locks a datastore for the duration of a change window. While locked, no other NETCONF manager (or CLI session on some platforms) can modify that datastore. This prevents race conditions where two automation tools simultaneously try to modify the same configuration. After the changes are committed, the manager sends <unlock> to release the lock. RESTCONF is stateless and has no lock mechanism — concurrent changes are possible and must be managed at the orchestration layer. See Network Automation Overview.

8. What single Cisco IOS XE command enables both NETCONF and YANG processing on the device?

A. ip netconf enable B. yang-manager start C. netconf ssh enable port 830 D. netconf-yang — this global configuration command enables the NETCONF agent on port 830 and activates YANG model processing. RESTCONF requires the additional restconf command.

Correct answer is D. On Cisco IOS XE, netconf-yang is the command that starts the NETCONF server on TCP port 830 and enables YANG data model processing. To also enable RESTCONF, you run restconf (which also requires ip http secure-server for HTTPS). Both commands require AAA to be configured and SSH to be working. You can verify the status with show platform software yang-management process. See: RESTCONF Lab | SSH Security

9. An automation script needs to read the BGP neighbour state and routing table of a Cisco IOS XE router using RESTCONF. Which YANG model path would be most appropriate?

A. The path does not matter — RESTCONF returns all data regardless of the YANG module specified B. For operational state (BGP peer status, live routing table), the path would use the operational data tree — for example, Cisco-IOS-XE native BGP operational models or ietf-routing/routing-state for routing data. A GET to the appropriate YANG path retrieves structured JSON with live operational values. C. RESTCONF can only read configuration data — operational state requires SNMP D. NETCONF and RESTCONF cannot retrieve routing table data — only NETFLOW supports this

Correct answer is B. RESTCONF can retrieve both configuration data (what you've configured) and operational data (live state — BGP adjacency status, interface counters, routing table entries). Operational paths on Cisco IOS XE typically use Cisco-native YANG modules (e.g., Cisco-IOS-XE-bgp-oper for BGP operational state). SNMP can also read operational data but returns unstructured binary MIB values rather than structured JSON. See: Python for Networking

10. How do NETCONF and RESTCONF differ in handling configuration changes to the running datastore?

A. Both require a separate commit command after every change B. RESTCONF writes to the candidate datastore; NETCONF writes directly to running C. NETCONF can stage multiple changes in a candidate datastore and commit them atomically — if any fails, all roll back. RESTCONF writes directly to the running datastore with each HTTP request taking effect immediately — no candidate or rollback capability D. They are equivalent — both write directly to running with each operation

Correct answer is C. This is the most important operational difference between NETCONF and RESTCONF. NETCONF's candidate datastore + commit provides atomic transactions — you can stage 10 changes and commit them all at once; if the 7th fails, the device rolls back to pre-change state. RESTCONF is stateless — each HTTP PUT/PATCH/DELETE takes effect immediately on the running config. A failure midway through a multi-step RESTCONF change leaves the device in a partially-changed state that must be manually resolved. Use show running-config to verify the active configuration after any change. See: NETCONF Lab

← Back to Home