NETCONF and YANG: Building Programmable Networks
Model-driven Network Management with Nokia SROS
What is YANG?
YANG ( Yet Another Next Generation) is a data modeling language that defines the structure, semantics, and constraints of configuration and state data for network devices and services. YANG modules outline the hierarchical schema, including nodes, types, constraints, RPCs, and notifications. YANG has become the networking industry standard for data modeling because it is human readable, extensible and easy to learn
A YANG model defines a tree structure and data is mapped into this tree. A model is defined in a text file and comprises a module and, optionally, submodules, which when compiled together form the tree.
YANG is a way to enforce constraints on data inputs. These may inputs used from an API encoded as XML and JSON. The device will check if the data adheres to the underlying model
YANG Module Definition
module nokia-types-bgp
module nokia-types-bgp {
yang-version "1.1";
namespace "urn:nokia.com:sros:ns:yang:sr:types-bgp";
prefix "types-bgp";
import nokia-sros-yang-extensions { prefix "sros-ext"; }
import nokia-types-sros { prefix "types-sros"; }
sros-ext:sros-major-release "rel22";
revision "2022-05-03";
typedef llgr-family-identifiers {
type enumeration {
enum "ipv4" { value 1; }
enum "vpn-ipv4" { value 2; }
enum "ipv6" { value 3; }
enum "vpn-ipv6" { value 5; }
enum "l2-vpn" { value 6; }
enum "flow-ipv4" { value 10; }
enum "route-target" { value 11; }
enum "flow-ipv6" { value 14; }
enum "label-ipv4" { value 17; }
enum "label-ipv6" { value 18; }
enum "flow-vpn-ipv4" { value 23; }
enum "flow-vpn-ipv6" { value 24; }
}
}
A module name is specified in the module nokia-types-bgp section, with nokia-types-bgp as the name of the new YANG module. A yang-version indicates the version number of the YANG definition used by the author, not the module itself. This is typically 1.0 or 1.1. For new modules, it's recommended to start with the latest version.
A prefix is a short name used within YANG modules for quick reference to the modules. An import is used alongside the module name of the YANG module being imported.
A revision number is formatted as a date and should be updated whenever the module changes. A type definition (typedef) defines custom types using standardized YANG elements.
Exploring YANG in Depth
YANG STATEMENTS
Leaf Nodes
Simple data such as an integer or a string
Represents a single value
No children
# YANG
leaf host-name {
type string;
description "Hostname for this system";
}
# NETCONF XML
<host-name>codednetwork.com</host-name>
Leaf-List Nodes
This is just like leaf statement but there can be multiple instances
one value of a particular type per leaf
# YANG
leaf-list name-server {
type string;
description "List of DNS servers to query"
}
# NETCONF XML
<name-server>8.8.8.8</name-server>
<name-server>4.4.4.4</name-server>
List Nodes
It allows you to create a list of leafs or leaf-lists
Each entry is structure or a record instance
# YANG
list vlan {
key "id";
leaf id {
type int;
range 1..4094;
}
leaf name {
type string;
}
}
# NETCONF XML
<vlan>
<id>100</id>
<name>web_vlan</name>
</vlan>
<vlan>
<id>200</id>
<name>app_vlan</name>
</vlan>
Container Nodes
It is used to group nodes in a subtree
It only contains child nodes and has no value
May contain number of child nodes of any type (including leafs, lists, containers and leaf-lists
# YANG
container system {
container login-control {
container pre-login message {
leaf message {
type (*);
description
"Message displayed prior to the login prompt";
}
}
}
# NETCONF XML
<system>
<login-control>
<pre-login message>
<message> Learning Yang is cool </message>
</pre-login message>
</login-control>
</system>
What is NETCONF ?
Overview
NETCONF is a standardized IETF configuration management protocol specified in RFC 6241, known as Network Configuration Protocol (NETCONF) . It is secure, connection-oriented, and runs on top of the SSHv2 transport protocol as specified in RFC 6242 . NETCONF is an XML-based protocol that can be used as an alternative to CLI or SNMP for managing an SR OS router
NETCONF uses RPC messaging for communication between NETCONF client and NETCONF server running on SROS. An RPC message and configuration or state data is encapsulated within an XML document. The SR OS NETCONF interface supports configuration, state and various router operations
Client Server
|=== TRANSPORT ================================|
|<--- TCP SYN -------------------------------->|
|<-- TCP SYN-ACK ----------------------------->|
|--- SSH handshake + userauth ---------------->|
|<-- SSH userauth success ---------------------|
|--- SSH subsystem "netconf" request --------->|
|<-- SSH channel success ----------------------|
| |
|=== SESSION ==================================|
|<--<hello> session-id=42, capabilities -------|
|---<hello> capabilities --------------------->|
| |
|=== OPERATIONS ===============================|
|--- <rpc> get-config(running) --------------->|
|<--<rpc-reply> <data>…<data> -----------------|
| |
|=== TEARDOWN =================================|
|--- <rpc> close-session --------------------->|
|<--<rpc-reply> <ok/> -------------------------|
|--- SSH channel close ----------------------->|
message exchange
Protocol Stack
| Content | yang formatted information |
|---|---|
| Operations | Specific functions that operators can do on the server (get-config, edit-config) |
| Messages | three main message types - Remote Procedure Calls (RPCs) : Instructions /requests formatted in XML . Notification : information provided from the server not in direct response to a RPC. Hello : Special message used in communication setup and capabilities discovery |
| Secure Transport | NETCONF is not a transport layer. It is layered on top of a secured-orientated transport protocol eg SSH , HTTP/TLS |
Enabling NETCONF Nokia SROS
# Step 1 - Ensure model-driven mode is enabled
A:R1# configure system management-interface configuration-mode model-driven
# Step 2 - Enable NETCONF and Auto-save
(gl)[configure system management-interface]
A:admin@R1#
netconf {
admin-state enable
auto-config-save true
}
# Step 3 - Select the YANG Modules
(gl)[configure system management-interface]
A:admin@R1#
yang-modules {
nokia-modules false
nokia-combined-modules true
}
# Step 4 - Create user with NETCONF access
(gl)[configure local-user {
user "netconf" {
password "<password-here>"
access {
netconf true
}
console {
member ["administrative"]
}
}
} system security user-params]
# Step 5 - Grant lock and kill permissions
(gl)[configure system security aaa local-profiles profile "administrative"] A:admin@R1#
netconf {
base-op-authorization {
kill-session true
lock true
}
}
NETCONF - Base Operations
NETCONF - Interacting with Nokia SROS
Connect with SSH
The simplest and the easiest way to interact with a router is by using SSH.
ssh admin@<host-ip> -p 830 -s netconf
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0
</capability>
<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1
</capability>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0
</capability>
<capability>urn:ietf:params:netconf:capability:notification:1.0
</capability>
<capability>urn:ietf:params:netconf:capability:interleave:1.0
</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.0
</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.1
</capability>
<capability>urn:ietf:params:netconf:capability:startup:1.0
</capability>
<capability>urn:ietf:params:netconf:capability:url:1.0
scheme=ftp,tftp,file<</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring
</capability>
<capability>urn:nokia.com:sros:ns:yang:sr:major-release:24
</capability>
<capability>urn:ietf:params:xml:ns:yang:iana-if-type?module=iana-if-
type&revision=2014-05-08</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.0?
revision=2016-06-21&module-set-id=gOPkB60aiVyk5<
</capability>
</capabilities>
</session-id>57677<session-id>
</hello>
truncated capabilities
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabalities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
</capabilities>
</hello>
]]>]]>
# Retrieve the services
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get-config>
<source><candidate/></source>
<filter>
<configure xmlns="urn:nokia.com:sros:ns:yang:sr:conf">
<service>
</service>
</configure>
</filter>
</get-config>
</rpc>
]]>]]>
# RPC-REPLY with services
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0>
<data>
<configure xmlns="urn:nokia.com:sros:ns:yang:sr:conf" xmlns:nokia-attr="urn:nokia.com:sros:ns:yang:sr:attributes">
<service>
<epipe>
<service-name>test</service-name>
<admin-state>enable</admin-state>
<service-id>10</service-id>
<customer>1</customer>
<spoke-sdp>
<sdp-bind-id>10:10</sdp-bind-id>
<admin-state>enable</admin-state>
</spoke-sdp>
</epipe>
<sdp>
<sdp-id>10</sdp-id>
<admin-state>enable</admin-state>
<description>pysros-example</description>
<delivery-type>mpls</delivery-type>
<far-end>
<ip-address>10.10.10.2</ip-address>
</far-end>
<lsp>
<lsp-name>PE1-to-PE2</lsp-name>
</lsp>
</sdp>
</service>
</configure>
</data>
</rpc-reply>
Connect with netconf-console2
netconf-console2 is a console application built to interact with network devices using NETCONF. It allows engineers and automation systems to send NETCONF Remote Procedure Call (RPC) operations to a device. It can run in two modes:
Command-line mode: Used to execute one or more RPC operations in a single shell command.
Interactive (console) mode: Provides an interactive session where a user can issue multiple commands sequentially, with limited support for tab-completion
# Install netconf-console2
pip install netconf-console2
# Retrieve configuration
netconf-console2 --host=<host-ip> -u <username> -p <password> --port=830 --get-config
# Configuration results
<?xml version='1.0' encoding='UTF-8'?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<configure xmlns="urn:nokia.com:sros:ns:yang:sr:conf" xmlns:nokia-attr="urn:nokia.com:sros:ns:yang:sr:attributes">
<groups>
<group>
<name>test</name>
<router>
<router-name> Base </router-name>
<interface>loop</interface>
<ip-mtu>444</ip-mtu>
</interface>
</router>
<group>
</groups>
<card>
<slot-number>1</slot-number>
<card-type>iom-1<card-type>
<mda>
<mda-slot>1</mda-slot>
<mda-type>me12-100gb-qsfp28</mda-type>
</mda>
</card>
............. [output truncated]
Connect with NETCONF client for Visual Studio Code
This extension adds an interactive NETCONF client to Visual Studio Code, connecting to NETCONF servers such as NOKIA IP routers (SR OS and SRLinux). It brings NETCONF into the editor so you can manage modern network equipment directly from VS Code using the standard NETCONF protocol.
If you're not familiar with Python or using libraries like NAPALM and ncclient to interact with a router running NETCONF, this VS Code extension is perfect for you. The interface is user-friendly and easy to navigate.
Create the connect-name , host-ip and enter the credentials
Click connect icon to start interacting with the Nokia SROS
Base operations options
Other Tools
PYANG
pyang is a YANG validator and converter that checks YANG modules for correctness and generates documentation or code stubs.
Convert YANG into a tree diagram
# Execute the below command
pyang -f tree nokia-state.yang > nokia-state.tree
nokia-state tree structure sample
Generate html/javascript tree
# Execute the below command
pyang -f jstree nokia-state.yang > nokia-state.jstree
Then you can browse the YANG on a web browser
Conclusion
The CLI era gave network engineers power and flexibility, but at the cost of machine-readability, validation, and safe rollback. Every vendor implemented their own syntax, every script was fragile, and every change carried the risk of an unrecoverable typo. NETCONF and YANG fundamentally transform the way network configurations are managed , the device exposes a schema, accepts structured configuration, validates every change before it is deployed, and can roll back automatically.
That shift — from text scraping to model-driven management — is not just a technical improvement. It is what makes large-scale network automation reliable enough to trust in production. When your automation toolchain uses YANG, it knows what a valid interface configuration looks like before it ever touches a router. When it uses confirmed commit, a misconfiguration cannot disable a device permanently. When it subscribes to NETCONF notifications, it reacts to events rather than polling every 60 seconds hoping nothing changed.
" The combination of a strongly-typed schema language, a transactional RPC protocol, and a mandatory encrypted transport is not accidental — it is a deliberate architecture designed for the scale and reliability demands of modern network operations "
