
🔧 YANG Configuration & Drift Detection Lab

Master NETCONF/RESTCONF and Configuration Management

🎯 Lab Overview

Welcome to the YANG Configuration & Configuration Drift Detection Lab. This lab is designed to provide hands-on experience with modern, model-driven programmability on Cisco IOS XE devices.

Why Model-Driven Programmability?
Traditional CLI-based automation relies on screen-scraping, which is brittle and prone to breakage when output formats change. Model-driven programmability uses structured data models (YANG) to provide a consistent, machine-readable interface for network operations.

What You'll Learn

  • YANG (Yet Another Next Generation): Understand the data modeling language used to define the structure of configuration and operational data.
  • NETCONF (RFC 6241): Use the Network Configuration Protocol over SSH to manage device configurations using XML.
  • RESTCONF (RFC 8040): Use the HTTP-based protocol to provide a RESTful interface for YANG-defined data, supporting both XML and JSON.
  • Configuration Drift Detection: Implement automated checks to compare live device configurations against a known-good baseline using Python.

Theoretical Background

YANG Model Types

  • Native Models: Device-specific models defined by the vendor (e.g., Cisco-IOS-XE-native) that cover almost every CLI command.
  • IETF Models: Standardized models defined by the Internet Engineering Task Force for common features like interfaces and routing.
  • OpenConfig Models: Vendor-neutral models developed by major cloud providers (Google, Microsoft, etc.) to normalize management across different vendors.

NETCONF vs. RESTCONF

| Feature          | NETCONF                              | RESTCONF                        |
|------------------|--------------------------------------|---------------------------------|
| Transport        | SSH (Port 830)                       | HTTP/S (Ports 80/443)           |
| Data Encoding    | XML                                  | XML or JSON                     |
| Operations       | get, get-config, edit-config, etc.   | GET, POST, PUT, PATCH, DELETE   |
| Transactionality | Full (Candidate, Commit, Rollback)   | Limited (Resource-based)        |
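The lab scripts below use NETCONF only. As an added example (not part of the original lab material), this shows the RESTCONF side of the table: how a /restconf/data URL and the RFC 8040 media type are formed, how a list key such as GigabitEthernet1/0/1 is percent-encoded so its slashes are not read as path separators, and how a JSON reply for ietf-interfaces is reduced to a summary. The reply is constructed inline; restconf_get() is the only function that needs a live device, and it validates the switch's TLS certificate against a CA bundle path you supply rather than disabling verification.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# RFC 8040 media type for YANG-modeled data encoded as JSON.
YANG_JSON = "application/yang-data+json"


def restconf_url(host, module, container, list_name=None, key=None):
    """Build a URL under the /restconf/data resource.

    A list-entry key is percent-encoded with safe='' so that the '/' inside a
    name such as GigabitEthernet1/0/1 becomes %2F instead of being read as a
    path separator, as RFC 8040 requires for keys in the request URI.
    """
    url = f"https://{host}/restconf/data/{module}:{container}"
    if list_name is not None:
        url += f"/{list_name}={urllib.parse.quote(key, safe='')}"
    return url


def restconf_headers(username, password):
    """Headers for a RESTCONF request: YANG-JSON encoding plus HTTP Basic auth,
    which is what IOS XE expects for the local 'username ... privilege 15' account."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "Accept": YANG_JSON,
        "Content-Type": YANG_JSON,
        "Authorization": f"Basic {token}",
    }


def restconf_get(url, username, password, ca_bundle):
    """GET a RESTCONF resource, validating the device certificate against ca_bundle.
    Needs a reachable device; not exercised by the offline demo below."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, headers=restconf_headers(username, password))
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def interface_summary(payload):
    """Reduce an ietf-interfaces reply to {name: (description, enabled)}.
    In JSON encoding the 'enabled' leaf is a real boolean, not the string
    'true'/'false' that XML carries."""
    entries = payload["ietf-interfaces:interfaces"]["interface"]
    return {
        i["name"]: (i.get("description", ""), bool(i.get("enabled", True)))
        for i in entries
    }


# Constructed sample reply in the shape RESTCONF returns for
# GET /restconf/data/ietf-interfaces:interfaces (not captured from a device).
SAMPLE_REPLY = {
    "ietf-interfaces:interfaces": {
        "interface": [
            {"name": "GigabitEthernet1/0/1", "description": "ENG-PORT-01",
             "type": "iana-if-type:ethernetCsmacd", "enabled": True},
            {"name": "GigabitEthernet1/0/2",
             "type": "iana-if-type:ethernetCsmacd", "enabled": False},
        ]
    }
}

if __name__ == "__main__":
    print(restconf_url("192.168.11.101", "ietf-interfaces", "interfaces",
                       "interface", "GigabitEthernet1/0/1"))
    print(interface_summary(SAMPLE_REPLY))
```

On IOS XE the `restconf` command alone is not enough for this to answer: the HTTPS server (`ip http secure-server`) must also be enabled, which the switch configuration in this lab does not include.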

Lab Environment

  • Switch Infrastructure: Three Cisco Catalyst 9000v switches (IOS XE 17.x).
  • Automation Server: Ubuntu server with Python 3.9+ and essential libraries (ncclient, requests, xmltodict).
  • Management Network: Dedicated OOB management subnet 192.168.11.0/24.

🗺️ Topology

                 Automation Server
                  192.168.11.10
                        |
         Management Network (192.168.11.0/24)
                        |
          +-------------+-------------+
          |             |             |
      SW-ACC-01     SW-ACC-02     SW-ACC-03
        .101          .102          .103

Device Details

| Device            | IP Address     | Role              |
|-------------------|----------------|-------------------|
| Automation Server | 192.168.11.10  | Config Management |
| SW-ACC-01         | 192.168.11.101 | Access Switch     |
| SW-ACC-02         | 192.168.11.102 | Access Switch     |
| SW-ACC-03         | 192.168.11.103 | Access Switch     |

⚙️ YANG-Based Configuration

Step 1: Install Python Libraries

sudo apt update
pip install ncclient requests xmltodict paramiko
Step 2: Enable NETCONF on Switches

configure terminal
hostname SW-ACC-01
interface GigabitEthernet0/0
 ip address 192.168.11.101 255.255.255.0
 no shutdown
netconf-yang
restconf
aaa new-model
username admin privilege 15 secret Cisco123!
end
write memory
Step 3: NETCONF Configuration Script

#!/usr/bin/env python3
from ncclient import manager

# Device connection
# hostkey_verify=False skips SSH host-key checking; acceptable only on a
# trusted lab management network.
device = {
    'host': '192.168.11.101',
    'port': 830,
    'username': 'admin',
    'password': 'Cisco123!',
    'hostkey_verify': False
}

# Configuration template
# The enclosing XML elements are reconstructed from the ietf-interfaces model
# (an assumption); only the interface name, description and enabled values
# are shown on this page.
config = """
<config>
  <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
    <interface>
      <name>GigabitEthernet1/0/1</name>
      <description>ENG-PORT-01</description>
      <enabled>true</enabled>
    </interface>
  </interfaces>
</config>
"""

# Apply configuration
with manager.connect(**device, device_params={'name': 'iosxe'}) as m:
    reply = m.edit_config(target='running', config=config)
    print("Configuration applied!" if reply.ok else "Failed")

✅ Save as configure_interface.py and run with python3 configure_interface.py
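The script above embeds its values in a string template, which is fine for fixed lab values but becomes a problem once the description or interface name comes from a ticket, a CMDB field or a CSV: a value containing `<`, `>` or `&` breaks the XML, or worse, is parsed as extra elements. As an added example (not code from the lab), this builds the same ietf-interfaces payload with ElementTree, which escapes leaf values on serialization, and parses the NETCONF `<rpc-reply>` to report `<rpc-error>` details instead of a bare "Failed". The two replies are constructed in the RFC 6241 shape; only apply_config() needs a live switch.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"


def build_interface_config(name, description, enabled):
    """Return an edit-config <config> payload for one ietf-interfaces entry.

    Leaf values are assigned through ElementTree .text, so '<', '>' and '&'
    in a description are written as &lt; &gt; &amp; instead of being
    interpreted as markup, which is what happens with str.format into a
    hand-written XML template.
    """
    config = ET.Element("config")
    interfaces = ET.SubElement(config, "interfaces", xmlns=IF_NS)
    iface = ET.SubElement(interfaces, "interface")
    ET.SubElement(iface, "name").text = name
    ET.SubElement(iface, "description").text = description
    ET.SubElement(iface, "enabled").text = "true" if enabled else "false"
    return ET.tostring(config, encoding="unicode")


def read_leaf(payload, leaf):
    """Round-trip helper: parse the payload and return the text of one leaf."""
    return ET.fromstring(payload).find(f".//{{{IF_NS}}}{leaf}").text


def parse_reply(reply_xml):
    """Return (ok, [error strings]) for an <rpc-reply> document."""
    root = ET.fromstring(reply_xml)
    if root.find(f"{{{NC_NS}}}ok") is not None:
        return True, []
    errors = []
    for err in root.findall(f"{{{NC_NS}}}rpc-error"):
        tag = err.findtext(f"{{{NC_NS}}}error-tag", "")
        msg = err.findtext(f"{{{NC_NS}}}error-message", "").strip()
        errors.append(f"{tag}: {msg}")
    return False, errors


def apply_config(device, payload):
    """Push payload to the running datastore with ncclient (needs a live device)."""
    from ncclient import manager  # imported here so the rest of the file runs offline
    with manager.connect(**device, device_params={"name": "iosxe"}) as m:
        return parse_reply(m.edit_config(target="running", config=payload).xml)


# Constructed replies in the RFC 6241 shape (not captured from a switch).
OK_REPLY = f'<rpc-reply xmlns="{NC_NS}" message-id="101"><ok/></rpc-reply>'
ERROR_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="102">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-message>bad element: description</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    # A description with markup characters is escaped, not injected
    print(build_interface_config("GigabitEthernet1/0/1", "ENG-PORT-01 <temp> & co", True))
    print(parse_reply(OK_REPLY))
    print(parse_reply(ERROR_REPLY))
```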

🔍 Configuration Drift Detection

Step 1: Create Baseline

#!/usr/bin/env python3
from ncclient import manager
import json
import xmltodict

device = {
    'host': '192.168.11.101',
    'port': 830,
    'username': 'admin',
    'password': 'Cisco123!',
    'hostkey_verify': False
}

# Subtree filter limiting what get-config returns. Reconstructed from the
# ietf-interfaces model (an assumption); the original filter body is not
# shown on this page.
filter_xml = """
<filter>
  <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"/>
</filter>
"""

with manager.connect(**device, device_params={'name': 'iosxe'}) as m:
    reply = m.get_config(source='running', filter=filter_xml)
    # Parse only the <data> element. The full rpc-reply carries a per-request
    # message-id attribute that changes on every poll and would be reported
    # as drift on every comparison.
    config = xmltodict.parse(reply.data_xml)

with open('baseline_SW-ACC-01.json', 'w') as f:
    json.dump(config, f, indent=2)

print("✅ Baseline created: baseline_SW-ACC-01.json")

Step 2: Drift Detection Script

#!/usr/bin/env python3
from ncclient import manager
import json
import xmltodict
from deepdiff import DeepDiff

def get_current_config(host):
    device = {
        'host': host,
        'port': 830,
        'username': 'admin',
        'password': 'Cisco123!',
        'hostkey_verify': False
    }
    # Same subtree filter as the baseline script (reconstructed from the
    # ietf-interfaces model, an assumption; the original body is not shown)
    filter_xml = """
    <filter>
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"/>
    </filter>
    """
    with manager.connect(**device, device_params={'name': 'iosxe'}) as m:
        reply = m.get_config(source='running', filter=filter_xml)
        # Parse the <data> element only, exactly as the baseline was stored
        return xmltodict.parse(reply.data_xml)

def detect_drift(baseline_file, host):
    # Load baseline
    with open(baseline_file, 'r') as f:
        baseline = json.load(f)

    # Get current config
    current = get_current_config(host)

    # Compare
    diff = DeepDiff(baseline, current, ignore_order=True)

    if diff:
        print(f"🚨 DRIFT DETECTED on {host}!")
        # DeepDiff results contain sets, which json.dumps cannot serialise;
        # to_json() handles them and passes indent through to json.dumps
        print(diff.to_json(indent=2))
        return True
    else:
        print(f"✅ No drift detected on {host}")
        return False

# Run detection
detect_drift('baseline_SW-ACC-01.json', '192.168.11.101')
⚠️ Install deepdiff: pip install deepdiff
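Comparing raw xmltodict output has two known sources of false alarms: xmltodict returns a single list entry as a dict but several entries as a list, and `@xmlns`-style attribute keys are not configuration. As an added example (not part of the lab's scripts, and independent of deepdiff), this normalizes both baseline and current data before comparing, keys interface entries by `name` so reordering is not drift, reports each change as a path, and assigns a severity so that a port brought up outside change control stands out from a description edit. The baseline and current structures are constructed inline in the shape xmltodict produces for an ietf-interfaces `<data>` element; the severity rules are this example's own choice, not something the lab defines.

```python
import json

IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"

# Attribute keys that xmltodict emits but that are not configuration.
IGNORE_KEYS = {"@xmlns", "@xmlns:nc", "@message-id"}


def normalize(node):
    """Turn xmltodict output into a stable structure for comparison.

    - drops keys in IGNORE_KEYS
    - wraps a lone list entry (returned by xmltodict as a dict) in a list
    - turns any list of entries carrying a 'name' leaf into a dict keyed by
      name, so reordering is not reported as drift
    """
    if isinstance(node, list):
        items = [normalize(i) for i in node]
        if items and all(isinstance(i, dict) and "name" in i for i in items):
            return {i["name"]: i for i in items}
        return items
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in IGNORE_KEYS:
                continue
            if isinstance(value, dict) and "name" in value:
                value = [value]  # single list entry flattened by xmltodict
            out[key] = normalize(value)
        return out
    return node


def flatten(node, prefix=""):
    """Map every leaf to its slash-separated path."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}/{key}"))
        return out
    if isinstance(node, list):
        out = {}
        for idx, value in enumerate(node):
            out.update(flatten(value, f"{prefix}[{idx}]"))
        return out
    return {prefix: node}


def drift(baseline, current):
    """Return [(kind, path, old, new)] for every leaf that differs."""
    b, c = flatten(normalize(baseline)), flatten(normalize(current))
    changes = []
    for path in sorted(set(b) | set(c)):
        if path not in c:
            changes.append(("removed", path, b[path], None))
        elif path not in b:
            changes.append(("added", path, None, c[path]))
        elif b[path] != c[path]:
            changes.append(("changed", path, b[path], c[path]))
    return changes


def severity(change):
    """Example rating: a port enabled outside change control, or an entry
    appearing/disappearing, is high; any other leaf edit is medium."""
    kind, path, _old, new = change
    leaf = path.rsplit("/", 1)[-1]
    if leaf == "enabled" and str(new).lower() == "true":
        return "high"
    if kind in ("added", "removed"):
        return "high"
    return "medium"


def report(host, changes):
    header = f"DRIFT DETECTED on {host}" if changes else f"No drift detected on {host}"
    return [header] + [
        f"{severity(c).upper():6} {c[0]:7} {c[1]}: {c[2]!r} -> {c[3]!r}" for c in changes
    ]


# Constructed data in the shape xmltodict.parse(reply.data_xml) returns.
# Current has the two interfaces in the other order and Gi1/0/2 brought up.
BASELINE = {"data": {"interfaces": {"@xmlns": IF_NS, "interface": [
    {"name": "GigabitEthernet1/0/1", "description": "ENG-PORT-01", "enabled": "true"},
    {"name": "GigabitEthernet1/0/2", "description": "UNUSED", "enabled": "false"},
]}}}
CURRENT = {"data": {"interfaces": {"@xmlns": IF_NS, "interface": [
    {"name": "GigabitEthernet1/0/2", "description": "UNUSED", "enabled": "true"},
    {"name": "GigabitEthernet1/0/1", "description": "ENG-PORT-01", "enabled": "true"},
]}}}
# One entry as a list versus the same entry as a bare dict: no real drift.
SINGLE_LIST = {"data": {"interfaces": {"@xmlns": IF_NS, "interface": [
    {"name": "GigabitEthernet1/0/1", "description": "ENG-PORT-01", "enabled": "true"}]}}}
SINGLE_DICT = {"data": {"interfaces": {"@xmlns": IF_NS, "interface":
    {"name": "GigabitEthernet1/0/1", "description": "ENG-PORT-01", "enabled": "true"}}}}

if __name__ == "__main__":
    print("\n".join(report("192.168.11.101", drift(BASELINE, CURRENT))))
    print(json.dumps(normalize(BASELINE), indent=2))
```

Storing `normalize(config)` instead of the raw parse (in the baseline script) keeps the JSON file stable across polls; the normalized structure can still be handed to DeepDiff if you prefer its output format.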
Step 3: Schedule Automated Monitoring

# Add to crontab
crontab -e

# Run drift detection hourly
0 * * * * cd ~/netauto && python3 drift_detection.py >> /var/log/drift.log 2>&1

🧠 Lab Assessment Quiz

Test your knowledge of YANG, NETCONF, and RESTCONF.

1. What does YANG stand for?
  • a) Yet Another Network Gateway
  • b) Yielding Analog Network Grid
  • c) Yet Another Next Generation
  • d) Yearly Automated Network Group
2. Which transport protocol does NETCONF use by default on port 830?
  • a) HTTP
  • b) SSH
  • c) Telnet
  • d) TLS
3. Which of the following is an HTTP-based protocol for YANG-modeled data?
  • a) SNMP
  • b) NETCONF
  • c) RESTCONF
  • d) gNMI
4. Which RESTCONF operation is typical for creating a new resource?
  • a) GET
  • b) DELETE
  • c) POST
  • d) OPTIONS
5. What is "Configuration Drift"?
  • a) The time it takes for a config to apply
  • b) Unauthorized or manual changes that deviate from the baseline
  • c) The physical movement of network cables
  • d) Dynamic routing protocol convergence
6. Which encoding format(s) does RESTCONF support?
  • a) Only XML
  • b) Only JSON
  • c) XML and JSON
  • d) Yaml and XML
7. Which YANG model type is standardized by the industry rather than a specific vendor?
  • a) Native Models
  • b) IETF Models
  • c) Legacy Models
  • d) Private Models
8. Which NETCONF operation is used to retrieve ONLY configuration data, excluding operational state?
  • a) get
  • b) get-config
  • c) edit-config
  • d) copy-config
9. What is the primary purpose of the NETCONF <hello> message exchanged during session establishment?
  • a) To authenticate the user
  • b) To synchronize the device clock
  • c) To exchange supported capabilities (YANG models)
  • d) To test the SSH connection latency
10. In RESTCONF, which top-level resource represents the combined configuration and state data?
  • a) /restconf/operations
  • b) /restconf/data
  • c) /restconf/yang-library
  • d) /restconf/config