Enable Protocol
- NETCONF
- gRPC
Note: Only the first root-lr user created on XR is synchronized as the first root-system user on System Admin; subsequent users are not synchronized and do not exist in System Admin. Hence, any operation through NETCONF or gRPC that requires sysadmin access fails when performed by those subsequent users. To overcome this limitation, create a user with the same name in System Admin and grant permission by assigning the user to the appropriate group.
For more information about protocols, see Communication Protocols.
Enable NETCONF over SSH Protocol
NETCONF is an XML-based protocol used over Secure Shell (SSH) transport to configure a network. The client applications use this protocol to request information from the router, and make configuration changes to the router.
For more information about NETCONF, see NETCONF Protocol.
Pre-requisites:
- Software package k9sec pie is installed on the router.
- Software package mgbl pie is installed on the router.
- Crypto keys are generated.
To enable the NETCONF protocol, complete these steps:
- Enable NETCONF protocol over an SSH connection.
  The default port number of 830 is used. A different port within the range of 1 to 65535 can be specified if required.
    ssh server v2
    ssh server netconf
    netconf agent tty
    netconf-yang agent ssh
- Set the session parameters.
    router (config)# netconf-yang agent session { limit value | absolute-timeout value | idle-timeout value }
  where:
  - limit value: sets the maximum count for concurrent netconf-yang sessions. The range is from 1 to 1024.
  - absolute-timeout value: sets the absolute session lifetime, in minutes. The range is from 1 to 1440.
  - idle-timeout value: sets the idle session lifetime, in minutes. The range is from 1 to 1440.
- Verify configuration settings for statistics and clients.
    router (config)# do show netconf-yang statistics
    router (config)# do show netconf-yang clients
Enable NETCONF
config
netconf-yang agent ssh
ssh server netconf port 830
!
Verify Configuration Using Statistics
show netconf-yang statistics
Summary statistics
requests| total time| min time per request| max time per request| avg time per request|
other 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
close-session 4| 0h 0m 0s 3ms| 0h 0m 0s 0ms| 0h 0m 0s 1ms| 0h 0m 0s 0ms|
kill-session 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
get-schema 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
get 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s
get-config 1| 0h 0m 0s 1ms| 0h 0m 0s 1ms| 0h 0m 0s 1ms| 0h 0m 0s 1ms|
edit-config 3| 0h 0m 0s 2ms| 0h 0m 0s 0ms| 0h 0m 0s 1ms| 0h 0m 0s 0ms|
commit 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
cancel-commit 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
lock 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
unlock 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
discard-changes 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
validate 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
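The statistics table can be read by a script to spot configuration-changing RPCs between two captures. The Python below is an added example, not Cisco's code: the sample text is constructed in the same layout, and `parse_statistics`, `write_activity` and the choice of `WRITE_OPS` are assumptions of this example.

```python
import re

# Constructed sample in the layout of `show netconf-yang statistics`;
# the `get` row is cut short, as a truncated capture would be.
SAMPLE = """\
Summary statistics
requests| total time| min time per request| max time per request| avg time per request|
close-session 4| 0h 0m 0s 3ms| 0h 0m 0s 0ms| 0h 0m 0s 1ms| 0h 0m 0s 0ms|
kill-session 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms|
get 0| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s 0ms| 0h 0m 0s
edit-config 3| 0h 0m 0s 2ms| 0h 0m 0s 0ms| 0h 0m 0s 1ms| 0h 0m 0s 0ms|
"""

ROW = re.compile(r"^\s*([a-z][a-z-]*)\s+(\d+)\|(.*)$")
DURATION = re.compile(r"^(\d+)h (\d+)m (\d+)s (\d+)ms$")
# RPCs that change device state or end another client's session.
WRITE_OPS = {"edit-config", "commit", "kill-session"}

def to_ms(field):
    """Convert '0h 0m 0s 3ms' to milliseconds; None if the field is incomplete."""
    m = DURATION.match(field.strip())
    if not m:
        return None
    h, mi, s, ms = map(int, m.groups())
    return ((h * 60 + mi) * 60 + s) * 1000 + ms

def parse_statistics(text):
    """Return {rpc: {requests, total_ms, min_ms, max_ms, avg_ms}} per table row."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, header or unrelated line
        cols = (m.group(3).split("|") + [""] * 4)[:4]
        total, lo, hi, avg = (to_ms(c) for c in cols)
        stats[m.group(1)] = {"requests": int(m.group(2)), "total_ms": total,
                             "min_ms": lo, "max_ms": hi, "avg_ms": avg}
    return stats

def write_activity(before, after):
    """RPCs in WRITE_OPS whose request count grew between two snapshots."""
    grew = {}
    for op in sorted(WRITE_OPS):
        if op in after:
            delta = after[op]["requests"] - before.get(op, {"requests": 0})["requests"]
            if delta > 0:
                grew[op] = delta
    return grew
```
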
Verify Configuration Using Clients
show netconf-yang clients
client session ID| NC version| client connect time| last OP time| last OP type| <lock>|
22969| 1.1| 0d 0h 0m 2s| 11:11:24| close-session| No|
What To Do Next:
After NETCONF is enabled, use the YANG data models to manage the relevant configurations.
Enable gRPC over HTTP/2 Protocol
Google-defined remote procedure call (gRPC) is an open-source RPC framework. gRPC supports the IPv4 and IPv6 address families.
For more information about gRPC, see gRPC Protocol.
- Configure TLS.
  Note: It is recommended to configure TLS. Enabling gRPC protocol uses the default HTTP/2 transport with no TLS enabled on TCP. gRPC mandates AAA authentication and authorization for all gRPC requests. If TLS is not configured, the authentication credentials are transferred over the network unencrypted. Enabling TLS ensures that the credentials are secure and encrypted. Non-TLS mode can only be used in a secure internal network.
- Software package mgbl pie is installed on the router.
- Enable gRPC over an HTTP/2 connection.
    Router# configure
    Router (config)# grpc
- Enable access to a specified port number.
  The <port-number> range is from 57344 to 57999. If a port number is unavailable, an error is displayed.
    Router (config-grpc)# port <port-number>
- In the configuration mode, set the session parameters.
    Router (config)# grpc { address-family | dscp | max-request-per-user | max-request-total | max-streams | max-streams-per-user | no-tls | service-layer | tls-cipher | tls-mutual | tls-trustpoint | vrf }
  where:
  - address-family: set the address family identifier type
  - dscp: set QoS marking DSCP on transmitted gRPC
  - max-request-per-user: set the maximum concurrent requests per user
  - max-request-total: set the maximum concurrent requests in total
  - max-streams: set the maximum number of concurrent gRPC requests. The maximum subscription limit is 128 requests. The default is 32 requests
  - max-streams-per-user: set the maximum concurrent gRPC requests for each user. The maximum subscription limit is 128 requests. The default is 32 requests
  - no-tls: disable transport layer security (TLS). The TLS is enabled by default.
  - service-layer: enable the grpc service layer configuration
  - tls-cipher: enable the gRPC TLS cipher suites
  - tls-mutual: set the mutual authentication
  - tls-trustpoint: configure trustpoint
  - server-vrf: enable server vrf
What To Do Next:
After gRPC is enabled, use the YANG data models to manage the relevant configurations.
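The NETCONF session bounds and the gRPC port and TLS settings described on this page can be checked in a candidate configuration before it is pushed. The Python below is an added example, not Cisco's code: `audit` and `value_of` are hypothetical names, both configurations are constructed, and it assumes one fully qualified command per line and a policy that every NETCONF session bound is set explicitly.

```python
import re

# Ranges quoted from the page.
SESSION_RANGES = {"limit": (1, 1024), "absolute-timeout": (1, 1440), "idle-timeout": (1, 1440)}
GRPC_PORTS = (57344, 57999)

def value_of(lines, prefix):
    """Integer argument of the line '<prefix> <n>', or None if absent."""
    for line in lines:
        m = re.fullmatch(re.escape(prefix) + r" (\d+)", line)
        if m:
            return int(m.group(1))
    return None

def audit(config):
    """Findings for a flat candidate config (one full command per line)."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    out = []
    if "netconf-yang agent ssh" in lines:
        if "ssh server v2" not in lines:
            out.append("netconf: ssh server v2 is not configured")
        for name, (lo, hi) in SESSION_RANGES.items():
            v = value_of(lines, f"netconf-yang agent session {name}")
            if v is None:  # assumed policy: each bound must be set explicitly
                out.append(f"netconf: session {name} is not set")
            elif not lo <= v <= hi:
                out.append(f"netconf: session {name} {v} is outside {lo}-{hi}")
    if any(l == "grpc" or l.startswith("grpc ") for l in lines):
        if "grpc no-tls" in lines:
            out.append("grpc: no-tls, credentials cross the network unencrypted")
        port = value_of(lines, "grpc port")
        if port is not None and not GRPC_PORTS[0] <= port <= GRPC_PORTS[1]:
            out.append(f"grpc: port {port} is outside {GRPC_PORTS[0]}-{GRPC_PORTS[1]}")
    return out

# Constructed candidate configurations (not taken from a real device).
WEAK = """netconf-yang agent ssh
netconf-yang agent session idle-timeout 2000
grpc port 58000
grpc no-tls
"""
HARDENED = """ssh server v2
ssh server netconf port 830
netconf-yang agent ssh
netconf-yang agent session limit 10
netconf-yang agent session absolute-timeout 60
netconf-yang agent session idle-timeout 10
grpc port 57400
"""
```
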