-
Cisco Networking Services Configuration Guide, Cisco IOS XE Release 3S
-
Configuring Cisco Networking Services
-
CNS Configuration Agent
-
CNS Image Agent
-
CNS Event Agent
-
Cisco Networking Services Config Retrieve Enhancement with Retry and Interval
-
Cisco Networking Services Enhanced Results Message
-
Cisco Networking Services Flow-Through Provisioning
-
Cisco Networking Services Interactive CLI
-
Cisco Networking Services Security Enhancement
-
Command Scheduler (Kron)
-
Network Configuration Protocol
-
NETCONF over SSHv2
-
NETCONF Access for Configurations over BEEP
-
Feedback
Contents
- NETCONF over SSHv2
- Finding Feature Information
- Prerequisites for NETCONF over SSHv2
- Restrictions for NETCONF over SSH
- Information About NETCONF over SSHv2
- NETCONF over SSHv2
- How to Configure NETCONF over SSHv2
- Enabling SSH Version 2 Using a Hostname and Domain Name
- Enabling SSH Version 2 Using RSA Key Pairs
- Starting an Encrypted Session with a Remote Device
- Troubleshooting Tips
- What to Do Next
- Verifying the Status of the Secure Shell Connection
- Enabling NETCONF over SSHv2
- Configuration Examples for NETCONF over SSHv2
- Example: Enabling SSHv2 Using a Hostname and Domain Name
- Enabling Secure Shell Version 2 Using RSA Keys Example
- Starting an Encrypted Session with a Remote Device Example
- Configuring NETCONF over SSHv2 Example
- Additional References for NETCONF over SSHv2
- Feature Information for NETCONF over SSHv2
NETCONF over SSHv2
You can use the Network Configuration Protocol (NETCONF) over Secure Shell Version 2 (SSHv2) feature to perform network configurations via the Cisco command-line interface (CLI) over an encrypted transport. The NETCONF Network Manager, which is the NETCONF client, must use Secure Shell Version 2 (SSHv2) as the network transport to the NETCONF server. Multiple NETCONF clients can connect to the NETCONF server.
- Finding Feature Information
- Prerequisites for NETCONF over SSHv2
- Restrictions for NETCONF over SSH
- Information About NETCONF over SSHv2
- How to Configure NETCONF over SSHv2
- Configuration Examples for NETCONF over SSHv2
- Additional References for NETCONF over SSHv2
- Feature Information for NETCONF over SSHv2
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About NETCONF over SSHv2
NETCONF over SSHv2
To run the NETCONF over SSHv2 feature, the client (a Cisco device running Cisco software) establishes an SSH transport connection with the server (a NETCONF network manager). The following image shows a basic NETCONF over SSHv2 network configuration. The client and server exchange keys for security and password encryption. The user ID and password of the SSHv2 session running NETCONF are used for authorization and authentication purposes. The user privilege level is enforced and the client session may not have full access to the NETCONF operations if the privilege level is not high enough. If authentication, authorization, and accounting (AAA) is configured, the AAA service is used as if a user had established an SSH session directly to the device. Using the existing security configuration makes the transition to NETCONF almost seamless. Once the client has been successfully authenticated, the client invokes the SSH connection protocol and the SSH session is established. After the SSH session is established, the user or application invokes NETCONF as an SSH subsystem called “netconf.”
Secure Shell Version 2
SSHv2 runs on top of a reliable transport layer and provides strong authentication and encryption capabilities. SSHv2 provides a means to securely access and securely execute commands on another computer over a network.
NETCONF does not support SSH version 1. The configuration for the SSH Version 2 server is similar to the configuration for SSH version 1. Use the ip ssh version command to specify which version of SSH that you want to configure. If you do not configure this command, SSH by default runs in compatibility mode; that is, both SSH version 1 and SSH version 2 connections are honored.
NoteSSH version 1 is a protocol that has never been defined in a standard. If you do not want your device to fall back to the undefined protocol (version 1), you should use the ip ssh version command and specify version 2.
Use the ip ssh rsa keypair-name command to enable an SSH connection using Rivest, Shamir, and Adelman (RSA) keys that you have configured. If you configure the ip ssh rsa keypair-name command with a key-pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the key pair is generated later. If you use this command to enable SSH, you do not need to configure a hostname and a domain name.
How to Configure NETCONF over SSHv2
Enabling SSH Version 2 Using a Hostname and Domain Name
SUMMARY STEPSPerform this task to configure your device for SSH version 2 using a hostname and domain name. You may also configure SSH version 2 by using the RSA key pair configuration (see Enabling SSH Version 2 Using RSA Key Pairs).
1. enable
2. configure terminal
3. hostname hostname
4. ip domain-name name
5. crypto key generate rsa
6. ip ssh [timeout seconds | authentication-retries integer]
7. ip ssh version 2
DETAILED STEPSEnabling SSH Version 2 Using RSA Key Pairs
SUMMARY STEPSPerform this task to enable SSH version 2 without configuring a hostname or domain name. SSH version 2 will be enabled if the key pair that you configure already exists or if it is generated later. You may also configure SSH version 2 by using the hostname and domain name configuration. (See “Enabling SSH Version 2 Using a Hostname and Domain Name.)
1. enable
2. configure terminal
3. ip ssh rsa keypair-name keypair-name
4. crypto key generate rsa usage-keys label key-label modulus modulus-size
5. ip ssh [timeout seconds | authentication-retries integer]
6. ip ssh version 2
DETAILED STEPSStarting an Encrypted Session with a Remote Device
SUMMARY STEPSPerform this task to start an encrypted session with a remote networking device. (You do not have to enable your device. SSH can be run in disabled mode.)
From any UNIX or UNIX-like device, the following command is typically used to form an SSH session:
ssh -2 -s user@router.example.com netconf
DETAILED STEPS
Command or Action Purpose
Step 1 Do one of the following:
- ssh [-v {1 | 2}] [-c {3des| aes128-cbc | aes192-cbc| aes256-cbc}] [-m{hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96}] [l userid] [-o numberofpasswordprompts n] [-p port-num] {ip-addr | hostname} [command]
Example:Device# ssh -v 2 -c aes256-cbc -m hmac-sha1-96 -l user2 10.76.82.24
Example:Device# ssh -v 2 -c aes256-cbc -m hmac-sha1-96 user2@10.76.82.24Starts an encrypted session with a remote networking device.
The first example adheres to the SSH version 2 conventions. A more natural and common way to start a session is by linking the username with the hostname. For example, the second configuration example provides an end result that is identical to that of the first example.
Troubleshooting Tips
The ip ssh version command can be used for troubleshooting your SSH configuration. By changing versions, you can determine which SSH version has a problem.
What to Do Next
For more information about the ssh command, see the Cisco IOS Security Command Reference.
Verifying the Status of the Secure Shell Connection
SUMMARY STEPSPerform this task to display the status of the SSH connection on your device.
NoteYou can use the following show commands in user EXEC or privileged EXEC mode.
1. enable
2. show ssh
3. show ip ssh
DETAILED STEPS
Command or Action Purpose Examples
The following output from the show ssh command displays status about SSH version 2 connections.
Device# show ssh Connection Version Mode Encryption Hmac State Username 1 2.0 IN aes128-cbc hmac-md5 Session started lab 1 2.0 OUT aes128-cbc hmac-md5 Session started lab %No SSHv1 server connections running.The following output from the show ip ssh command displays the version of SSH that is enabled, the authentication timeout values, and the number of authentication retries.
Device# show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3Enabling NETCONF over SSHv2
Before You BeginSUMMARY STEPSSSHv2 must be enabled.
NoteThere must be at least as many vty lines configured as there are concurrent NETCONF sessions.
Note
1. enable
2. configure terminal
3. netconf ssh [acl access-list-number]
4. netconf lock-time seconds
5. netconf max-sessions session
6. netconf max-message size
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example:Device> enableEnables privileged EXEC mode.
Step 2 configure terminal
Example:Device# configure terminalEnters global configuration mode.
Step 3 netconf ssh [acl access-list-number]
Example:Device(config)# netconf ssh acl 1Enables NETCONF over SSHv2.
Step 4 netconf lock-time seconds
Example:Device(config)# netconf lock-time 60(Optional) Specifies the maximum time, in seconds, a NETCONF configuration lock is in place without an intermediate operation.
Step 5 netconf max-sessions session
Example:Device(config)# netconf max-sessions 5(Optional) Specifies the maximum number of concurrent NETCONF sessions allowed.
Step 6 netconf max-message size
Example:Device(config)# netconf max-message 37283(Optional) Specifies the maximum size, in kilobytes (KB), for the messages received in a NETCONF session.
Configuration Examples for NETCONF over SSHv2
Configuring NETCONF over SSHv2 Example
SUMMARY STEPSThe following example shows how to configure NETCONF over SSHv2:
Device# configure terminal Device(config)# netconf ssh acl 1 Device(config)# netconf lock-time 60 Device(config)# netconf max-sessions 5 Device(config)# netconf max-message 2345 Device# ssh-2 -s username@10.1.1.1 netconfThe following example shows how to get the configuration for loopback interface 113.
1. First, send the “hello”:
2. Next, send the get-config request:
DETAILED STEPS
Command or Action Purpose
Step 1 First, send the “hello”:
Example:<?xml version="1.0" encoding=\"UTF-8\"?> <hello><capabilities> <capability>u?rn:ietf:params:netconf:base:1.0</capability> <capability>urn:ietf:params:netconf:capability:writeable-running:1.0</capability> <capability>urn:ietf:params:netconf:ca?pability:roll?back-on-error:1.0</capability> <capability>urn:ietf:params:netconf:capability:startup:1.0</capability> <capability>urn:ietf:params:netconf:ca?pability:url:?1.0</capability> <capability>urn:cisco:params:netconf:capability:pi-data-model:1.0</capability> <capability>urn:cisco:params:netconf:capabili?ty:notificati?on:1.0</capability> </capabilities> </hello>]]>]]>Step 2 Next, send the get-config request:
Example:<?xml version="1.0"?> <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"xmlns:cpi="http://www.cisco.com/cpi_10/schema" message-id="101"> <get-config> <source> <running/> </source> <filter> <config-format-text-cmd> <text-filter-spec> interface Loopback113 </text-filter-spec> </config-format-text-cmd> </filter> </get-config> </rpc>]]>]]><?xml version="1.0" encoding="UTF-8"?> <rpc-reply message-id="101"xmlns=\"urn:ietf:params:netconf:base:1.0\"> <data> <cli-config-data> interface Loopback113 description test456 no ip address load-interval 30 end </cli-config-data> </data> </rpc-rep?ly>]]>]]>Additional References for NETCONF over SSHv2
Related Documents
Related Topic
Document Title
Cicso IOS Commands
NETCONF commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Cisco IOS Cisco Networking Services Command Reference
IP access lists commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Cisco IOS Security Command Reference
IP access lists
IP Access List Overview and Creating an IP Access List and Applying It to an Interface modules in the Cisco IOS Security Configuration Guide: Securing the Data Plane.
Secure Shell and Secure Shell Version 2
“Configuring Secure Shell” module in the Cisco IOS Security Configuration Guide: Securing User Services.
Technical Assistance
Description
Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Feature Information for NETCONF over SSHv2
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for NETCONF over SSHv2 Feature Name
Releases
Feature Information
NETCONF over SSHv2
Cisco IOS XE Release 2.1
12.2(33)SB
12.2(33)SRA
12.2(33)SXI
12.4(9)T
The NETCONF over SSHv2 feature enables you to perform network configurations via the Cisco command-line interface (CLI) over an encrypted transport.
The following commands were introduced or modified by this feature: netconf lock-time, netconf max-message, netconf max-sessions netconf ssh.
