Device management
4.3.a i Console and VTY
General information on “Console and VTY”:
- Console/VTY provide access to the CLI of the device
- For each line different parameters can be configured like timeout, allowed protocols (VTY only), authentication, …
Console:
- Provides access to the device using a Console cable
- Power up/boot process can be observed
- Available when device is powered on
VTY:
- Provides SSH and/or Telnet access to the device
- Available after the device is fully booted
“Console and VTY” CLI configuration commands:
## Entering the console line configuration
Router(config)# line con 0
## Entering the VTY line configuration
Router(config)# line vty <number>
## Configuring which AAA authentication method list the console/VTY line uses
Router(config-line)# login authentication <list-name>
## Configuring an inactivity timeout (minutes, optionally seconds) after which the session gets automatically disconnected
Router(config-line)# exec-timeout <minutes> [<seconds>]
## Configuring the allowed input/output protocols (e.g. only SSH, Telnet, ...)
Router(config-line)# transport input <protocol>
Router(config-line)# transport output <protocol>
## Configuring inbound/outbound access control with ACLs
Router(config-line)# access-class [ACL-NAME] [in | out]
4.3.a ii SSH, SCP
General information on “SSH”:
- Uses tcp/22
- Transport is encrypted
- Used for CLI access
General information on “SCP”:
- Uses tcp/22
- Based on SSH, used for file transfer
- AAA and SSH must be configured for SCP to work
“SSH, SCP” CLI configuration commands:
## Configuring SSH globally (basic configuration)
Router(config)# hostname <hostname>
Router(config)# ip domain-name <domain-name>
Router(config)# crypto key generate rsa [label <label>] [modulus <modulus>]
Router(config)# ip ssh version 2
## Configure VTY lines to only allow SSH connections
Router(config)# line vty <number>
Router(config-line)# transport input ssh
## Changing the SSH port for VTY lines
Router(config)# ip ssh port <port> rotary <group>
Router(config)# ip access-list extended [NAME]
Router(config-ext-nacl)# permit tcp [source] [target] eq <port>
Router(config)# line vty <number>
Router(config-line)# rotary <group>
Router(config-line)# access-class [ACL-NAME] in
## Disabling/Enabling SCP globally
Router(config)# [no] ip scp server enable
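The following Python script is an added example (not part of the original notes and not Cisco code) that audits an IOS running-config against the console/VTY and SSH items above: a per-line exec-timeout, a login authentication list, transport input ssh (checked as an exact match, because "transport input telnet ssh" would still permit Telnet), an inbound access-class, and ip ssh version 2 globally. The config text is a constructed sample, and the method list names, ACL name and addresses in it are assumptions.

```python
"""Audit an IOS running-config for console/VTY and SSH hardening.
Added example, not from the original notes; the config below is constructed."""
import re

# Constructed sample running-config (not taken from a real device)
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.example
ip ssh version 2
ip access-list standard MGMT-ACL
 permit 10.0.0.0 0.0.0.255
line con 0
 exec-timeout 5 0
 login authentication CONSOLE
line vty 0 4
 exec-timeout 10 0
 login authentication VTY
 transport input ssh
 access-class MGMT-ACL in
line vty 5 15
 transport input telnet ssh
"""

# Sub-commands every line stanza should carry, by line type ('con' / 'vty')
REQUIRED = {
    "con": ["exec-timeout", "login authentication"],
    "vty": ["exec-timeout", "login authentication", "transport input ssh", "access-class"],
}


def parse_lines(config):
    """Return {stanza header: [indented sub-commands]} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: 'ip ssh version 2' not set")
    for header, cmds in parse_lines(config).items():
        kind = header.split()[1]  # 'con' or 'vty'
        for needed in REQUIRED.get(kind, []):
            if needed == "transport input ssh":
                # exact match only: 'transport input telnet ssh' still allows Telnet
                ok = "transport input ssh" in cmds
            else:
                ok = any(c.startswith(needed) for c in cmds)
            if not ok:
                findings.append(f"{header}: missing '{needed}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script flags only "line vty 5 15", the stanza that still allows Telnet and has neither a timeout, an authentication list nor an access-class; feeding it "show running-config" output saved from a device works the same way.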
4.3.a iii RESTCONF, NETCONF
RESTCONF
REpresentational State Transfer Configuration Protocol
General information on “RESTCONF”:
- Uses HTTPS (tcp/443 by default) as transport protocol
- Requires enabling of HTTPS server
- HTTP verbs (POST, GET, PUT, PATCH, DELETE) are used to perform actions:
  - POST: Used to create a resource.
  - GET: Used to retrieve information from the system.
  - PUT: Used to replace a resource (full update).
  - PATCH: Used to make a partial update on a resource.
  - DELETE: Used to delete resources.
- HTTP response status codes:
  - 200: OK.
  - 201: Created.
  - 400: Bad request.
  - 401: Unauthorized.
  - 403: Forbidden.
  - 404: Not Found.
  - 500: Internal server error.
  - 503: Service unavailable.
- Utilizes YANG data models to communicate with network devices
- Data is most commonly encoded in JSON but XML is also supported
- Only a small set of IOS versions support RESTCONF (e.g. IOS-XE supports RESTCONF, “normal” IOS doesn’t)
- A privilege level 15 user is required for RESTCONF
- Differences to NETCONF:
  - Currently RESTCONF and NETCONF don’t have feature parity (RESTCONF is a functional subset of NETCONF)
  - RESTCONF messages are independent (no state tracking; the server does not know what was done previously)
  - RESTCONF sends single, independent requests whereas NETCONF establishes and maintains a session
  - RESTCONF = stateless, NETCONF = stateful
- More information about RESTCONF can be found at 5.3.c Interaction with Cisco IOS XE API
“RESTCONF” CLI configuration commands:
## Enabling HTTPS web server
Router(config)# ip http secure-server
## Enabling RESTCONF
Router(config)# restconf
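The following Python program is an added example (not part of the original notes and not Cisco code) that shows the RESTCONF request/response pattern described above: the YANG-data media type, Basic authentication, GET and POST on a data path, and the 200/201/400/401/404 status codes. Because it runs offline, it talks to a minimal stand-in server started on localhost that only mimics a RESTCONF server's URL layout and status codes; the interface data, credentials and the ietf-interfaces path are constructed. Against a real IOS-XE device the base URL would be https://<device> with "ip http secure-server" and "restconf" enabled, and TLS verification left on.

```python
"""RESTCONF request/response handling against a local stand-in server.
Added example, not from the original notes and not Cisco code; the server
only mimics RESTCONF URL layout, headers and status codes, and the data,
credentials and paths it serves are constructed."""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

YANG_JSON = "application/yang-data+json"  # RESTCONF media type for JSON-encoded YANG data

# Constructed datastore keyed by RESTCONF data path (not a real device)
FAKE_DATASTORE = {
    "/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1": {
        "ietf-interfaces:interface": {"name": "GigabitEthernet1", "enabled": True}
    }
}
CREDENTIALS = ("admin", "lab-password")  # constructed; a real device needs a level-15 user


def basic_token(user, password):
    """HTTP Basic credential as sent in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FakeRestconfHandler(BaseHTTPRequestHandler):
    """Stand-in RESTCONF server: auth check, GET/POST, RESTCONF-style status codes."""

    def _authorized(self):
        return self.headers.get("Authorization") == basic_token(*CREDENTIALS)

    def _reply(self, status, body=None):
        self.send_response(status)
        self.send_header("Content-Type", YANG_JSON)
        self.end_headers()
        if body is not None:
            self.wfile.write(json.dumps(body).encode())

    def do_GET(self):
        if not self._authorized():
            return self._reply(401)                   # Unauthorized
        if self.path not in FAKE_DATASTORE:
            return self._reply(404)                   # Not Found
        self._reply(200, FAKE_DATASTORE[self.path])   # OK

    def do_POST(self):
        if not self._authorized():
            return self._reply(401)
        length = int(self.headers.get("Content-Length", 0))
        payload = json.loads(self.rfile.read(length) or b"{}")
        if "ietf-interfaces:interface" not in payload:
            return self._reply(400)                   # Bad request: not the expected YANG node
        name = payload["ietf-interfaces:interface"]["name"]
        FAKE_DATASTORE[self.path.rstrip("/") + "/interface=" + name] = payload
        self._reply(201)                              # Created

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_fake_server():
    """Start the stand-in server on an ephemeral localhost port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeRestconfHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def restconf_call(base_url, method, path, body=None, auth=CREDENTIALS):
    """Send one RESTCONF request; returns (status code, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Accept", YANG_JSON)
    if data is not None:
        req.add_header("Content-Type", YANG_JSON)
    req.add_header("Authorization", basic_token(*auth))
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None  # 4xx/5xx: surface the status code to the caller


if __name__ == "__main__":
    url = start_fake_server()
    print(restconf_call(url, "GET", "/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1"))
    print(restconf_call(url, "GET", "/restconf/data/ietf-interfaces:interfaces", auth=("admin", "wrong")))
```

The client side is the part that carries over to a real device: the Accept/Content-Type media type, the /restconf/data/<module>:<container> path built from the YANG model, and treating every non-2xx status as a result to inspect rather than an exception to swallow.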
NETCONF
NETwork CONFiguration Protocol
General information on “NETCONF”:
- Uses SSH (tcp/830 by default) as transport protocol
- Requires a configured and working SSHv2 setup
- Utilizes YANG data models to communicate with network devices
- Data is most commonly encoded in XML but JSON is also supported
- IOS supports a “Global Session Lock” which allows only one client to change the config even if there are multiple NETCONF sessions established
- Only a small set of IOS versions support NETCONF (e.g. IOS-XE supports NETCONF, “normal” IOS doesn’t)
- A privilege level 15 user is required for NETCONF
- Terminology:
  - NETCONF Agent: NETCONF-capable device (the server side)
  - NETCONF Manager: client application that performs the configuration operations
  - Datastore: database/table of information on the Agent; the target of NETCONF commands
- Datastores:
  - <RUNNING>: Stores the running-configuration of the device.
  - <STARTUP>: Stores the startup-configuration of the device.
  - <CANDIDATE>: Stores the candidate-configuration of the device (comparable to ‘commit’ on VIPTELA/IOS-XR).
  - Important: Not all datastores are supported by all devices. The only required datastore is <RUNNING>.
- More information about NETCONF can be found at 5.3.c Interaction with Cisco IOS XE API
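The following Python code is an added example (not part of the original notes and not Cisco code) that models the start of a NETCONF session and a get-config exchange offline: parsing the agent's hello, deriving which datastores it advertises through capability URIs (so a manager can refuse to target <candidate> or <startup> on a device that only offers <running>, the caveat noted above), building the manager's hello and get-config RPCs, and reading both a data reply and an rpc-error reply. The hello, replies, session-id and interface name are constructed messages, not captures from a device; on a real device they would travel over the SSH subsystem on tcp/830.

```python
"""NETCONF hello / get-config exchange modelled offline.
Added example, not from the original notes and not Cisco code; every
message below is constructed to look like NETCONF base:1.0 traffic."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
DELIM = "]]>]]>"  # end-of-message delimiter of the base:1.0 framing

# Capability URIs that announce optional datastores; <running> needs no capability
DATASTORE_CAPS = {
    "urn:ietf:params:netconf:capability:candidate:1.0": "candidate",
    "urn:ietf:params:netconf:capability:startup:1.0": "startup",
}

# Constructed agent <hello>: the device sends this first, the manager answers with its own
AGENT_HELLO = f"""<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="{NS}">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
  </capabilities>
  <session-id>42</session-id>
</hello>{DELIM}"""

# Constructed <rpc-reply> to a <get-config> on the running datastore
AGENT_REPLY = f"""<rpc-reply xmlns="{NS}" message-id="101">
  <data>
    <interfaces xmlns="{IF_NS}">
      <interface><name>GigabitEthernet1</name><enabled>true</enabled></interface>
    </interfaces>
  </data>
</rpc-reply>{DELIM}"""

# Constructed error reply, e.g. for a user without sufficient privilege
AGENT_ERROR_REPLY = f"""<rpc-reply xmlns="{NS}" message-id="102">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
    <error-message>access denied</error-message>
  </rpc-error>
</rpc-reply>{DELIM}"""


def strip_delim(msg):
    """Remove the ]]>]]> end-of-message delimiter so the XML parses cleanly."""
    msg = msg.strip()
    return msg[:-len(DELIM)].strip() if msg.endswith(DELIM) else msg


def parse_hello(msg):
    """Return (session_id, set of capability URIs) from an agent <hello>."""
    root = ET.fromstring(strip_delim(msg))
    caps = {c.text.strip() for c in root.iter(f"{{{NS}}}capability")}
    sid = root.findtext(f"{{{NS}}}session-id")
    return (int(sid) if sid else None), caps


def supported_datastores(caps):
    """Datastores the agent advertises; <running> is mandatory and always listed."""
    return ["running"] + [name for uri, name in DATASTORE_CAPS.items() if uri in caps]


def build_client_hello():
    """Manager's <hello>: advertises only the base capability it speaks."""
    return (f'<hello xmlns="{NS}"><capabilities>'
            f'<capability>urn:ietf:params:netconf:base:1.0</capability>'
            f'</capabilities></hello>{DELIM}')


def build_get_config(datastore, message_id, caps):
    """Build a <get-config> RPC, refusing datastores the agent did not advertise."""
    if datastore not in supported_datastores(caps):
        raise ValueError(f"agent does not advertise the <{datastore}> datastore")
    return (f'<rpc xmlns="{NS}" message-id="{message_id}">'
            f'<get-config><source><{datastore}/></source></get-config>'
            f'</rpc>{DELIM}')


def parse_reply(msg):
    """Return (message-id, <data> Element or None, list of error messages)."""
    root = ET.fromstring(strip_delim(msg))
    errors = [e.findtext(f"{{{NS}}}error-message") or e.findtext(f"{{{NS}}}error-tag")
              for e in root.iter(f"{{{NS}}}rpc-error")]
    return root.get("message-id"), root.find(f"{{{NS}}}data"), errors


if __name__ == "__main__":
    session_id, capabilities = parse_hello(AGENT_HELLO)
    print("session", session_id, "datastores:", supported_datastores(capabilities))
    print(build_get_config("running", "101", capabilities))
    print(parse_reply(AGENT_ERROR_REPLY))
```

Matching the message-id of each rpc-reply to the rpc that was sent, and checking for rpc-error before touching data, is what a manager does on every exchange; the session-id from the hello is the value that "show netconf-yang sessions" lists on the device.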
“NETCONF” CLI configuration commands:
## Enabling NETCONF
Router(config)# netconf-yang
## Changing the NETCONF default port
Router(config)# netconf-yang ssh port <port>
“NETCONF” CLI show commands:
## Showing currently connected NETCONF sessions
Router# show netconf-yang sessions
## Showing available NETCONF datastores
Router# show netconf-yang datastore