Transport and sessions

SSH transport for NETCONF is supported on TCP port 830 with IPv4 or IPv6 in the ‟Base” routing instance.

NETCONF SSH sessions (similar to CLI, Secure Copy (SCP), and SSH File Transfer Protocol (sFTP) sessions) are subject to any configurable and non-configurable session limits; for example, inbound-max-sessions. The SSH server and NETCONF protocol must be enabled in the router configuration to use NETCONF.

Unlike CLI sessions, NETCONF sessions are not subject to automatic session timeout. Operators can manually disconnect sessions using the admin disconnect command.

NETCONF user accounts must exist on the SR OS to enable a client establishing a NETCONF session to log into the router. A new access type netconf is provided. The user must be configured with both console and netconf access.

Only authentication through the local user database is supported for NETCONF users (no RADIUS or TACACS+ authentication). Access to various CLI configuration and show commands (authorization) through NETCONF is controlled through the assigned user profile that is used to authenticate the underlying SSH session.

If a NETCONF request attempts to execute a CLI command that is outside the scope of its access profile, the system sends an error response.

Example

The following example shows a user request where the show command usage is outside the scope of the user’s access profile.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
        <get>
                <filter>
                        <oper-data-format-cli-block>
                                <cli-show>system security</cli-show>
                        </oper-data-format-cli-block>
                </filter>
        </get>
</rpc>
]]>]]>
Example

The following example shows the reply.

<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <rpc-error>
        <error-type>application</error-type>
        <error-tag>operation-failed</error-tag>
        <error-severity>error</error-severity>
        <error-info>
            <err-element>cli-show</err-element>
        </error-info>
        <error-message>
            command failed - 'show system security'
            MINOR: CLI Command not allowed for this user.
        </error-message>
    </rpc-error>
</rpc-reply>
]]>]]>
Parent topic: NETCONF in SR OS