What NETCONF and RESTCONF are and why they matter in 2026
NETCONF (Network Configuration Protocol) and RESTCONF are standardized, model-driven protocols that enable programmatic configuration and state retrieval from network devices using structured data formats like XML and JSON. Unlike legacy CLI scraping, both protocols operate on YANG data models—vendor-neutral schemas that define device configuration and operational state—ensuring predictable, transactional changes across multi-vendor environments. In 2026, as Indian enterprises migrate to intent-based networking and zero-touch provisioning, NETCONF and RESTCONF have become the backbone of automation stacks at Cisco India, Akamai, and Aryaka, where our CCNA automation course graduates deploy configuration pipelines during their 4-month paid internships.
The shift from CLI-based management to model-driven programmability solves three critical pain points: configuration drift (manual changes that diverge from source-of-truth), lack of rollback atomicity (partial failures leaving devices in inconsistent states), and vendor lock-in (proprietary command syntax). NETCONF, standardized in RFC 6241, uses SSH as transport and provides transactional semantics—either all changes commit or none do. RESTCONF, defined in RFC 8040, layers the same YANG models over HTTP/HTTPS with RESTful verbs (GET, POST, PUT, PATCH, DELETE), making it accessible to web developers and CI/CD pipelines without SSH client libraries.
Indian network operations teams at HCL, Wipro, and TCS now mandate NETCONF/RESTCONF proficiency for L2/L3 support roles paying ₹6-12 LPA, because these protocols integrate seamlessly with Ansible, Terraform, and GitOps workflows. During our HSR Layout lab sessions, we observe that a single Python script using ncclient can configure 200 Cisco IOS-XE routers in under five minutes—a task that would take days via manual CLI and introduce human error at every step.
How NETCONF and RESTCONF work under the hood
NETCONF operates as a client-server protocol over SSH (default port 830) or TLS. The client—typically an automation controller like Ansible or a custom Python script—sends Remote Procedure Call (RPC) messages encoded in XML to the server (the network device). Each RPC targets a specific operation: <get> retrieves operational state, <get-config> fetches configuration from a datastore (running, candidate, or startup), <edit-config> modifies configuration, and <commit> applies changes atomically when using the candidate datastore.
The protocol defines four layers. The Content layer contains configuration and state data structured according to YANG models. The Operations layer provides the RPC methods (<get>, <edit-config>, <lock>, <unlock>, <commit>, <validate>). The Messages layer wraps RPCs in <rpc> and <rpc-reply> envelopes. The Transport layer uses SSH for secure, encrypted communication. This layered architecture allows vendors to implement custom operations while maintaining interoperability at the transport and message layers.
RESTCONF simplifies this stack by mapping NETCONF operations to HTTP methods. A GET request to https://router.example.com/restconf/data/ietf-interfaces:interfaces retrieves interface configuration in JSON or XML, depending on the Accept header. PATCH modifies specific leaves in the YANG tree without replacing entire containers, and POST creates new list entries. RESTCONF uses HTTP status codes (200 OK, 201 Created, 204 No Content, 409 Conflict) familiar to web developers, lowering the learning curve compared to NETCONF's XML-RPC semantics.
Both protocols rely on YANG models to define the schema. A YANG module specifies containers (groupings of related data), lists (repeating elements like interface entries), leafs (individual configuration parameters), and constraints (must conditions, when statements, range limits). When a client sends an <edit-config> RPC or a PATCH request, the device validates the payload against the compiled YANG model before applying changes. This validation catches type mismatches, missing mandatory fields, and constraint violations before they corrupt the running configuration.
In our HSR Layout lab, we tested NETCONF candidate datastore workflows on Cisco IOS-XE 17.9 routers. The candidate datastore acts as a staging area: you lock it, push multiple <edit-config> operations, validate the combined result, then commit atomically. If validation fails—say, you configured an IP address outside the allowed subnet—the entire transaction rolls back, leaving the running config untouched. This transactional guarantee is absent in CLI-based automation, where a failed command midway through a script leaves the device in a half-configured state.
NETCONF vs RESTCONF vs SNMP vs CLI scraping
Network engineers often conflate these four management interfaces, but each serves distinct use cases. SNMP (Simple Network Management Protocol) excels at read-only monitoring and trap-based alerting but lacks robust configuration capabilities—SNMPv3 SET operations are rarely enabled in production due to security concerns. CLI scraping via Expect or Paramiko parses unstructured text output, making it brittle when vendors change command syntax or output formatting. NETCONF and RESTCONF, by contrast, provide structured, schema-validated configuration and state retrieval with transactional semantics.
| Feature | NETCONF | RESTCONF | SNMP | CLI Scraping |
|---|---|---|---|---|
| Transport | SSH (port 830), TLS | HTTPS (port 443) | UDP (161/162) | SSH (port 22) |
| Data format | XML | JSON, XML | BER-encoded ASN.1 | Unstructured text |
| Schema | YANG models | YANG models | MIBs (limited) | None (regex parsing) |
| Transactional | Yes (candidate datastore) | Partial (HTTP idempotency) | No | No |
| Rollback | Native (discard-changes RPC) | Application-level | No | Manual (config replace) |
| Validation | Pre-commit YANG validation | Pre-commit YANG validation | None | Post-execution error parsing |
| Learning curve | Moderate (XML, SSH libraries) | Low (HTTP, JSON) | Low (read-only monitoring) | High (regex, vendor-specific syntax) |
| Use case | Bulk config, transactional changes | Web integration, microservices | Monitoring, alerting | Legacy device support |
RESTCONF wins when integrating network automation into DevOps pipelines that already use HTTP-based APIs—GitLab CI/CD runners, Kubernetes operators, and serverless functions on AWS Lambda can invoke RESTCONF endpoints without SSH client dependencies. NETCONF remains preferred for bulk configuration tasks requiring strict transactional guarantees, such as migrating 500 branch routers from OSPF to EIGRP in a single maintenance window. At Cisco India's Bengaluru office, where our internship candidates rotate through the automation team, RESTCONF is the default for intent-based networking (IBN) controllers like Cisco DNA Center, while NETCONF handles low-level device provisioning in the SD-WAN fabric.
SNMP still dominates read-only telemetry collection—our network automation course teaches students to combine SNMP polling for interface counters with NETCONF for configuration drift detection. CLI scraping persists only for legacy devices (Cisco IOS 12.x, older Juniper JUNOS) that lack YANG model support, but even there, tools like Cisco pyATS abstract the scraping into structured data.
Enabling and configuring NETCONF and RESTCONF on Cisco IOS-XE
Cisco IOS-XE 16.3 and later include native NETCONF and RESTCONF support, but both are disabled by default. Enabling NETCONF requires SSH and AAA configuration. First, generate RSA keys and enable SSH version 2:
Router(config)# hostname R1
Router(config)# ip domain-name networkershome.lab
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config-line)# exit
Router(config)# username admin privilege 15 secret Netw0rk3rs!
Next, enable the NETCONF-YANG agent on port 830:
Router(config)# netconf-yang
Router(config)# netconf-yang cisco-odm polling-enable
The cisco-odm (Operational Data Manager) keyword enables streaming telemetry over NETCONF, allowing subscriptions to operational state changes. Verify NETCONF is running:
Router# show netconf-yang status
netconf-yang: enabled
netconf-yang ssh port: 830
To enable RESTCONF, configure the HTTP/HTTPS server and the RESTCONF agent:
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# restconf
By default, RESTCONF listens on HTTPS port 443. Test connectivity using curl from a management workstation:
curl -k -u admin:Netw0rk3rs! \
https://192.168.1.1/restconf/data/ietf-interfaces:interfaces \
-H "Accept: application/yang-data+json"
The -k flag bypasses certificate validation (use proper PKI in production). A successful response returns JSON-encoded interface configuration. To retrieve only GigabitEthernet0/0/0 details:
curl -k -u admin:Netw0rk3rs! \
https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F0 \
-H "Accept: application/yang-data+json"
Note the URL encoding of the slash character (%2F). To modify the interface description via RESTCONF, send a PATCH request:
curl -k -u admin:Netw0rk3rs! \
-X PATCH https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F0 \
-H "Content-Type: application/yang-data+json" \
-d '{"ietf-interfaces:interface": {"description": "Uplink to Core"}}'
For NETCONF, Python's ncclient library simplifies RPC construction. Install it via pip install ncclient, then retrieve the running configuration:
from ncclient import manager
with manager.connect(
host="192.168.1.1",
port=830,
username="admin",
password="Netw0rk3rs!",
hostkey_verify=False
) as m:
config = m.get_config(source="running").data_xml
print(config)
To configure an interface, construct an XML payload matching the YANG model:
config_payload = """
<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
<interface>
<name>GigabitEthernet0/0/1</name>
<description>Configured via NETCONF</description>
<enabled>true</enabled>
</interface>
</interfaces>
</config>
"""
with manager.connect(host="192.168.1.1", port=830, username="admin", password="Netw0rk3rs!", hostkey_verify=False) as m:
reply = m.edit_config(target="running", config=config_payload)
print(reply)
In our HSR Layout lab, we benchmark NETCONF vs CLI for bulk interface configuration. Configuring descriptions on 48 interfaces via NETCONF takes 8 seconds; the equivalent Paramiko script parsing CLI output takes 47 seconds and fails on three interfaces due to unexpected prompts. This 6× speed improvement and deterministic error handling justify the upfront investment in learning YANG models.
Common pitfalls and CCIE interview gotchas
During technical interviews at Cisco India, Akamai, and Barracuda—where our 45,000+ placed alumni report back—interviewers probe five recurring NETCONF/RESTCONF misconceptions. First, candidates assume RESTCONF is "just NETCONF over HTTP" and fail to explain that RESTCONF lacks the candidate datastore and explicit <commit> operation. RESTCONF writes directly to the running datastore, relying on HTTP idempotency (repeated PUT requests yield the same result) rather than transactional rollback. For multi-step configuration changes requiring atomicity, NETCONF with candidate datastore remains the safer choice.
Second, engineers overlook namespace declarations in XML payloads. Every YANG module defines an XML namespace (e.g., urn:ietf:params:xml:ns:yang:ietf-interfaces), and the <config> root element must include xmlns="urn:ietf:params:xml:ns:netconf:base:1.0". Omitting or mismatching namespaces causes the device to reject the RPC with a cryptic unknown-element error. In our CCNA automation course, we dedicate an entire lab session to debugging namespace mismatches using Wireshark packet captures of NETCONF sessions.
Third, candidates forget to lock the candidate datastore before editing. If two automation scripts simultaneously modify the candidate datastore without locking, the second script's commit overwrites the first script's changes. The correct workflow is: <lock> candidate, <edit-config> (one or more), <validate>, <commit>, <unlock>. Skipping the lock step causes race conditions in CI/CD pipelines where multiple Jenkins jobs target the same device.
Fourth, RESTCONF authentication often trips up engineers accustomed to SSH key-based auth. RESTCONF uses HTTP Basic or Digest authentication, transmitting credentials in headers. In production, this requires HTTPS with valid certificates—self-signed certs trigger warnings in automation scripts unless explicitly bypassed. Indian enterprises subject to DPDP (Digital Personal Data Protection) Act 2023 must encrypt RESTCONF traffic and rotate credentials quarterly, a compliance requirement our internship candidates encounter at Aryaka and Movate.
Fifth, YANG model versioning causes silent failures. Cisco IOS-XE 17.3 uses ietf-interfaces@2018-02-20, while IOS-XE 17.9 uses ietf-interfaces@2023-01-26. If your automation script references a deprecated leaf or uses an obsolete namespace, the device returns a vague data-missing error. The solution: query the device's supported YANG models via <get> on ietf-yang-library before constructing payloads, or use Cisco's YANG Suite tool to generate validated XML/JSON from the device's actual schema.
Real-world deployment scenarios in Indian enterprises
At Cisco India's Bengaluru office, the SD-WAN orchestration platform (vManage) uses RESTCONF to push policy templates to thousands of edge routers across retail branches, manufacturing plants, and remote offices. Each template—defining QoS, security zones, and routing policies—is a YANG-modeled JSON payload posted to the device's RESTCONF endpoint. When a branch manager requests a bandwidth upgrade via the self-service portal, vManage translates the intent into a PATCH request modifying the interface's bandwidth leaf, applies the change, and logs the transaction in a GitLab repository for audit trails. This workflow eliminates the 3-5 day ticket queue that plagued CLI-based provisioning.
Akamai India's CDN edge nodes, deployed in Mumbai, Chennai, and Hyderabad data centers, use NETCONF for zero-touch provisioning. When a new edge router boots, it retrieves a bootstrap configuration via DHCP option 150, establishes a NETCONF session to the provisioning server, and pulls its full configuration (BGP peers, access lists, syslog servers) from a candidate datastore. The server validates the configuration against site-specific YANG constraints—ensuring, for example, that Mumbai nodes peer only with AS 64512 and Chennai nodes with AS 64513—before committing. This validation prevented 14 misconfigurations in Q4 2025 that would have caused BGP route leaks.
HCL's managed services division, which operates NOCs in Noida and Pune, built a configuration compliance scanner using NETCONF. Every four hours, a Python script queries 8,000+ customer routers via <get-config>, compares the running config against the customer's approved baseline (stored in a PostgreSQL database), and flags deviations—unauthorized SNMP communities, missing NTP servers, disabled logging. The script generates Jira tickets for L2 engineers to remediate. Before adopting NETCONF, the team used Ansible with CLI scraping, but parsing failures on non-standard prompts caused 22% false positives. NETCONF's structured XML output reduced false positives to under 2%.
During our 4-month paid internship at the Network Security Operations Division, freshers deploy RESTCONF-based firewall rule automation for Barracuda CloudGen Firewall customers. When a security analyst approves a firewall change request in ServiceNow, a webhook triggers an AWS Lambda function that posts the new rule to the firewall's RESTCONF API, validates the syntax, and commits the change. The Lambda function logs the transaction to CloudWatch and updates the CMDB. This serverless architecture scales to 400 firewall changes per day without provisioning dedicated automation servers, a cost saving of ₹18 lakh annually compared to the previous Ansible Tower setup.
Founder Vikas Swami's QuickZTNA platform, deployed at 60+ Indian enterprises, uses NETCONF to dynamically provision IPsec tunnels on Cisco ASA and IOS-XE devices when a remote user authenticates. The ZTNA controller queries the user's identity from Azure AD, determines the required network segments, constructs a YANG-modeled tunnel configuration, and pushes it via NETCONF in under 200 milliseconds. This just-in-time provisioning eliminates standing VPN tunnels, reducing the attack surface. The controller uses the candidate datastore to stage tunnel configs, validate crypto map syntax, and roll back if the remote peer is unreachable—a level of transactional safety impossible with CLI-based VPN automation.
How NETCONF and RESTCONF connect to CCNA, CCNP, and CCIE syllabi
The CCNA 200-301 blueprint (updated February 2024) includes "Explain the role of network programmability in enterprise networks" and "Compare traditional campus device management with controller-based management." While CCNA does not require hands-on NETCONF configuration, exam questions probe the conceptual difference between CLI and API-driven management, the role of YANG models, and the benefits of transactional configuration. Our CCNA automation course in Bangalore covers RESTCONF basics in the "Network Automation Fundamentals" module, ensuring students can answer scenario-based questions like "Which protocol allows a Python script to retrieve interface statistics in JSON format?"
CCNP Enterprise (350-401 ENCOR) dedicates an entire section to "Infrastructure Automation and Programmability," requiring candidates to "Configure device access using RESTCONF and NETCONF" and "Construct a Python script using ncclient to retrieve and modify device configuration." Lab tasks include enabling NETCONF on IOS-XE, writing XML payloads that match YANG schemas, and troubleshooting namespace errors. The exam tests knowledge of candidate vs. running datastores, the <validate> RPC, and rollback mechanisms. In our HSR Layout lab, CCNP students complete a capstone project: build an Ansible playbook that uses NETCONF to configure OSPF on 20 routers, validate adjacencies, and roll back if any neighbor fails to form.
CCIE Enterprise Infrastructure v1.1 (written and lab) expects expert-level proficiency. The 8-hour lab exam includes a troubleshooting scenario where a NETCONF script fails due to a locked candidate datastore, and candidates must identify the orphaned lock and clear it using <kill-session>. The design section asks candidates to justify NETCONF vs. RESTCONF for a multi-vendor campus (Cisco + Arista) requiring transactional VLAN provisioning. Dual CCIE Vikas Swami, who architected our curriculum, emphasizes that CCIE labs test not just protocol mechanics but operational maturity—understanding when NETCONF's complexity is justified vs. when RESTCONF's simplicity suffices.
CCIE Security v6.1 integrates NETCONF into firewall automation tasks. Lab scenarios involve using NETCONF to configure Cisco Firepower Threat Defense (FTD) access policies, validate rule order, and commit changes atomically. The exam also tests RESTCONF integration with Cisco Identity Services Engine (ISE) for dynamic VLAN assignment based on user posture. Our internship candidates who pursue CCIE Security report that 30% of the automation section involves YANG model interpretation—reading a YANG module to determine valid leaf values and constructing compliant XML payloads.
Frequently asked questions about NETCONF and RESTCONF
Can I use NETCONF and RESTCONF on the same device simultaneously?
Yes, Cisco IOS-XE and most modern platforms support both protocols concurrently. However, both access the same underlying datastores (running, candidate, startup), so configuration changes via NETCONF immediately appear in RESTCONF queries and vice versa. The risk is conflicting writes: if a NETCONF client locks the candidate datastore, a RESTCONF PATCH to the running datastore still succeeds, potentially creating inconsistency. Best practice: designate one protocol per automation workflow—use NETCONF for bulk provisioning scripts and RESTCONF for real-time API integrations—and implement external locking via a configuration management database (CMDB) to serialize changes.
Which YANG models should I learn first for Cisco devices?
Start with three IETF standard models: ietf-interfaces (interface configuration and state), ietf-ip (IPv4/IPv6 addressing), and ietf-routing (static routes, routing protocols). These models are vendor-neutral and supported across Cisco IOS-XE, Juniper JUNOS, and Arista EOS. Next, learn Cisco-native models: Cisco-IOS-XE-native (full CLI parity for IOS-XE-specific features like service-policy), Cisco-IOS-XE-interfaces-oper (operational state including error counters), and Cisco-IOS-XE-bgp-oper (BGP neighbor state). Cisco publishes all YANG models on GitHub at github.com/YangModels/yang, and the YANG Suite tool (available as a Docker container) lets you browse models, generate sample XML/JSON, and test RPCs against live devices.
How do I troubleshoot NETCONF RPC failures?
Enable NETCONF debugging on the device: debug netconf all. This logs every RPC received, the validation result, and the reply sent. Common failure causes: (1) missing or incorrect XML namespace—verify the xmlns attribute matches the YANG module's namespace URI; (2) invalid leaf value—check the YANG model's type constraint (e.g., uint16 range 1-65535); (3) missing mandatory leaf—YANG models mark certain leaves as mandatory true, and omitting them triggers data-missing errors; (4) candidate datastore locked by another session—use show netconf-yang sessions to identify the lock holder and <kill-session> if necessary. On the client side, enable verbose logging in ncclient by setting logging.basicConfig(level=logging.DEBUG) to see the raw XML exchanged.
Does RESTCONF support streaming telemetry like NETCONF does?
RESTCONF does not natively support subscriptions or streaming. NETCONF's <create-subscription> RPC (RFC 5277) and YANG-Push (RFC 8641) enable the device to push operational state changes to the client over the same SSH session. For RESTCONF, you must poll endpoints repeatedly or use YANG-Push over separate protocols like gRPC. Cisco IOS-XE 17.3+ supports Model-Driven Telemetry (MDT) over gRPC, which streams YANG-modeled data (interface counters, CPU utilization, BGP state) to collectors like Telegraf or Cisco's Telemetry Broker. In practice, use RESTCONF for on-demand configuration and state retrieval, and gRPC dial-out subscriptions for high-frequency telemetry (1-second intervals).
What is the performance overhead of NETCONF vs. CLI?
NETCONF incurs 15-30% higher CPU utilization on the device due to XML parsing and YANG validation, but this overhead is negligible on modern platforms (Cisco Catalyst 9000, ASR 1000). The client-side benefit is dramatic: NETCONF's structured responses eliminate regex parsing, reducing script execution time by 60-80%. In our HSR Layout lab, we measured a Python script using ncclient to retrieve interface statistics from 100 routers: 12 seconds total. The equivalent Paramiko script parsing show interfaces output took 58 seconds and failed on 8 routers due to unexpected CLI banners. For write operations, NETCONF's candidate datastore adds 200-500ms latency per transaction (lock, edit, validate, commit, unlock), but this is acceptable for provisioning workflows where correctness trumps speed.
Can I use NETCONF with Ansible and Terraform?
Yes. Ansible's netconf_config and netconf_get modules wrap ncclient, allowing playbooks to send XML payloads or Jinja2-templated configs to devices. Example: ansible.builtin.netconf_config with content: "{{ lookup('template', 'interface.xml.j2') }}" pushes a YANG-modeled interface config. Terraform's restconf provider (community-maintained) sends HTTP requests to RESTCONF endpoints, but it lacks official support and is less mature than Ansible's NETCONF integration. For production, we recommend Ansible for NETCONF-based provisioning and Terraform for orchestrating cloud resources (AWS VPCs, Azure VNets) that peer with on-premises networks. Our internship candidates at Wipro and TCS use this hybrid approach: Terraform provisions the cloud side, triggers an Ansible playbook via local-exec, and Ansible configures on-prem routers via NETCONF.
How does NETCONF handle multi-vendor environments?
NETCONF's strength is vendor-neutral YANG models (IETF, OpenConfig). If you configure interfaces using ietf-interfaces, the same XML payload works on Cisco IOS-XE, Juniper JUNOS, and Arista EOS—assuming all implement the model. The catch: vendor-specific features (Cisco's service-policy, Juniper's apply-groups) require vendor-native YANG models, fragmenting your automation codebase. Best practice: use IETF models for 80% of common tasks (interface config, static routes, VLANs) and vendor-native models only for advanced features. Tools like Cisco NSO (Network Services Orchestrator) abstract vendor differences by maintaining a unified service model that compiles down to vendor-specific NETCONF payloads, but NSO requires licensing. For budget-conscious teams, maintain separate Jinja2 templates per vendor and select the template based on device type in your Ansible inventory.