Contents

NETCONF commands· 1

netconf log· 1

netconf soap http acl 2

netconf soap http dscp· 2

netconf soap http enable· 3

netconf soap https acl 4

netconf soap https dscp· 4

netconf soap https enable· 5

netconf ssh server enable· 5

netconf ssh server port 6

xml 7

 

NETCONF commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

netconf log

Use netconf log to enable NETCONF logging.

Use undo netconf log to remove the configuration for the specified NETCONF operation sources and NETCONF operations.

Syntax

netconf log source { all | { agent | soap } * } { { protocol-operation { all | { action | config | get | set | session | syntax | others } * } } | verbose }

undo netconf log source { all | { agent | soap } * } { { protocol-operation { all | { action | config | get | set | session | syntax | others } * } } | verbose }

Default

NETCONF logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

source: Specifies a NETCONF operation source that represents clients that use a protocol.

·     all: Specifies NETCONF clients that use all protocols.

·     agent: Specifies clients that use Telnet, SSH, console, or NETCONF over SSH.

·     soap: Specifies clients that use SOAP over HTTP, or SOAP over HTTPS.

protocol-operation: Specifies a NETCONF operation type.

·     all: Specifies all NETCONF operations.

·     action: Specifies the action operation.

·     config: Specifies the configuration-related NETCONF operations, including the CLI, save, load, rollback, lock, unlock, and save-point operations.

·     get: Specifies the data retrieval-related NETCONF operations, including the get, get-config, get-bulk, get-bulk-config, and get-sessions operations.

·     set: Specifies all edit-config operations.

·     session: Specifies session-related NETCONF operations, including the kill-session and close-session operations, and capability exchange by hello messages.

·     syntax: Specifies the requests that include XML and schema errors.

·     others: Specifies NETCONF operations except for those specified by keywords action, config, get, set, session, and syntax.

verbose: Logs detailed information about requests and replies for types of NETCONF operations, including packet contents of format-correct requests and error information about failed <edit-config> operations.

Examples

# Configure the device to log NETCONF edit-config information sourced from agent clients.

<Sysname> system-view

[sysname] netconf log source agent protocol-operation set

netconf soap http acl

Use netconf soap http acl to apply an ACL to NETCONF over SOAP over HTTP traffic.

Use undo netconf soap http acl to restore the default.

Syntax

netconf soap http acl { acl-number | name acl-name }

undo netconf soap http acl

Default

No ACL is applied to NETCONF over SOAP over HTTP traffic.

Views

System view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all. The specified ACL must be an existing IPv4 basic ACL.

Usage guidelines

This command is not available in FIPS mode.

Only NETCONF clients permitted by the ACL can access the device through SOAP over HTTP.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Use ACL 2001 to allow only NETCONF clients from subnet 10.10.0.0/16 to access the device through SOAP over HTTP.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap http acl 2001

netconf soap http dscp

Use netconf soap http dscp to set the DSCP value for outgoing NETCONF over SOAP over HTTP packets.

Use undo netconf soap http dscp to restore the default.

Syntax

netconf soap http dscp dscp-value

undo netconf soap http dscp

Default

The DSCP value is 0 for outgoing NETCONF over SOAP over HTTP packets.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies a DSCP value in the range of 0 to 63. A larger DSCP value represents a higher priority.

Usage guidelines

The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet.

Examples

# Set the DSCP value to 30 for outgoing NETCONF over SOAP over HTTP packets.

<Sysname> system-view

[Sysname] netconf soap http dscp 30

netconf soap http enable

Use netconf soap http enable to enable NETCONF over SOAP over HTTP.

Use undo netconf soap http enable to disable NETCONF over SOAP over HTTP.

Syntax

netconf soap http enable

undo netconf soap http enable

Default

NETCONF over SOAP over HTTP is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command is not available in FIPS mode.

This command enables the device to resolve NETCONF messages that are encapsulated with SOAP in HTTP packets.

Examples

# Enable NETCONF over SOAP over HTTP.

<Sysname> system-view

[Sysname] netconf soap http enable

netconf soap https acl

Use netconf soap https acl to apply an ACL to NETCONF over SOAP over HTTPS traffic.

Use undo netconf soap https acl to restore the default.

Syntax

netconf soap https acl { acl-number | name acl-name }

undo netconf soap https acl

Default

No ACL is applied to NETCONF over SOAP over HTTPS traffic.

Views

System view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all. The specified ACL must be an existing IPv4 basic ACL.

Usage guidelines

Only NETCONF clients permitted by the ACL can access the device through SOAP over HTTPS.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Use ACL 2001 to allow only NETCONF clients from subnet 10.10.0.0/16 to access the device through SOAP over HTTPS.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap https acl 2001

netconf soap https dscp

Use netconf soap https dscp to set the DSCP value for outgoing NETCONF over SOAP over HTTPS packets.

Use undo netconf soap https dscp to restore the default.

Syntax

netconf soap https dscp dscp-value

undo netconf soap https dscp

Default

The DSCP value is 0 for outgoing NETCONF over SOAP over HTTPS packets.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies a DSCP value in the range of 0 to 63. A larger DSCP value represents a higher priority.

Usage guidelines

The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet.

Examples

# Set the DSCP value to 30 for outgoing NETCONF over SOAP over HTTPS packets.

<Sysname> system-view

[Sysname] netconf soap https dscp 30

netconf soap https enable

Use netconf soap https enable to enable NETCONF over SOAP over HTTPS.

Use undo netconf soap https enable to disable NETCONF over SOAP over HTTPS.

Syntax

netconf soap https enable

undo netconf soap https enable

Default

NETCONF over SOAP over HTTPS is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to resolve NETCONF messages that are encapsulated with SOAP in HTTPS packets.

Examples

# Enable NETCONF over SOAP over HTTPS.

<Sysname> system-view

[Sysname] netconf soap https enable

netconf ssh server enable

Use netconf ssh server enable to enable NETCONF over SSH.

Use undo netconf ssh server enable to disable NETCONF over SSH.

Syntax

netconf ssh server enable

undo netconf ssh server enable

Default

NETCONF over SSH is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature allows you to use an SSH client to invoke NETCONF as an SSH subsystem. Then, you can directly issue XML messages to perform NETCONF operations without using the xml command.

Before you execute this command, configure the authentication mode for users as scheme on the device. Then, the NETCONF-over-SSH-enabled user terminals can access the device through NETCONF over SSH.

Only capability set urn:ietf:params:netconf:base:1.0 is available. It is supported by both the device and user terminals.

Examples

# Enable NETCONF over SSH.

<Sysname> system

[Sysname] netconf ssh server enable

netconf ssh server port

Use netconf ssh server port to specify a port to listen for NETCONF over SSH connections.

Use undo netconf ssh server port to restore the default.

Syntax

netconf ssh server port port-number

undo netconf ssh server port

Default

Port 830 listens for NETCONF over SSH connections.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a port by its number in the range of 1 to 65535.

Usage guidelines

When assigning a listening port, make sure the specified port is not being used by other services. The SSH service can share the same port with other services, but it might not operate correctly.

Examples

# Specify port 800 to listen for NETCONF over SSH connections.

<Sysname> system

[Sysname] netconf ssh server port 800

xml

Use xml to enter XML view.

Syntax

xml

Views

User view

Predefined user roles

network-admin

network-operator

Usage guidelines

In XML view, you can use NETCONF messages to configure the device or obtain data from the device. The NETCONF operations you can perform depend on the user roles you have, as shown in Table 1.

Table 1 NETCONF operations available for the predefined user roles

User role	NETCONF operations
network-admin	All NETCONF operations
network-operator	·     Get ·     Get-bulk ·     Get-bulk-config ·     Get-config ·     Get-sessions ·     Close-session

 

NETCONF messages must comply with the XML format requirements and the semantic and syntactic requirements in the NETCONF XML API reference for the switch. To ensure successful configuration, use third-party software to generate NETCONF messages.

To quit XML view, use a NETCONF message instead of the quit command.

If you have configured a shortcut key (Ctrl + C, by default) by using the escape-key command in user line/user line class view, the NETCONF message should not contain the shortcut key string. Otherwise, relevant configurations in XML view might be affected. For example, in user line view, you configured "a" as the shortcut key by using the escape-key a command. When a NETCONF message contains the character "a," only the contents after the last "a" in the message can be processed.

Examples

# Enter XML view.

<Sysname> xml

<?xml version="1.0" encoding="UTF-8"?><hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><capabilities><capability>urn:ietf:params:netconf:base:1.1</capability><capability>urn:ietf:params:netconf:writable-running</capability><capability>urn:ietf:params:netconf:capability:notification:1.0</capability><capability>urn:ietf:params:netconf:capability:validate:1.1</capability><capability>urn:ietf:params:netconf:capability:interleave:1.0</capability><capability>urn:h3c:params:netconf:capability:h3c-netconf-ext:1.0</capability></capabilities><session-id>1</session-id></hello>]]>]]>

# Quit XML view.

<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">

  <close-session>

  </close-session>

</rpc>]]>]]>

<Sysname>