Login
- Table of Contents
-
- 11-Network Management and Monitoring Command Reference
- 00-Preface
- 01-System maintenance and debugging commands
- 02-NQA commands
- 03-NTP commands
- 04-SNMP commands
- 05-RMON commands
- 06-Event MIB commands
- 07-NETCONF commands
- 08-EAA commands
- 09-Process monitoring and maintenance commands
- 10-Sampler commands
- 11-Mirroring commands
- 12-NetStream commands
- 13-IPv6 NetStream commands
- 14-sFlow commands
- 15-TCP connection trace commands
- 16-Performance management commands
- 17-Information center commands
- 18-GOLD commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 07-NETCONF commands | 98.66 KB |
netconf capability specific-namespace
netconf soap https ssl-server-policy
reset netconf service statistics
reset netconf session statistics
NETCONF commands
display netconf service
Use display netconf service to display current NETCONF service status and global NETCONF service statistics.
Syntax
display netconf service
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the current NETCONF service status and global NETCONF service statistics.
<Sysname> display netconf service
NETCONF over SOAP over HTTP: Enabled (port 80)
NETCONF over SOAP over HTTPS: Enabled (port 443)
NETCONF over SSH: Enabled (port 830)
NETCONF over Telnet: Enabled
NETCONF over Console: Enabled
SOAP timeout: 10 minutes Agent timeout: 10 minutes
Active sessions: 1
Service statistics:
NETCONF start time: 2015-10-10T08:08:08
Output notifications: 50
Output RPC errors: 20
Dropped sessions: 0
Sessions: 100
Received bad hellos: 0
Received RPCs: 1000
Received bad RPCs: 20
Table 1 Command output
|
Field |
Description |
|
SOAP timeout |
NETCONF session idle timeout time for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions. |
|
Agent timeout |
NETCONF session idle timeout time for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions. If this field displays 0, the timeout feature is disabled for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions. |
|
Active sessions |
Number of active NETCONF sessions. |
|
NETCONF start time |
Time when the NETCONF service was started. |
|
Output notifications |
Number of subscribed notifications output by the device. |
|
Output RPC errors |
Number of erroneous RPC requests output by the device. |
|
Dropped sessions |
Number of NETCONF sessions dropped due to timeout or abnormal network disconnection. |
|
Sessions |
Number of established NETCONF sessions. |
|
Received bad hellos |
Number of received erroneous hello messages. |
|
Received RPCs |
Total number of RPC requests received by the device. |
|
Received bad RPCs |
Number of received erroneous RPC requests. |
display netconf session
Use display netconf session to display NETCONF session status and statistics.
Syntax
display netconf session
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display NETCONF session status and statistics.
<Sysname> display netconf session
Session ID: 1 Session type: Agent
Username: test
Login time: 2015-10-10T08:08:08
Client IP address: 192.168.1.1
Session statistics:
Received RPCs : 10 Received bad RPCs : 0
Output RPC errors: 10 Output notifications: 0
Session ID: 2 Session type: SOAP
Username: test
Login time: 2015-10-10T08:08:08
Client IP address: 192.168.1.1
Session statistics:
Received RPCs : 10 Received bad RPCs : 0
Output RPC errors: 10 Output notifications: 0
Table 2 Command output
|
Field |
Description |
|
Session ID |
ID of the NETCONF session. |
|
Session type |
NETCONF session type: · soap—NETCONF over SOAP over HTTP or NETCONF over SOAP over HTTPS. · agent—NETCONF over SSH, NETCONF over Telnet, or NETCONF over console. |
|
Username |
Username used by the NETCONF client to establish the session. If the session type is agent and login authentication was not performed, this field displays a hyphen (-). |
|
Login time |
Time when the NETCONF session was established. |
|
Client IP address |
IP address of the NETCONF client. This field displays a hyphen (-) for NETCONF over console sessions. |
|
Received RPCs |
Number of received RPC requests. |
|
Received bad RPCs |
Number of received erroneous RPC requests. |
|
Output RPC errors |
Number of erroneous RPC requests output by the device. |
|
Output notifications |
Number of subscribed notifications output by the device. |
netconf capability specific-namespace
Use netconf capability specific-namespace to configure the device to use module-specific namespaces.
Use undo netconf capability specific-namespace to restore the default.
Syntax
netconf capability specific-namespace
undo netconf capability specific-namespace
Default
The device uses the common namespace.
Views
System view
Predefined user roles
network-admin
Usage guidelines
NETCONF supports both the common namespace and module-specific namespaces. The common namespace is incompatible with module-specific namespaces. To set up a NETCONF session, the device and the client must use the same type of namespaces. By default, the common namespace is used. If the client does not support the common namespace, use this command to configure the device to use module-specific namespaces.
For this command to take effect, you must reestablish the NETCONF session.
Examples
# Configure the device to use module-specific namespaces.
<Sysname> system-view
[Sysname] netconf capability specific-namespace
netconf idle-timeout
Use netconf idle-timeout to set the NETCONF session idle timeout time.
Use undo netconf idle-timeout to restore the default.
Syntax
netconf { soap | agent } idle-timeout minute
undo netconf { soap | agent } idle-timeout
Default
The NETCONF session idle timeout time is 10 minutes for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.
The NETCONF session idle timeout time is 0 minutes for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions. The sessions never time out.
Views
System view
Predefined user roles
network-admin
Parameters
soap: Specifies the NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.
agent: Specifies the NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions.
minute: Specifies the NETCONF session idle timeout time in minutes. The value range is as follows:
· 1 to 999 for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.
· 0 to 999 for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions. To disable the timeout feature, set this argument to 0.
Usage guidelines
If no NETCONF packets are exchanged on a NETCONF session within the NETCONF session idle timeout time, the device tears down the session.
Examples
# Set the NETCONF session idle timeout time to 20 minutes for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.
<Sysname> system-view
[Sysname] netconf soap idle-timeout 20
netconf log
Use netconf log to enable NETCONF logging.
Use undo netconf log to remove the configuration for the specified NETCONF operation sources and NETCONF operations.
Syntax
netconf log source { all | { agent | soap } * } { protocol-operation { all | { action | config | get | session | set | syntax | others } * } | row-operation | verbose }
undo netconf log source { all | { agent | soap } * } { protocol-operation { all | { action | config | get | session | set | syntax | others } * } | row-operation | verbose }
Default
By default, NETCONF logging is enabled to log each row operation in <action> and <edit-config> operation requests and is disabled for all other types of operation requests.
Views
System view
Predefined user roles
network-admin
Parameters
source: Specifies the NETCONF operation sources.
· all: Specifies NETCONF clients that use all protocols.
· agent: Specifies clients that use Telnet, SSH, NETCONF over Telnet, NETCONF over SSH, or NETCONF over console.
· soap: Specifies clients that use SOAP over HTTP or SOAP over HTTPS.
protocol-operation: Logs NETCONF operations by request. The system generates a pair of log messages to log each NETCONF operation request and reply.
· all: Specifies all types of NETCONF operations.
· action: Specifies the <action> operation.
· config: Specifies the configuration-related NETCONF operations, including the <CLI>, <save>, <load>, <rollback>, <lock>, <unlock>, and <save-point> operations.
· get: Specifies the data retrieval-related NETCONF operations, including the <get>, <get-config>, <get-bulk>, <get-bulk-config>, and <get-sessions> operations.
· session: Specifies session-related NETCONF operations, including the <kill-session> and <close-session> operations, and capability exchanges by hello messages.
· set: Specifies all <edit-config> operations.
· syntax: Specifies the requests that include XML and schema errors.
· others: Specifies NETCONF operations except for those specified by keywords action, config, get, set, session, and syntax.
row-operation: Logs NETCONF operations by row operation. The system generates one log message to record a row operation and its operation result. This option applies only to <action> and <edit-config> operations.
verbose: Generates one detailed log message for each request and reply of types of NETCONF operations. The detailed log message includes packet contents of format-correct requests and error information about failed <edit-config> operations.
Usage guidelines
If you specify the protocol-operation keyword, the device logs each of the matching operation request and the operation result. For example, if you perform a NETCONF operation to create VLANs 3 through 5, the device generates the following log messages:
%Mar 21 17:11:34:479 2017 H3C XMLSOAP/6/XML_REQUEST: test from 192.168.100.198, session id 2,message-id 100, receive edit-config request.
%Mar 21 17:11:34:483 2017 H3C XMLSOAP/6/EDIT-CONFIG: test from 192.168.100.198, session id 2,message-id 100, execute success.
If you specify the row-operation keyword, the device logs each row operation in an <action> or <edit-config> operation request. For example, if you send a NETCONF operation request to create VLANs 3 through 5, the device generates the following log messages:
%Mar 31 17:50:02:608 2017 H3C XMLSOAP/6/EDIT-CONFIG: User (test, 192.168.100.20, session ID 1), message ID=100, operation=create VLAN/VLANs (ID=3), result=Succeeded. No attributes.
%Mar 31 17:50:02:609 2017 H3C XMLSOAP/6/EDIT-CONFIG: User (test, 192.168.100.20, session ID 1), message ID=100, operation=create VLAN/VLANs (ID=4), result=Succeeded. No attributes.
%Mar 31 17:50:02:611 2017 H3C XMLSOAP/6/EDIT-CONFIG: User (test, 192.168.100.20, session ID 1), message ID=100, operation=create VLAN/VLANs (ID=5), result=Succeeded. No attributes.
This command generates NETCONF operation logs and sends them to the information center. With the information center, you can configure log destinations and output rules. For information about information center configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Configure the device to log NETCONF operations by row operation.
<Sysname> system-view
[Sysname] netconf log source all row-operation
netconf soap acl
Use netconf soap acl to apply an IPv4 ACL to control NETCONF over SOAP access.
Use undo netconf soap acl to restore the default.
Syntax
netconf soap { http | https } acl { ipv4-acl-number | name ipv4-acl-name }
undo netconf soap { http | https } acl
Default
No IPv4 ACL is applied to control NETCONF over SOAP access.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 2999.
http: Applies an IPv4 ACL to control NETCONF over SOAP over HTTP access.
https: Applies an IPv4 ACL to control NETCONF over SOAP over HTTPS access.
name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.
Usage guidelines
Only NETCONF clients permitted by the IPv4 ACL can establish NETCONF over SOAP sessions.
This command takes effect only if the ACL is an existing IPv4 basic ACL and has rules. If you do not configure this command or the ACL does not exist or does not have rules, all NETCONF clients can establish NETCONF over SOAP sessions. For information about ACL configuration ,see ACL and QoS Configuration Guide.
If you execute the netconf soap http acl command multiple times, the most recent configuration takes effect. The same is true for the netconf soap https acl command.
Examples
# Use IPv4 ACL 2001 to allow only NETCONF clients from subnet 10.10.0.0/16 to establish NETCONF over SOAP over HTTPS sessions.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] netconf soap https acl 2001
netconf soap domain
Use netconf soap domain to specify a mandatory authentication domain for NETCONF users.
Use undo netconf soap domain to restore the default.
Syntax
netconf soap domain domain-name
undo netconf soap domain
Default
No mandatory authentication domain is specified for NETCONF users.
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. For information about ISP domains, see Security Configuration Guide.
Usage guidelines
You can use one of the following methods to specify an authentication domain:
· Execute the netconf soap domain command to specify a mandatory authentication domain. After this command is executed, all NETCONF users are placed in the domain for authentication.
· Add an authentication domain to the <UserName> parameter of a SOAP request. The authentication domain takes effect only on the current request.
The authentication domain specified by using this command takes precedence over the authentication domain specified by the <UserName> parameter of a SOAP request.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify mandatory authentication domain my-domain for NETCONF users.
<Sysname> system-view
[Sysname] netconf soap domain my-domain
netconf soap dscp
Use netconf soap dscp to set the DSCP value for outgoing NETCONF over SOAP packets.
Use undo netconf soap dscp to restore the default.
Syntax
netconf soap { http | https } dscp dscp-value
undo netconf soap { http | https } dscp
Default
The DSCP value is 0 for outgoing NETCONF over SOAP packets.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP value in the range of 0 to 63. A larger DSCP value represents a higher priority.
http: Specifies NETCONF over SOAP over HTTP traffic.
https: Specifies NETCONF over SOAP over HTTPS traffic.
Usage guidelines
The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet.
Examples
# Set the DSCP value to 30 for outgoing NETCONF over SOAP over HTTP packets.
<Sysname> system-view
[Sysname] netconf soap http dscp 30
netconf soap enable
Use netconf soap enable to enable NETCONF over SOAP.
Use undo netconf soap enable to disable NETCONF over SOAP.
Syntax
netconf soap { http | https } enable
undo netconf soap { http | https } enable
Default
NETCONF over SOAP is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
http: Specifies NETCONF over SOAP over HTTP.
https: Specifies NETCONF over SOAP over HTTPS.
Usage guidelines
This command enables the device to resolve NETCONF messages that are encapsulated with SOAP in HTTP or HTTPS packets.
Examples
# Enable NETCONF over SOAP over HTTP.
<Sysname> system-view
[Sysname] netconf soap http enable
netconf soap https ssl-server-policy
Use netconf soap https ssl-server-policy to apply an SSL server policy to the NETCONF over SOAP over HTTPS service.
Use undo netconf soap https ssl-server-policy to restore the default.
Syntax
netconf soap https ssl-server-policy policy-name
undo netconf soap https ssl-server-policy
Default
No SSL server policy is applied to the NETCONF over SOAP over HTTPS service.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an SSL server policy name, a string of 1 to 31 characters.
Usage guidelines
The NETCONF over SOAP over HTTPS service will use the SSL server policy to enhance service security. For more information about SSL server policies, see SSL configuration in Security Configuration Guide.
You can configure this command only when NETCONF over SOAP over HTTPS is disabled.
This command takes effect after you enable NETCONF over SOAP over HTTPS.
If you execute this command multiple times, the most recent configuration takes effect.
After NETCONF over SOAP over HTTPS is enabled, changes to the applied SSL server policy do not take effect. For the changes to take effect, you must disable NETCONF over SOAP over HTTPS and then enable NETCONF over SOAP over HTTPS again.
Examples
# Apply SSL server policy myssl to the NETCONF over SOAP over HTTPS service.
<Sysname> system-view
[Sysname] netconf soap https ssl-server-policy myssl
Related commands
netconf soap enable
ssl server-policy (Security Command Reference)
netconf ssh server enable
Use netconf ssh server enable to enable NETCONF over SSH.
Use undo netconf ssh server enable to disable NETCONF over SSH.
Syntax
netconf ssh server enable
undo netconf ssh server enable
Default
NETCONF over SSH is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature allows you to use an SSH client to invoke NETCONF as an SSH subsystem. Then, you can directly use XML messages to perform NETCONF operations without using the xml command.
Before you execute this command, configure the authentication mode for users as scheme on the device. Then, the NETCONF-over-SSH-enabled user terminals can access the device through NETCONF over SSH.
Only capability set urn:ietf:params:netconf:base:1.0 is available. It is supported by both the device and user terminals.
Examples
# Enable NETCONF over SSH.
<Sysname> system-view
[Sysname] netconf ssh server enable
netconf ssh server port
Use netconf ssh server port to specify a port to listen for NETCONF over SSH session requests.
Use undo netconf ssh server port to restore the default.
Syntax
netconf ssh server port port-number
undo netconf ssh server port
Default
Port 830 listens for NETCONF over SSH session requests.
Views
System view
Predefined user roles
network-admin
Parameters
port-number: Specifies a port by its number in the range of 1 to 65535.
Usage guidelines
Make sure the specified port is not being used by other services.
Examples
# Specify port 800 to listen for NETCONF over SSH session requests.
<Sysname> system-view
[Sysname] netconf ssh server port 800
reset netconf service statistics
Use reset netconf service statistics to clear current global NETCONF service statistics.
Syntax
reset netconf service statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear current global NETCONF service statistics.
<Sysname> reset netconf service statistics
reset netconf session statistics
Use reset netconf session statistics to clear current NETCONF session statistics.
Syntax
reset netconf session statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear current NETCONF session statistics.
<Sysname> reset netconf session statistics
xml
Use xml to enter XML view.
Syntax
xml
Views
User view
Predefined user roles
network-admin
network-operator
Usage guidelines
In XML view, use NETCONF messages to configure the device or obtain data from the device. The NETCONF operations you can perform depend on the user roles you have, as shown in Table 3.
Table 3 NETCONF operations available for the predefined user roles
|
User role |
NETCONF operations |
|
network-admin |
All NETCONF operations |
|
network-operator |
· Get · Get-bulk · Get-bulk-config · Get-config · Get-sessions · Close-session |
To ensure the format correctness of NETCONF messages in XML view, do not enter NETCONF messages manually. Copy and paste the messages.
While the device is performing a NETCONF operation, do not perform any other operations, such as pasting a NETCONF message or pressing Enter.
For the device to identify NETCONF messages, you must add end mark ]]>]]> at the end of each NETCONF message.
After you enter XML view, the device automatically advertises its NETCONF capabilities to the client. In response, you must configure the client to notify the device of its supported NETCONF capabilities. After the capability exchange, you can use the client to configure the device.
NETCONF messages must comply with the XML format requirements and semantic and syntactic requirements in the NETCONF XML API reference for the device. As a best practice, use third-party software to generate NETCONF messages to ensure successful configuration.
To quit XML view, use a NETCONF message instead of the quit command.
If you have configured a shortcut key (Ctrl + C, by default) by using the escape-key command in user line/user line class view, the NETCONF message should not contain the shortcut key string. If the NETCONF message contains the shortcut key string, relevant configurations in XML view might be affected. For example, in user line view, you configured "a" as the shortcut key by using the escape-key a command. When a NETCONF message includes the character "a," only the contents after the last "a" in the message can be processed.
Examples
# Enter XML view.
<Sysname> xml
<?xml version="1.0" encoding="UTF-8"?><hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><capabilities><capability>urn:ietf:params:netconf:base:1.1</capability><capability>urn:ietf:params:netconf:writable-running</capability><capability>urn:ietf:params:netconf:capability:notification:1.0</capability><capability>urn:ietf:params:netconf:capability:validate:1.1</capability><capability>urn:ietf:params:netconf:capability:interleave:1.0</capability><capability>urn:h3c:params:netconf:capability:h3c-netconf-ext:1.0</capability></capabilities><session-id>1</session-id></hello>]]>]]>
# Notify the device of the NETCONF capabilities supported on the client.
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>
urn:ietf:params:netconf:base:1.0
</capability>
</capabilities>
</hello>]]>]]>
# Quit XML view.
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>]]>]]>
