Field	Description
SOAP timeout	NETCONF session idle timeout time for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.
Agent timeout	NETCONF session idle timeout time for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions.
Active sessions	Number of active NETCONF sessions.
NETCONF start time	Time when the NETCONF service was started.
Output notifications	Number of subscribed notifications output by the device.
Output RPC errors	Number of erroneous RPC requests output by the device.
Dropped sessions	Number of NETCONF sessions dropped due to timeout or abnormal network disconnection.
Sessions	Number of established NETCONF sessions.
Received bad hellos	Number of received erroneous hello messages.
Received RPCs	Total number of RPC requests received by the device.
Received bad RPCs	Number of received erroneous RPC requests.

display netconf session

Use display netconf session to display NETCONF session status and statistics.

Syntax

display netconf session

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Examples

# Display NETCONF session status and statistics.

<Sysname> display netconf session

Session ID: 1 Session type: Agent

Username: test

Client IP address: 192.168.1.1

Session statistics:

Received RPCs : 10 Received bad RPCs : 0

Output RPC errors: 10 Output notifications: 0

Session ID: 2 Session type: SOAP

Username: test

Client IP address: 192.168.1.1

Session statistics:

Received RPCs : 10 Received bad RPCs : 0

Output RPC errors: 10 Output notifications: 0

Table 2 Command output

Field	Description
Session ID	ID of the NETCONF session.
Session type	NETCONF session type: · soap—NETCONF over SOAP over HTTP or NETCONF over SOAP over HTTPS. · agent—NETCONF over SSH, NETCONF over Telnet, or NETCONF over console.
Username	Username used by the NETCONF client to establish the session. If the session type is agent and login authentication was not performed, this field displays a hyphen (-).
Login time	Time when the NETCONF session was established.
Client IP address	IP address of the NETCONF client. This field displays a hyphen (-) for NETCONF over console sessions.
Received RPCs	Number of received RPC requests.
Received bad RPCs	Number of received erroneous RPC requests.
Output RPC errors	Number of erroneous RPC requests output by the device.
Output notifications	Number of subscribed notifications output by the device.

netconf capability specific-namespace

Use netconf capability specific-namespace to configure the device to use module-specific namespaces.

Use undo netconf capability specific-namespace to restore the default.

Syntax

netconf capability specific-namespace

undo netconf capability specific-namespace

Default

The device uses the common namespace.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

NETCONF supports both the common namespace and module-specific namespaces. The common namespace is incompatible with module-specific namespaces. To set up a NETCONF session, the device and the client must use the same type of namespaces. By default, the common namespace is used. If the client does not support the common namespace, use this command to configure the device to use module-specific namespaces.

For this command to take effect, you must reestablish the NETCONF session.

Examples

# Configure the device to use module-specific namespaces.

<Sysname> system-view

[Sysname] netconf capability specific-namespace

netconf idle-timeout

Use netconf idle-timeout to set the NETCONF session idle timeout time.

Use undo netconf idle-timeout to restore the default.

Syntax

netconf { soap | agent } idle-timeout minute

undo netconf { soap | agent } idle-timeout

Default

The NETCONF session idle timeout time is 10 minutes for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.

The NETCONF session idle timeout time is 0 minutes for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions. The sessions never time out.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

soap: Specifies the NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.

agent: Specifies the NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions.

minute: Specifies the NETCONF session idle timeout time in minutes. The value range is as follows:

· 1 to 999 for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.

· 0 to 999 for NETCONF over SSH sessions, NETCONF over Telnet sessions, and NETCONF over console sessions. To disable the timeout feature, set this argument to 0.

Usage guidelines

If no NETCONF packets are exchanged on a NETCONF session within the NETCONF session idle timeout time, the device tears down the session.

Examples

# Set the NETCONF session idle timeout time to 20 minutes for NETCONF over SOAP over HTTP sessions and NETCONF over SOAP over HTTPS sessions.

<Sysname> system-view

[Sysname] netconf soap idle-timeout 20

netconf log

Use netconf log to enable NETCONF logging.

Use undo netconf log to remove the configuration for the specified NETCONF operation sources and NETCONF operations.

Syntax

netconf log source { all | { agent | soap | web } * } { protocol-operation { all | { action | config | get | session | set | syntax | others } * } | row-operation | verbose }

undo netconf log source { all | { agent | soap | web } * } { protocol-operation { all | { action | config | get | session | set | syntax | others } * } | row-operation | verbose }

Default

NETCONF logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

source: Specifies a NETCONF operation source that represents clients that use a protocol.

· all: Specifies NETCONF clients that use all protocols.

· agent: Specifies clients that use Telnet, SSH, NETCONF over console, or NETCONF over SSH.

· soap: Specifies clients that use SOAP over HTTP, or SOAP over HTTPS.

· web: Specifies clients that use Web.

protocol-operation: Logs requests and replies for specific types of NETCONF operations.

· all: Specifies all types of NETCONF operations.

· action: Specifies the <action> operation.

· config: Specifies the configuration-related NETCONF operations, including the <CLI>, <save>, <load>, <rollback>, <lock>, <unlock>, and <save-point> operations.

· get: Specifies the data retrieval-related NETCONF operations, including the <get>, <get-config>, <get-bulk>, <get-bulk-config>, and <get-sessions> operations.

· session: Specifies session-related NETCONF operations, including the <kill-session> and <close-session> operations, and capability exchanges by hello messages.

· set: Specifies all <edit-config> operations.

· syntax: Specifies the requests that include XML and schema errors.

· others: Specifies NETCONF operations except for those specified by keywords action, config, get, set, session, and syntax.

row-operation: Logs row operations for <action> and <edit-config> operations.

verbose : Logs detailed information about requests and replies for types of NETCONF operations, including packet contents of format-correct requests and error information about failed <edit-config> operations.

Usage guidelines

If you specify the protocol-operation keyword, the device logs the matching operation and operation results on a per-request basis. For example, if the device creates VLANs 3 through 5 in response to a NETCONF request, the device outputs the following log messages:

%Mar 21 17:11:34:479 2017 Sysname XMLSOAP/6/XML_REQUEST: test from 192.168.100.198, session id 2,message-id 100, receive edit-config request.

%Mar 21 17:11:34:483 2017 Sysname XMLSOAP/6/EDIT-CONFIG: test from 192.168.100.198, session id 2,message-id 100, execute success.

If you specify the row-operation keyword, the device logs each row operation and the operation result for an <action> or <edit-config> request. For example, if the device creates VLANs 3 through 5 in response to a NETCONF request, the device outputs one log message about each VLAN operation, as follows:

%Mar 31 17:50:02:608 2017 Sysname XMLSOAP/6/EDIT-CONFIG: User (test, 192.168.100.20, session ID 1), message ID=100, operation=create VLAN/VLANs (ID=3), result=Succeeded. No attributes.

%Mar 31 17:50:02:609 2017 Sysname XMLSOAP/6/EDIT-CONFIG: User (test, 192.168.100.20, session ID 1), message ID=100, operation=create VLAN/VLANs (ID=4), result=Succeeded. No attributes.

%Mar 31 17:50:02:611 2017 Sysname XMLSOAP/6/EDIT-CONFIG: User (test, 192.168.100.20, session ID 1), message ID=100, operation=create VLAN/VLANs (ID=5), result=Succeeded. No attributes.

For NETCONF to correctly send the generated logs to the information center, you must also configure the information center. For information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Configure the device to log NETCONF edit-config information sourced from agent clients.

<Sysname> system-view

[Sysname] netconf log source agent protocol-operation set

netconf soap acl

Use netconf soap acl to apply an ACL to control NETCONF over SOAP access.

Use undo netconf soap acl to restore the default.

Syntax

netconf soap { http | https } [ ipv6 ] acl { acl-number | name acl-name }

undo netconf soap { http | https } [ ipv6 ] acl

Default

No ACL is applied to control NETCONF over SOAP access.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

http: Applies an ACL to control NETCONF over SOAP over HTTP access.

https: Applies an ACL to control NETCONF over SOAP over HTTPS access.

ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not specify this keyword. This keyword is supported only if you have specified the http keyword.

acl-number: Specifies a numbered basic ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies a named ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

Usage guidelines

To control NETCONF over SOAP access, specify an ACL that exists and has rules.

· If the specified ACL exists and has rules, only clients permitted by the ACL can establish NETCONF over SOAP sessions. A client cannot establish a NETCONF over SOAP session with the device if it does not match the ACL or is denied by the ACL.

· If the applied ACL does not exist or does not have rules, any NETCONF clients can establish NETCONF over SOAP sessions with the device.

· To apply an ACL rule only to a VPN instance, specify that VPN instance in the rule. If you do not specify a VPN instance, the rule applies to packets on the public network.

If you execute the netconf soap http acl command multiple times, the most recent configuration takes effect. The same is true for the netconf soap https acl command.

Examples

# Use IPv4 ACL 2001 to allow only NETCONF clients from subnet 10.10.0.0/16 to establish NETCONF over SOAP over HTTP sessions.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap http acl 2001

# Use IPv6 ACL 2002 to allow only NETCONF clients from subnet 6::2/64 to establish NETCONF over SOAP over HTTP sessions.

<Sysname> system-view

[Sysname] acl ipv6 basic 2002

[Sysname-acl-ipv6-basic-2002] rule deny source 6::2 64

[Sysname-acl-ipv6-basic-2002] quit

[Sysname] netconf soap http ipv6 acl 2002

netconf soap domain

Use netconf soap domain to specify a mandatory authentication domain for NETCONF users.

Use undo netconf soap domain to restore the default.

Syntax

netconf soap domain domain-name

undo netconf soap domain

Default

No mandatory authentication domain is specified for NETCONF users.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. For information about ISP domains, see AAA in Security Configuration Guide.

Usage guidelines

You can use either of the following methods to specify an authentication domain:

· Execute the netconf soap domain command to specify a mandatory authentication domain. After you execute this command, all NETCONF users are placed in the domain for authentication.

· Add an authentication domain to the <UserName> parameter of a SOAP request. The authentication domain takes effect only on the current request.

The authentication domain specified by using this command takes precedence over the authentication domain specified by the <UserName> parameter of a SOAP request.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify mandatory authentication domain my-domain for NETCONF users.

<Sysname> system-view

[Sysname] netconf soap domain my-domain

netconf soap enable

Use netconf soap enable to enable NETCONF over SOAP.

Use undo netconf soap enable to disable NETCONF over SOAP.

Syntax

netconf soap { http | https } enable

undo netconf soap { http | https } enable

Default

NETCONF over SOAP is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

http: Specifies NETCONF over SOAP over HTTP.

https: Specifies NETCONF over SOAP over HTTPS.

Usage guidelines

This command enables the device to resolve NETCONF messages that are encapsulated with SOAP in HTTP or HTTPS packets.

Examples

# Enable NETCONF over SOAP over HTTP.

<Sysname> system-view

[Sysname] netconf soap http enable

netconf soap http port

Use netconf soap http port to specify a port to listen for NETCONF over SOAP over HTTP session requests.

Use undo netconf soap http port to restore the default.

Syntax

netconf soap http port port-number

undo netconf soap http port

Default

The device uses port 80 to listen for NETCONF over SOAP over HTTP session requests.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

port-number: Specifies a port by its number in the range of 1 to 65535.

Usage guidelines

Executing this command causes existing NETCONF over SOAP sessions to become ineffective. You must re-establish the sessions again.

Examples

# Use port 1000 to listen for NETCONF over SOAP over HTTP session requests.

<Sysname> system-view

[Sysname] netconf soap http port 1000

netconf soap https ssl-server-policy

Use netconf soap https ssl-server-policy to apply an SSL server policy to the NETCONF over SOAP over HTTPS service.

Use undo netconf soap https ssl-server-policy to restore the default.

Syntax

netconf soap https ssl-server-policy policy-name

undo netconf soap https ssl-server-policy

Default

No SSL server policy is applied to the NETCONF over SOAP over HTTPS service.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an SSL server policy name, a string of 1 to 31 characters.

Usage guidelines

The NETCONF over SOAP over HTTPS service will use the SSL server policy to enhance service security. For more information about SSL server policies, see SSL configuration in Security Configuration Guide.

You can configure this command only when NETCONF over SOAP over HTTPS is disabled.

This command takes effect after you enable NETCONF over SOAP over HTTPS.

If you execute this command multiple times, the most recent configuration takes effect.

After NETCONF over SOAP over HTTPS is enabled, changes to the applied SSL server policy do not affect established NETCONF over SOAP over HTTPS sessions. The changes affect only NETCONF over SOAP over HTTPS sessions established after the changes are made.

Examples

# Apply SSL server policy myssl to the NETCONF over SOAP over HTTPS service.

<Sysname> system-view

[Sysname] netconf soap https ssl-server-policy myssl

Related commands

netconf soap enable

ssl server-policy (Security Command Reference)

netconf ssh acl

Use netconf ssh acl to apply an IPv4 ACL to control NETCONF over SSH access.

Use undo netconf ssh acl to restore the default.

Syntax

netconf ssh acl { ipv4-acl-number | name ipv4-acl-name }

undo netconf ssh acl

Default

No IPv4 ACL is applied to control NETCONF over SSH access.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ipv4-acl-number: Specifies a numbered IPv4 ACL by its number in the range of 2000 to 2999.

name ipv4-acl-name: Specifies a numbered IPv4 basic ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

Usage guidelines

To control NETCONF over SSH access, specify an ACL that exists and has rules.

· If the specified ACL exists and has rules, only clients permitted by the ACL can establish NETCONF over SSH sessions.

· If no ACL is applied, all NETCONF clients can establish NETCONF over SSH sessions with the device.

· If the applied ACL does not exist or does not have rules, no NETCONF clients can establish NETCONF over SSH sessions with the device.

· To apply an ACL rule only to a VPN instance, specify that VPN instance in the rule. If you do not specify a VPN instance, the rule applies to packets on the public network.

For more information about ACL configuration, see ACL and QoS Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Use IPv4 ACL 2001 to allow only NETCONF clients from subnet 10.10.0.0/16 to establish NETCONF over SSH sessions.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf ssh acl 2001

Related commands

netconf soap acl

netconf ssh server enable

Use netconf ssh server enable to enable NETCONF over SSH.

Use undo netconf ssh server enable to disable NETCONF over SSH.

Syntax

netconf ssh server enable

undo netconf ssh server enable

Default

NETCONF over SSH is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

This feature allows you to use an SSH client to invoke NETCONF as an SSH subsystem. Then, you can directly use XML messages to perform NETCONF operations without using the xml command.

Before you execute this command, configure the authentication mode for users as scheme on the device. Then, the NETCONF-over-SSH-enabled user terminals can access the device through NETCONF over SSH.

Only capability set urn:ietf:params:netconf:base:1.0 is available. It is supported by both the device and user terminals.

Examples

# Enable NETCONF over SSH.

<Sysname> system-view

[Sysname] netconf ssh server enable

netconf ssh server port

Use netconf ssh server port to specify a port to listen for NETCONF over SSH session requests.

Use undo netconf ssh server port to restore the default.

Syntax

netconf ssh server port port-number

undo netconf ssh server port

Default

The device uses port 830 to listen for NETCONF over SSH session requests.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

port-number: Specifies a port by its number in the range of 1 to 65535.

Usage guidelines

Make sure the specified port is not being used by other services.

Examples

# Use port 800 to listen for NETCONF over SSH session requests.

<Sysname> system-view

[Sysname] netconf ssh server port 800

reset netconf service statistics

Use reset netconf service statistics to clear current global NETCONF service statistics.

Syntax

reset netconf service statistics

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear current global NETCONF service statistics.

<Sysname> reset netconf service statistics

Related commands

display netconf service

reset netconf session statistics

Use reset netconf session statistics to clear current NETCONF session statistics.

Syntax

reset netconf session statistics

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear current NETCONF session statistics.

<Sysname> reset netconf session statistics

Related commands

display netconf session

xml

Use xml to enter XML view.

Syntax

xml

Views

User view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

In XML view, use NETCONF messages to configure the device or obtain data from the device. The NETCONF operations you can perform depend on the user roles you have, as shown in Table 3.

Table 3 NETCONF operations available for the predefined user roles

User role	NETCONF operations
network-admin context-admin	All NETCONF operations
network-operator Context-operator	· Get · Get-bulk · Get-bulk-config · Get-config · Get-sessions · Close-session

User role

NETCONF operations

network-admin

context-admin

All NETCONF operations

network-operator

Context-operator

· Get

· Get-bulk

· Get-bulk-config

· Get-config

· Get-sessions

· Close-session

To ensure the format correctness of NETCONF messages in XML view, do not enter NETCONF messages manually. Copy and paste the messages.

While the device is performing a NETCONF operation, do not perform any other operations, such as pasting a NETCONF message or pressing Enter.

For the device to identify NETCONF messages, you must add end mark ]]>]]> at the end of each NETCONF message.

After you enter XML view, the device automatically advertises its NETCONF capabilities to the client. In response, you must configure the client to notify the device of its supported NETCONF capabilities. After the capability exchange, you can use the client to configure the device.

NETCONF messages must comply with the XML format requirements and semantic and syntactic requirements in the NETCONF XML API reference for the device. As a best practice, use third-party software to generate NETCONF messages to ensure successful configuration.

To quit XML view, use a NETCONF message instead of the quit command.

If you have configured a shortcut key (Ctrl + C, by default) by using the escape-key command in user line/user line class view, the NETCONF message should not contain the shortcut key string. If the NETCONF message contains the shortcut key string, relevant configurations in XML view might be affected. For example, in user line view, you configured "a" as the shortcut key by using the escape-key a command. When a NETCONF message includes the character "a," only the content after the last "a" in the message can be processed.

Examples

# Enter XML view.

<Sysname> xml

# Notify the device of the NETCONF capabilities supported on the client.

urn:ietf:params:netconf:base:1.0

</capability>

</capabilities>

</hello>]]>]]>

# Quit XML view.

<close-session/>

</rpc>]]>]]>

17-Network Management and Monitoring Command Reference

NETCONF commands

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us