Python NETCONF & YANG — Core Concepts
Why this matters in production
CLI-based network management (SSH into a device, type commands) does not scale. It is fragile, hard to audit, and nearly impossible to roll back cleanly. NETCONF replaces that ad-hoc approach with a structured protocol where configuration is sent as XML, validated against a schema (YANG), and applied transactionally — meaning it either fully succeeds or fully rolls back.
Major vendors (Cisco, Juniper, Arista, Nokia) support NETCONF. As networks grow more complex and “infrastructure as code” becomes standard, NETCONF and YANG are becoming the API layer for network equipment.
How NETCONF works
NETCONF runs over SSH (port 830 by default) and uses XML for all messages. The protocol defines several operations:
- get — Retrieve operational data (interface status, counters).
- get-config — Retrieve the device configuration.
- edit-config — Modify the configuration.
- copy-config — Replace the entire configuration.
- lock / unlock — Prevent other sessions from making changes during yours.
- commit — Apply candidate configuration changes (on devices that support candidate datastores).
- validate — Check configuration validity without applying it.
The transactional model is the key advantage: you can lock the config, make changes to a candidate datastore, validate, commit if valid, and unlock. If anything fails, nothing changes.
What YANG defines
YANG is a data modeling language that describes the structure of device configuration and state. A YANG model specifies:
- Containers and lists — Hierarchical groupings (like an “interfaces” container with a list of “interface” entries).
- Leaves — Individual settings (hostname, IP address, MTU).
- Types — Data validation (IP address format, integer ranges, enumerations).
- Constraints — Rules like “this value must be unique” or “this setting requires that other setting.”
Vendors publish YANG models for their devices. The IETF publishes standard models that work across vendors (like the ietf-interfaces model).
Python libraries
- ncclient — The standard Python NETCONF client. Handles SSH sessions, XML message framing, and the RPC protocol.
- scrapli-netconf — A newer alternative with a cleaner API, built on the scrapli SSH framework.
- pyang — Validates and compiles YANG models. Useful for understanding what a device supports.
Practical workflow
- Discover capabilities — Connect to the device and read its “hello” message, which lists supported YANG models and NETCONF features.
- Get current config — Fetch the running or candidate configuration as XML.
- Build the change — Construct an XML payload matching the YANG model structure.
- Lock, edit, validate, commit, unlock — Apply the change transactionally.
- Verify — Fetch the config again to confirm the change took effect.
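The workflow above, sketched as an added example that is not code from the original page: it checks the advertised capabilities, builds a namespace-qualified payload that sets the description of an existing interface, and runs lock, edit, validate, commit with a discard on failure. It assumes `m` is an ncclient `Manager` session (from `manager.connect(...)`) and that the device lists the ietf-interfaces module in its hello; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
# Capability URI prefixes this change depends on (candidate datastore,
# validate in either version, and the ietf-interfaces module).
REQUIRED = (
    "urn:ietf:params:netconf:capability:candidate:1.0",
    "urn:ietf:params:netconf:capability:validate:",
    IF,
)


def missing_capabilities(caps):
    """Return required capability prefixes absent from the device hello."""
    return [r for r in REQUIRED if not any(c.startswith(r) for c in caps)]


def build_description_change(name, description):
    """Build a namespace-qualified <config> payload for ietf-interfaces.

    Using an XML builder instead of string formatting means every element
    carries its namespace and values are escaped, so an untrusted
    description cannot inject extra elements into the payload.
    """
    config = ET.Element(f"{{{NC}}}config")
    interfaces = ET.SubElement(config, f"{{{IF}}}interfaces")
    iface = ET.SubElement(interfaces, f"{{{IF}}}interface")
    ET.SubElement(iface, f"{{{IF}}}name").text = name
    ET.SubElement(iface, f"{{{IF}}}description").text = description
    return ET.tostring(config, encoding="unicode")


def apply_change(m, payload):
    """Lock, edit, validate, commit on candidate; discard on any failure."""
    missing = missing_capabilities(m.server_capabilities)
    if missing:
        raise RuntimeError(f"device does not advertise: {missing}")
    with m.locked("candidate"):  # unlock runs even if a step raises
        try:
            m.edit_config(target="candidate", config=payload)
            m.validate(source="candidate")
            m.commit()
        except Exception:
            # Do not leave a half-edited candidate for the next session.
            m.discard_changes()
            raise
    return m.get_config(source="running")  # verify step: caller inspects this
```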
Common misconception
Many network engineers assume NETCONF is just “SNMP but newer.” The protocols serve different purposes. SNMP is primarily for monitoring (reading device state). NETCONF is primarily for configuration (writing device settings). They complement each other — you might use SNMP to detect a problem and NETCONF to fix it programmatically.
When things go wrong
- Capability mismatch — The device does not support the YANG model you are using. Always check the capabilities exchange first.
- XML namespace errors — NETCONF is strict about XML namespaces. A missing or wrong namespace causes silent failures.
- Lock contention — Another session has the configuration locked. Implement timeouts and retry logic.
- Vendor deviations — Vendors sometimes implement YANG models with deviations (extra fields, missing fields). Test against actual devices, not just the published model.
One thing to remember: NETCONF gives you transactional, validated, structured configuration management for network devices — the same reliability guarantees that databases provide for application data. Python’s ncclient makes it accessible without needing to hand-craft XML.