[Day #53 Pyats Series] RESTCONF validation for Cisco IOS-XE using pyATS for Cisco [Python for Network Engineer]

Post Views: 3

Table of Contents

Introduction

In today’s modern network automation era, ensuring API-based management protocols like RESTCONF are correctly configured and functioning is crucial for integrating controllers, orchestrators, or custom-built Python scripts for network interaction.

In this Day #53 of our “101 Days of pyATS (Vendor-Agnostic)” series, we’ll walk through validating RESTCONF configuration on Cisco IOS-XE using pyATS, focusing on a real-world, script-based approach. RESTCONF is a standardized API used to access YANG data models over HTTPs. Cisco IOS-XE supports RESTCONF natively, and it’s commonly used for telemetry, configuration push, and real-time monitoring.

As part of “Python for Network Engineer” best practices, we use Cisco’s pyATS framework to script the validation—making it reusable, scalable, and vendor-agnostic-friendly.

Topology Overview

Let’s assume a simple lab setup where a network automation engine (your workstation or CI/CD runner) connects via HTTPS to a Cisco IOS-XE router.

This topology is sufficient to validate the operational state of RESTCONF over HTTPS.

Topology & Communications

Protocol: HTTPS (port 443)
Authentication: Basic (Username/Password)
Endpoint URI: /restconf/data/
Interface IP: 192.168.1.1
pyATS Host: 192.168.1.10
Reachability: Confirmed via ping, then RESTCONF status verified

You must ensure RESTCONF is enabled on the Cisco device, and the interface used is reachable from your automation environment.

Workflow Script

Here’s the pyATS + Python script to validate RESTCONF endpoint health and retrieve capabilities:

from genie.testbed import load
import requests
from requests.auth import HTTPBasicAuth
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Load testbed
testbed = load('testbed.yml')
device = testbed.devices['iosxe']

# RESTCONF base URI and authentication
restconf_url = f"https://{device.connections.restconf.ip}/restconf/data"
headers = {
    "Accept": "application/yang-data+json",
    "Content-Type": "application/yang-data+json"
}

# Authentication from testbed
username = device.connections.restconf.username
password = device.connections.restconf.password

# Perform RESTCONF GET Request
response = requests.get(
    restconf_url,
    headers=headers,
    auth=HTTPBasicAuth(username, password),
    verify=False
)

# Output Results
print(f"RESTCONF Status Code: {response.status_code}")
print(f"Response Body:\n{response.text}")

Explanation by Line

from genie.testbed import load: Loads your device configurations from testbed YAML.
requests: Used for HTTPS REST API calls.
restconf_url: Constructs Cisco’s RESTCONF endpoint.
HTTPBasicAuth: Auth method required for IOS-XE RESTCONF by default.
verify=False: Disables SSL verification in lab use (enable for prod).
response.status_code: Verifies if RESTCONF is reachable (200 = OK).
response.text: Contains the payload from Cisco’s YANG model response.

This script can be extended to check specific modules like interface state, routing table, config models, etc.

testbed.yml Example

devices:
  iosxe:
    type: router
    os: iosxe
    connections:
      defaults:
        class: unicon.Unicon
      cli:
        protocol: ssh
        ip: 192.168.1.1
      restconf:
        protocol: https
        ip: 192.168.1.1
        port: 443
        username: admin
        password: cisco123

This structure allows device.connections.restconf to be used seamlessly in your scripts.

Post-Validation CLI Screenshots

To ensure RESTCONF is enabled, verify the following configurations and outputs on Cisco CLI:

R1# show running-config | section restconf
restconf

R1# show ip http server status
HTTP server status: Enabled
HTTP secure server status: Enabled
HTTP port: 80
HTTP secure port: 443

R1# show platform software yang-management process
Process: restconf        State: running

You can also test via browser or curl:

curl -k -u admin:cisco123 https://192.168.1.1/restconf/data

FAQs

1. What is RESTCONF and why is it important in Cisco IOS-XE environments?

RESTCONF is a REST-like protocol used to access configuration and operational data on network devices using YANG data models over HTTPs. It provides a simplified, programmatic way to interact with device configurations, often used in automation and network orchestration tools.

In Cisco IOS-XE, RESTCONF enables:

Reading and modifying configuration/state data
Interfacing with YANG models like ietf-interfaces, Cisco-IOS-XE-native
Lightweight alternative to NETCONF for certain use-cases

It plays a critical role in SDN, DevNet use-cases, and model-driven programmability.

2. How do I enable RESTCONF on Cisco IOS-XE?

To enable RESTCONF, the following configuration is required:

conf t
  restconf
  ip http secure-server
  ip http authentication local
  username admin privilege 15 secret admin123
end

Also ensure:

HTTPS is enabled
Authentication credentials exist
ACLs are applied if needed for control

You can test RESTCONF with tools like Postman, curl, or Python (requests module).

3. What are the most common RESTCONF endpoints used for validation?

Here are the typical endpoints for RESTCONF on Cisco IOS-XE:

Endpoint	Purpose
`/restconf/data/ietf-interfaces:interfaces`	Interface configuration and operational status
`/restconf/data/Cisco-IOS-XE-native:native/interface`	Native interface configuration
`/restconf/data/Cisco-IOS-XE-native:native/hostname`	Hostname configuration
`/restconf/data/ietf-routing:routing-state`	Routing operational state

These can be accessed using GET or PATCH/POST requests based on validation intent.

4. What authentication methods are supported with RESTCONF?

Cisco IOS-XE RESTCONF supports:

Basic Authentication (base64 encoded username:password)
Token-based authentication (via OAuth on DNAC or external controllers)
HTTPS transport security (TLS 1.2/1.3)

For most automation scripts and tools, basic auth over HTTPS is commonly used for RESTCONF on routers and switches.

5. How do I validate RESTCONF connectivity using Python?

You can use Python’s requests module to perform a RESTCONF validation:

import requests
from requests.auth import HTTPBasicAuth

url = "https://10.10.10.1/restconf/data/ietf-interfaces:interfaces"
headers = {
    "Accept": "application/yang-data+json",
    "Content-Type": "application/yang-data+json"
}

response = requests.get(url, auth=HTTPBasicAuth("admin", "admin123"), headers=headers, verify=False)

print("Status Code:", response.status_code)
print("Response JSON:", response.json())

Expected HTTP response codes:

200 OK → Success
401 Unauthorized → Invalid credentials
404 Not Found → Invalid endpoint or YANG model mismatch

6. Can I use pyATS to validate RESTCONF responses from Cisco devices?

Yes! pyATS can integrate with custom scripts or Genie parsers to:

Trigger RESTCONF GET requests
Validate response structure and values
Compare device RESTCONF output with CLI or baseline JSON

This ensures configuration and state are both aligned — useful for config audits and network compliance testing.

7. What are common RESTCONF validation issues and how to troubleshoot them?

Common issues include:

Issue	Cause	Fix
`401 Unauthorized`	Wrong credentials	Verify user and password
`404 Not Found`	Incorrect URI or disabled YANG model	Check endpoint or enable YANG models
`503 Service Unavailable`	RESTCONF not enabled	Check `restconf` config in device
`SSL certificate error`	HTTPS self-signed cert	Use `verify=False` or import cert

Use tools like Postman, curl, or Wireshark to test and capture RESTCONF flow.

8. What is the difference between RESTCONF and NETCONF in IOS-XE?

Feature	RESTCONF	NETCONF
Protocol	HTTPs (RESTful)	SSH (RPC-based)
Data Encoding	JSON / XML	XML
Lightweight	Yes	No (more verbose)
Tooling Support	Web tools, Postman, REST clients	Mostly DevNet/CLI tools
Use-Case	Web integration, dashboards	Deep YANG model manipulation

For most modern automation, RESTCONF + JSON is preferred due to ease of integration with APIs and REST tools.

YouTube Link

Watch the Complete Python for Network Engineer: RESTCONF validation for Cisco IOS-XE using pyATS for Cisco [Python for Network Engineer] Lab Demo & Explanation on our channel:

Master Python Network Automation, Ansible, REST API & Cisco DevNet

Why Robot Framework for Network Automation?

Join Our Training

Ready to go deeper into Python for Network Engineer, DevNet, APIs like RESTCONF/NETCONF, Ansible, pyATS, Genie, and multi-vendor automation?

Join our 3-month instructor-led program led by Trainer Sagar Dhawan (14+ years industry experience) and transform your career with real-world automation skills.

Full Course Outline:
https://course.networkjourney.com/python-ansible-api-cisco-devnet-for-network-engineers/

Whether you’re a beginner or experienced professional, this training is crafted to elevate your Python for Network Engineer capabilities. Start automating now!

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

21 DAYS CCNA BOOTCAMP	Click to Watch
PYTHON3/ANSIBLE for NETWORK AUTOMATION	Click to Watch
"FIREWALL MASTERY" : PA + FGT+ CP + ASA/FTD + F5 LTM	Click to Watch
OSPF+BGP+MPLS	Click to Watch
SDN ORCHESTRATION	Click to Watch

PYTHON NETWORK AUTOMATION	Read Course Outline
CCNA + CCNP ENTERPRISE	Read Course Outline
CCNA to CCIE SECURITY	Read Course Outline
CISCO DEVNET + DEVCOR	Read Course Outline
"MASTER CLOUD" : AZ700 + AWS + GCP	Read Course Outline
"FIREWALL MASTERY" : PA + FGT+ CP + ASA/FTD + F5 LTM	Read Course Outline
CISCO DNAC	Read Course Outline
CISCO ISE	Read Course Outline
MULTI-VENDOR TRAINING	Read Course Outline
SDN ORCHESTRATION	Read Course Outline

[Day #53 Pyats Series] RESTCONF validation for Cisco IOS-XE using pyATS for Cisco [Python for Network Engineer]