NETCONF and Nornir Automation for CSR1000v

Status

Accepted for lab and reference automation. CSR1000v remains valid for EVE-NG and Academy scenarios, but it is not the primary live WAN control path.

Context

HybridOps still needs a reliable, auditable method for managing simulated and multi-vendor network environments in labs and Academy material. Manual SSH-based configuration and CLI scraping are error-prone and unsuitable for structured validation pipelines.

NETCONF (RFC 6241) provides:

  • Structured configuration and operational state retrieval (XML/YANG).
  • Transactional operations with validation and rollback.
  • Consistent support across Cisco CSR, Arista vEOS, and Juniper vSRX.

Nornir’s NETCONF/SSH capabilities allow:

  • Multi-device orchestration.
  • Pre-/post-change validation.
  • Evidence capture at scale.

This ADR complements the higher-level decision to use Nornir alongside Ansible for hybrid automation (see ADR-0601 when introduced).

Decision

Adopt NETCONF over SSH as the standard interface for configuration, telemetry, and audit for all CSR1000v instances.
Use Nornir with Netmiko and ncclient as the primary automation stack for:

  • Pushing configuration changes.
  • Validating operational state.
  • Capturing structured run records (XML/YANG) into runtime logs.

Implementation Highlights

  • Transport: NETCONF over SSH on port 830.
  • Schema: Cisco native + OpenConfig YANG models where available.
  • Automation layer: Nornir tasks (for example netconf_get, netconf_edit_config) wrapped in a netconf_collector plugin to:
      • Capture running-config.
      • Snapshot operational state (interfaces, BGP, IPsec).
      • Store records under <runtime-root>/logs/networking/netconf-csr1000v/ with correlation IDs.
  • Pipeline integration:
      • Jenkins / Ansible triggers Nornir runs as part of change workflows.
      • Pre-change snapshot, change execution, post-change snapshot, diff, and result published in run records.
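
The snapshot, diff, and run-record step described above, as an added sketch that is not HybridOps code and not the netconf_collector plugin. It assumes the pre- and post-change snapshots are already in hand as XML strings; the sample XML, its namespace, and the file names pre.xml, post.xml and record.json are constructed for illustration.

```python
import hashlib
import json
import uuid
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample data standing in for pre-/post-change <get-config> replies.
NS = "urn:example:native"  # placeholder namespace, not a real YANG module
PRE = (f'<data><native xmlns="{NS}"><hostname>csr-lab-01</hostname>'
       "<interface><name>Gi2</name><shutdown/></interface></native></data>")
POST = (f'<data><native xmlns="{NS}"><hostname>csr-lab-01</hostname>'
        "<interface><name>Gi2</name><description>wan-sim</description>"
        "</interface></native></data>")

def flatten(xml_text):
    """Map every leaf to an indexed path -> text (namespaces stripped)."""
    leaves = {}
    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
        seen = {}
        for child in children:
            tag = child.tag.split("}")[-1]
            seen[tag] = seen.get(tag, 0) + 1  # positional index for list entries
            walk(child, f"{path}/{tag}[{seen[tag]}]")
    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag.split("}")[-1])
    return leaves

def diff(pre, post):
    a, b = flatten(pre), flatten(post)
    return {"added": {p: b[p] for p in sorted(b.keys() - a.keys())},
            "removed": {p: a[p] for p in sorted(a.keys() - b.keys())},
            "changed": {p: [a[p], b[p]] for p in sorted(a.keys() & b.keys()) if a[p] != b[p]}}

def write_run_record(runtime_root, device, pre, post, correlation_id=None):
    # Parsing as a UUID rejects IDs such as "../x" that would escape the evidence root.
    cid = str(uuid.UUID(correlation_id)) if correlation_id else str(uuid.uuid4())
    out = Path(runtime_root) / "logs" / "networking" / "netconf-csr1000v" / cid
    out.mkdir(parents=True, exist_ok=False)  # refuse to overwrite earlier evidence
    record = {"correlation_id": cid, "device": device, "diff": diff(pre, post), "sha256": {}}
    for name, text in (("pre", pre), ("post", post)):
        (out / f"{name}.xml").write_text(text, encoding="utf-8")
        record["sha256"][name] = hashlib.sha256(text.encode("utf-8")).hexdigest()
    (out / "record.json").write_text(json.dumps(record, indent=2, sort_keys=True), encoding="utf-8")
    return record
```

List entries are indexed by position here, so inserting an entry mid-list shifts the paths after it; a diff keyed on each list's YANG key leaf avoids that.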

Consequences

Positive

  • Strong compliance and audit visibility via structured, machine-parsable configuration/state.
  • Enables pre-/post-change validation directly from CI/CD pipelines.
  • Extensible to other vendors that support NETCONF/YANG (Arista, Juniper, VyOS with YANG).
  • Reduces reliance on brittle screen-scraping and ad-hoc SSH sessions.

Negative

  • Requires maintaining compatible YANG model versions across CSR images.
  • NETCONF/YANG parsing adds CPU overhead on virtual routers during heavy automation runs.
  • Engineers must be familiar with YANG paths and NETCONF RPC patterns.

Neutral

  • Coexists cleanly with Ansible (declarative config push) and Nornir (state introspection).
  • Can later be augmented with gNMI/RESTCONF without breaking existing pipelines.

Planned records

These paths are reserved for implementation once automation and evidence capture are in place:

  • Runbook: docs/ops/runbooks/networking/netconf-csr1000v-setup.md
  • Diagram: docs/diagrams/netconf_csr_architecture.mmd
  • Evidence root: <runtime-root>/logs/networking/netconf-csr1000v/

Maintainer: HybridOps
License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.