Licensing Requirements and Limitations for NETCONF
Involved Network Elements
Third-party NMSs that support the NETCONF over SSH mode or Huawei iMaster NCE-Campus
Licensing Requirements
NETCONF is a basic feature of a switch and is not under license control.
Feature Support in V200R019C10
All models of S12700 and S12700E series switches support NETCONF.
Feature Limitations
- Cards for which End of Marketing (EOM) was announced before June 1, 2019 cannot be displayed on iMaster NCE-Campus. These cards include ET1D2X16SSC0 and ET1D2SFUC000.
- After NETCONF is enabled on a switch, the management interface of the switch automatically generates the management IP address 192.168.1.253/24. If the DHCP server allocates an IP address on the 192.168.1.0/24 network segment to a switch running a version earlier than V200R019C10, the switch cannot register with iMaster NCE-Campus for authentication. In V200R019C10 and later versions, a switch deletes the IP address automatically generated by the management interface and uses the IP address allocated by the DHCP server to register with iMaster NCE-Campus for authentication.
- In V200R011C10 and later versions, after NETCONF is enabled on a switch, the management IP address of the switch can either be dynamically assigned by a DHCP server or be the static IP address of the VLANIF interface used to communicate with the DHCP server. If the switch is configured with a static IP address, you must configure the iMaster NCE-Campus IP address on the switch using a command. Otherwise, the switch cannot register with iMaster NCE-Campus.
- When a switch connects to iMaster NCE-Campus using a management VLAN or PnP VLAN, its uplink automatically uses Eth-Trunk 0 for communication. Therefore, to prevent function conflicts, use Eth-Trunks other than Eth-Trunk 0 for other functions.
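A pre-deployment check for the two addressing limitations above (a DHCP lease in 192.168.1.0/24 on a version earlier than V200R019C10, and a static address without a controller IP address), as an added example that is not part of the Huawei documentation. The inventory records and their field names (name, version, addressing, address, controller_ip) are hypothetical, and a version string without a C part is assumed to compare as C00.

```python
import ipaddress
import re

# Segment of the 192.168.1.253/24 address auto-generated on the management interface.
AUTO_MGMT_NET = ipaddress.ip_network("192.168.1.0/24")

def parse_version(text):
    """Turn 'V200R019C10' into (200, 19, 10); a missing C part counts as 0 (assumption)."""
    m = re.fullmatch(r"V(\d+)R(\d+)(?:C(\d+))?", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def registration_findings(switch):
    """List the limitations above that apply to one inventory record."""
    version = parse_version(switch["version"])
    findings = []
    if switch["addressing"] == "dhcp":
        lease = ipaddress.ip_interface(switch["address"]).ip
        if lease in AUTO_MGMT_NET and version < parse_version("V200R019C10"):
            findings.append("DHCP lease in 192.168.1.0/24 on a version earlier "
                            "than V200R019C10: cannot register")
    elif switch["addressing"] == "static":
        if version < parse_version("V200R011C10"):
            findings.append("static management address is described only for "
                            "V200R011C10 and later")
        elif not switch.get("controller_ip"):
            findings.append("static address without a controller IP address "
                            "configured: cannot register")
    else:
        raise ValueError(f"unknown addressing mode: {switch['addressing']!r}")
    return findings

def audit(inventory):
    """Map switch name to findings, keeping only switches that have any."""
    results = {sw["name"]: registration_findings(sw) for sw in inventory}
    return {name: found for name, found in results.items() if found}

# Constructed inventory; the field names are hypothetical.
INVENTORY = [
    {"name": "core-1", "version": "V200R013C00", "addressing": "dhcp", "address": "192.168.1.37/24"},
    {"name": "core-2", "version": "V200R019C10", "addressing": "dhcp", "address": "192.168.1.38/24"},
    {"name": "core-3", "version": "V200R019C10", "addressing": "static", "address": "10.20.0.5/24"},
    {"name": "core-4", "version": "V200R019C10", "addressing": "static", "address": "10.20.0.6/24",
     "controller_ip": "10.30.0.10"},
]

if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(name, "->", "; ".join(found))
```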
Precautions for NETCONF-enabled switches
- To facilitate fault diagnosis on iMaster NCE-Campus, a switch automatically generates a virtual management interface Ethernet0/0/1 after startup. This interface is activated only after NETCONF is enabled, and then the switch assigns a fixed IP address to it.
  The following message is displayed when you attempt to access the virtual management network interface of a NETCONF-enabled switch:
      Error: This command cannot be executed in netconf mode.
  The following message is displayed when you attempt to access the virtual management network interface of a NETCONF-disabled switch:
      Error: This interface is used only by the cloud management platform to diagnose device faults.
- A NETCONF-enabled switch supports PnP VLAN auto-negotiation to implement plug and play in the Huawei CloudCampus Solution.
- After NETCONF is enabled, the trust dscp configuration is automatically generated on all service interfaces.
- For security purposes, a static ARP entry will be automatically generated after the switch goes online through a service interface. The IP address and MAC address in this ARP entry are those of an upstream gateway. This ARP entry cannot be manually modified or deleted, and can only be automatically updated or deleted based on the changes of the upstream gateway.
- If an error occurs in the NETCONF service process of the switch, detailed error information of the process will be saved in the flash:/core_dump directory.
- If patches need to be installed on the switch and the patch file contains a NETCONF-related process patch of the .bin type, the switch is disconnected from and then reconnected to iMaster NCE-Campus during patch activation.
- When a CSS of modular switches is enabled with NETCONF and configured to go online on a controller, the switches restart if their CSS configuration is inconsistent with that on the controller. You are advised to manually save the configuration before the switches go online.
- To ensure that the configurations recorded by the NMS (for example, iMaster NCE-Campus) are consistent with those in the configuration file of a switch, do not specify a new configuration file for the switch, for example, by using the BootLoad menu. Otherwise, the configurations in the existing configuration file of the switch may be lost.
- When the delete-config operation is performed on the NMS to clear configurations in a NETCONF database, the switch automatically runs the reset saved-configuration command to clear the next startup configuration file and cancel the configuration file used for next startup.
- On a NETCONF-enabled switch running V200R019C00 or an earlier version, VCMP and LNP cannot be configured. On a NETCONF-enabled switch running a version later than V200R019C00, LNP cannot be configured, and VCMP also cannot be configured if the management-vlan or callhome command has been run.
- After the NETCONF function is enabled, the commands listed in Table 14-7 cannot be configured.
Table 14-7 Commands that cannot be configured after NETCONF is enabled

| Command | Function |
| --- | --- |
| ap auth-mode { mac-auth \| no-auth \| sn-auth }<br>undo ap auth-mode | Configure the AP authentication mode. For an AC working in NETCONF mode, the AP authentication mode is SN authentication. |
| ap blacklist mac ap-mac1 [ to ap-mac2 ]<br>undo ap blacklist { mac ap-mac1 [ to ap-mac2 ] \| all } | Add an AP to the AP blacklist or remove an AP from the AP blacklist. |
| ap modify ap-id mac ap-mac | Modifies the MAC address of an AP. |
| ap whitelist { mac ap-mac1 [ to ap-mac2 ] \| sn ap-sn1 [ to ap-sn2 ] }<br>undo ap whitelist { mac { ap-mac1 [ to ap-mac2 ] \| all } \| sn { ap-sn1 [ to ap-sn2 ] \| all } } | Add an AP to the AP whitelist or remove an AP from the AP whitelist. |
| ap-confirm { all \| mac ap-mac \| sn ap-sn } | Allows an AP that fails to be authenticated to go online. |
| ap-name ap-name | Configures the name of an AP. |
| ap-rename { ap-name name \| ap-mac ap-mac-address \| ap-id ap-id } new-name ap-new-name | Configures a new name for an AP. |
| css issu abort | Aborts ISSU of a CSS. |
| css issu check system-file [ patch patch-name ] | Starts the ISSU feasibility check for a CSS. |
| css issu confirm | Confirms the ISSU result of a CSS. |
| css issu reset rollback-timer timer | Sets the rollback timer value for a CSS ISSU. |
| css issu start [ rollback-timer timer ] system-file [ patch patch-name ] | Starts ISSU for a CSS. |
| css issu switchover | Triggers a master/standby switchover during a CSS ISSU. |
| capwap source interface { loopback loopback-number \| vlanif vlan-id } | Configures the interface used by the AC to establish a CAPWAP tunnel as the source interface of the AC. |
| format drive | Formats a storage device. |
| fixdisk drive | Restores a storage device in which the file system fails to run properly. |
| interface Ethernet0/0/1 | Enters the view of a virtual management interface. |
| lnp disable<br>undo lnp disable | Enables or disables LNP negotiation on a device. |
| stp disable | Disables STP. |
| interface Eth-Trunk 0<br>mode lacp | Set the working mode of Eth-Trunk 0 used for PnP negotiation to LACP. |
- Table 14-8 describes the function configuration restrictions on a NETCONF-enabled switch. If a function can be configured through both a command and an NMS such as iMaster NCE-Campus, the command configuration on the switch will not be synchronized to the NMS. As a result, the device configurations on the NMS are different from those on the device. Therefore, you are advised to configure such functions on the NMS.
Table 14-8 Function configuration restrictions

| Category | Switch Processing |
| --- | --- |
| Functions that can be configured only using NETCONF on the NMS, but cannot be configured using commands on the switch | In versions earlier than V200R013, the following message is displayed when you configure these functions using commands on the switch:<br>Error: This command cannot be executed in netconf status.<br>In V200R013 and later versions, you can configure these functions using NETCONF on the NMS or by running commands on the switch. |
| Functions that can be configured using NETCONF on the NMS or by running commands on the switch | When you configure these functions using commands on the switch, a warning message is displayed. Continue the configuration after confirming that no conflict will occur.<br>Versions earlier than V200R019C00:<br>Warning: This command may cause confliction in netconf status. Continue? [Y/N]:<br>V200R019C00 and later versions:<br>Warning: This command may cause a configuration conflict in NETCONF mode. Continue? [Y/N]: |
| Functions that can be configured using NETCONF or SNMP on the NMS | No warning message will be displayed. Ensure that no conflict will occur before configuring these functions. |
- In V200R020 and later versions, you can use iMaster NCE-Campus to configure whether non-whitelisted commands can be configured locally on the device. By default, all commands can be locally configured on the device. For details about the whitelisted commands, see Table 14-9.
The interface views in the following table include only the GigabitEthernet interface view, XGigabitEthernet interface view, 25GE interface view, 40GE interface view, and 100GE interface view.
Table 14-9 Whitelisted commands

| Command | Description | View |
| --- | --- | --- |
| interface GigabitEthernet | Displays the GE interface view. | System view |
| interface XGigabitEthernet | Displays the XGE interface view. | System view |
| interface 25GE | Displays the 25GE interface view. | System view |
| interface 40GE | Displays the 40GE interface view. | System view |
| interface 100GE | Displays the 100GE interface view. | System view |
| reset trace instance | Clears all the diagnosis instances on a device. | System view |
| save trace information | Saves diagnosis information in the buffer area as a file. | System view |
| trace<br>undo trace | Configures service diagnosis.<br>Cancels service diagnosis. | System view |
| acl<br>undo acl | Creates ACL rules.<br>Deletes ACL rules. | System view |
| pki<br>undo pki | Configures PKI function.<br>Cancels PKI function. | System view |
| observe-port<br>undo observe-port | Creates an observing port.<br>Deletes an observing port. | System view |
| traffic-mirror<br>undo traffic-mirror | Configures the traffic mirroring function.<br>Cancels the traffic mirroring function. | System view and Interface view |
| traffic-statistic<br>undo traffic-statistic | Enables the traffic statistics collection function.<br>Cancels the traffic statistics collection function. | System view and Interface view |
| capture-packet | Configures the packet obtaining function. | System view |
| http server load<br>undo http server load | Loads a specified web page file.<br>Cancels loading a specified web page file. | System view |
| controller ip-address<br>undo controller ip-address | Configures an IP address for iMaster NCE-Campus.<br>Deletes the IP address configured for iMaster NCE-Campus. | System view |
| controller url<br>undo controller url | Configures a URL for iMaster NCE-Campus.<br>Deletes the URL configured for iMaster NCE-Campus. | System view |
| lldp enable<br>undo lldp enable | Enables LLDP.<br>Disables LLDP. | System view and Interface view |
| display | Displays the device status or configurations. | All views |
| quit | Returns to the upper-level view. | All views |
| return | Returns to the user view. | All views |
| diagnose | Displays the diagnostic view. | System view |
| reset cloud-mng | Clears cloud-based management records. | System view |
| ping | Determines whether the specified IPv4 address is reachable. | All views |
| tracert | Displays the path of packets from the source end to the destination end and detects network connectivity. | All views |
| stelnet host-ip | Configures the IP address of the STelnet server. | System view |
| sftp (excluding sftp client-source, sftp client-transfile, sftp ipv4, sftp ipv6, and sftp server enable) | Connects the switch to an SFTP server. | System view |
| mad restore | Restores all the blocked interfaces of a standby switch that enters the Recovery state after its CSS splits. | System view |
| negotiation auto<br>undo negotiation auto | Configures an Ethernet interface to work in auto-negotiation mode.<br>Configures an Ethernet interface to work in non-auto-negotiation mode. | Interface view |
| speed<br>undo speed | Sets the rate for an Ethernet interface working in non-auto-negotiation mode.<br>Restores the default rate for an Ethernet interface working in non-auto-negotiation mode. | Interface view |
| duplex<br>undo duplex | Sets the duplex mode for an Ethernet electrical interface working in non-auto-negotiation mode.<br>Restores the default duplex mode for an Ethernet electrical interface working in non-auto-negotiation mode. | Interface view |
| port-mirroring<br>undo port-mirroring | Binds a mirrored port to an observing port.<br>Cancels binding a mirrored port to an observing port. | Interface view |
| virtual-cable-test | Tests the cable connected to an Ethernet electrical interface and displays the test result. | Interface view |
| All commands in the ACL view | Performs ACL-related configurations. | - |
| All commands in the PKI entity view | Configures a PKI entity. | - |
| All commands in the PKI realm view | Configures a PKI realm. | - |
| All commands in the FTP client view | Configures FTP transfer. | - |
| All commands in the WLAN client view | Configures WLAN. | - |
| All commands in the user view | Commands starting with the following keywords in the user view are not supported: configuration, format, local-user, lock, startup saved-configuration, save (except save logfile), reboot (except reboot fast), schedule, reset saved-configuration, fixdisk, rollback | - |
| All commands in the diagnostic view | Commands starting with the following keywords in the diagnostic view are not supported: cli, configuration, test-device, cli enable-config, configuration exclusive, undo startup, run | - |
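One way to audit locally entered commands against the whitelist in Table 14-9, as an added example that is not Huawei code. It encodes only part of the table (the all-view commands, a subset of the system-view rows, the sftp exclusions and the user-view rule), assumes each command is recorded with its view and with keywords spelled out in full, and runs on a constructed session.

```python
# Partial encoding of Table 14-9 (added example; abbreviated keywords are not handled).
ALL_VIEWS = ("display", "quit", "return", "ping", "tracert")
# Subset of the system-view rows; extend from the table as needed.
SYSTEM_VIEW = ("acl", "undo acl", "pki", "undo pki", "observe-port",
               "undo observe-port", "capture-packet", "controller ip-address",
               "undo controller ip-address", "controller url", "undo controller url",
               "lldp enable", "undo lldp enable", "diagnose", "reset cloud-mng",
               "mad restore", "sftp")
SFTP_EXCLUDED = ("sftp client-source", "sftp client-transfile", "sftp ipv4",
                 "sftp ipv6", "sftp server enable")
# User view: every command is whitelisted except those starting with these keywords.
USER_VIEW_BLOCKED = ("configuration", "format", "local-user", "lock",
                     "startup saved-configuration", "save", "reboot", "schedule",
                     "reset saved-configuration", "fixdisk", "rollback")
USER_VIEW_EXCEPTIONS = ("save logfile", "reboot fast")

def leads_with(command, phrases):
    """True if the command's first words equal all the words of any phrase."""
    words = command.split()
    return any(words[:len(p.split())] == p.split() for p in phrases)

def is_whitelisted(view, command):
    """Classify one locally entered command; view is 'user' or 'system'."""
    if leads_with(command, ALL_VIEWS):
        return True
    if view == "user":
        # The named exceptions (save logfile, reboot fast) override the
        # blocked keywords; whole-word matching keeps "saved" apart from "save".
        return (leads_with(command, USER_VIEW_EXCEPTIONS)
                or not leads_with(command, USER_VIEW_BLOCKED))
    if view == "system":
        return leads_with(command, SYSTEM_VIEW) and not leads_with(command, SFTP_EXCLUDED)
    return False  # views not modelled here are reported as not whitelisted

def non_whitelisted(session):
    """Return the (view, command) pairs in a session that fall outside the whitelist."""
    return [(view, cmd) for view, cmd in session if not is_whitelisted(view, cmd)]

# Constructed session of (view, command) pairs.
SESSION = [
    ("user", "save logfile"), ("user", "reset saved-configuration"),
    ("user", "reboot fast"), ("user", "reboot"),
    ("system", "sftp 192.0.2.10"), ("system", "sftp server enable"),
    ("system", "vlan batch 10 20"), ("system", "display current-configuration"),
]

if __name__ == "__main__":
    for view, cmd in non_whitelisted(SESSION):
        print(f"[{view}] {cmd}")
```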