Chapter 1: YANG Data Models: OpenConfig, IETF, and Native Models
Learning Objectives
Differentiate between OpenConfig, IETF, and Cisco native YANG models and explain when to use each
Navigate and interpret a YANG module tree generated per RFC 8340
Identify YANG constructs including containers, lists, leaves, leaf-lists, augmentations, and deviations
Use pyang and YANG Suite to explore and validate YANG modules
Introduction to Data Modeling with YANG
Pre-Reading Check — Introduction to YANG
1. What fundamental problem do YANG data models solve for network automation?
2. Which RFC defines the current version of YANG (YANG 1.1)?
3. The same YANG module can describe data carried over NETCONF, RESTCONF, or gRPC/gNMI. What does this illustrate about YANG?
Why Data Models Matter for Network Automation
Without a shared vocabulary, automation engineers must write separate, brittle scripts for each vendor's CLI. Model-driven programmability solves this by establishing a precise, machine-readable contract: here is the structure of network configuration data, independent of how any particular vendor exposes it.
Automation code written against a well-defined data model can be vendor-agnostic, self-documenting, and verifiable before it ever touches a device.
YANG Language Overview and RFC 7950
YANG (Yet Another Next Generation) is a schema language purpose-built for networking — similar in spirit to XSD or JSON Schema. It was first standardized in RFC 6020 (YANG 1.0, 2010) and significantly revised in RFC 7950 (YANG 1.1, 2016), the version in use today.
YANG is transport-agnostic: the same YANG module describes data carried over NETCONF (as XML), RESTCONF (as JSON or XML), or gRPC/gNMI (as protocol buffers or JSON).
Key properties defined in RFC 7950:
Hierarchical: Data is organized as a tree of nodes
Typed: Every leaf has a type (string, uint32, boolean, enumeration, identityref, etc.)
Constrained: must expressions, when conditions, and cardinality constraints enforce valid data
Extensible: Modules can augment or deviate from other modules without modifying the originals
Self-documenting: description statements are part of the language itself, not comments
YANG Module Structure: module, submodule, revision, namespace
Every YANG model is organized as a module — a single .yang file with a top-level module statement. Larger models split content into submodules included with the include statement.
Globally unique URI identifying this module's schema nodes
prefix
Short alias used to reference this module's nodes in other files
import
Pulls in definitions (types, groupings) from another module
include
Incorporates a submodule into this module
revision
Dated changelog entry; the newest revision is the module version
container
A grouping node with no value; contains child nodes
list
A collection of keyed entries (like a database table)
leaf
A scalar value node
The namespace is critically important: when sending a NETCONF <edit-config> or RESTCONF PATCH, the namespace must appear in the XML prefix or JSON key to tell the device which model family the data belongs to.
Figure 1.1: YANG Module Anatomy — Key Components and Their Relationships
graph TD
A["YANG Module (.yang file)"]
A --> B["module declaration\n(top-level name + yang-version)"]
A --> C["namespace\n(globally unique URI)"]
A --> D["prefix\n(short alias for references)"]
A --> E["import / include\n(external modules and submodules)"]
A --> F["revision\n(dated changelog — newest = version)"]
A --> G["Data Nodes"]
G --> H["container\n(groups child nodes; holds no value)"]
G --> I["list\n(keyed collection of entries)"]
G --> J["leaf\n(single typed scalar value)"]
G --> K["leaf-list\n(ordered sequence of scalars)"]
H --> I
H --> J
I --> J
style A fill:#1a3a5c,color:#fff
style G fill:#1a3a5c,color:#fff
Key Takeaway: YANG is a hierarchical, transport-agnostic, typed, and self-documenting schema language for network devices (RFC 7950). Every YANG module is identified by a globally unique namespace that must appear in NETCONF and RESTCONF payloads.
Key Points — Introduction to YANG
YANG 1.1 is defined in RFC 7950 (2016); RFC 6020 defined the original YANG 1.0 (2010)
YANG is transport-agnostic — the same module describes NETCONF, RESTCONF, and gNMI data
Every YANG module has a globally unique namespace URI used in protocol payloads to identify the model family
YANG's core data node types are: container (grouping), list (keyed collection), leaf (scalar value), and leaf-list (sequence of scalars)
The revision statement provides a dated changelog; the newest revision defines the current module version
Animation slot: YANG hierarchy — illustrating a module expanding from namespace root into containers, lists, and leaves as nodes are added
Post-Reading Check — Introduction to YANG
1. An engineer writes a YANG module and needs to pull in a shared type definition from another module. Which YANG statement accomplishes this?
2. In a NETCONF <edit-config> payload that mixes OpenConfig and IETF data, why must namespaces appear in XML element prefixes?
3. A YANG leaf-list differs from a list in that a leaf-list:
OpenConfig YANG Models
Pre-Reading Check — OpenConfig Models
1. OpenConfig was originally created by which type of organization?
2. What is the defining structural characteristic of all OpenConfig YANG models?
OpenConfig Project Goals and Vendor-Neutral Design
OpenConfig is an industry consortium of large network operators (Google, AT&T, British Telecom, Microsoft, and others) who produced YANG models reflecting the operator's perspective rather than any single vendor's implementation. Models are developed publicly on GitHub at github.com/openconfig/public.
Key design principles of OpenConfig:
Vendor-neutral by design: No model node mirrors any specific vendor's CLI keyword
Operator-driven scope: Covers features operators need most — BGP, interfaces, routing policy, MPLS, QoS
Telemetry-first: Every OpenConfig model is designed with streaming telemetry in mind, providing operational state paths suitable for gNMI subscriptions
Consistent structure: All OpenConfig models follow the same style guide, making them predictable once you learn the pattern
OpenConfig Model Hierarchy: The config/state Container Pattern
OpenConfig places configuration data in a config sub-container (read-write — intended configuration) and operational state data in a state sub-container (read-only — what the device has actually applied or observed) at every level of the hierarchy.
This pattern enables a single model to serve both configuration management (write to config) and telemetry collection (subscribe to state) in a unified schema.
Figure 1.2: OpenConfig config/state Container Pattern Applied to an Interface
graph TD
ROOT["openconfig-interfaces\ninterfaces"]
ROOT --> IFACE["interface* [name]\n(list, keyed by name)"]
IFACE --> CFG["config\n(rw — intended configuration)"]
IFACE --> STATE["state\n(ro — applied + observed data)"]
CFG --> C1["name : string"]
CFG --> C2["type : identityref"]
CFG --> C3["mtu? : uint16"]
CFG --> C4["description? : string"]
CFG --> C5["enabled? : boolean"]
STATE --> S1["name : string"]
STATE --> S2["type : identityref"]
STATE --> S3["mtu? : uint16"]
STATE --> S4["description? : string"]
STATE --> S5["enabled? : boolean"]
STATE --> S6["oper-status : enumeration\n(operational state only)"]
STATE --> S7["counters\n(in-octets, out-octets, ...)"]
style CFG fill:#1a5c2a,color:#fff
style STATE fill:#5c1a1a,color:#fff
style ROOT fill:#1a3a5c,color:#fff
Augmentations and Deviations
Augmentation: A vendor adds new schema nodes to an existing OpenConfig model without modifying the original. Augmented nodes from a different namespace require that namespace's prefix in NETCONF/RESTCONF payloads.
Deviation: A vendor declares where their implementation does not fully conform to an OpenConfig model. If a leaf is not-supported, automation tools can understand the actual capability of a specific device rather than assuming full model compliance.
Key Takeaway: OpenConfig models are operator-driven, vendor-neutral YANG modules with a consistent config/state container pattern. They are the recommended first choice for multi-vendor automation, with gaps addressed through augmentation and deviation.
Key Points — OpenConfig Models
OpenConfig models are maintained on GitHub (github.com/openconfig/public) and evolve faster than IETF RFCs
The config/state container pattern is the hallmark of all OpenConfig models: config is read-write (intended), state is read-only (observed)
state containers include all config leaves plus additional operational-only leaves (e.g., oper-status, counters)
OpenConfig is designed telemetry-first, making it ideal as a gNMI subscription path source
Post-Reading Check — OpenConfig Models
1. In an OpenConfig model, an engineer needs to read the current operational status of a BGP session (e.g., whether it is ESTABLISHED). Which container path should they query?
2. Cisco's IOS XE supports openconfig-interfaces but does not implement an optional leaf for a proprietary feature. What mechanism would Cisco publish to communicate this to automation tools?
3. Why does the OpenConfig state container always include all leaves present in the config container, plus additional operational-only leaves?
IETF YANG Models
Pre-Reading Check — IETF Models
1. What is the primary advantage of IETF YANG models compared to OpenConfig models?
2. Which IETF model provides a baseline schema for managing network interfaces?
IETF Standardization Process
IETF YANG models are produced by the NETMOD (Network Modeling) working group and published as RFCs after a formal review involving technical experts, working group consensus, and IESG approval. This rigor ensures broad multi-vendor consensus but means updates are slow — changes to a widely-deployed model like ietf-interfaces can take years.
IETF's goal: standards-minimal interoperability — every vendor implementing the RFC must support the same baseline schema. IETF module namespaces follow: urn:ietf:params:xml:ns:yang:ietf-<module-name>.
Key IETF Models
ietf-interfaces (RFC 7223 / RFC 8343): Baseline schema for interface management — name, type, enabled state, basic statistics. Intentionally minimal; interface-type-specific attributes are added via augmentation (e.g., ietf-ip augments it to add IP address configuration)
ietf-routing (RFC 8022 / RFC 8349): Three modules forming a core routing data model with generic routing instance and RIB concepts; protocol modules (ietf-ospf, ietf-bgp) augment it further
ietf-access-control-list (RFC 8519): Schema for ACL configuration — acl-sets, acl-entries, matches, and actions
IETF vs OpenConfig: Comparison
Dimension
IETF Models
OpenConfig Models
Governing body
IETF NETMOD WG
Industry operator consortium
Update speed
Slow (RFC process, years)
Faster (GitHub, months)
Design philosophy
Standards-minimal baseline
Operator-feature completeness
Config/state separation
Mixed (per-module design)
Consistent config/state containers
Telemetry focus
Limited
Strong — designed for gNMI
Namespace pattern
urn:ietf:params:xml:ns:yang:
http://openconfig.net/yang/
Best use case
Compliance baseline, auditing
Unified multi-vendor automation
Figure 1.3: Decision Flowchart — Selecting the Right YANG Model Family
Key Takeaway: IETF YANG models are formally standardized through the RFC process and provide a conservative, broadly interoperable baseline — best for compliance enforcement across any RFC-conformant vendor. OpenConfig complements IETF with richer schemas and built-in telemetry support.
Key Points — IETF Models
IETF models are produced by the NETMOD working group and published as RFCs after formal multi-vendor consensus review
ietf-interfaces is deliberately minimal — vendor-specific and type-specific attributes are added via augmentation (e.g., ietf-ip adds IP configuration)
IETF models are the right choice when compliance auditing requires identical baseline behavior across any RFC-conformant vendor
Never use both an IETF/OpenConfig model and a Cisco-native model to configure the same parameter simultaneously — this creates conflicting state
Post-Reading Check — IETF Models
1. An engineer is writing a compliance-auditing tool that must run unchanged against Cisco, Juniper, and Arista routers to verify interface configurations. Which model family is the best fit?
2. The ietf-interfaces model deliberately excludes IP address configuration. How is IP address support added to the model?
3. An enterprise uses ietf-interfaces for interface compliance checking but openconfig-bgp for day-to-day BGP automation. Why is this a valid approach?
Cisco Native YANG Models
Pre-Reading Check — Cisco Native Models
1. What is the primary reason to use Cisco native YANG models instead of OpenConfig or IETF models?
IOS XE Native Model Structure
When OpenConfig and IETF models don't provide access to a feature, Cisco native YANG models fill the gap. These proprietary models map closely to IOS XE's internal data structures and CLI command hierarchy. The namespace pattern is http://cisco.com/ns/yang/<module-name>.
The -oper suffix marks operational state modules that provide read-only data — similar to the state containers in OpenConfig, but as separate modules rather than co-located containers.
Model Selection Decision Rules
Prefer OpenConfig for multi-vendor environments or when strong telemetry support is required
Use IETF models for strict standards compliance and maximum multi-vendor baseline interoperability
Fall back to Cisco native when a required feature is not covered by OpenConfig or IETF models
Never mix OpenConfig and Cisco native to configure the same parameter — mixed configuration causes unpredictable state
Scenario
Recommended Model Family
Configure interfaces on Cisco + Arista
OpenConfig (openconfig-interfaces)
Audit interface state against RFC standard
IETF (ietf-interfaces)
Configure Cisco-specific QoS MQC policies
Cisco native (Cisco-IOS-XE-qos)
Stream BGP session state via gNMI telemetry
OpenConfig (openconfig-bgp)
Configure OSPFv3 with IOS XE-specific area options not in IETF
Cisco native (Cisco-IOS-XE-ospf)
Multi-vendor routing policy for traffic engineering
OpenConfig (openconfig-routing-policy)
Discovering Available Models on Cisco IOS XE
All Cisco native YANG models are published per release in the GitHub repository at github.com/YangModels/yang under vendor/cisco/xe/<version>/. On a live device, available models can be discovered via:
NETCONF get-schema (RFC 6022): Retrieves the YANG source for a specific module directly from the device
Query ietf-yang-library (RFC 7895) via RESTCONF: GET https://<device>/restconf/data/ietf-yang-library:modules-state — returns every module name, revision, namespace, and feature set the device has loaded
Key Takeaway: Cisco native YANG models provide the deepest access to IOS XE features, closely mirroring the CLI hierarchy. They are indispensable for Cisco-specific advanced configuration but sacrifice portability. Always prefer OpenConfig and IETF where possible, and never use both simultaneously for the same configuration parameter.
Key Points — Cisco Native Models
Cisco native model namespace pattern: http://cisco.com/ns/yang/<module-name>
The -oper suffix (e.g., Cisco-IOS-XE-bgp-oper) denotes a read-only operational state module
All native models are published per IOS XE release at github.com/YangModels/yang/vendor/cisco/xe/<version>/
Use ietf-yang-library (RFC 7895) via RESTCONF to programmatically discover all models a device supports
Mixing native and OpenConfig/IETF models for the same parameter on the same device causes unpredictable, conflicting state
Post-Reading Check — Cisco Native Models
1. An engineer needs to configure a Cisco-proprietary QoS MQC policy on an IOS XE router. OpenConfig has no equivalent model for this feature. Which model should they use?
2. An engineer has already configured BGP peer-as via openconfig-bgp and now wants to add a Cisco-specific BGP timer using Cisco-IOS-XE-bgp for the same neighbor. What is the risk?
3. A network engineer wants to programmatically discover which YANG models are loaded on an IOS XE device without checking GitHub. What is the best approach?
Interpreting YANG Module Trees (RFC 8340)
Pre-Reading Check — YANG Tree Notation
1. In a YANG tree diagram, what does the symbol * after a node name indicate?
2. What does rw vs ro in a YANG tree flag indicate?
Tree Diagram Notation and Symbols
RFC 8340 (BCP 215) defines the authoritative text-based format for representing YANG module hierarchies. The general structure of a tree line is:
Read-only: operational state, RPC output, notification data
-w
Write-only: RPC or action input parameter
-x
RPC or action node
-n
Notification node
mp
Schema mount point
Cardinality and Node-Type Symbols (follow the node name):
Symbol
Meaning
?
Optional node (may be absent)
!
Presence container (its existence has semantic meaning even if empty)
*
List node or leaf-list (zero or more instances)
[keys]
List key leaves, shown in brackets
(name)
Choice node
:(name):
Case node within a choice
x prefix
Deprecated (still usable but avoid in new code)
o prefix
Obsolete (do not use)
Figure 1.4: RFC 8340 YANG Tree Notation — Node Types and Symbol Reference
graph TD
ROOT["module: example-model\n(tree root)"]
ROOT --> CONT["+--rw interfaces\ncontainer (rw, no ?, no *)\nGroups children; always present"]
CONT --> LIST["+--rw interface* [name]\nlist (rw, * = multiple entries)\n[name] = key leaf"]
LIST --> LEAF_M["+--rw name string\nleaf — mandatory (no ?)\nMust be present in every entry"]
LIST --> LEAF_O["+--rw description? string\nleaf — optional (?)\nMay be omitted"]
LIST --> LEAF_RO["+--ro oper-status enumeration\nleaf — read-only (ro)\nDevice writes; operator reads only"]
LIST --> CHOICE["+--rw (af-choice)\nchoice node — mutually exclusive cases"]
CHOICE --> CASE1["+--:(ipv4):\ncase — only one case active at a time"]
CHOICE --> CASE2["+--:(ipv6):\ncase — mutually exclusive with ipv4"]
LIST --> OPER_CONT["+--ro statistics\ncontainer — read-only subtree\nHolds counters and state data"]
style ROOT fill:#1a3a5c,color:#fff
style CONT fill:#1a3a5c,color:#cce
style LIST fill:#1a3a5c,color:#cce
style LEAF_RO fill:#5c1a1a,color:#fff
style OPER_CONT fill:#5c1a1a,color:#fff
Reading Container, List, Leaf, and Choice Nodes
module: ietf-interfaces
+--rw interfaces <-- container (rw, no ?, no *)
+--rw interface* [name] <-- list (rw, *, keyed by [name])
+--rw name string <-- leaf, mandatory (no ?)
+--rw description? string <-- leaf, optional (?)
+--rw type identityref <-- leaf, mandatory
+--rw enabled? boolean <-- leaf, optional
+--ro oper-status enumeration <-- leaf, read-only (ro)
+--ro statistics <-- container, read-only
+--ro in-octets yang:counter64
+--ro out-octets yang:counter64
interfaces — no * or ? means it is a mandatory container, always present
interface* [name] — * means this is a list; [name] is the key leaf needed to address a specific entry
name and type have no ? — mandatory leaves in every interface entry
description? and enabled? carry ? — optional leaves
oper-status is ro — you cannot write to it; it reflects device observation
Using pyang to Generate Tree Output
pyang is the standard open-source CLI tool for working with YANG modules. Install with pip install pyang.
# Generate a complete tree for a module
pyang -f tree ietf-interfaces.yang
# Focus on a specific subtree path
pyang -f tree --tree-path /interfaces/interface ietf-interfaces.yang
# Limit tree depth
pyang -f tree --tree-depth 3 Cisco-IOS-XE-native.yang
# Apply a deviation module to show actual device support
pyang -f tree --deviation-module Cisco-IOS-XE-native-devs.yang \
Cisco-IOS-XE-native.yang
# Generate interactive HTML tree
pyang -f jstree openconfig-interfaces.yang > oc-interfaces.html
# Generate XML payload skeleton (all mandatory nodes)
pyang -f sample-xml-skeleton ietf-interfaces.yang
YANG Suite for Visual Model Exploration
Cisco YANG Suite is a free graphical web application for exploring YANG models and interacting with live Cisco devices over NETCONF, RESTCONF, gRPC, and gNMI. Deploy via Docker:
git clone https://github.com/CiscoDevNet/yangsuite
cd yangsuite
./start_yang_suite.sh
YANG Suite organizes models into two tiers:
YANG Repository: A collection of related YANG modules for a specific OS version (e.g., "IOS XE 17.9")
YANG Set (module set): A curated subset containing only the modules relevant to a specific task and their transitive dependencies
Figure 1.5: YANG Suite Workflow — From Model Repository to Live Device RPC
sequenceDiagram
actor Engineer
participant YS as YANG Suite (Web GUI)
participant Repo as YANG Repository
participant Device as Cisco IOS XE Device
Engineer->>YS: Upload YANG files or connect device
YS->>Device: NETCONF get-schema (RFC 6022)
Device-->>YS: Return YANG module source files
YS->>Repo: Store modules in YANG Repository
Engineer->>YS: Define YANG Set (select modules + resolve dependencies)
YS-->>Engineer: Curated module subset ready
Engineer->>YS: Explore YANG (browse model tree graphically)
YS-->>Engineer: Interactive tree: containers, lists, leaves, descriptions
Engineer->>YS: Protocols - NETCONF (select path, fill values, build RPC)
YS-->>Engineer: Generated RPC payload preview
Engineer->>YS: Define device profile (IP, credentials, port 830)
Engineer->>YS: Execute RPC
YS->>Device: NETCONF edit-config or get
Device-->>YS: NETCONF rpc-reply
YS-->>Engineer: Display response / diff
Capability
pyang
YANG Suite
Installation
pip install pyang
Docker or pip install yangsuite
Interface
CLI
Web GUI
Tree visualization
Text (-f tree) or HTML (-f jstree)
Interactive graphical tree
Model validation
Yes (RFC 7950)
Partial (dependency resolution)
RPC construction
No
Yes (visual builder + execution)
Live device interaction
No
Yes (NETCONF, RESTCONF, gNMI)
XPath testing
No
Yes
Best for
Quick model inspection, scripting, CI/CD
Hands-on learning, RPC prototyping
Key Takeaway: RFC 8340 defines standardized text notation for YANG tree diagrams — rw/ro indicate access, * marks list nodes, ? marks optional leaves, and bracketed keys identify list keys. pyang generates trees and validates models from the CLI; YANG Suite provides a graphical interface for visual exploration, RPC construction, and live device interaction.
Key Points — YANG Trees and Tools
RFC 8340 (BCP 215) is the authoritative standard for YANG tree diagram notation — memorize the core symbols: rw, ro, *, ?, !, [keys]
pyang -f tree <file.yang> and pyang --tree-help are the two most essential pyang commands
pyang's -f sample-xml-skeleton output generates a template NETCONF payload with all mandatory nodes — useful for payload construction
YANG Suite's XPath tester is invaluable when constructing gNMI subscription paths
A YANG Set in YANG Suite is more efficient than using a full repository — it resolves only the transitive dependencies you need
Animation slot: RFC 8340 tree notation walkthrough — an annotated tree diagram building up node by node, highlighting each symbol as it appears
Post-Reading Check — YANG Tree Notation and Tools
1. In this YANG tree line: +--rw interface* [name] — what does the combination of * and [name] tell you?
2. An engineer wants to generate a template NETCONF XML payload pre-populated with all mandatory nodes from an IETF module. Which pyang command produces this?
3. A network engineer is learning YANG and needs to visually browse the openconfig-bgp model tree, fill in values for a BGP neighbor, generate a NETCONF payload, and immediately test it against a lab device. Which tool best fits this workflow?
4. An engineer sees x prefixing a node name in a YANG tree. What should they do with that node?