Mental model
Old way: SSH into a router, type show ip interface brief, parse the text output with regex, hope the format doesn’t change between IOS versions.
New way: send GET /restconf/data/ietf-interfaces:interfaces to the router’s HTTPS endpoint, get back structured JSON. Parse with one line of Python. No regex. No surprises when IOS updates.
That’s the elevator pitch for REST APIs. They turn network gear into something a normal application can talk to.
The four verbs
| Verb | What it does | Example |
|---|---|---|
| GET | Read state — no changes | GET /interfaces → list all interfaces |
| POST | Create something new | POST /vlans with body {"id": 10, "name": "USERS"} |
| PUT | Replace something entirely | PUT /interfaces/Gi0/1 with full new config |
| DELETE | Remove something | DELETE /vlans/10 |
There’s also PATCH (partial update) but it’s less common. For CCNA-level, know the big four.
Status codes you’ll actually see
| Code | Meaning | Cause |
|---|---|---|
| 200 OK | Success, response body has data | GET worked |
| 201 Created | Success, new resource made | POST worked |
| 204 No Content | Success, nothing to return | DELETE worked |
| 400 Bad Request | Your request was malformed | Bad JSON, missing field |
| 401 Unauthorized | Credentials missing or wrong | Auth issue |
| 403 Forbidden | You’re authenticated but can’t do this | Permissions |
| 404 Not Found | The URL / resource doesn’t exist | Wrong path |
| 500 Internal Server Error | The device blew up | Device bug |
The rule of thumb: 2xx = good. 4xx = your fault. 5xx = the device’s fault.
A working example — get all interfaces from an IOS-XE device
With curl
$ curl -k -u admin:cisco123 \
-H "Accept: application/yang-data+json" \
https://10.0.0.1/restconf/data/ietf-interfaces:interfaces
With Python
import requests
from requests.auth import HTTPBasicAuth
resp = requests.get(
"https://10.0.0.1/restconf/data/ietf-interfaces:interfaces",
auth=HTTPBasicAuth("admin", "cisco123"),
headers={"Accept": "application/yang-data+json"},
verify=False, # ! test only — use proper certs in production
)
print(resp.status_code)
print(resp.json())
What the response looks like (JSON)
{
"ietf-interfaces:interfaces": {
"interface": [
{ "name": "GigabitEthernet0/0", "type": "iana-if-type:ethernetCsmacd", "enabled": true },
{ "name": "GigabitEthernet0/1", "type": "iana-if-type:ethernetCsmacd", "enabled": false }
]
}
}
Parse with resp.json()["ietf-interfaces:interfaces"]["interface"] — done. No regex.
Configure a device with POST
Add a VLAN to a Catalyst running RESTCONF:
import requests
requests.post(
"https://10.0.0.1/restconf/data/Cisco-IOS-XE-vlan:vlan",
auth=("admin", "cisco123"),
headers={
"Accept": "application/yang-data+json",
"Content-Type": "application/yang-data+json",
},
json={"vlan-list": [{"id": 10, "name": "USERS"}]},
verify=False,
)
If the response code is 201, the VLAN now exists on the switch. Verify with a show vlan brief over SSH or another GET.
Authentication
Three flavors you’ll meet:
- Basic auth — username + password in every request. Simple. Used by most Cisco platforms for CCNA-level demos.
- API tokens — generate a token once, send it as a header on every request. Used by Meraki, DNA Center, most modern Cisco platforms.
- OAuth 2.0 — token-with-refresh dance, common in big platforms.
For CCNA-level prep, focus on basic auth and API tokens.
Common mistakes
-
Sending Content-Type wrong. Posting JSON but forgetting
Content-Type: application/json(orapplication/yang-data+jsonfor RESTCONF). Device responds with 400 Bad Request. -
Reading the request body when the response code is non-2xx. Always check
resp.status_codefirst. The body of a 4xx response often has the actual error message. -
verify=Falsein production. Disables HTTPS certificate validation. Fine in a lab; dangerous in production (man-in-the-middle attacks). Use proper certs. -
Hardcoding passwords in scripts. Use environment variables or a secrets manager. Hardcoded creds in a Git repo is a career-limiting move.
-
Not handling 401/403 errors. Token expired? Permissions changed? Catch the error, refresh the token or log the issue.
-
Polling instead of using webhooks. Cisco DNA Center and Meraki support webhooks — the device pushes you events instead of you polling every minute. Use them when available.
Lab to try tonight
- Spin up an IOS-XE device in CML or use a sandbox at devnetsandbox.cisco.com.
- Enable RESTCONF:
(config)# restconf+ip http secure-server. - From your laptop, send a GET to
/restconf/data/ietf-interfaces:interfaces. Confirm you get JSON back. - Send a POST to create a new loopback interface.
- GET again — verify the new interface appears.
- DELETE the loopback. GET again — verify it’s gone.
- Bonus: write a Python script that bulk-shuts every interface that hasn’t seen traffic in 30 days (real ops automation).
Cheat strip
| Concept | Plain English |
|---|---|
| REST | An architectural style for HTTP APIs |
| GET / POST / PUT / DELETE | Read / create / replace / remove |
| 2xx / 4xx / 5xx | Success / your fault / server fault |
| JSON / XML | The two body formats. Prefer JSON. |
| RESTCONF | The Cisco-flavored REST API standard for network gear |
| NETCONF | An older, XML-based API still widely used. Mentioned in CCNA exam topics. |
| API token | An auth credential sent as a header — more secure than basic auth |
verify=False | Disables HTTPS cert validation. Lab use only. |