Ansible for Junos OS Developer Guide

Set up Ansible for Junos OS Managed Nodes

03-Oct-24

Juniper Networks supports using Ansible to manage Junos devices and provides Ansible modules that you can use to perform operational and configuration tasks on the devices. You do not need to install any client software on the remote nodes in order to use Ansible to manage the devices. Also, Python is not required on the managed Junos devices because the Juniper Networks modules are executed locally on the Ansible control node and use Junos PyEZ and the Junos XML API over NETCONF to perform the corresponding operational and configuration tasks.

You can execute Ansible for Junos OS modules using any user account that has access to the managed Junos device. When you execute Ansible modules, Junos OS user account access privileges are enforced. The class configured for the Junos OS user account determines the permissions. Thus, if a user executes a module that loads configuration changes onto a device, the user must have permissions to change the relevant portions of the configuration. For information about configuring user accounts on Junos devices, see the User Access and Authentication Administration Guide for Junos OS.

Juniper Networks provides modules that enable you to connect to Junos devices using NETCONF over SSH or telnet. To manage devices through a NETCONF session over SSH, you must enable the NETCONF service over SSH on the managed device and ensure that the device meets requirements for SSHv2 connections. The modules also enable you to telnet to the device’s management interface or to a console server that is directly connected to the device’s CONSOLE port. To use Ansible to telnet directly to the device’s management interface, you must configure the Telnet service on the managed device.

The following sections outline the requirements and required configuration on Junos devices when you use Ansible to access the device using the different connection protocols.

Enable NETCONF on Junos Devices

To enable NETCONF over SSH on the default port (830) on a Junos device:

  1. Configure the NETCONF-over-SSH service.
    [edit system services]
    user@host# set netconf ssh
    
  2. Commit the configuration.
    [edit system services]
    user@host# commit
    

Satisfy Requirements for SSHv2 Connections

The NETCONF server communicates with client applications within the context of a NETCONF session. The server and client explicitly establish a connection and session before exchanging data, and close the session and connection when they are finished. The Ansible for Junos OS modules access the NETCONF server using the SSH protocol and standard SSH authentication mechanisms. When you use Ansible to manage Junos devices, the most convenient way to access a device is to configure SSH keys.

To establish an SSHv2 connection with a Junos device, you must ensure that the following requirements are met:

  • The NETCONF service over SSH is enabled on each device where a NETCONF session will be established.

  • The client application has a user account and can log in to each device where a NETCONF session will be established.

  • The login account used by the client application has an SSH public/private key pair or a text-based password configured.

  • The client application can access the public/private keys or text-based password.

For information about enabling NETCONF on a Junos device and satisfying the requirements for establishing an SSH session, see the NETCONF XML Management Protocol Developer Guide.

Configure Telnet Service on Junos Devices

The Juniper Networks Ansible modules can telnet directly to a Junos device. To telnet to a Junos device, you must configure the Telnet service on the device. Configuring Telnet service for a device enables unencrypted, remote access to the device.

Note:

Because telnet uses clear-text passwords (therefore creating a potential security vulnerability), we recommend that you use SSH.

To enable the Telnet service:

  1. Configure the service.
    [edit system services]
    user@host# set telnet
    
  2. (Optional) Configure the connection limit, rate limit, and order of authentication, as necessary.
    [edit system services]
    user@host# set telnet connection-limit connection-limit
    user@host# set telnet rate-limit rate-limit
    user@host# set telnet authentication-order [radius tacplus password]
    
  3. Commit the configuration.
    [edit system services]
    user@host# commit
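
To verify the service settings described in the sections above across a fleet, the following added example (not part of the Juniper guide or its modules) audits `show configuration | display set` output for NETCONF over SSH and for an active Telnet service. The function names and the sample configuration are constructed for illustration; `deactivate` lines are treated as disabling the statement and everything beneath it.

```python
# Constructed sample of `show configuration | display set` output (not from a real device).
SAMPLE_CONFIG = """\
set system host-name lab-r1
set system services ssh
set system services netconf ssh
set system services telnet connection-limit 5
set system services telnet authentication-order radius
set system services telnet authentication-order password
"""


def active_statements(display_set_text):
    """Return active `set` paths as word lists, honouring `deactivate` lines."""
    sets, inactive = [], []
    for raw in display_set_text.splitlines():
        words = raw.split()
        if len(words) < 2:
            continue
        if words[0] == "set":
            sets.append(words[1:])
        elif words[0] == "deactivate":
            inactive.append(words[1:])
    # A statement is inactive when it, or any parent level, was deactivated.
    return [s for s in sets if not any(s[:len(d)] == d for d in inactive)]


def audit_services(display_set_text):
    """Report the remote-access services that this page configures."""
    services = [s[2:] for s in active_statements(display_set_text)
                if s[:2] == ["system", "services"] and len(s) > 2]
    netconf_ssh = any(s[:2] == ["netconf", "ssh"] for s in services)
    telnet = any(s[0] == "telnet" for s in services)
    # 830 is the default NETCONF-over-SSH port unless a port statement overrides it.
    port = next((int(s[3]) for s in services
                 if s[:3] == ["netconf", "ssh", "port"] and len(s) > 3), 830)
    findings = []
    if not netconf_ssh:
        findings.append("NETCONF over SSH is not enabled; Ansible cannot open a NETCONF session")
    if telnet:
        findings.append("Telnet service is enabled; passwords cross the network in clear text")
    return {"netconf_ssh": netconf_ssh,
            "netconf_port": port if netconf_ssh else None,
            "telnet": telnet,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```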
    