Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Set up Ansible for Junos OS Managed Nodes

Juniper Networks supports using Ansible to manage Junos devices and provides Ansible modules that you can use to perform operational and configuration tasks on the devices. You do not need to install any client software on the remote nodes in order to use Ansible to manage the devices. Also, Python is not required on the managed Junos devices because the Juniper Networks modules are executed locally on the Ansible control node and use Junos PyEZ and the Junos XML API over NETCONF to perform the corresponding operational and configuration tasks.

You can execute Ansible for Junos OS modules using any user account that has access to the managed Junos device. When you execute Ansible modules, Junos OS user account access privileges are enforced. The class configured for the Junos OS user account determines the permissions. Thus, if a user executes a module that loads configuration changes onto a device, the user must have permissions to change the relevant portions of the configuration. For information about configuring user accounts on Junos devices, see the User Access and Authentication Administration Guide for Junos OS.

Juniper Networks provides modules that enable you to connect to Junos devices using NETCONF over SSH or telnet. To manage devices through a NETCONF session over SSH, you must enable the NETCONF service over SSH on the managed device and ensure that the device meets requirements for SSHv2 connections. The modules also enable you to telnet to the device’s management interface or to a console server that is directly connected to the device’s CONSOLE port. To use Ansible to telnet directly to the device’s management interface, you must configure the Telnet service on the managed device.

The following sections outline the requirements and required configuration on Junos devices when you use Ansible to access the device using the different connection protocols.

Enable NETCONF on Junos Devices

To enable NETCONF over SSH on the default port (830) on a Junos device:

  1. Configure the NETCONF-over-SSH service.
  2. Commit the configuration.

Satisfy Requirements for SSHv2 Connections

The NETCONF server communicates with client applications within the context of a NETCONF session. The server and client explicitly establish a connection and session before exchanging data, and close the session and connection when they are finished. The Ansible for Junos OS modules access the NETCONF server using the SSH protocol and standard SSH authentication mechanisms. When you use Ansible to manage Junos devices, the most convenient way to access a device is to configure SSH keys.

To establish an SSHv2 connection with a Junos device, you must ensure that the following requirements are met:

  • The NETCONF service over SSH is enabled on each device where a NETCONF session will be established.

  • The client application has a user account and can log in to each device where a NETCONF session will be established.

  • The login account used by the client application has an SSH public/private key pair or a text-based password configured.

  • The client application can access the public/private keys or text-based password.

For information about enabling NETCONF on a Junos device and satisfying the requirements for establishing an SSH session, see the NETCONF XML Management Protocol Developer Guide.

Configure Telnet Service on Junos Devices

The Juniper Networks Ansible modules can telnet directly to a Junos device. To telnet to a Junos device, you must configure the Telnet service on the device. Configuring Telnet service for a device enables unencrypted, remote access to the device.

Note:

Because telnet uses clear-text passwords (therefore creating a potential security vulnerability), we recommend that you use SSH.

To enable the Telnet service:

  1. Configure the service.
  2. (Optional) Configure the connection limit, rate limit, and order of authentication, as necessary.
  3. Commit the configuration.