Juniper JunOS Discovery

The Infracast Juniper JunOS plugin connects to Juniper devices using NETCONF (preferred) or SSH CLI to enumerate device configuration, interfaces, and routing tables. Starting from one or more seed devices, it performs neighbor-based topology walking to automatically discover adjacent Juniper infrastructure.

How It Works

  1. Infracast SSHs into each seed device (port 22 by default) and opens a NETCONF session if supported
  2. Device identity, interfaces, and routing instances are collected
  3. LLDP neighbor data is used to discover adjacent devices
  4. Newly discovered neighbors are added to the work queue and visited in turn (up to depth 3)

Prerequisites

  • SSH access (TCP/22) from the Infracast collector to Juniper devices
  • NETCONF over SSH enabled on the device (strongly recommended for structured data)
  • A read-only user account on each device (local or via RADIUS/TACACS+)
  • LLDP enabled for neighbor discovery (optional but recommended)

Creating a Read-Only User on JunOS

# SSH into the device
ssh admin@junos-router.example.com

# Enter configuration mode
configure

# Create a read-only user class
set system login class infracast-ro permissions [ view view-configuration ]

# Create the user
set system login user infracast class infracast-ro authentication plain-text-password
# (enter password when prompted)

# Enable NETCONF over SSH
set system services netconf ssh

# Enable LLDP (if not already enabled)
set protocols lldp interface all

# Commit
commit
exit
Tip: The view and view-configuration permissions are sufficient for all Infracast discovery commands. Infracast never requires operational mode commands that modify state or require higher privilege.

Registering the Credential in Infracast

infracast creds add \
--plugin juniper-junos \
--name "junos-network" \
--type ssh-password \
--username "infracast" \
--password-file /run/secrets/junos-ssh-password

Or with an SSH key:

infracast creds add \
--plugin juniper-junos \
--name "junos-network" \
--type ssh-key \
--username "infracast" \
--private-key-file /run/secrets/infracast-junos-key

Configuring the Discovery Job

infracast.yaml
discovery:
  jobs:
    - name: junos-discovery
      plugin: juniper-junos
      credential: junos-network
      schedule: "0 3 * * *" # nightly at 3 AM UTC
      config:
        # Seed devices — discovery starts here
        seeds: "10.0.0.1,10.1.0.1"

        # SSH/NETCONF settings
        ssh_port: "22"
        timeout_seconds: "30"

        # Use NETCONF (recommended). Set to "false" to fall back to SSH CLI only.
        use_netconf: "true"

What Gets Discovered

| Resource Type | Description |
|---|---|
| juniper.device | JunOS device (hostname, model, Junos version, serial number, uptime) |
| juniper.interface | Physical and logical interface (name, IP/prefix, admin/operational state, description, speed) |
| juniper.route | Routing table entry (destination, next-hop, protocol, metric, routing instance) |

Edges represent containment (interface → device) and topology (neighbor edges derived from LLDP).

Troubleshooting

SSH connection refused

Symptom: Error: dial tcp 10.0.0.1:22: connect: connection refused

Checks:

  1. Verify SSH is enabled: show system services
  2. Ensure no firewall filter blocks TCP/22 from the Infracast collector's IP
  3. Check the management interface is UP: show interfaces management

NETCONF session fails to open

Symptom: Discovery falls back to CLI mode; logs show netconf session error

Checks:

  1. Verify NETCONF is configured: show system services netconf
  2. If not configured, either enable it (set system services netconf ssh, then commit) or set use_netconf: "false" in the job config

Authentication failure

Symptom: Error: ssh: unable to authenticate

Checks:

  1. Verify the username and credentials are correct
  2. If using RADIUS/TACACS+ authentication, ensure the infracast user exists in the AAA server
  3. Verify the login class has SSH access permitted

Neighbor walking stops at depth 3

Symptom: Only a portion of the network is discovered

Cause: The default neighbor-walk depth is 3 hops from each seed. The code uses depth < 3 as its termination condition.

Fix: Add additional seed IPs closer to the network edges to reduce the required depth from each seed:

config:
  seeds: "10.0.0.1,10.1.0.1,10.2.0.1,10.3.0.1"
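
The depth limit described above, as an added example (not Infracast's own code): a breadth-first neighbor walk over a constructed LLDP adjacency map, showing which devices a given seed set reaches and which it misses. It assumes seeds are depth 0 and that neighbors are queued only while depth < 3; the device names and the walk and missed helpers are hypothetical.

```python
from collections import deque

# Constructed LLDP adjacency (not real devices): a triangle r0-r1-r2
# with a tail r2-r3-r4-r5 hanging off it.
EDGES = [("r0", "r1"), ("r1", "r2"), ("r2", "r0"),
         ("r2", "r3"), ("r3", "r4"), ("r4", "r5")]
LLDP = {}
for a, b in EDGES:
    LLDP.setdefault(a, []).append(b)
    LLDP.setdefault(b, []).append(a)

MAX_DEPTH = 3  # the page's limit; the exact semantics below are an assumption


def walk(seeds, neighbors, max_depth=MAX_DEPTH):
    """Breadth-first neighbor walk. Returns {device: hops from nearest seed}.

    Assumption: seeds are depth 0 and a device's LLDP neighbors are queued
    only while depth < max_depth, so devices at depth 3 are recorded but
    their own neighbors are never followed.
    """
    depth_of = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        device = queue.popleft()
        depth = depth_of[device]
        if not depth < max_depth:
            continue  # termination condition: do not expand past the limit
        for peer in neighbors.get(device, []):
            if peer not in depth_of:  # visit each device once (handles loops)
                depth_of[peer] = depth + 1
                queue.append(peer)
    return depth_of


def missed(seeds, neighbors, max_depth=MAX_DEPTH):
    """Devices present in the topology but never reached from the seeds."""
    return sorted(set(neighbors) - set(walk(seeds, neighbors, max_depth)))


if __name__ == "__main__":
    for seeds in (["r0"], ["r0", "r5"]):
        print(seeds, walk(seeds, LLDP), "missed:", missed(seeds, LLDP))
```

With the single seed r0 the walk stops at r4 and never reaches r5; adding r5 as a second seed brings every device within the limit.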

Missing routing table entries

Symptom: Routes are missing or incomplete

Cause: JunOS devices with VRFs/routing instances keep routes in per-instance tables, so not all routes appear in the default inet.0 table.

Check: Ensure the infracast-ro user class has permission to view all routing instances:

show route all