gRPC Services for Junos Telemetry Interface

 

Configuring gRPC for the Junos Telemetry Interface

Starting with Junos OS Release 16.1R3 on MX Series routers and PTX3000 and PTX5000 routers, you can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP. The Junos Telemetry Interface relies on a so-called push model to deliver data asynchronously, which eliminates polling. For all Juniper devices that run a version of Junos OS with upgraded FreeBSD kernel, you must install the Junos Network Agent software package, which provides the interfaces to manage gRPC subscriptions. For Juniper Network devices that run other all other versions of the Junos OS, this functionality is embedded in the Junos OS software. For more information about installing the Junos Network Agent package, see Installing the Network Agent Package.

The Junos Telemetry Interface and gRPC streaming are supported on QFX10000 and QFX5200 switches, and PTX1000 routers starting with Junos OS Release 17.2R1.

The Junos Telemetry Interface and gRPC streaming are supported on QFX5110, EX4600, and EX9200 switches starting with Junos OS Release 17.3R1.

Before you begin:

  • Install Junos OS Release 16.1R3 or later on your Juniper Networks device.

  • If your Juniper Networks device is running a version of Junos OS with an upgraded FreeBSD kernel, install the Junos Network Agent software package.

  • Install the OpenConfig for Junos module. For more information see, Installing the OpenConfig Package.

To configure your system for gRPC services:

  1. Specify the API connection setting either as unsecured or as based on Secure Socket Layer (SSL) technology. You can specify only one type of connection.

    For example, to set the API connection as unsecured:

    For example, to set the API connection based on a SSL:

    For an SSL-based connection, you must specify a local-certificate name or you can rely on the default IP address (::) to enable Junos to “listen” for all IPv4 and IPv6 addresses on incoming connections. If you would rather specify an IP address, follow stp b. below.

    1. Specify a local certificate-name. The certificate can be any user-defined value from the certificate configuration (not shown here). The certificate name should used in thisexample is jsd_certificate:
      Note

      Enter the name of a certificate you have configured with the local certificate-name statement at the [edit security certificates] hierarchy level.

    2. (Optional) Specify an IP address to listen to for incoming connections. for example, 192.0.2.0:
      Note

      If you do not specify an IP address, the default address of :: is used to listen for incoming connections.

  2. Specify port 32767 for accepting incoming connections through gRPC. Note

    Port 32767 is the required port for gRPC streaming for both unsecured and SSL-based connections.

Configuring Bidirectional Authentication for gRPC for Junos Telemetry Interface

Starting with Junos OS Release 17.4R1, you can configure bidirectional authentication for gRPC sessions used to stream telemetry data. Previously, only authentication of the server, that is, Juniper device, was supported. Now the external client, that is management station that collects data, can also be authenticated using SSL certificates. The JET service process (jsd), which supports application interaction with Junos OS, uses the credentials provided by the external client to authenticate the client and authorize a connection.

Before you begin:

To configure authentication for the external client, that is, management station that collects telemetry data streamed from the Juniper device:

  1. Enable bidirectional authentication and specify the requirements for a client certificate.

    For example, to specify the strongest authentication, which requires a certificate and its validation:

    Note

    The default is no-certificate. The other options are: request-certificate, request-certificate-and-verify, require-certificate, require-certificate-and-verfiy.

    We recommend that you use no-certificate option in a test environment only.

  2. Specify the certificate authority.Note

    For the certificate authority, specify a certificate-authority profile you have configured at the [edit security pki ca-profile] hierarchy level. This profile is used to validate the certificate provided by the client.

    A digital certificate provides a way of authenticating users through a trusted third-party called a certificate authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered. For more information, see Digital Certificates Overview and Example: Requesting a CA Digital Certificate.

    For example, to specify a certificate-authority profile named jsd_certificate:

  3. Verify that an external client can successfully connect with the Juniper device through the jsd process and invoke OpenConfig RPCs.

    The external client passes username and password credentials as part of metadata in each RPC. The RPC is allowed if valid credentials are used. Otherwise an error message is returned.

See also

Release History Table
Release
Description
Starting with Junos OS Release 17.4R1, you can configure bidirectional authentication for gRPC sessions used to stream telemetry data.
The Junos Telemetry Interface and gRPC streaming are supported on QFX5110, EX4600, and EX9200 switches starting with Junos OS Release 17.3R1.
The Junos Telemetry Interface and gRPC streaming are supported on QFX10000 and QFX5200 switches, and PTX1000 routers starting with Junos OS Release 17.2R1.
Starting with Junos OS Release 16.1R3 on MX Series routers and PTX3000 and PTX5000 routers, you can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP.