Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Contrail Insights JTI (gRPC) Monitoring

Set Up gRPC-based Streaming

Starting with Junos OS Release 16.1R3, you can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP. The Junos Telemetry Interface relies on a so-called push model to deliver data asynchronously, which eliminates polling.

The Junos Telemetry Interface and gRPC streaming are supported on QFX10000 and QFX5200 switches starting with Junos OS Release 17.2R1. The Junos Telemetry Interface and gRPC streaming is supported on QFX5110 switch starting with Junos OS Release 17.3R1. For more information on supported devices, and to configure gRPC for Junos Telemetry Interface, see gRPC Services for Junos Telemetry Interface.

For all Juniper devices that run a version of Junos OS with upgraded FreeBSD kernel, you must install the Junos Network Agent software package, which provides the interfaces to manage gRPC subscriptions. For Juniper Network devices that run other all other versions of the Junos OS, this functionality is embedded in the Junos OS software. For more information, see Installing the Network Agent Package. You must also install the OpenConfig for Junos OS module and the YANG models. For more details, see Understanding OpenConfig and gRPC on Junos Telemetry Interface.

Contrail Insights automatically configures the network device based on the JSON file you provide. Contrail Insights will stream the gRPC metrics with a default interval of 60 seconds.

After completing the above steps, verify the following configuration on the network device:

While configuring gRPC devices, you can select to enable SSL on the gRPC subscription. Select Settings in the top right of the Dashboard, Network Devices > +Add Device. Also, see section “Secure Socket Layer (SSL) gRPC Configuration.”

Figure 1: Configure gRPC Network Device Telemetry and Enable SSL Configure gRPC Network Device Telemetry and Enable SSL

In addition, you need to enable gRPC plug-in in your group_vars/all file to enable gRPC monitoring in Contrail Insights:

To allow Contrail Insights to configure the network device, have the following settings on your device and supply the device username and password:

Unsecured gRPC Configuration

Following is the configuration Contrail Insights adds on the device when you select SSLEnabled = False when configuring the device.

Secure Socket Layer (SSL) gRPC Configuration

In order for Contrail Insights to subscribe to devices over SSL technology, complete the following steps in advance of enabling SSL.

  1. Certificates for all devices need to be signed by one single certificate authority (CA).

  2. Common Name (CN) value specified for the certificate used by a particular device, should be that device's Domain Name System (DNS) name.

  3. Certificates need to be preloaded on the device as name appformix by running the following command:

  4. When configuring the devices in Contrail Insights, enter the device DNS name or IP address in the ManagementIp field. The ManagementIp should be able to resolve (translate) the device DNS name from the Contrail Insights Platform node.

    Example configuration Contrail Insights puts on the device:

Distribute gRPC Network Device CA Using Ansible

In order for Contrail Insights to have secure connections between collectors (Contrail Insights Agent and devices), the collector needs to have the CA, which signed all of the devices' certificates, in /opt/appformix/etc/cert/.

Then use Ansible to distribute the CA to all Contrail Insights Agents. Add the following in your group_vars/all file and then run the playbook.