gRPC Services for Junos Telemetry Interface

Configuring gRPC for the Junos Telemetry Interface

You can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP. The Junos Telemetry Interface relies on a so-called push model to deliver data asynchronously, which eliminates polling. For all Juniper devices that run a version of Junos OS with an upgraded FreeBSD kernel, you must install the Junos Network Agent software package, which provides the interfaces to manage gRPC subscriptions. For Juniper Networks devices that run all other versions of Junos OS, this functionality is embedded in the Junos OS software. For more information about installing the Junos Network Agent package, see Installing the Network Agent Package.

Before you begin:

  • Install Junos OS Release 16.1R3 or later on your Juniper Networks device.

  • If your Juniper Networks device is running a version of Junos OS with an upgraded FreeBSD kernel, install the Junos Network Agent software package.

  • Install the OpenConfig for Junos module. For more information, see Installing the OpenConfig Package.

To configure your system for gRPC services:

  1. Specify the API connection setting based on Secure Socket Layer (SSL) technology.

    For example, to set the API connection:

    For an SSL-based connection, you must specify a local-certificate name. You can rely on the default IP address (::) to enable Junos to “listen” for all IPv4 and IPv6 addresses on incoming connections. If you would rather specify an IP address, follow substep 2 below.

    1. Specify a local certificate-name. The certificate can be any user-defined value from the certificate configuration (not shown here). The certificate name used in this example is jsd_certificate:
      Note:

      Enter the name of a certificate you have configured with the local certificate-name statement at the [edit security certificates] hierarchy level.

    2. (Optional) Specify an IP address to listen for incoming connections. The IP address used in this example is 192.0.2.0:
      Note:

      If you do not specify an IP address, the default address of :: is used to listen for incoming connections.

  2. Specify port 32767 to accept incoming connections through gRPC.
    Note:

    Port 32767 is the required port for gRPC streaming for both unsecured and SSL-based connections.

Configuring Bidirectional Authentication for gRPC for Junos Telemetry Interface

Starting with Junos OS Release 17.4R1, you can configure bidirectional authentication for gRPC sessions used to stream telemetry data. Previously, only authentication of the server, that is, the Juniper device, was supported. Now the external client, that is, the management station that collects data, can also be authenticated using SSL certificates. The JET service process (jsd), which supports application interaction with Junos OS, uses the credentials provided by the external client to authenticate the client and authorize a connection.

Before you begin:

To configure authentication for the external client, that is, the management station that collects telemetry data streamed from the Juniper device:

  1. Enable bidirectional authentication and specify the requirements for a client certificate.

    For example, to specify the strongest authentication, which requires a certificate and its validation:

    Note:

    The default is no-certificate. The other options are: request-certificate, request-certificate-and-verify, require-certificate, require-certificate-and-verify.

    We recommend that you use the no-certificate option in a test environment only.

  2. Specify the certificate authority.
    Note:

    For the certificate authority, specify a certificate-authority profile you have configured at the [edit security pki ca-profile] hierarchy level. This profile is used to validate the certificate provided by the client.

    A digital certificate provides a way of authenticating users through a trusted third party called a certificate authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered. For more information, see Digital Certificates Overview and Example: Requesting a CA Digital Certificate.

    For example, to specify a certificate-authority profile named jsd_certificate:

  3. Verify that an external client can successfully connect with the Juniper device through the jsd process and invoke OpenConfig RPCs.

    The external client passes username and password credentials as part of metadata in each RPC. The RPC is allowed if valid credentials are used. Otherwise, an error message is returned.
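The two procedures above can be checked after the fact by auditing the device's `show configuration | display set` output. The following is an added example, not Juniper code: it assumes the statements live under `system services extension-service request-response grpc ssl` (the page's own command examples are missing), and both sample configurations are constructed.

```python
"""Audit the gRPC SSL statements in `show configuration | display set` output."""
# Assumption: statement path below; the page's own command examples are missing.
PREFIX = "set system services extension-service request-response grpc ssl "
STRONG = "require-certificate-and-verify"

# Constructed sample configurations (not captured from a real device).
HARDENED = "\n".join(PREFIX + s for s in (
    "local-certificate jsd_certificate",
    "address 192.0.2.0",
    "port 32767",
    "mutual-authentication client-certificate-request " + STRONG,
    "mutual-authentication certificate-authority jsd_certificate",
))
WEAK = "\n".join(PREFIX + s for s in (
    "local-certificate jsd_certificate",
    "port 32767",
    "mutual-authentication client-certificate-request request-certificate",
))

def parse_ssl(config_text):
    """Return the grpc ssl statements as {statement path: value}."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            *path, value = line[len(PREFIX):].split()
            settings[" ".join(path)] = value
    return settings

def audit(config_text):
    """Return a list of findings; entries starting with 'info:' are advisory."""
    s = parse_ssl(config_text)
    mode = s.get("mutual-authentication client-certificate-request", "no-certificate")
    findings = []
    if "local-certificate" not in s:
        findings.append("missing ssl local-certificate")
    if s.get("port") != "32767":
        findings.append("ssl port is not 32767")
    if mode != STRONG:
        findings.append(f"client-certificate-request is {mode}, not {STRONG}")
    if mode != "no-certificate" and "mutual-authentication certificate-authority" not in s:
        findings.append("missing certificate-authority profile for client certificates")
    if "address" not in s:
        findings.append("info: no ssl address, listening on default ::")
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or "no findings")
```
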

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---------|-------------|
| 17.4R1 | Starting with Junos OS Release 17.4R1, you can configure bidirectional authentication for gRPC sessions used to stream telemetry data. |
| 17.3R1 | The Junos Telemetry Interface and gRPC streaming are supported on QFX5110, EX4600, and EX9200 switches starting with Junos OS Release 17.3R1. |
| 17.2R1 | The Junos Telemetry Interface and gRPC streaming are supported on QFX10000 and QFX5200 switches, and PTX1000 routers starting with Junos OS Release 17.2R1. |
| 16.1R3 | Starting with Junos OS Release 16.1R3 on MX Series routers and PTX3000 and PTX5000 routers, you can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP. |