Blog Viewer

Config Rendering in Juniper Apstra

By Adam Jarvis posted 11-07-2023 12:47


Config Rendering in Juniper Apstra

A description of the different configurations that can be rendered based on the state of the devices in Apstra.                              

This article is derived from original work created by Josh Saul.


Apstra creates configurations for devices that are under its control.    

This document follows the typical lifecycle of a network device within an Apstra-managed topology.

Pre-Agent Install

Factory Default Config

The Factory Default config is what is on the device when it boots for the first time after being removed from the original shipping container (before being connected to the network).  This config has all the default settings from the vendor for the installed OS version.

User Required Config

Operators need to configure devices before they are available for configuration by Apstra.  This can be accomplished with the following methods:

  • ZTP automated boot script
  • Manual configuration via console port

Either method can be used, but an IP address must be added to the Ethernet management port  before the Apstra agent can be installed.  Admins typically set the following options before proceeding:

  • Management IP Address
  • Management Default Gateway
  • Change default username/password (optional)
  • Add trusted keys to the device for remote access (optional)
  • Add trusted IPs or subnets for remote access (optional)
  • Disable services according to security requirements (optional)

After this is completed, the admin initiates the Apstra Device Agent installation via the Apstra Server or the previous ZTP boot script.

Post-Agent Install

Pristine Config

Once the Apstra Device Agent is installed, the configuration is recorded as “Pristine” on the Apstra Server.  The device immediately enters the quarantined state.  No changes are made to the device while it is in this state.  

If the enable_push_quarantine_config is enabled in the aos.conf file, the following changes are made to devices:

  • All fabric ports are shutdown when a device is onboarded.

The Pristine configuration is not validated; it is accepted by Apstra without inspection.  Validation is implicit for this configuration because we assume the pristine configuration is correct and import it from the device.  Errors in the Pristine configuration can have a very bad effect on the device lifecycle.

Items that are usually set in the pristine configuration include:

  • Banner
  • Tacacs AAA settings
  • TCAM settings
  • Logging settings
  • Other configurations to enable third-party monitoring

The Pristine configuration is also used for all Full configuration pushes from Apstra.

Before the Apstra AOS 4.2 release, adding a new configuration item to the Pristine config, after a device is in operation (Day2 operations) required the device to be removed from the Apstra System and re-imported. In the AOS 4.2 and subsequent releases, changes to the pristine configuration can be done while a switch is in the blueprint.


The administrator selects the device and Acknowledges (ACKs) it in the Apstra UI.  This causes Apstra to install a basic configuration (Discovery-1) on the device, which enables LLDP for neighbor discovery. However, all interfaces are placed into L3 routed mode, so there will be no impact on the rest of the network. This is a Full Config push to the device from Apstra, not an incremental configuration.

Device Added to Blueprint


After the administrator adds the device to the blueprint and commits the change, Apstra begins validating LLDP status against the intended cabling to ensure the neighbors are correctly connected.  This is also known as the “ready” device mode. 

This is the final deployed state config for a deployed device in a running blueprint. 

Discovery-1 config Discovery-2 config Service config
Device is ready to be put in service Device is allocated to blueprint but not deployed Device is allocated to blueprint.

When is it pushed?
• Device connected to Apstra
• Ready for Service
• Not allocated to Blueprint

What is in Discovery-1 Config?
• All ports up in routed mode & at default speeds
• No BGP configuration
• LLDP is enabled on the device

Goal: Enable auto-discovery (up) but do not affect switching(routed mode) 

When is it pushed?
• Device connected to Apstra
• Ready for service
• Allocated to blueprint
• Device's deploy mode is “ready”

What is in discovery-2 config?
• All ports up in routed mode & at speed/breakout as defined in blueprint
• interface descriptions
• Hostname
• No BGP configuration

Goal: Enable cabling validation befor deploying service config to the device 

When is it pushed?
• Device connected to Apstra
• Ready for service
• Allocated to blueprint, device’s deploy mode is “deploy”

What is in service config?
• All ports up in routed mode & at speed/breakout as defined in blueprint
• Hostname configuration
• BGP configuration

Goal: put device into service

Golden Config

When the config has been modified by Apstra (config changes have been validated by Apstra and accepted for a device) the running config is stored as the Golden config.  

The Rendered config is the generated configuration from the staged blueprint.  Note that the Rendered config is not the same thing as the Golden config because it may be different after the configuration push.  

Golden config is the configuration on the device after the last successful config application. Also, under special cases, the user can modify a configuration directly on the device and ask Apstra to absorb this deviation as Golden.    This is not recommended for any part of the device that Apstra directly modifies. We suggest using Configlets to manage these customizations. It’s important to note, that accepting config changes is not persistent. In the event a full config push is performed, these changes are lost.

The Golden configuration is the basis for Apstra to ensure that the device is in an acceptable state.  This is enforced via a monitor that runs once every 60 seconds on the device.


Config rendering is the fundamental Day-2 function of Juniper Apstra automation. Using built-in reference designs and validators, Apstra ensures that the configurations across your fabric are consistent and correct.

Useful links


  • AAA: Authentication, Authorization, and Accounting
  • Configlet: A portion of a device configuration that is not automatically controlled by Apstra, but can be configured and deployed within Apstra
  • LLDP: Link Layer Discovery Protocol
  • TCAM: Tertiary Content-Addressable Memory
  • ZTP: Zero-Touch Provisioning


This article is derived from original work created by Josh Saul


If you want to reach out for comments, feedback or questions, drop us a mail at:

Revision History

Version Author(s) Date Comments
1 Adam Jarvis November 2023 Initial Publication