Blog Viewer

Scripting How-To: NETCONF Remote Connections

By Erdem posted 08-09-2015 07:19



Opening a remote connection to a NETCONF-compliant device. This applies to SLAX version 1.0 and higher.



Prior to Junos OS Release 11.4, on-box scripts could only use Junoscript, a proprietary protocol, to form remote connections, which limited the range of target hosts to Junos OS devices only. Starting with Junos OS Release 11.4R1, remote connections can be formed using NETCONF instead, so now an on-box script can remotely manage any vendor's device as long as it supports the standards-based NETCONF protocol.


Code Changes


The old way to open remote Junoscript connections is to invoke the jcs:open() function with either one or three arguments:

  • One argument: jcs:open( server-name )
  • Three arguments: jcs:open( server-name, username, password )

These methods continue to work correctly, but now jcs:open() can be called with two arguments instead, with the second argument being a sessions-option node-set that, among other things, allows you to select a different connection method than Junoscript.

1	jcs:open( server-name, session-options )

session-options is a node-set that includes the desired settings for the session. It can include any of the following child elements (there is also one additional option that will be discussed in the second portion of this blog post):

  • <method> - The connection method, can be junoscript (the default), junos-netconf, or netconf.
    • junoscript - Start a proprietary Junoscript connection using SSHv2 over port 22.
    • junos-netconf - Start a Juniper Networks proprietary invocation of NETCONF using SSHv2 over port 22, where the NETCONF session is started by invoking "xml-mode netconf need-trailer" on the target host after connecting to it, making this method incompatible with other vendors.
    • netconf - Start a standards-based invocation of NETCONF using SSHv2 over port 830, where the NETCONF session is started by accessing the "netconf" SSHv2 subsystem on the target host. This is compatible with any vendor that has NETCONF enabled. (To enable NETCONF, Junos OS hosts must configure it under [edit system services].)
    • Note: When a system connects to the "netconf" SSHv2 subsystem, the Junos OS host simply executes "xml-mode netconf need-trailer", the same command that is run explicitly through the junos-netconf method, so the two methods operate identically once the NETCONF session is running.
  • <username> - Connect using the provided username instead of the user that executed the script.
  • <password> / <passphrase> - Either element can be used to indicate the password for the SSH session. (They are treated identically by Junos OS.)
  • <port> - Connect using a non-standard port. Otherwise, the junoscript and junos-netconf methods connect using port 22, and the netconf method connects using port 830.

Once connected, RPCs can be executed using jcs:execute() the same way they are in a Junoscript session. However, keep in mind the differences between NETCONF and Junoscript, such as the use of different configuration RPCs (<get-config> instead of <get-configuration>, and so on), and the presence of a <data> top-level element in the returned data.

New Data in the Connection Cookie

With the addition of multiple connection methods, a new child element has been added to the connection cookie, returned by jcs:open() and stored in the script's connection variable:

1	<cookie> {
2	    <server> "";
3	    <method> "netconf";
4	}

Where <method> can be "junoscript", "junos-netconf", or "netconf".

In other words, if you assigned the results of jcs:open() to a variable named $connection, then you could access the method string through the following location path: $connection/method.

New Functions


The connection method can also be retrieved as a string by calling the new jcs:get-protocol() function.


1	var $protocol = jcs:get-protocol( $connection );
2	expr jcs:output( $protocol );



1	netconf
3	(junoscript, junos-netconf, or netconf)

A second function was also added: the jcs:get-hello() function, which allows your script to access the capabilities advertised by the target system in its hello message:



1	var $hello = jcs:get-hello( $connection );

Text output of XML data&colon;


01	<hello> {
02	    <capabilities> {
03	        <capability> "urn:ietf:params:xml:ns:netconf:base:1.0";
04	        <capability> "urn:ietf:params:xml:ns:netconf:capability:candidate:1.0";
05	        <capability> "urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0";
06	        <capability> "urn:ietf:params:xml:ns:netconf:capability:validate:1.0";
07	        <capability> "urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file";
08	        <capability> "";
09	        <capability> "";
10	    }
11	    <session-id> "1764";
12	}

Routing Instance Support

Another historical deficiency of jcs:open() has been its inability to connect to destinations that are located in routing instances other than the main instance. This shortcoming disappears in Junos OS Release 11.4, but not in the R1 or R2 revisions. You'll have to wait until 11.4R3 to use it. And, actually, Junos OS Release 11.4 isn't the first version where this feature is available, as it is also partially implemented in Junos OS Release 11.3, as  explained below.

The only visible change, as a result of this feature, is the addition of two ways to provide the desired routing-instance name to the jcs:open() function. (If no instance is provided, then the main instance is used, as expected.) Here are the two methods:

Method 1: A new four-argument version of jcs:open():


1	jcs:open( server-name, username, password, routing-instance )

This method is supported as of Junos OS Release 11.3R6, 11.4R3, 12.1R2, and 12.2R1. (This is the only version that will work in Junos OS Release 11.3.)

Method 2: A new child element of session-options, either <instance> or <routing-instance>:


1	var $options = {
2	    <routing-instance> "vpn1";
3	}
5	var $connection = jcs:open("", $options );

This element can be used alone, as shown above, or it can be used in combination with the other session options such as <method>. It is supported as of Junos OS Release 11.4R3, 12.1R2, and 12.2R1.