A Model Context Protocol (MCP) server for Juniper Junos devices that enables LLM interactions with network equipment.
Warning: This server enables LLM access to your network infrastructure. Please review these security considerations carefully.
-
Corporate Policy Compliance: Only use this server if your company's policy allows sending data of Junos devices to LLM services.
-
Server Security: Always secure your Junos MCP server before deployment in production environments.
-
Authentication: Do not use password authentication for production deployments. We strongly recommend using SSH key-based authentication for enhanced security.
-
Deployment Strategy: Until your MCP server is properly secured, only deploy locally for testing purposes. Do not deploy remote servers in production without proper security measures.
- Use SSH key authentication instead of passwords
- Implement proper network access controls
- Monitor and log all MCP server activities
- Regular security audits and updates
- Follow your organization's security policies
Warning: The Junos MCP server supports configuration changes, but please ensure you only use this functionality when you want LLM-generated configurations to be loaded and committed on your Junos router.
Always review the configuration being generated by the LLM and only allow tool execution if it's the correct configuration for your use case.
Get the code.
git clone https://github.com/Juniper/junos-mcp-server.git
cd junos-mcp-server
pip install -r requirements.txtIf you're using uv, you can run the server directly:
uv run python jmcp.py -f devices.json -t stdio$ python3.11 jmcp.py --help
Junos MCP Server
options:
-h, --help show this help message and exit
-f DEVICE_MAPPING, --device-mapping DEVICE_MAPPING
the name of the JSON file containing the device mapping
-H HOST, --host HOST Junos MCP Server host
-t TRANSPORT, --transport TRANSPORT
Junos MCP Server transport
-p PORT, --port PORT Junos MCP Server portJunos MCP server supports both streamable-http and stdio transport. Do not use --host with stdio transport.
{
"mcpServers": {
"jmcp": {
"type": "stdio",
"command": "python3",
"args": ["jmcp.py", "-f", "devices.json", "-t", "stdio"]
}
}
}{
"mcpServers": {
"jmcp": {
"type": "stdio",
"command": "uv",
"args": ["run", "python", "jmcp.py", "-f", "devices.json", "-t", "stdio"]
}
}
}Note: Please provide absolute path for jmcp.py and devices.json file.
{
"mcpServers": {
"jmcp": {
"type": "stdio",
"command": "/usr/local/bin/docker",
"args": [
"run",
"--rm",
"-i",
"-v",
"devices.json:/app/config/devices.json",
"-v",
"vsrx_keypair.pem:/app/config/vsrx_keypair.pem",
"junos-mcp-server:latest"
]
}
}
}$ docker build -t junos-mcp-server:latest .By default, the Docker container runs with stdio transport:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json junos-mcp-server:latestThis uses the default command: python jmcp.py -f /app/config/devices.json -t stdio
You can override any arguments by specifying the full command:
For stdio transport:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json junos-mcp-server:latest python jmcp.py -f /app/config/devices.json -t stdioFor streamable-http transport:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json -p 30030:30030 junos-mcp-server:latest python jmcp.py -f /app/config/devices.json -t streamable-http -H 0.0.0.0For streamable-http with custom port:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json -p 8080:8080 junos-mcp-server:latest python jmcp.py -f /app/config/devices.json -t streamable-http -p 8080 -H 0.0.0.0Note:
- Always mount your device configuration file using
-v /path/to/your/devices.json:/app/config/devices.json - For streamable-http transport, expose the port using
-p host_port:container_port - Mount any SSH private key files if using key-based authentication (e.g.,
-v /path/to/key.pem:/app/config/key.pem)
Build docker container for Junos MCP Server
$ docker build -t junos-mcp-server:latest .
Note: Mount your config file (devices.json) and mount any other files, in my case I am using pem file for ssh priv key authentication so I am also mounting vsrx_keypair.pem
Junos MCP server supports both password based auth as well as ssh key based auth.
{
"router-1": {
"ip": "ip-addr",
"port": 22,
"username": "user",
"auth": {
"type": "password",
"password": "pwd"
}
},
"router-2": {
"ip": "ip-addr",
"port": 22,
"username": "user",
"auth": {
"type": "ssh_key",
"private_key_path": "/path/to/private/key.pem"
}
},
"router-3": {
"ip": "ip-addr",
"port": 22,
"username": "user",
"auth": {
"type": "password",
"password": "pwd"
}
}
}Note: Port value should be an integer (typically 22 for SSH).
$ python3.11 jmcp.py -f devices.json
[06/11/25 08:26:11] INFO Starting MCP server 'jmcp-server' with transport 'streamable-http' on http://127.0.0.1:30030/mcp
INFO: Started server process [33512]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://127.0.0.1:30030 (Press CTRL+C to quit){
"mcp": {
"servers": {
"my-junos-mcp-server": {
"url": "http://127.0.0.1:30030/mcp/"
}
}
}
}Note: You can use VSCode's Cmd+Shift+P to configure MCP server.
The Junos MCP server supports token-based authentication for secure client access when using streamable-http transport. This prevents unauthorized access to your network infrastructure.
- stdio transport (Claude Desktop): No authentication required - secure by design as it runs locally
- streamable-http transport (VSCode, web clients): Token-based authentication available
The server includes a dedicated token management CLI tool: jmcp_token_manager.py
# Basic token generation
python jmcp_token_manager.py generate --id "vscode-dev"
# With description
python jmcp_token_manager.py generate --id "vscode-dev" --description "VSCode development environment"
# Example output:
Generated new token:
ID: vscode-dev
Token: jmcp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8
Description: VSCode development environment
Save this token securely - it won't be shown again!python jmcp_token_manager.py list
# Example output:
ID Description Created
-------------------------------------------------------------------------------------
vscode-dev VSCode development environment 2025-01-28T10:30:00Z
prod-client Production client access 2025-01-28T09:15:00Z python jmcp_token_manager.py show --id "vscode-dev"
# Example output:
Token ID: vscode-dev
Token: jmcp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8
Description: VSCode development environment
Created: 2025-01-28T10:30:00Zpython jmcp_token_manager.py revoke --id "vscode-dev"
# Example output:
Token 'vscode-dev' has been revokedThe server automatically detects and enables authentication based on the presence of tokens:
With tokens configured:
$ python jmcp.py -f devices.json -t streamable-http
INFO - Token-based authentication enabled
INFO - Clients must send 'Authorization: Bearer <token>' header
INFO - Use jmcp_token_manager.py to manage tokens
INFO - Streamable HTTP server started on http://127.0.0.1:30030Without tokens configured:
$ python jmcp.py -f devices.json -t streamable-http
WARNING - No .tokens file found - server is open to all clients
INFO - Create tokens using: python jmcp_token_manager.py generate --id <token-id>
INFO - Streamable HTTP server started on http://127.0.0.1:30030{
"mcp": {
"servers": {
"my-junos-mcp-server": {
"url": "http://127.0.0.1:30030/mcp/",
"headers": {
"Authorization": "Bearer jmcp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8"
}
}
}
}
}# Test authentication with valid token
curl -X POST "http://127.0.0.1:30030/mcp/" \
-H "Authorization: Bearer jmcp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'
# Test without token (should fail with 401)
curl -X POST "http://127.0.0.1:30030/mcp/" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'Note: MCP streamable-http requires the Accept: application/json, text/event-stream header.
When using Docker, mount the .tokens file to enable authentication:
# Generate token first (outside container)
python jmcp_token_manager.py generate --id "docker-client"
# Run container with token file mounted
docker run --rm -it \
-v /path/to/devices.json:/app/config/devices.json \
-v /path/to/.tokens:/app/.tokens \
-p 30030:30030 \
junos-mcp-server:latest \
python jmcp.py -f /app/config/devices.json -t streamable-http -H 0.0.0.0-
Token Security:
- Store tokens securely (password managers, environment variables)
- Use descriptive token IDs for easy management
- Regularly rotate tokens by revoking old ones and generating new ones
- Never commit tokens to version control
-
Access Control:
- Generate separate tokens for different clients/environments
- Revoke tokens immediately when no longer needed
- Monitor server logs for unauthorized access attempts
-
Network Security:
- Run streamable-http server behind reverse proxy with HTTPS in production
- Use firewall rules to restrict access to MCP server port
- Consider VPN access for remote clients
The .tokens file stores tokens in JSON format:
{
"vscode-dev": {
"token": "jmcp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8",
"description": "VSCode development environment",
"created": "2025-01-28T10:30:00Z"
},
"prod-client": {
"token": "jmcp_x9y8z7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2",
"description": "Production client access",
"created": "2025-01-28T09:15:00Z"
}
}Important: Keep this file secure and don't commit it to version control.
JCNR is a cloud native router that runs on various cloud environments. One can use this MCP server with JCNR as well by following the steps given below. Please refer to JCNR documentation for more details on configuration.
- Configure SSH access in JCNR on a desired port other than 22. This is required because, JCNR runs as a container on shared operating system. Running SSH on default port is not recommended. By default SSH is enabled on port 24. But, it is preferred to change this to desired port depending on your networking needs.
- Enable authentication method for SSH. JCNR supports SSH key and password based authentications.
- Enable Netconf over SSH. This is enabled by default.
set system services netconf ssh
set system services ssh port 3030
set system services ssh root-login allow
set system root-authentication encrypted-password "$6$3vvMI$RNemhmu9izWXzO46msh38frIg4VoeFNJWJZugxgnU.NQso3OQ00QWOIZmzNePD.MWjDODxBBEYut/W7kfADdV." (or)
set system root-authentication load-key-file <public key>
