A Model Context Protocol (MCP) server for Juniper Junos devices that enables LLM interactions with network equipment.
Warning: This server enables LLM access to your network infrastructure. Please review these security considerations carefully.
-
Corporate Policy Compliance: Only use this server if your company's policy allows sending data of Junos devices to LLM services.
-
Server Security: Always secure your Junos MCP server before deployment in production environments.
-
Authentication: Do not use password authentication for production deployments. We strongly recommend using SSH key-based authentication for enhanced security.
-
Deployment Strategy: Until your MCP server is properly secured, only deploy locally for testing purposes. Do not deploy remote servers in production without proper security measures.
- Use SSH key authentication instead of passwords
- Implement proper network access controls
- Monitor and log all MCP server activities
- Regular security audits and updates
- Follow your organization's security policies
Warning: The Junos MCP server supports configuration changes, but please ensure you only use this functionality when you want LLM-generated configurations to be loaded and committed on your Junos router.
Always review the configuration being generated by the LLM and only allow tool execution if it's the correct configuration for your use case.
Get the code.
git clone https://github.com/Juniper/junos-mcp-server.git
cd junos-mcp-server
pip install -r requirements.txt$ python3.11 jmcp.py --help
Junos MCP Server
options:
-h, --help show this help message and exit
-f DEVICE_MAPPING, --device-mapping DEVICE_MAPPING
the name of the JSON file containing the device mapping
-H HOST, --host HOST Junos MCP Server host
-t TRANSPORT, --transport TRANSPORT
Junos MCP Server transport
-p PORT, --port PORT Junos MCP Server portJunos MCP server supports both streamable-http and stdio transport. Do not use --host with stdio transport.
{
"mcpServers": {
"jmcp": {
"type": "stdio",
"command": "python3",
"args": ["jmcp.py", "-f", "devices.json", "-t", "stdio"]
}
}
}Note: Please provide absolute path for jmcp.py and devices.json file.
{
"mcpServers": {
"jmcp": {
"type": "stdio",
"command": "/usr/local/bin/docker",
"args": [
"run",
"--rm",
"-i",
"-v",
"devices.json:/app/config/devices.json",
"-v",
"vsrx_keypair.pem:/app/config/vsrx_keypair.pem",
"junos-mcp-server:latest"
]
}
}
}$ docker build -t junos-mcp-server:latest .By default, the Docker container runs with stdio transport:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json junos-mcp-server:latestThis uses the default command: python jmcp.py -f /app/config/devices.json -t stdio
You can override any arguments by specifying the full command:
For stdio transport:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json junos-mcp-server:latest python jmcp.py -f /app/config/devices.json -t stdioFor streamable-http transport:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json -p 30030:30030 junos-mcp-server:latest python jmcp.py -f /app/config/devices.json -t streamable-http -H 0.0.0.0For streamable-http with custom port:
$ docker run --rm -it -v /path/to/your/devices.json:/app/config/devices.json -p 8080:8080 junos-mcp-server:latest python jmcp.py -f /app/config/devices.json -t streamable-http -p 8080 -H 0.0.0.0Note:
- Always mount your device configuration file using
-v /path/to/your/devices.json:/app/config/devices.json - For streamable-http transport, expose the port using
-p host_port:container_port - Mount any SSH private key files if using key-based authentication (e.g.,
-v /path/to/key.pem:/app/config/key.pem)
Build docker container for Junos MCP Server
$ docker build -t junos-mcp-server:latest .
Note: Mount your config file (devices.json) and mount any other files, in my case I am using pem file for ssh priv key authentication so I am also mounting vsrx_keypair.pem
Junos MCP server supports both password based auth as well as ssh key based auth.
{
"router-1": {
"ip": "ip-addr",
"port": 22,
"username": "user",
"auth": {
"type": "password",
"password": "pwd"
}
},
"router-2": {
"ip": "ip-addr",
"port": 22,
"username": "user",
"auth": {
"type": "ssh_key",
"private_key_path": "/path/to/private/key.pem"
}
},
"router-3": {
"ip": "ip-addr",
"port": 22,
"username": "user",
"auth": {
"type": "password",
"password": "pwd"
}
}
}Note: Port value should be an integer (typically 22 for SSH).
$ python3.11 jmcp.py -f devices.json
[06/11/25 08:26:11] INFO Starting MCP server 'jmcp-server' with transport 'streamable-http' on http://127.0.0.1:30030/mcp
INFO: Started server process [33512]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://127.0.0.1:30030 (Press CTRL+C to quit){
"mcp": {
"servers": {
"my-junos-mcp-server": {
"url": "http://127.0.0.1:30030/mcp/"
}
}
}
}Note: You can use VSCode's Cmd+Shift+P to configure MCP server.
JCNR is a cloud native router that runs on various cloud environments. One can use this MCP server with JCNR as well by following the steps given below. Please refer to JCNR documentation for more details on configuration.
- Configure SSH access in JCNR on a desired port other than 22. This is required because, JCNR runs as a container on shared operating system. Running SSH on default port is not recommended. By default SSH is enabled on port 24. But, it is preferred to change this to desired port depending on your networking needs.
- Enable authentication method for SSH. JCNR supports SSH key and password based authentications.
- Enable Netconf over SSH. This is enabled by default.
set system services netconf ssh
set system services ssh port 3030
set system services ssh root-login allow
set system root-authentication encrypted-password "$6$3vvMI$RNemhmu9izWXzO46msh38frIg4VoeFNJWJZugxgnU.NQso3OQ00QWOIZmzNePD.MWjDODxBBEYut/W7kfADdV." (or)
set system root-authentication load-key-file <public key>
