io.github.shigechika/junos-mcp
This MCP server provides AI assistants with comprehensive management capabilities for Juniper Networks (JunOS) devices via NETCONF, covering device information, CLI execution, configuration management, firmware upgrades, diagnostics, pre-flight checks, and daily health monitoring — all with built-in safety features and parallel execution support.
Device Information
Retrieve basic facts (model, hostname, serial number, version)
Get JunOS version with upgrade/planning/pending status
List configured routers (optionally filtered by tags)
Run a lightweight server health check without connecting to devices
CLI Command Execution
Run a single or multiple CLI show commands in one session
Execute commands across multiple devices in parallel with tag-based filtering and server-side grep
Choose output format:
text,json, orxml
Configuration Management
Retrieve device configuration in
text,set, orxmlformatShow configuration diffs against rollback versions
Push configurations with
commit confirmed, automatic health checks, and auto-rollback on failure (dry-run by default)
Firmware Upgrade Operations
Check device upgrade readiness
Compare JunOS version strings (no device connection needed)
Get model-specific package info and checksums
List remote files on a device
Copy firmware via SCP with checksum verification (dry-run by default)
Install firmware with pre-flight checks (dry-run by default)
Rollback to a previous firmware version (dry-run by default)
Schedule device reboots (dry-run by default)
Diagnostics
Collect RSI (Request Support Information) and SCF files from a single device or multiple devices in parallel, with tag filtering
Pre-flight Checks
Probe NETCONF reachability and disk space
Verify local firmware checksums against inventory (no device connection)
Verify staged firmware checksums on remote devices after SCP copy
Daily Health Monitoring
Run a morning health check across multiple devices in parallel, covering chassis/system alarms, interface up/down events, syslog alert patterns, dual-RE redundancy faults, and optional route-count baseline validation
Returns a CRITICAL/WARNING/OK Markdown summary
Key Safety Features
All destructive operations default to
dry_run=Trueand require explicit confirmationpush_configsupportscommit confirmed, auto-rollback, and ano_commitmode for intentional rollbackTag-based host filtering with AND/OR logic for targeting device groups
Provides tools for managing Juniper Networks devices via NETCONF, including device information retrieval, CLI command execution, configuration management, firmware upgrades, diagnostics, and daily operations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@io.github.shigechika/junos-mcprun show version on router-1"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
junos-mcp
English | 日本語
MCP (Model Context Protocol) server for junos-ops.
Exposes Juniper Networks device operations to MCP-compatible AI assistants (Claude Desktop, Claude Code, etc.) via STDIO transport. While junos-ops is the CLI tool for humans, junos-mcp is the AI-facing interface to the same powerful engine.
Features
Device Information
Tool | Description | Connection |
| Get basic device information (model, hostname, serial, version) | Yes |
| Get JUNOS version with upgrade status | Yes |
| List routers from config.ini (optionally filtered by tags) | No |
| Report server version + config status (router count, distinct tags). Lightweight; does NOT connect to any device | No |
CLI Command Execution
Tool | Description | Connection |
| Run a single CLI show command ( | Yes |
| Run multiple CLI commands in a single session ( | Yes |
| Run a command on multiple devices in parallel (supports tag filter and | Yes |
Configuration Management
Tool | Description | Connection |
| Get device configuration (text/set/xml format) | Yes |
| Show config diff against a rollback version | Yes |
| Push config with commit confirmed + health check | Yes |
Upgrade Operations
Tool | Description | Connection |
| Check if device is ready for upgrade | Yes |
| Compare two JUNOS version strings | No |
| Get model-specific package file and hash | No |
| List files on remote device path | Yes |
| Copy firmware package via SCP with checksum | Yes |
| Install firmware with pre-flight checks ( | Yes |
| Rollback to previous package version | Yes |
| Schedule device reboot at specified time | Yes |
Diagnostics
Tool | Description | Connection |
| Collect RSI/SCF with model-specific timeouts | Yes |
| Collect RSI/SCF from multiple devices in parallel (supports tag filter) | Yes |
Pre-flight Checks
Equivalent to the junos-ops check subcommand modes. All three reuse the
junos-ops display layer for table rendering.
Tool | Description | Connection |
| Probe NETCONF reachability + available disk space per host (fast: no facts, 5s TCP probe) | Yes |
| Verify local firmware checksums against config.ini inventory | No |
| Verify staged firmware checksum + available disk space on devices (post-SCP verification) | Yes |
Daily Operations
Tool | Description | Connection |
| Morning health check across multiple devices in parallel — alarms, interface up/down, syslog alert patterns within a look-back window ( | Yes |
Safety by Design
All destructive operations (push_config, copy_package, install_package,
rollback_package, schedule_reboot) default to dry-run mode (dry_run=True).
The AI assistant must explicitly set dry_run=False to make changes.
push_config provides additional safety features not found in other Junos MCP servers:
commit confirmed with configurable timeout (auto-rollback if not confirmed)
Fallback health check after commit (ping, NETCONF uptime probe, or any CLI command)
Automatic rollback if health check fails (commit is not confirmed, timer expires)
no_commit=True— issuescommit confirmedbut intentionally skips the final commit. JUNOS auto-rolls back afterconfirm_timeoutminutes. Useful for restarting services that lack arequest ...restartcommand (e.g. syslog daemon on EX3400 post-upgrade).
Related MCP server: network-mcp-server
Requirements
Python 3.12+
junos-ops with a valid
config.iniMCP Python SDK >= 1.0
Installation
pip install junos-mcpOr for development:
git clone https://github.com/shigechika/junos-mcp.git
cd junos-mcp
python3 -m venv .venv
. .venv/bin/activate
pip install -e ".[test]"CLI options
python -m junos_mcp --helpOption | Description |
| Print version and exit |
| Load config.ini, list routers, and exit (exit code 1 on error) |
| With |
| Transport protocol (default: |
--check is handy to verify JUNOS_OPS_CONFIG and config.ini are reachable before registering the server with an AI assistant. Combine with --check-host rt1 to also confirm that credentials actually authenticate against a real device.
Tag-based host filtering
run_show_command_batch, collect_rsi_batch, and get_router_list accept an optional tags argument. The grammar matches the junos-ops --tags CLI flag (since junos-mcp 0.9.0 / junos-ops 0.16.6):
Each list element is one tag group. Comma-separated tags inside a group AND together.
Multiple list elements OR together across groups.
When combined with
hostnameson batch tools, the result is the intersection (tags filter further narrowed by names). An empty intersection returns an error.
# 1 group, 1 tag — hosts tagged "main"
run_show_command_batch(command="show route summary", tags=["main"])
# 1 group, 2 tags — AND within the group: tokyo AND edge
collect_rsi_batch(tags=["tokyo,edge"])
# 2 groups — OR across groups: main OR backup
get_router_list(tags=["main", "backup"])
# Mixed: (tokyo AND core) OR backup
run_show_command_batch(command="show version", tags=["tokyo,core", "backup"])
# Intersection: among backup-tagged hosts, only rt1/rt2
run_show_command_batch(
command="show version",
hostnames=["rt1.example.jp", "rt2.example.jp"],
tags=["backup"],
)See the junos-ops tag documentation for how to tag sections in config.ini and for the matching CLI grammar.
Structured output format
run_show_command and run_show_commands accept an optional output_format parameter:
Value | Description |
| Default. Plain-text CLI output (same as typing the command) |
| NETCONF JSON output — device returns a structured dict |
| NETCONF XML output — device returns pretty-printed XML |
Note: CLI pipe stages (| match, | last, | count, etc.) are silently dropped
regardless of output_format. PyEZ's Device.cli() sends the command over NETCONF
RPC, which JunOS does not pipe-process. Run the command without pipes and filter
client-side instead. For a single command, run_show_command_batch's grep_pattern
argument (see below) offers server-side-style filtering — even against a single
host, by passing a one-element hostnames list — but it always fetches plain-text
output internally (it cannot be combined with output_format="json"/"xml"), and
it only accepts one command at a time, so it isn't a drop-in workaround for
run_show_commands' multi-command case.
# Get structured BGP summary data
run_show_command("router-a", "show bgp summary", output_format="json")Server-side output filtering
run_show_command_batch accepts an optional grep_pattern argument (Python re pattern). When set, only lines matching the pattern are kept from each host's output. Header lines (starting with #) are always preserved. Hosts with no matching lines show (no match).
This reduces large batch results — for example, 93 routers × show route summary — from hundreds of KB to a few hundred bytes by extracting just the relevant lines:
# Extract only the inet.0 destination count from 93 routers
run_show_command_batch(
command="show route summary",
tags=["main"],
grep_pattern=r"inet\.0:\s+\d+ destinations",
)Connection pool
junos-mcp maintains a per-host NETCONF connection pool. Reusing an idle
Device avoids the TCP/NETCONF handshake on every tool call; the pool
serialises concurrent operations on the same host through a per-host lock.
Environment variable | Default | Description |
|
| Set to |
|
| Idle timeout in seconds. Connections unused longer than this are closed on the next call. Set to |
Security note: pooled connections are long-lived SSH sessions. In
environments where session duration is restricted by policy, set
JUNOS_MCP_POOL_IDLE to a value shorter than the inactivity limit, or set
JUNOS_MCP_POOL=0 to disable the pool entirely.
Configuration
This server uses the same config.ini as junos-ops. See junos-ops README for details.
Each tool accepts an optional config_path parameter. If omitted, the default search order is used:
Environment variable
JUNOS_OPS_CONFIG./config.ini~/.config/junos-ops/config.ini
Usage
Claude Code
Register the MCP server with claude mcp add:
claude mcp add junos-mcp \
-e JUNOS_OPS_CONFIG=~/.config/junos-ops/config.ini \
-- python -m junos_mcpThe --scope (-s) option controls where the configuration is stored:
Scope | Description | Config location |
| Current project, current user only |
|
| Current project, shared with team |
|
| All projects, current user only |
|
Claude Desktop
Add to Claude Desktop config file:
OS | Config file |
macOS |
|
Windows |
|
Linux |
|
{
"mcpServers": {
"junos-mcp": {
"command": "python",
"args": ["-m", "junos_mcp"],
"env": {
"JUNOS_OPS_CONFIG": "/path/to/config.ini"
}
}
}
}Restart Claude Desktop after editing.
Remote Access with OAuth (via mcp-stdio)
junos-mcp supports Streamable HTTP transport, enabling remote access from Claude Desktop or Claude Code through mcp-stdio as an OAuth proxy.
graph TB
A[junos-mcp<br/>remote server] <-- "OAuth 2.1 + HTTPS" --> B[mcp-stdio<br/>proxy]
B <-- "STDIO" --> C[Claude Desktop<br/>Claude Code]Step 1: Start junos-mcp with Streamable HTTP on the remote server
JUNOS_OPS_CONFIG=~/.config/junos-ops/config.ini \
python -m junos_mcp --transport streamable-httpThe server listens on http://localhost:8000/mcp by default.
Step 2: Register mcp-stdio as the MCP server on your local machine
claude mcp add junos-mcp -- mcp-stdio https://your-server:8000/mcpmcp-stdio handles OAuth 2.1 authentication (RFC 8414 discovery, RFC 7591 dynamic client registration, PKCE) and relays STDIO ↔ Streamable HTTP.
See mcp-stdio README for detailed configuration including OAuth provider setup.
MCP Inspector (development)
mcp dev junos_mcp/server.pyTesting
pytest tests/ -v133 tests covering all 23 tools, the connection pool, helper functions, and edge cases.
Architecture
Stdout-safe by construction
Since junos-ops 0.14.1, core functions return structured dict values and never print to stdout; MCP tools render output via junos_ops.display.format_*(). No contextlib.redirect_stdout is needed, so the MCP STDIO JSON-RPC channel stays clean.
Global State Initialization
junos-ops uses common.args and common.config as global variables. The MCP server initializes these using the same pattern as the test fixtures in junos-ops (conftest.py).
Parallel Execution
Batch tools (run_show_command_batch, collect_rsi_batch) use ThreadPoolExecutor via junos-ops common.run_parallel() with configurable max_workers.
License
Apache License 2.0
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/shigechika/junos-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server