Nexus Dashboard MCP Server
Provides tools for interacting with Cisco Nexus Dashboard APIs, enabling inventory, health checks, troubleshooting, and controlled configuration changes on Nexus Dashboard infrastructure and manage services.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Nexus Dashboard MCP Servercheck the cluster health status"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Nexus Dashboard MCP Server
A local Model Context Protocol (MCP) server that allows an MCP client such as Codex to discover and call Cisco Nexus Dashboard APIs for inventory, health checks, troubleshooting, and controlled configuration changes.
The server is driven by the Nexus Dashboard OpenAPI definitions included in this repository. It does not contain 777 individually hard-coded Python functions. At startup, it reads the API definitions, builds an in-memory operation registry, and exposes that registry through a small set of generic MCP tools.
API definitions included in this repository
The complete API files are committed under src/nexus_dashboard_mcp/specs:
Together, these files describe 777 operations, including HTTP methods, paths, operation IDs, parameters, descriptions, request-body schemas, and response schemas.
The API definitions are essential runtime files. Do not remove them from a clone or release unless you provide replacements through NEXUS_OPENAPI_SPECS_DIR.
Related MCP server: MCP REST API Server
How it works
The request flow is:
User request
↓
MCP client (for example, Codex)
↓
nexus_list_operations / nexus_describe_operation
↓
OpenAPI registry selects a documented operation
↓
nexus_read or prepare/apply change workflow
↓
Nexus client builds the URL, parameters, body, and authentication headers
↓
Nexus Dashboard Infrastructure or Manage API
↓
Structured result returned to the MCP clientFor example, the Infrastructure OpenAPI file defines:
Operation ID: getClusterStatus
Method: GET
Path: /cluster/statusWhen the MCP client calls nexus_read with getClusterStatus, the server builds:
https://YOUR-DASHBOARD/api/v1/infra/cluster/statusThe service prefix is selected automatically:
Infrastructure operations use
/api/v1/infra.Manage operations use
/api/v1/manage.
Project structure
ND-External-MCP/
├── .gitignore
├── README.md
├── nexus-dashboard.env.example # Safe configuration template
├── run_server.py # Loads local settings and starts the server
├── pyproject.toml
├── setup.py
├── src/
│ └── nexus_dashboard_mcp/
│ ├── __init__.py
│ ├── server.py # MCP protocol and tool definitions
│ ├── openapi_registry.py # Loads/searches OpenAPI operations
│ ├── client.py # Authentication, HTTP, validation, safety
│ └── specs/
│ ├── nexus_dashboard_infrastructure_v_1_1_1_136.json
│ └── nexus_dashboard_manage_v_1_1_1_411.json
└── tests/
└── test_server.pyRequirements
Python 3.9 or newer
Network access from the MCP host to Nexus Dashboard
A Nexus Dashboard account, bearer JWT, or valid
AuthCookieAn MCP-compatible client
There are no third-party Python dependencies and no package-installation step is required.
Quick start
1. Clone the repository
git clone https://github.com/YOUR-ACCOUNT/ND-External-MCP.git
cd ND-External-MCP2. Create the private configuration file
cp nexus-dashboard.env.example nexus-dashboard.envnexus-dashboard.env is excluded by .gitignore. Never commit or share it.
3. Configure Nexus Dashboard authentication
Edit nexus-dashboard.env and set the dashboard URL:
NEXUS_DASHBOARD_URL=https://nd.example.comKeep https:// at the beginning. Then choose one authentication method.
Option A: local username and password
NEXUS_API_TOKEN=
NEXUS_USERNAME=your-username
NEXUS_PASSWORD=your-passwordThe server calls the documented /api/v1/infra/login endpoint and keeps the returned JWT only in memory. The password is not returned through MCP tools or written to application logs.
Option B: bearer JWT
NEXUS_API_TOKEN=paste-your-bearer-jwt-hereLeave NEXUS_USERNAME and NEXUS_PASSWORD unset when using this method.
Option C: session cookie
NEXUS_AUTH_COOKIE=paste-your-authcookie-value-hereUse only authentication methods approved by your organization. Nexus Dashboard RBAC still determines which operations the authenticated identity may perform.
4. Handle TLS certificates
Certificate validation is enabled by default. Production deployments should use a trusted certificate.
For an isolated lab using a self-signed certificate, this test-only setting is available:
NEXUS_INSECURE_TLS=trueThis disables server-certificate verification. Do not use it on an untrusted network or in production.
Plain HTTP is refused by default. NEXUS_ALLOW_HTTP=true should only be used in a controlled test environment.
5. Register the server with an MCP client
For Codex, add the following to ~/.codex/config.toml, replacing the path with the absolute path to your clone:
[mcp_servers.nexus_dashboard]
command = "python3"
args = ["/ABSOLUTE/PATH/TO/ND-External-MCP/run_server.py"]
startup_timeout_sec = 30A client using JSON-style MCP configuration can use:
{
"mcpServers": {
"nexus-dashboard": {
"command": "python3",
"args": ["/ABSOLUTE/PATH/TO/ND-External-MCP/run_server.py"]
}
}
}Restart the MCP client after changing its configuration.
MCP tools
Tool | Purpose | Can change configuration? |
| Search operation IDs, paths, summaries, and descriptions in both API definitions | No |
| Return the documented parameters and expanded JSON request-body schema | No |
| Execute a documented | No |
| Collect fabric status, switch details, configuration diff, pending configuration, deployment history, and interfaces | No |
| Validate and preview a non-GET request without sending it | No |
| Send a previously prepared, approved request | Yes |
How the MCP client discovers an API
The MCP client does not need all 777 operations in its initial tool list. It uses the generic discovery tools.
For a request such as:
Use Nexus Dashboard to get the cluster status.The workflow is:
Search the registry for
cluster statusand methodGET.Receive
infrastructure:getClusterStatusand/cluster/status.Call
nexus_readwith the discovered operation ID.Resolve authentication and construct the Infrastructure API URL.
Send the read-only request and return its response.
For a request such as:
Create a network in fabric1.The discovery process finds:
Operation ID: manage:createNetworks
Method: POST
Path: /fabrics/{fabricName}/networksThe MCP client can then use nexus_describe_operation to obtain the exact fabric parameter and request-body schema before preparing the change.
Read-only troubleshooting workflow
A typical investigation is:
Discover relevant
GEToperations.Describe an unfamiliar operation to learn its parameters.
Call
nexus_read.Review the status code and returned Nexus Dashboard data.
Continue with more targeted read operations if needed.
Prompt cookbook for Codex
The clearest results come from prompts that identify the target, requested evidence, safety boundary, and preferred output. A useful pattern is:
Using Nexus Dashboard, examine <target> for <purpose>.
Collect <specific data> using read-only operations.
Do not make configuration changes.
Summarize the result as <table/checklist/report>, and identify missing or unavailable data.Replace placeholder values such as <FABRIC>, <SWITCH_ID>, <NETWORK>, and <VRF> before using the examples below.
Cluster and platform health
Use Nexus Dashboard to get the current cluster status. Summarize the overall
state, every node, firmware versions, bootstrap state, incomplete stages, and
failed tasks. Use read-only operations only.Create a read-only Nexus Dashboard platform health report. Include cluster
status, configured nodes, software version, integration summary, licensing
status, backup status, and recent audit records. Separate healthy, warning,
failed, and unavailable checks.Check whether the Nexus Dashboard cluster is ready for troubleshooting work.
Verify that nodes are active and core infrastructure services completed. Show
the API evidence supporting each conclusion.Fabric discovery and high-level status
List every fabric known to Nexus Dashboard. Return a table with fabric name,
type, status, and important summary fields. Highlight fabrics that are not
healthy or have incomplete information. Do not make changes.Compare all fabrics using fabric summary, switch summary, interface summary,
inventory summary, segmentation summary, and policy summary. Rank the fabrics
that need investigation, and explain the evidence without changing anything.Complete fabric operational profile
Build a complete read-only operational profile for fabric <FABRIC>. Include:
- fabric status and summary;
- switch inventory and switch states;
- interface overview;
- physical and logical links;
- configured networks and VRFs;
- segmentation and policy summaries;
- traffic categories;
- cluster flow-collection settings;
- switches and interfaces eligible for flow telemetry;
- relevant flow-telemetry VRF, tenant, and L3Out information;
- recent fabric audit records.
Return an executive summary followed by detailed tables. Clearly label any
requested data that the bundled APIs cannot provide. Do not make changes.Investigate fabric <FABRIC> as if it has an intermittent traffic problem.
Collect fabric status, switches, interface overview, links, networks, VRFs,
traffic categories, flow-collection settings, and available flow-telemetry
configuration. Identify suspicious gaps and propose the next read-only checks.
Do not apply remediation.Traffic and flow-telemetry configuration
For fabric <FABRIC>, show the current traffic categories and explain their
configuration. Also list switches that support interface flow telemetry and
show the available telemetry interfaces. Use read-only operations only.For ACI fabric <FABRIC>, inventory the flow-telemetry scope: supported switches,
interfaces, tenants, VRFs, L3Outs, and encapsulations available through the
Manage API. Summarize what is configured versus merely eligible.Get the Nexus Dashboard cluster flow-collection settings and compare them with
the flow-telemetry capabilities exposed for fabric <FABRIC>. Identify obvious
configuration gaps, but do not change the settings.The bundled Infrastructure and Manage definitions expose flow-collection settings, traffic categories, and flow-telemetry configuration/capability endpoints. They do not provide the full time-series traffic analytics, top-talkers, flow records, or anomaly datasets normally associated with a separate Nexus Dashboard Analyze/Insights API collection. Codex should label that data as unavailable rather than inventing it. Add the appropriate Analyze OpenAPI definition and server support if those analytics are required.
Switch and interface troubleshooting
Collect a troubleshooting bundle for switch <SWITCH_ID> in fabric <FABRIC>.
Include fabric status, switch details, expected-versus-running configuration
diff, pending configuration, deployment history, interfaces, and interface
overview. Summarize likely issues and do not make changes.For interface <INTERFACE> on switch <SWITCH_ID> in fabric <FABRIC>, retrieve
interface details and the single-interface configuration difference. Explain
the intended configuration, running difference, and safest next step.Show every switch in fabric <FABRIC>, including its role and status. Then inspect
only switches with unhealthy or incomplete state and summarize the evidence.
Do not execute CLI commands or configuration changes without asking me first.Networks, VRFs, links, and segmentation
For fabric <FABRIC>, list all networks and VRFs. Show network-to-VRF relationships,
VLAN IDs, network status, gateway information when returned, and any obvious
duplicates or missing relationships. Use read-only operations only.Produce a segmentation review for fabric <FABRIC>. Include networks, VRFs,
segmentation resource summary, security groups, security contracts, and policy
summary. Identify potential capacity or consistency concerns without changing
configuration.List the physical and logical links associated with fabric <FABRIC>. Correlate
them with the fabric switch inventory and identify links whose endpoints cannot
be matched to known switches. Do not make changes.Configuration compliance and audit investigation
For switch <SWITCH_ID> in fabric <FABRIC>, compare expected and running
configuration, show pending configuration and deployment history, and explain
each drift item. Recommend a remediation plan but do not reconcile or deploy it.Retrieve recent audit records for fabric <FABRIC>. Summarize who changed what,
the affected resources, timestamps, and failed operations. Do not expose tokens,
passwords, cookies, or other sensitive values in the response.Find all read-only API operations related to configuration compliance,
deployment history, pending configuration, preview, and audit. Explain which
operation you would use for each troubleshooting stage before calling them.API catalogue exploration
Search the Nexus Dashboard API catalogue for read-only operations related to
<TOPIC>. Return operation ID, service, HTTP method, path, required parameters,
and a plain-language explanation. Do not call the operations yet.Describe operation <OPERATION_ID>. Explain every path parameter, query parameter,
required JSON field, and enum in plain language. Provide a safe example payload
using placeholders, not real credentials or production values.Guided change planning—no execution
Use this form when the desired outcome is known but the exact Nexus Dashboard payload is not:
I want to implement this intended state in fabric <FABRIC>:
<DESCRIBE_INTENT>
Act as a change planner. First collect the current state using read-only APIs.
Then discover and describe the relevant write operations, identify every missing
input, check for conflicts, and propose an ordered implementation and rollback
plan. Do not prepare or apply any change until I approve the plan.Plan a change for incident/change ticket <TICKET>. Compare current and intended
state, list the exact Nexus Dashboard operations that would be required, classify
their risk, state whether each operation is disruptive, and define verification
and rollback steps. This is planning only—do not prepare or apply requests.Creating and deploying a network through conversation
Start with a planning prompt:
Guide me through creating network <NETWORK> in fabric <FABRIC> with VLAN <VLAN>,
VRF <VRF>, subnet <SUBNET>, and gateway <GATEWAY>.
First read the existing fabric, VRFs, networks, and unused VLANs. Check for name,
VLAN, subnet, and VRF conflicts. Then describe the createNetworks request body
and propose an ordered plan covering creation, attachment, preview, deployment,
verification, and rollback. Do not prepare or apply anything yet.After reviewing the plan, ask Codex to prepare only the first step:
Prepare the approved network-creation request for ticket <TICKET>. Show me the
exact operation, URL, masked JSON body, fingerprint, and change_id. Do not call
nexus_apply_change yet.After independently reviewing the preview, explicitly approve that exact prepared request:
Apply only change_id <CHANGE_ID> using the configured approval code. Do not apply
any additional attachment or deployment operation. Return the complete API
status and then verify the network with a separate read-only request.Continue attachment and deployment as separate reviewed changes:
Now read the network and current attachments. Plan and prepare the attachment
of network <NETWORK> to switches/interfaces <TARGETS>. Stop after the preview.Preview the pending network configuration for <NETWORK> in fabric <FABRIC>.
Explain the expected device changes and risks. If the preview is clean, prepare
the network deployment request but do not apply it.This separation prevents a conversational approval for network creation from silently authorizing attachment or deployment as well.
Creating a VRF and dependent network
Plan a new VRF <VRF> and network <NETWORK> in fabric <FABRIC>. Read existing VRFs,
networks, segmentation capacity, and unused VLANs. Determine the dependency
order, describe createVrfs and createNetworks, and produce a rollback plan.
Do not prepare or apply changes until I approve the plan.Prepare only the VRF creation for ticket <TICKET>. Stop after returning the
masked preview and change_id. The network must remain out of scope until the VRF
is verified with a read-only call.Interface and switch intended-configuration changes
I intend to change interface <INTERFACE> on switch <SWITCH_ID> in fabric <FABRIC>
to <DESIRED_STATE>. Read the current interface, switch configuration diff, and
pending configuration. Describe the updateInterface schema, plan preview and
deployment, and stop before preparing any change.Prepare the approved interface change for ticket <TICKET>. Do not deploy it.
After I review the change_id, separately preview the interface configuration
difference, and require another explicit approval before interface deployment.Configuration-drift remediation
Investigate configuration drift on switch <SWITCH_ID> in fabric <FABRIC>. Show
the diff, inline diff, pending configuration, and deployment history. Explain
whether reconciliation would overwrite intentional device-side changes. Produce
a remediation and rollback plan, but do not reconcile or deploy anything.Prepare configuration-drift reconciliation for switch <SWITCH_ID> under ticket
<TICKET>. Return the preview and change_id only. Treat deployment as a separate
change requiring separate approval.Telemetry remediation
Investigate telemetry configuration for fabric <FABRIC>. Read cluster flow
collection settings and fabric telemetry capability/configuration. Determine
whether resync or retry is appropriate, explain the difference, and produce a
plan. Do not call telemetryResync, resyncTelemetryConfig, or retryTelemetryConfig.Prepare only the approved telemetry resync for fabric <FABRIC> under ticket
<TICKET>. Show the exact target list and masked request. Do not apply it until I
approve the returned change_id.Requesting useful output formats
These instructions can be appended to any read-only prompt:
Return a short executive summary, an evidence table with operation IDs, a list
of risks ranked by severity, and recommended next read-only checks.Separate confirmed facts from inferences. For every inference, identify the API
fields that support it. Mark unavailable data explicitly.Compare the current result with the intended state I provided. Do not assume a
missing field is healthy, and do not recommend a write operation without first
describing its schema and rollback implications.Controlled configuration workflow
Writes are disabled by default. A configuration request follows two separate stages.
Stage 1: prepare
nexus_prepare_change:
Confirms that the selected operation is not
GET.Validates path and query parameter names.
Validates high-value OpenAPI JSON-schema constraints, including basic types, required fields, enums, arrays, and objects.
Builds the final URL without sending the request.
Redacts values whose keys look like passwords, tokens, API keys, private keys, authorization values, or cookies.
Returns a request fingerprint and one-time
change_id.Stores the exact prepared request only in the running server process.
Stage 2: apply
nexus_apply_change executes only the request associated with that one-time change_id. It requires all of the following:
NEXUS_WRITE_ENABLED=true
NEXUS_WRITE_CONFIRMATION=a-private-user-controlled-approval-codeThe approval code passed to the MCP tool must match NEXUS_WRITE_CONFIRMATION exactly.
Potentially disruptive operations—such as delete, reboot, failover, restore, reload, software update, and similar actions—are additionally blocked unless this setting is present:
NEXUS_ALLOW_DISRUPTIVE=trueEnable it only for an explicitly approved maintenance action.
Example change workflow:
Ask the MCP client to find the documented operation.
Describe the operation and gather all required input.
Prepare the request with a reason and optional incident/change ticket.
Review the operation ID, method, URL, masked payload, fingerprint, and disruptive classification.
Enable writes only in the approved execution environment.
Apply the exact one-time
change_idwith the approval code.Verify the result with a separate read operation.
Environment variables
Variable | Required | Description |
| Yes | Nexus Dashboard base URL, including |
| Authentication option | Bearer JWT |
| Authentication option | Local Nexus Dashboard username; requires |
| Authentication option | Local password; requires |
| Authentication option | Value of the Nexus Dashboard |
| No | Disable certificate verification for a trusted lab using a self-signed certificate |
| No | Permit unencrypted HTTP in a controlled test environment |
| No | Enable application of prepared changes |
| Required for writes | Private approval value required by |
| No | Allow operations classified as disruptive |
| No | Override the directory containing the two expected OpenAPI JSON filenames |
Updating the API definitions
The current registry expects these exact filenames:
nexus_dashboard_infrastructure_v_1_1_1_136.json
nexus_dashboard_manage_v_1_1_1_411.jsonTo use compatible replacement documents without changing the repository, place files with those names in another directory and set:
NEXUS_OPENAPI_SPECS_DIR=/absolute/path/to/specsIf a future Nexus Dashboard release changes the filenames or API structure, update the file mapping in openapi_registry.py and rerun the tests.
Testing
Run the dependency-free test suite from the repository root:
python3 -m unittest discover -s tests -vThe tests verify:
Both API collections load and contain the expected operation count.
Infrastructure and Manage operations are classified correctly.
URLs and path parameters are constructed safely.
Local credentials are exchanged for an in-memory JWT.
Writes remain blocked unless their controls are enabled.
The expected MCP tools are exposed.
Troubleshooting
401 Key not authorized
The supplied token was rejected or does not have the required Nexus Dashboard role. Use an authorized bearer JWT, session cookie, or local username/password. Start with a least-privilege read-only role when possible.
CERTIFICATE_VERIFY_FAILED
The dashboard is using an untrusted or self-signed certificate. The preferred solution is to install a properly trusted certificate. For an isolated lab only, use NEXUS_INSECURE_TLS=true.
Nexus Dashboard could not be reached
Check the URL, routing, firewall policy, VPN connection, DNS resolution, and whether the MCP host can reach TCP port 443 on Nexus Dashboard.
Unknown operation_id
Use nexus_list_operations to search the bundled API catalogue. The requested operation may not exist in these API versions.
Change ID is unknown or expired
Prepared changes are held only in memory and are single use. Restarting the server clears them. Prepare the exact change again and review the new preview.
Current limitations
The server supports JSON request bodies. File uploads, multipart forms, and CSV import bodies are not implemented.
Responses are limited to 1 MB per call and report whether truncation occurred.
HTTP calls use a 30-second timeout.
A username/password JWT is cached in memory for the lifetime of the server; restart the MCP server if the session expires.
The operation catalogue is limited to the two bundled API versions.
The server performs high-value request-schema validation but is not a complete OpenAPI validation engine.
Security and repository sharing
Never commit
nexus-dashboard.env.Never place real URLs, usernames, passwords, cookies, JWTs, or approval codes in README files, source code, examples, tests, issues, or screenshots.
Review staged files with
git statusbefore every commit.Rotate a credential immediately if it is accidentally disclosed.
Keep writes disabled unless there is an approved need to modify Nexus Dashboard.
Treat self-signed-certificate bypass and disruptive-action enablement as temporary lab or maintenance controls.
The example environment file contains placeholders only. The authenticated Nexus Dashboard instance remains the authority for RBAC and operation authorization.
Disclaimer
This project is an independent MCP integration built from supplied Nexus Dashboard API definitions. Validate it in a non-production environment and follow your organization's change-control, credential-management, and security requirements before using write operations.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/amikum0504/ND-External-MCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server