Skip to main content
Glama
amikum0504

Nexus Dashboard MCP Server

by amikum0504

Nexus Dashboard MCP Server

A local Model Context Protocol (MCP) server that allows an MCP client such as Codex to discover and call Cisco Nexus Dashboard APIs for inventory, health checks, troubleshooting, and controlled configuration changes.

The server is driven by the Nexus Dashboard OpenAPI definitions included in this repository. It does not contain 777 individually hard-coded Python functions. At startup, it reads the API definitions, builds an in-memory operation registry, and exposes that registry through a small set of generic MCP tools.

API definitions included in this repository

The complete API files are committed under src/nexus_dashboard_mcp/specs:

Together, these files describe 777 operations, including HTTP methods, paths, operation IDs, parameters, descriptions, request-body schemas, and response schemas.

The API definitions are essential runtime files. Do not remove them from a clone or release unless you provide replacements through NEXUS_OPENAPI_SPECS_DIR.

Related MCP server: MCP REST API Server

How it works

The request flow is:

User request
    ↓
MCP client (for example, Codex)
    ↓
nexus_list_operations / nexus_describe_operation
    ↓
OpenAPI registry selects a documented operation
    ↓
nexus_read or prepare/apply change workflow
    ↓
Nexus client builds the URL, parameters, body, and authentication headers
    ↓
Nexus Dashboard Infrastructure or Manage API
    ↓
Structured result returned to the MCP client

For example, the Infrastructure OpenAPI file defines:

Operation ID: getClusterStatus
Method:       GET
Path:         /cluster/status

When the MCP client calls nexus_read with getClusterStatus, the server builds:

https://YOUR-DASHBOARD/api/v1/infra/cluster/status

The service prefix is selected automatically:

  • Infrastructure operations use /api/v1/infra.

  • Manage operations use /api/v1/manage.

Project structure

ND-External-MCP/
├── .gitignore
├── README.md
├── nexus-dashboard.env.example     # Safe configuration template
├── run_server.py                    # Loads local settings and starts the server
├── pyproject.toml
├── setup.py
├── src/
│   └── nexus_dashboard_mcp/
│       ├── __init__.py
│       ├── server.py                # MCP protocol and tool definitions
│       ├── openapi_registry.py      # Loads/searches OpenAPI operations
│       ├── client.py                # Authentication, HTTP, validation, safety
│       └── specs/
│           ├── nexus_dashboard_infrastructure_v_1_1_1_136.json
│           └── nexus_dashboard_manage_v_1_1_1_411.json
└── tests/
    └── test_server.py

Requirements

  • Python 3.9 or newer

  • Network access from the MCP host to Nexus Dashboard

  • A Nexus Dashboard account, bearer JWT, or valid AuthCookie

  • An MCP-compatible client

There are no third-party Python dependencies and no package-installation step is required.

Quick start

1. Clone the repository

git clone https://github.com/YOUR-ACCOUNT/ND-External-MCP.git
cd ND-External-MCP

2. Create the private configuration file

cp nexus-dashboard.env.example nexus-dashboard.env

nexus-dashboard.env is excluded by .gitignore. Never commit or share it.

3. Configure Nexus Dashboard authentication

Edit nexus-dashboard.env and set the dashboard URL:

NEXUS_DASHBOARD_URL=https://nd.example.com

Keep https:// at the beginning. Then choose one authentication method.

Option A: local username and password

NEXUS_API_TOKEN=
NEXUS_USERNAME=your-username
NEXUS_PASSWORD=your-password

The server calls the documented /api/v1/infra/login endpoint and keeps the returned JWT only in memory. The password is not returned through MCP tools or written to application logs.

Option B: bearer JWT

NEXUS_API_TOKEN=paste-your-bearer-jwt-here

Leave NEXUS_USERNAME and NEXUS_PASSWORD unset when using this method.

NEXUS_AUTH_COOKIE=paste-your-authcookie-value-here

Use only authentication methods approved by your organization. Nexus Dashboard RBAC still determines which operations the authenticated identity may perform.

4. Handle TLS certificates

Certificate validation is enabled by default. Production deployments should use a trusted certificate.

For an isolated lab using a self-signed certificate, this test-only setting is available:

NEXUS_INSECURE_TLS=true

This disables server-certificate verification. Do not use it on an untrusted network or in production.

Plain HTTP is refused by default. NEXUS_ALLOW_HTTP=true should only be used in a controlled test environment.

5. Register the server with an MCP client

For Codex, add the following to ~/.codex/config.toml, replacing the path with the absolute path to your clone:

[mcp_servers.nexus_dashboard]
command = "python3"
args = ["/ABSOLUTE/PATH/TO/ND-External-MCP/run_server.py"]
startup_timeout_sec = 30

A client using JSON-style MCP configuration can use:

{
  "mcpServers": {
    "nexus-dashboard": {
      "command": "python3",
      "args": ["/ABSOLUTE/PATH/TO/ND-External-MCP/run_server.py"]
    }
  }
}

Restart the MCP client after changing its configuration.

MCP tools

Tool

Purpose

Can change configuration?

nexus_list_operations

Search operation IDs, paths, summaries, and descriptions in both API definitions

No

nexus_describe_operation

Return the documented parameters and expanded JSON request-body schema

No

nexus_read

Execute a documented GET operation

No

nexus_troubleshoot_switch

Collect fabric status, switch details, configuration diff, pending configuration, deployment history, and interfaces

No

nexus_prepare_change

Validate and preview a non-GET request without sending it

No

nexus_apply_change

Send a previously prepared, approved request

Yes

How the MCP client discovers an API

The MCP client does not need all 777 operations in its initial tool list. It uses the generic discovery tools.

For a request such as:

Use Nexus Dashboard to get the cluster status.

The workflow is:

  1. Search the registry for cluster status and method GET.

  2. Receive infrastructure:getClusterStatus and /cluster/status.

  3. Call nexus_read with the discovered operation ID.

  4. Resolve authentication and construct the Infrastructure API URL.

  5. Send the read-only request and return its response.

For a request such as:

Create a network in fabric1.

The discovery process finds:

Operation ID: manage:createNetworks
Method:       POST
Path:         /fabrics/{fabricName}/networks

The MCP client can then use nexus_describe_operation to obtain the exact fabric parameter and request-body schema before preparing the change.

Read-only troubleshooting workflow

A typical investigation is:

  1. Discover relevant GET operations.

  2. Describe an unfamiliar operation to learn its parameters.

  3. Call nexus_read.

  4. Review the status code and returned Nexus Dashboard data.

  5. Continue with more targeted read operations if needed.

Prompt cookbook for Codex

The clearest results come from prompts that identify the target, requested evidence, safety boundary, and preferred output. A useful pattern is:

Using Nexus Dashboard, examine <target> for <purpose>.
Collect <specific data> using read-only operations.
Do not make configuration changes.
Summarize the result as <table/checklist/report>, and identify missing or unavailable data.

Replace placeholder values such as <FABRIC>, <SWITCH_ID>, <NETWORK>, and <VRF> before using the examples below.

Cluster and platform health

Use Nexus Dashboard to get the current cluster status. Summarize the overall
state, every node, firmware versions, bootstrap state, incomplete stages, and
failed tasks. Use read-only operations only.
Create a read-only Nexus Dashboard platform health report. Include cluster
status, configured nodes, software version, integration summary, licensing
status, backup status, and recent audit records. Separate healthy, warning,
failed, and unavailable checks.
Check whether the Nexus Dashboard cluster is ready for troubleshooting work.
Verify that nodes are active and core infrastructure services completed. Show
the API evidence supporting each conclusion.

Fabric discovery and high-level status

List every fabric known to Nexus Dashboard. Return a table with fabric name,
type, status, and important summary fields. Highlight fabrics that are not
healthy or have incomplete information. Do not make changes.
Compare all fabrics using fabric summary, switch summary, interface summary,
inventory summary, segmentation summary, and policy summary. Rank the fabrics
that need investigation, and explain the evidence without changing anything.

Complete fabric operational profile

Build a complete read-only operational profile for fabric <FABRIC>. Include:
- fabric status and summary;
- switch inventory and switch states;
- interface overview;
- physical and logical links;
- configured networks and VRFs;
- segmentation and policy summaries;
- traffic categories;
- cluster flow-collection settings;
- switches and interfaces eligible for flow telemetry;
- relevant flow-telemetry VRF, tenant, and L3Out information;
- recent fabric audit records.

Return an executive summary followed by detailed tables. Clearly label any
requested data that the bundled APIs cannot provide. Do not make changes.
Investigate fabric <FABRIC> as if it has an intermittent traffic problem.
Collect fabric status, switches, interface overview, links, networks, VRFs,
traffic categories, flow-collection settings, and available flow-telemetry
configuration. Identify suspicious gaps and propose the next read-only checks.
Do not apply remediation.

Traffic and flow-telemetry configuration

For fabric <FABRIC>, show the current traffic categories and explain their
configuration. Also list switches that support interface flow telemetry and
show the available telemetry interfaces. Use read-only operations only.
For ACI fabric <FABRIC>, inventory the flow-telemetry scope: supported switches,
interfaces, tenants, VRFs, L3Outs, and encapsulations available through the
Manage API. Summarize what is configured versus merely eligible.
Get the Nexus Dashboard cluster flow-collection settings and compare them with
the flow-telemetry capabilities exposed for fabric <FABRIC>. Identify obvious
configuration gaps, but do not change the settings.

The bundled Infrastructure and Manage definitions expose flow-collection settings, traffic categories, and flow-telemetry configuration/capability endpoints. They do not provide the full time-series traffic analytics, top-talkers, flow records, or anomaly datasets normally associated with a separate Nexus Dashboard Analyze/Insights API collection. Codex should label that data as unavailable rather than inventing it. Add the appropriate Analyze OpenAPI definition and server support if those analytics are required.

Switch and interface troubleshooting

Collect a troubleshooting bundle for switch <SWITCH_ID> in fabric <FABRIC>.
Include fabric status, switch details, expected-versus-running configuration
diff, pending configuration, deployment history, interfaces, and interface
overview. Summarize likely issues and do not make changes.
For interface <INTERFACE> on switch <SWITCH_ID> in fabric <FABRIC>, retrieve
interface details and the single-interface configuration difference. Explain
the intended configuration, running difference, and safest next step.
Show every switch in fabric <FABRIC>, including its role and status. Then inspect
only switches with unhealthy or incomplete state and summarize the evidence.
Do not execute CLI commands or configuration changes without asking me first.
For fabric <FABRIC>, list all networks and VRFs. Show network-to-VRF relationships,
VLAN IDs, network status, gateway information when returned, and any obvious
duplicates or missing relationships. Use read-only operations only.
Produce a segmentation review for fabric <FABRIC>. Include networks, VRFs,
segmentation resource summary, security groups, security contracts, and policy
summary. Identify potential capacity or consistency concerns without changing
configuration.
List the physical and logical links associated with fabric <FABRIC>. Correlate
them with the fabric switch inventory and identify links whose endpoints cannot
be matched to known switches. Do not make changes.

Configuration compliance and audit investigation

For switch <SWITCH_ID> in fabric <FABRIC>, compare expected and running
configuration, show pending configuration and deployment history, and explain
each drift item. Recommend a remediation plan but do not reconcile or deploy it.
Retrieve recent audit records for fabric <FABRIC>. Summarize who changed what,
the affected resources, timestamps, and failed operations. Do not expose tokens,
passwords, cookies, or other sensitive values in the response.
Find all read-only API operations related to configuration compliance,
deployment history, pending configuration, preview, and audit. Explain which
operation you would use for each troubleshooting stage before calling them.

API catalogue exploration

Search the Nexus Dashboard API catalogue for read-only operations related to
<TOPIC>. Return operation ID, service, HTTP method, path, required parameters,
and a plain-language explanation. Do not call the operations yet.
Describe operation <OPERATION_ID>. Explain every path parameter, query parameter,
required JSON field, and enum in plain language. Provide a safe example payload
using placeholders, not real credentials or production values.

Guided change planning—no execution

Use this form when the desired outcome is known but the exact Nexus Dashboard payload is not:

I want to implement this intended state in fabric <FABRIC>:
<DESCRIBE_INTENT>

Act as a change planner. First collect the current state using read-only APIs.
Then discover and describe the relevant write operations, identify every missing
input, check for conflicts, and propose an ordered implementation and rollback
plan. Do not prepare or apply any change until I approve the plan.
Plan a change for incident/change ticket <TICKET>. Compare current and intended
state, list the exact Nexus Dashboard operations that would be required, classify
their risk, state whether each operation is disruptive, and define verification
and rollback steps. This is planning only—do not prepare or apply requests.

Creating and deploying a network through conversation

Start with a planning prompt:

Guide me through creating network <NETWORK> in fabric <FABRIC> with VLAN <VLAN>,
VRF <VRF>, subnet <SUBNET>, and gateway <GATEWAY>.

First read the existing fabric, VRFs, networks, and unused VLANs. Check for name,
VLAN, subnet, and VRF conflicts. Then describe the createNetworks request body
and propose an ordered plan covering creation, attachment, preview, deployment,
verification, and rollback. Do not prepare or apply anything yet.

After reviewing the plan, ask Codex to prepare only the first step:

Prepare the approved network-creation request for ticket <TICKET>. Show me the
exact operation, URL, masked JSON body, fingerprint, and change_id. Do not call
nexus_apply_change yet.

After independently reviewing the preview, explicitly approve that exact prepared request:

Apply only change_id <CHANGE_ID> using the configured approval code. Do not apply
any additional attachment or deployment operation. Return the complete API
status and then verify the network with a separate read-only request.

Continue attachment and deployment as separate reviewed changes:

Now read the network and current attachments. Plan and prepare the attachment
of network <NETWORK> to switches/interfaces <TARGETS>. Stop after the preview.
Preview the pending network configuration for <NETWORK> in fabric <FABRIC>.
Explain the expected device changes and risks. If the preview is clean, prepare
the network deployment request but do not apply it.

This separation prevents a conversational approval for network creation from silently authorizing attachment or deployment as well.

Creating a VRF and dependent network

Plan a new VRF <VRF> and network <NETWORK> in fabric <FABRIC>. Read existing VRFs,
networks, segmentation capacity, and unused VLANs. Determine the dependency
order, describe createVrfs and createNetworks, and produce a rollback plan.
Do not prepare or apply changes until I approve the plan.
Prepare only the VRF creation for ticket <TICKET>. Stop after returning the
masked preview and change_id. The network must remain out of scope until the VRF
is verified with a read-only call.

Interface and switch intended-configuration changes

I intend to change interface <INTERFACE> on switch <SWITCH_ID> in fabric <FABRIC>
to <DESIRED_STATE>. Read the current interface, switch configuration diff, and
pending configuration. Describe the updateInterface schema, plan preview and
deployment, and stop before preparing any change.
Prepare the approved interface change for ticket <TICKET>. Do not deploy it.
After I review the change_id, separately preview the interface configuration
difference, and require another explicit approval before interface deployment.

Configuration-drift remediation

Investigate configuration drift on switch <SWITCH_ID> in fabric <FABRIC>. Show
the diff, inline diff, pending configuration, and deployment history. Explain
whether reconciliation would overwrite intentional device-side changes. Produce
a remediation and rollback plan, but do not reconcile or deploy anything.
Prepare configuration-drift reconciliation for switch <SWITCH_ID> under ticket
<TICKET>. Return the preview and change_id only. Treat deployment as a separate
change requiring separate approval.

Telemetry remediation

Investigate telemetry configuration for fabric <FABRIC>. Read cluster flow
collection settings and fabric telemetry capability/configuration. Determine
whether resync or retry is appropriate, explain the difference, and produce a
plan. Do not call telemetryResync, resyncTelemetryConfig, or retryTelemetryConfig.
Prepare only the approved telemetry resync for fabric <FABRIC> under ticket
<TICKET>. Show the exact target list and masked request. Do not apply it until I
approve the returned change_id.

Requesting useful output formats

These instructions can be appended to any read-only prompt:

Return a short executive summary, an evidence table with operation IDs, a list
of risks ranked by severity, and recommended next read-only checks.
Separate confirmed facts from inferences. For every inference, identify the API
fields that support it. Mark unavailable data explicitly.
Compare the current result with the intended state I provided. Do not assume a
missing field is healthy, and do not recommend a write operation without first
describing its schema and rollback implications.

Controlled configuration workflow

Writes are disabled by default. A configuration request follows two separate stages.

Stage 1: prepare

nexus_prepare_change:

  1. Confirms that the selected operation is not GET.

  2. Validates path and query parameter names.

  3. Validates high-value OpenAPI JSON-schema constraints, including basic types, required fields, enums, arrays, and objects.

  4. Builds the final URL without sending the request.

  5. Redacts values whose keys look like passwords, tokens, API keys, private keys, authorization values, or cookies.

  6. Returns a request fingerprint and one-time change_id.

  7. Stores the exact prepared request only in the running server process.

Stage 2: apply

nexus_apply_change executes only the request associated with that one-time change_id. It requires all of the following:

NEXUS_WRITE_ENABLED=true
NEXUS_WRITE_CONFIRMATION=a-private-user-controlled-approval-code

The approval code passed to the MCP tool must match NEXUS_WRITE_CONFIRMATION exactly.

Potentially disruptive operations—such as delete, reboot, failover, restore, reload, software update, and similar actions—are additionally blocked unless this setting is present:

NEXUS_ALLOW_DISRUPTIVE=true

Enable it only for an explicitly approved maintenance action.

Example change workflow:

  1. Ask the MCP client to find the documented operation.

  2. Describe the operation and gather all required input.

  3. Prepare the request with a reason and optional incident/change ticket.

  4. Review the operation ID, method, URL, masked payload, fingerprint, and disruptive classification.

  5. Enable writes only in the approved execution environment.

  6. Apply the exact one-time change_id with the approval code.

  7. Verify the result with a separate read operation.

Environment variables

Variable

Required

Description

NEXUS_DASHBOARD_URL

Yes

Nexus Dashboard base URL, including https://

NEXUS_API_TOKEN

Authentication option

Bearer JWT

NEXUS_USERNAME

Authentication option

Local Nexus Dashboard username; requires NEXUS_PASSWORD

NEXUS_PASSWORD

Authentication option

Local password; requires NEXUS_USERNAME

NEXUS_AUTH_COOKIE

Authentication option

Value of the Nexus Dashboard AuthCookie

NEXUS_INSECURE_TLS

No

Disable certificate verification for a trusted lab using a self-signed certificate

NEXUS_ALLOW_HTTP

No

Permit unencrypted HTTP in a controlled test environment

NEXUS_WRITE_ENABLED

No

Enable application of prepared changes

NEXUS_WRITE_CONFIRMATION

Required for writes

Private approval value required by nexus_apply_change

NEXUS_ALLOW_DISRUPTIVE

No

Allow operations classified as disruptive

NEXUS_OPENAPI_SPECS_DIR

No

Override the directory containing the two expected OpenAPI JSON filenames

Updating the API definitions

The current registry expects these exact filenames:

nexus_dashboard_infrastructure_v_1_1_1_136.json
nexus_dashboard_manage_v_1_1_1_411.json

To use compatible replacement documents without changing the repository, place files with those names in another directory and set:

NEXUS_OPENAPI_SPECS_DIR=/absolute/path/to/specs

If a future Nexus Dashboard release changes the filenames or API structure, update the file mapping in openapi_registry.py and rerun the tests.

Testing

Run the dependency-free test suite from the repository root:

python3 -m unittest discover -s tests -v

The tests verify:

  • Both API collections load and contain the expected operation count.

  • Infrastructure and Manage operations are classified correctly.

  • URLs and path parameters are constructed safely.

  • Local credentials are exchanged for an in-memory JWT.

  • Writes remain blocked unless their controls are enabled.

  • The expected MCP tools are exposed.

Troubleshooting

401 Key not authorized

The supplied token was rejected or does not have the required Nexus Dashboard role. Use an authorized bearer JWT, session cookie, or local username/password. Start with a least-privilege read-only role when possible.

CERTIFICATE_VERIFY_FAILED

The dashboard is using an untrusted or self-signed certificate. The preferred solution is to install a properly trusted certificate. For an isolated lab only, use NEXUS_INSECURE_TLS=true.

Nexus Dashboard could not be reached

Check the URL, routing, firewall policy, VPN connection, DNS resolution, and whether the MCP host can reach TCP port 443 on Nexus Dashboard.

Unknown operation_id

Use nexus_list_operations to search the bundled API catalogue. The requested operation may not exist in these API versions.

Change ID is unknown or expired

Prepared changes are held only in memory and are single use. Restarting the server clears them. Prepare the exact change again and review the new preview.

Current limitations

  • The server supports JSON request bodies. File uploads, multipart forms, and CSV import bodies are not implemented.

  • Responses are limited to 1 MB per call and report whether truncation occurred.

  • HTTP calls use a 30-second timeout.

  • A username/password JWT is cached in memory for the lifetime of the server; restart the MCP server if the session expires.

  • The operation catalogue is limited to the two bundled API versions.

  • The server performs high-value request-schema validation but is not a complete OpenAPI validation engine.

Security and repository sharing

  • Never commit nexus-dashboard.env.

  • Never place real URLs, usernames, passwords, cookies, JWTs, or approval codes in README files, source code, examples, tests, issues, or screenshots.

  • Review staged files with git status before every commit.

  • Rotate a credential immediately if it is accidentally disclosed.

  • Keep writes disabled unless there is an approved need to modify Nexus Dashboard.

  • Treat self-signed-certificate bypass and disruptive-action enablement as temporary lab or maintenance controls.

The example environment file contains placeholders only. The authenticated Nexus Dashboard instance remains the authority for RBAC and operation authorization.

Disclaimer

This project is an independent MCP integration built from supplied Nexus Dashboard API definitions. Validate it in a non-production environment and follow your organization's change-control, credential-management, and security requirements before using write operations.

F
license - not found
-
quality - not tested
B
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/amikum0504/ND-External-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server