Skip to main content
Glama

centralmcp — HPE Networking MCP toolkit

License Python MCP

Low-token Model Context Protocol (MCP) server for HPE Networking automation: Aruba Central, HPE GreenLake Platform, ClearPass, Juniper Mist, Apstra, ArubaOS 8, EdgeConnect, and HPE Aruba UXI.

centralmcp gives MCP-capable AI clients a low-token way to search Aruba/HPE docs, look up exact OpenAPI details, inspect Central health, run troubleshooting workflows, manage configuration, and use guarded GreenLake Platform operations.

It is built around direct REST calls with httpx.

flowchart LR
    client["MCP clients<br/>Cursor, VS Code, Claude, local agents<br/>or any MCP-capable model"]
    router["aruba-tool-router<br/>find_tool<br/>invoke_read_tool<br/>invoke_tool"]
    rag["Embedded RAG<br/>LanceDB docs<br/>SQLite OpenAPI lookup"]
    core["Core Aruba backends<br/>Central monitoring/config/NAC/ops<br/>GreenLake Platform"]
    optional["Optional starters<br/>ClearPass, Mist, Apstra<br/>AOS8, EdgeConnect, UXI"]

    client -->|"stdio or streamable HTTP"| router
    router -->|"search_docs / ask_docs / lookup_api"| rag
    router -->|"async httpx REST"| core
    router -->|"opt-in only"| optional

Search keywords

HPE Networking MCP server, HPE Aruba Networking MCP server, HPE Aruba Central MCP server, Aruba Central AI tools, HPE GreenLake Platform MCP, GreenLake Platform MCP, GreenLake service catalog MCP, GreenLake reporting status MCP, FastMCP network automation, Model Context Protocol networking, network configuration MCP, Aruba API RAG, Aruba Central OpenAPI lookup, ClearPass MCP, Juniper Mist MCP, Apstra MCP, ArubaOS 8 MCP, AOS8 automation, HPE Aruba EdgeConnect MCP, EdgeConnect SD-WAN MCP, HPE Aruba UXI MCP, UXI sensor status MCP, guarded read/write lab automation, EdgeConnect zones, EdgeConnect interface labels, zone-based firewall MCP, Python httpx network automation, EdgeConnect ACL object groups, EdgeConnect services, EdgeConnect bypass mode, EdgeConnect link integrity diagnostics.

Related MCP server: network-mcp

Who this is for

You want to...

Use centralmcp to...

Connect an MCP-capable AI client to Aruba Central

Run the low-token aruba-tool-router over stdio or streamable HTTP

Ask questions about Aruba/HPE docs and APIs

Use embedded LanceDB + SQLite RAG/OpenAPI lookup without Docker

Inspect Central health, devices, clients, alerts, events, or sites

Discover tools with find_tool and call read-only tools through invoke_read_tool

Automate migrations or SSID workflows

Use the 8-stage migration pipeline and SSID helpers

Experiment with ClearPass, Mist, Apstra, AOS8, EdgeConnect, or UXI

Enable optional starter backends only when needed

Need

Start here

Documentation site

centralmcp GitHub Pages

Guided setup

scripts/setup_wizard.py

Try without API credentials

Try it locally without credentials

Try it quickly

Quick start

Check your local setup

scripts/doctor.py

Install and connect an MCP client

docs/getting-started.md

Copy/paste MCP client setup

docs/mcp-client-recipes.md

Enable optional products

docs/optional-products.md

See typed product workflow roadmap

docs/product-workflows.md

Download prebuilt RAG/OpenAPI indexes

docs/release-indexes.md

Fix setup or HTTP issues

docs/troubleshooting.md

Try useful prompts

docs/example-prompts.md

Understand the low-token router

docs/tool-router.md

Run with any MCP-capable AI client/model

Streamable HTTP mode

See the architecture diagrams

docs/architecture/system-overview.md

Browse the documentation map

docs/README.md

Review the RAG design

docs/architecture/RAG-ARCHITECTURE.md

Run validation before pushing

scripts/validate_release.py

Get support or report issues

SUPPORT.md

Contribute safely

CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md

Agent/developer conventions

CLAUDE.md

What is included

Area

Current coverage

MCP tools

213 core tools / 312 read-only optional starters / 346 read-write optional starters indexed

Core servers

Central monitoring, configuration, operations, NAC, GLP, and RAG

Router

find_tool, invoke_read_tool, invoke_tool, optional convenience wrappers, and MCP prompts

RAG

Embedded LanceDB docs index + SQLite OpenAPI lookup; no Docker required

GLP

Devices, subscriptions, users, audit logs, workspaces, reporting statuses, service catalog, guarded read-only GLP GET, and feature-gated writes

Optional products

ClearPass, Mist, Apstra, AOS8, EdgeConnect, and UXI starter backends

Pipeline

8-stage migration flow plus SSID build/delete helpers

Why the router matters

Point your MCP client at one server: mcp_servers/tool_router.py.

The recommended minimal router profile keeps the MCP tool list small while still giving access to the larger backend catalog:

  1. Use find_tool to discover the right backend tool.

  2. Use invoke_read_tool for read-only calls.

  3. Use invoke_tool only for intentional write/destructive calls.

invoke_tool is deliberately marked destructive because it can dispatch destructive backend tools. This gives MCP clients a safer warning boundary without loading hundreds of direct tools into context.

Try it locally without credentials

You can verify the install, build the router catalog, and start the MCP HTTP server before adding Aruba Central or GreenLake credentials. API-backed tools will need credentials later, but the local setup path is safe to test first.

git clone https://github.com/secure-ssid/centralmcp.git
cd centralmcp
python3 scripts/setup_wizard.py --yes --skip-credentials
uv run python scripts/doctor.py
MCP_PORT=8010 bash scripts/run_http_router.sh

Then connect an MCP-capable AI client to:

http://127.0.0.1:8010/mcp

Quick start

git clone https://github.com/secure-ssid/centralmcp.git
cd centralmcp

python3 scripts/setup_wizard.py

The wizard can run uv sync, write local MCP client configs, pick a Central API gateway region, fill credentials without echoing secrets, enable optional products, build the router catalog, and run the local doctor.

Review:

  • config/credentials.yaml with your Central / GLP OAuth credentials.

  • .env if you enabled ClearPass, Mist, Apstra, AOS8, EdgeConnect, or UXI.

  • .mcp.json if you want to tune the generated stdio MCP client config.

  • .mcp.http.json if your MCP client connects to an already-running streamable HTTP server instead of launching stdio.

  • .claude/launch.json if you use those launch profiles; choose the minimal aruba-tool-router profile for daily use.

Build the lightweight router tool index:

uv run python scripts/ingest_tools.py

For optional product starters too:

uv run python scripts/ingest_tools.py --products all

For full RAG docs/API search, download the prebuilt release index:

uv run python scripts/download_indexes.py

To rebuild locally, populate the git-ignored ingestion/sources/ tree with scraped docs/API source files first, then run:

uv run python ingestion/ingest_docs.py

RAG source targets are tracked in ingestion/source_manifest.json, including DevHub, New Central techdocs, and the Switching Feature Navigator seeds.

Check the local setup without making API calls:

uv run python scripts/doctor.py

The doctor reports missing local stdio/HTTP MCP config copies, index files, RAG source-manifest drift, placeholder stdio paths, low-token router profile drift, HTTP config URL or transport mismatches, optional product env, and HTTP listener status without calling Central or GLP APIs.

See docs/getting-started.md for the full setup path.

Default MCP client profile

The committed client examples are intentionally lean:

CENTRALMCP_ROUTER_MODE=minimal
CENTRALMCP_TOOLSETS=central,glp,rag

Enable optional products only when needed:

CENTRALMCP_PRODUCTS=clearpass,mist,apstra,aos8,edgeconnect,uxi
CENTRALMCP_PRODUCT_ACCESS=read-only

The setup wizard can enable a subset for you, write the matching local .env, and add only the product selector to local stdio MCP configs so tokens stay in one local file:

python3 scripts/setup_wizard.py --products clearpass,mist

The optional product starter tools are lab-friendly. Write-capable products include guarded writes that default to dry_run=True with confirm=True required for execution; UXI starts as compact read-only workflows for sensors, agents, groups, networks, service tests, and assignments. Optional product access defaults to read-only, which hides and blocks optional product write tools. Set CENTRALMCP_PRODUCT_ACCESS=read-write or run the wizard with --product-access read-write only for trusted lab write workflows.

Streamable HTTP mode

The MCP server is model-agnostic: any AI client/model that supports MCP streamable HTTP can connect to the same router endpoint.

Start the low-token HTTP router in the foreground. The helper defaults to port 8010, matching the HTTP client example:

MCP_PORT=8010 bash scripts/run_http_router.sh

Then point your MCP client at:

http://127.0.0.1:8010/mcp

Use .mcp.http.json.example as a generic HTTP client snippet. Plain curl is only useful for checking that the server is listening; real MCP clients use streaming headers such as Accept: text/event-stream. The helper loads local .env assignments first, so optional product settings created by the wizard are available to HTTP mode too. If the port is already in use, the helper exits before starting another router and prints the listener details plus the kill <PID> stop command.

Common environment variables

Variable

Purpose

Default

CREDS_PATH

Credentials YAML path

config/credentials.yaml

TOKEN_CACHE_DIR

OAuth token cache directory

~/.cache/centralmcp/

CENTRALMCP_ROUTER_MODE

Router mode: minimal or default; examples use minimal for low-token clients

default

CENTRALMCP_TOOLSETS

Loaded backend profiles; examples use central,glp,rag

all core Aruba backends

CENTRALMCP_PRODUCTS

Optional product backends

empty

CENTRALMCP_PRODUCT_ACCESS

Optional product write-tool visibility: read-write or read-only

read-only

CENTRALMCP_GLP_V2BETA1_WRITES

Enable guarded GLP write tools

off

CENTRALMCP_NORMALIZE_MACS

Normalize outbound MAC strings in router responses

off

GLP_TOKEN_URL

Override GLP SSO token URL

HPE default

GLP_BASE_URL

Override GLP API base URL

HPE default

MCP_TRANSPORT

stdio or streamable-http

stdio

MCP_HOST

HTTP bind address for streamable HTTP mode

127.0.0.1

MCP_PORT

HTTP port for streamable HTTP mode; scripts/run_http_router.sh defaults to 8010

8010

Product starter backends also use product-specific URL/token variables. See docs/getting-started.md.

Project layout

.claude/                 Optional launch profiles and repo agent notes
.cursor/                 Cursor MCP profiles: router default and direct-server dev mode
.vscode/                 VS Code MCP example config
config/                  Credentials template; real credentials stay git-ignored
docker-compose.yml       Optional localhost-only Redis/Ollama server backend for power users

mcp_servers/
  tool_router.py        Low-token MCP entrypoint
  prompts.py            Guided MCP prompt templates
  monitoring.py         Central health, alerts, events, clients, devices
  config.py             SSIDs, VLANs, profiles, webhooks, firmware
  ops.py                Ping, traceroute, show, reboot, PoE, cable test
  nac.py                MAC reg, MPSK, visitors, AAA, auth policies
  glp.py                GreenLake Platform tools
  rag.py                ask_docs, search_docs, lookup_api
  clearpass.py          Optional ClearPass starter backend
  mist.py               Optional Mist starter backend
  apstra.py             Optional Apstra starter backend
  aos8.py               Optional ArubaOS 8 starter backend
  edgeconnect.py        Optional EdgeConnect starter backend
  uxi.py                Optional HPE Aruba UXI starter backend

ingestion/
  ingest_docs.py        Build docs/API indexes into LanceDB + SQLite

pipeline/
  clients/              httpx clients, token manager, LanceDB, SQLite specs
  stages/               8-stage migration pipeline

docs/
  getting-started.md    Setup and MCP connection guide
  tool-router.md        Router modes and low-token usage
  architecture/         System overview and RAG design notes

inputs/                  Example CSV inputs for migration workflows
resources/               Postman/API reference material and resource notes
ingestion/source_manifest.json  RAG source seed URLs and source folders
scripts/                 Tool catalog ingest, local doctor, HTTP router helper, release validation
tests/                   Unit, integration, and RAG eval tests

.mcp.json.example        Generic stdio MCP client example using the minimal router
.mcp.http.json.example   Generic streamable HTTP MCP client example
run_pipeline.py          Migration pipeline CLI
run_ssid.py              SSID helper CLI

RAG and API lookup

The default RAG stack is embedded:

Index

File

Tool

Purpose

Docs

data/docs.lance

search_docs, ask_docs

Hybrid retrieval over Aruba/HPE docs

API specs

data/specs.sqlite

lookup_api

Exact endpoint/schema/enum lookup

Tools

data/tools.lance

find_tool

Semantic router tool discovery

Measured on the bundled eval set:

Metric

Result

api_exact

1.00

howto_recall@5

0.90

mrr

0.90

Safety model

  • Credentials stay in config/credentials.yaml or environment variables; do not commit real credentials.

  • Token caches live under ~/.cache/centralmcp/ by default with 0600 permissions.

  • GLP v2beta1 writes fail closed unless CENTRALMCP_GLP_V2BETA1_WRITES=1.

  • Optional product writes fail closed unless CENTRALMCP_PRODUCT_ACCESS=read-write.

  • Destructive Central operations use MCP elicitation/confirmation where supported.

  • The router's invoke_read_tool blocks non-read-only backend tools.

  • The generic router invoke_tool is marked destructive because it can reach write/destructive tools.

  • find_tool omits full JSON schemas by default; request include_schema=true only when needed.

  • Generic GLP and optional product GET tools bound list responses with limit / offset.

  • MCP tool list defaults are capped at 200 items to protect client context windows.

  • Report vulnerabilities and accidental credential exposure through SECURITY.md; do not publish real tokens, tenant IDs, or customer data in issues or PRs.

Validation

Run unit tests:

uv run pytest tests/unit -q

Run the local release gate:

uv run python scripts/validate_release.py

The release helper runs unit tests, optional RAG/API eval when indexes exist, tool catalog floor checks, and local tool-index freshness checks. Unit tests also include static guards for the active MCP/pipeline code, committed low-token MCP config examples, local-only config files, router product/toolset docs, bounded generic read-only GET tools, MCP list default bounds, RAG/search top_k bounds, public tool-count claims, tool-count docstrings, tracked Markdown local links and images, Pages sitemap and robots metadata, documented router example arguments, product workflow tool-name tables, and wizard optional-product env tables.

With appreciation to these projects and maintainers for official APIs, MCP patterns, and community references that helped shape centralmcp's low-token, lab-friendly direction:

Disclaimer

This is an independent community project. It is not an official HPE or HPE Aruba Networking product and is not endorsed by or supported by HPE.

License

MIT - see LICENSE.

A
license - permissive license
-
quality - not tested
A
maintenance

Maintenance

Maintainers
Response time
3dRelease cycle
9Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/secure-ssid/centralmcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server