Query Registry (v1)

The standard API surface for questioning the network graph.

The v1 registry contains 25 queries across 7 categories. Queries marked Pro+ require a Pro or Enterprise license.

License Requirements for Query Execution

Pro or Enterprise plan required for all POST /queries/{name}/execute calls. Community and Starter plans receive 403 Forbidden.
Firewall category queries (firewall_rules_by_device, firewall_rules_by_zone_pair, path_analysis, all_firewall_devices, deny_rules_summary) additionally require the firewall_queries plan flag.
update_device_metadata (NetBox pull) additionally requires the netbox_sync plan flag.
The 403 response body includes the query name for easier debugging.

Check your plan and expiry at any time: GET /health/license (no auth required) or meshq license.

Topology

device_neighbors

topology

Devices directly connected to a given device (via CDP/LLDP).

Input: device_name (string)

interface_neighbors

topology

Interfaces connecting two specific devices.

Input: device_a (string), device_b (string)

topology_neighborhood

topology

N-hop BFS subgraph rooted at a given device. Returns all devices and links within the specified hop depth. Pro+

Input: device (string), depth (integer, default 2)

Endpoints

locate_endpoint_by_ip

endpoints

Trace the physical switch port location of an endpoint by IP address. Results include the vrf field.

Input: ip (string), vrf (string, optional)

locate_endpoint_by_mac

endpoints

Trace the physical switch port location of an endpoint by MAC address.

Input: mac (string)

endpoints_on_interface

endpoints

List all endpoints (MAC/IP) connected to a specific interface.

Input: device (string), interface (string)

Blast Radius

blast_radius_interface

blast_radius

Identify all endpoints that would be impacted if an interface goes down.

Input: device (string), interface (string)

blast_radius_device

blast_radius

Identify all endpoints that would be impacted if a device goes down.

Input: device (string)

blast_radius_vlan

blast_radius

List all endpoints operating within a specific VLAN.

Input: vlan (integer)

blast_radius_subnet

blast_radius

List all endpoints dependent on a specific IP subnet.

Input: cidr (string)

Addressing

ips_in_subnet

addressing

List all IP addresses currently allocated within a subnet. Results include the vrf field; pass vrf to filter to a specific routing instance.

Input: cidr (string), vrf (string, optional)

subnets_on_device

addressing

List Layer-3 subnets present on a specific device.

Input: device (string)

orphaned_ips

addressing

Identify IPs configured on interfaces that do not belong to any known subnet. Results include the vrf field.

Input: vrf (string, optional)

Hygiene

devices_without_neighbors

hygiene

Identify isolated devices that have no detected neighbors (potential config issue).

Input: None

interfaces_without_ips

hygiene

List Layer-3 interfaces that are up but have no IP address assigned.

Input: None

endpoints_without_location

hygiene

List endpoints that could not be traced to a physical switch port.

Input: None

Firewall Pro+

Firewall policy queries require a Pro or Enterprise license.

firewall_rules_by_device

firewall

Retrieve all firewall rules for a specific device, ordered by rule sequence number.

Input: hostname (string)

firewall_rules_by_zone_pair

firewall

Return rules across all firewalls that match a given source and destination zone pair.

Input: src_zone (string), dst_zone (string)

path_analysis

firewall

Find the first-matching firewall rule per device for traffic between two IP addresses. Protocol and destination port are optional filters.

Input: src_ip (string), dst_ip (string)

all_firewall_devices

firewall

Return all devices that have at least one collected firewall rule, with rule counts.

Input: None

deny_rules_summary

firewall

Return all deny/drop/reject rules across every firewall, with device and rule metadata.

Input: None