MCP Server
The MeshOptixIQ MCP (Model Context Protocol) server enables AI assistants — Claude Desktop, Claude Code, and any MCP-compatible client — to query the network graph directly using natural language, without requiring manual REST API calls.
9.1 Overview & Requirements
The MCP server connects directly to Neo4j or PostgreSQL using the same query files as the REST API. It runs as a stdio transport process — the AI client starts it as a subprocess and communicates over stdin/stdout. No HTTP server or port is required.
Install the MCP Extras
```bash
pip install "meshoptixiq-network-discovery[mcp]"
# Or with PostgreSQL support
pip install "meshoptixiq-network-discovery[postgres,mcp]"
```
Environment Variables (MCP)
| Variable | Required | Description |
|---|---|---|
| MESHOPTIXIQ_LICENSE_KEY | Required | Pro or Enterprise license key |
| GRAPH_BACKEND | Optional | neo4j (default) or postgres |
| NEO4J_URI | If Neo4j | Bolt connection URI |
| NEO4J_PASSWORD | Required | Neo4j password |
| MCP_MAX_RESULT_ROWS | Optional | Row cap per tool call (default 1000) |
Test the MCP Server
```bash
GRAPH_BACKEND=neo4j \
NEO4J_URI=bolt://localhost:7687 \
NEO4J_PASSWORD=your-password \
MESHOPTIXIQ_LICENSE_KEY=mq-prod-xxxxxxxxxx \
meshq-mcp
```
The server will print its initialisation options to stderr and then wait for MCP protocol messages on stdin. Use Ctrl+C to stop.
9.2 Claude Desktop Setup
Figure 9.1 — Claude Desktop using the meshq_blast_radius_device MCP tool to answer a blast radius question. The part of the answer visible in the figure reads:
Impacted VLANs: 10 (23 endpoints), 20 (18 endpoints), 100 (6 endpoints).
Recommendation: Schedule a 2-hour maintenance window outside business hours and ensure a backup uplink is available before proceeding.
Add MeshOptixIQ to your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
Python Installation
```json
{
  "mcpServers": {
    "meshoptixiq": {
      "command": "meshq-mcp",
      "env": {
        "GRAPH_BACKEND": "neo4j",
        "NEO4J_URI": "bolt://localhost:7687",
        "NEO4J_USER": "neo4j",
        "NEO4J_PASSWORD": "your-password",
        "MESHOPTIXIQ_LICENSE_KEY": "mq-prod-xxxxxxxxxx"
      }
    }
  }
}
```
Docker
```json
{
  "mcpServers": {
    "meshoptixiq": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "--network", "host",
        "-e", "GRAPH_BACKEND=neo4j",
        "-e", "NEO4J_URI=bolt://localhost:7687",
        "-e", "NEO4J_PASSWORD=your-password",
        "-e", "MESHOPTIXIQ_LICENSE_KEY=mq-prod-xxxxxxxxxx",
        "meshoptixiq/meshoptixiq:latest",
        "meshq-mcp"
      ]
    }
  }
}
```
Restart Claude Desktop after editing the config. MeshOptixIQ should appear in the tool panel (plug icon).
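Both configurations above keep the Neo4j password and the license key in the JSON file, and the Docker form also puts them on the `docker` command line. The following added example (not part of MeshOptixIQ; the function names are hypothetical) reports which of those values are stored inline in each `mcpServers` entry and whether the file is accessible to other local users.

```python
import json
import os
import stat
import tempfile

# Variables that carry secrets in this page's example configs.
SECRET_VARS = {"NEO4J_PASSWORD", "MESHOPTIXIQ_LICENSE_KEY"}

def inline_secrets(server):
    """Names of secret variables whose values sit inline in one mcpServers entry."""
    found = {k for k in server.get("env", {}) if k in SECRET_VARS}
    args = server.get("args", [])
    # Docker form: "-e", "NAME=value" stores the value in the file and the process list.
    for flag, val in zip(args, args[1:]):
        if flag in ("-e", "--env") and "=" in val:
            name = val.split("=", 1)[0]
            if name in SECRET_VARS:
                found.add(name)
    return sorted(found)

def audit_config(path):
    """Return findings for file permissions and inline secrets in a Claude config."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"file mode {mode:03o} grants access to group/other")
    with open(path, encoding="utf-8") as fh:
        servers = json.load(fh).get("mcpServers", {})
    for name, server in servers.items():
        findings += [f"{name}: {var} stored inline" for var in inline_secrets(server)]
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the page's two config forms.
    sample = {"mcpServers": {
        "python": {"command": "meshq-mcp", "env": {"NEO4J_PASSWORD": "your-password"}},
        "docker": {"command": "docker", "args": [
            "run", "--rm", "-i", "-e", "MESHOPTIXIQ_LICENSE_KEY=mq-prod-xxxxxxxxxx",
            "meshoptixiq/meshoptixiq:latest", "meshq-mcp"]}}}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(sample, tmp)
    print("\n".join(audit_config(tmp.name)))
    os.unlink(tmp.name)
```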
9.3 Claude Code Setup
Add MeshOptixIQ as an MCP server in your Claude Code project:
```bash
# In your project directory
claude mcp add meshoptixiq meshq-mcp \
  --env GRAPH_BACKEND=neo4j \
  --env NEO4J_URI=bolt://localhost:7687 \
  --env NEO4J_PASSWORD=your-password \
  --env MESHOPTIXIQ_LICENSE_KEY=mq-prod-xxxxxxxxxx
```
Or add it globally (available in all projects):
```bash
claude mcp add --global meshoptixiq meshq-mcp \
  --env MESHOPTIXIQ_LICENSE_KEY=mq-prod-xxxxxxxxxx \
  --env NEO4J_PASSWORD=your-password
```
9.4 Available Tools, Resources & Prompts
Tools (134 total)
| Tool Name | Key Parameters | Gate |
|---|---|---|
| meshq_inventory_summary_stats | (none) | api_access |
| meshq_inventory_all_devices | limit? | api_access |
| meshq_topology_device_neighbors | device_name | api_access |
| meshq_topology_interface_neighbors | device_a, device_b | api_access |
| meshq_topology_topology_edges | limit? | advanced_queries |
| meshq_endpoints_locate_by_ip | ip | api_access |
| meshq_endpoints_locate_by_mac | mac | api_access |
| meshq_endpoints_endpoints_on_interface | device, interface | api_access |
| meshq_blast_radius_interface | device, interface | advanced_queries |
| meshq_blast_radius_device | device | advanced_queries |
| meshq_blast_radius_vlan | vlan | advanced_queries |
| meshq_blast_radius_subnet | cidr | advanced_queries |
| meshq_addressing_ips_in_subnet | cidr | api_access |
| meshq_addressing_subnets_on_device | device | api_access |
| meshq_addressing_orphaned_ips | (none) | api_access |
| meshq_hygiene_devices_without_neighbors | (none) | api_access |
| meshq_hygiene_interfaces_without_ips | (none) | api_access |
| meshq_hygiene_endpoints_without_location | (none) | api_access |
| meshq_hygiene_devices_missing_os_version | (none) | api_access |
| meshq_hygiene_devices_missing_hostname | (none) | api_access |
| meshq_hygiene_interfaces_no_description | (none) | api_access |
| meshq_hygiene_duplicate_ip_addresses | (none) | api_access |
| meshq_firewall_all_firewall_devices | (none) | api_access |
| meshq_firewall_rules_by_device | device | api_access |
| meshq_firewall_deny_rules_summary | (none) | api_access |
| meshq_firewall_rules_by_zone_pair | source_zone, destination_zone | advanced_queries |
| meshq_firewall_path_analysis | source_ip, destination_ip, protocol?, destination_port? | advanced_queries |
| meshq_ebpf_metrics | host?, limit? | ebpf_telemetry |
| meshq_ebpf_events | host?, event_type? | ebpf_telemetry |
| meshq_nvlink_topology | device? | nccl_silicon_mapping |
| meshq_nvlink_edges | device? | nccl_silicon_mapping |
| meshq_tracing_spans_ingest | spans | token_path_tracing |
| meshq_tracing_slo_violations | service?, threshold_ms? | token_path_tracing |
| meshq_tracing_correlations | trace_id | token_path_tracing |
| meshq_chaos_simulate | device, failure_type? | chaos_engineering |
| meshq_chaos_results | simulation_id | chaos_engineering |
| meshq_ai_query_conversation | message, session_id? | ai_query |
| meshq_ai_query_parameters | message | ai_query |
| meshq_anomalies_list | device?, limit? | api_access |
| meshq_anomalies_detect | device | api_access |
| meshq_capacity_forecast | device?, horizon_days? | api_access |
| meshq_capacity_tenants | (none) | api_access |
| meshq_compliance_expand_run | framework, device? | compliance_reporting |
| meshq_compliance_expand_results | framework | compliance_reporting |
| meshq_nac_sessions | device? | api_access |
| meshq_nac_violations | (none) | api_access |
| meshq_itsm_incidents | device? | api_access |
| meshq_routing_igp_adjacencies | device? | api_access |
| meshq_routing_igp_topology | (none) | api_access |
| meshq_routing_mpls_lsps | device? | api_access |
| meshq_sdwan_sites | (none) | api_access |
| meshq_sdwan_tunnels | site? | api_access |
| meshq_security_ops_events | severity?, limit? | api_access |
| meshq_security_ops_cves | device? | vulnerability_correlation |
| meshq_sites_list | (none) | api_access |
| meshq_sites_devices | site_id | api_access |
| meshq_telemetry_gnmi_metrics | device?, path? | api_access |
| meshq_telemetry_netconf_state | device | api_access |
| meshq_vxlan_vteps | (none) | api_access |
| meshq_vxlan_evpn_routes | vni? | api_access |
| meshq_wireless_aps | site? | api_access |
| meshq_wireless_clients | ap? | api_access |
| meshq_flows_top_talkers | limit? | api_access |
| meshq_influxdb_interface_metrics | device, interface? | api_access |
| meshq_k8s_pods | namespace? | api_access |
| meshq_k8s_services | namespace? | api_access |
| meshq_k8s_node_topology | (none) | api_access |
Resources (6 total)
Resources expose read-only network data as background context for AI reasoning.
| URI | Description |
|---|---|
| network://inventory/summary | Device/interface/endpoint/VLAN counts |
| network://inventory/devices | Full device inventory (capped at 500) |
| network://topology/edges | All device-to-device connections |
| network://health/hygiene | Merged hygiene report (7 hygiene queries) |
| network://schema/queries | All 109 query definitions from registry.yaml (no DB call) |
| network://firewall/policies | All firewall devices + deny-rule summary |
Prompts (6 pre-defined templates)
| Prompt Name | Arguments | Purpose |
|---|---|---|
| network_incident_triage | affected_device, incident_description? | Blast radius + neighbours for active incident |
| network_change_impact_assessment | device, interface?, change_description? | Pre-maintenance impact report |
| network_endpoint_hunt | identifier, identifier_type | Locate endpoint by IP or MAC, trace to port |
| network_addressing_audit | cidr? | IP addressing gaps and orphaned IPs |
| network_hygiene_report | (none) | Full hygiene check with remediation checklist |
| network_firewall_audit | device? | Audit security policies: any/any permits, zone pairs, deny hits |
9.4.1 Tool Count by Category
The 134 tools span 36 modules covering Topology, Endpoints, Blast Radius, Addressing, Hygiene, Inventory, Firewall, Routing, IGP/MPLS, InfiniBand, DCGM GPU, NVLink, NCCL Operations, eBPF Telemetry, Interface Metrics, SD-WAN, VXLAN/EVPN, Wireless, NAC/ITSM, Sites, Alerts, Compliance, Compliance Expand, Flows, Kubernetes, Synthetic Monitors, Vulnerabilities, Security Ops, Anomaly Detection, Capacity Planning, Tracing, Chaos Engineering, AI Query, Tenant Management, Cert Scanner, and Event Streaming.
9.4.2 MCP Resources
Six read-only resources expose key network state to AI assistants:
- network://inventory/summary — aggregate device/interface/endpoint counts
- network://topology/edges — all device-to-device connection edges
- network://health/platform — platform health (API, graph, Redis, license)
- network://firewall/devices — all devices with collected firewall rules
- network://alerts/active — currently fired (unacknowledged) alerts
- network://compliance/latest — most recent compliance scan results
9.4.3 MCP Prompts
Six structured prompts guide Claude through common network operations workflows:
| Prompt | Use Case |
|---|---|
| network_incident_triage | Structured network incident response workflow |
| network_change_impact_assessment | Blast radius assessment before a maintenance window |
| network_endpoint_hunt | Locate a specific endpoint by IP or MAC |
| network_addressing_audit | Audit IP addressing for orphans and inconsistencies |
| network_hygiene_report | Generate a network hygiene report |
| network_firewall_audit | Audit firewall rules for deny-heavy policies |
Example Conversations
User: "What would be the impact if sw-core-01 went offline right now?"
Claude: [calls meshq_blast_radius_device with device="sw-core-01"]
[calls meshq_topology_device_neighbors with device_name="sw-core-01"]
"If sw-core-01 went offline, 47 endpoints would lose connectivity,
distributed across VLANs 10, 20, and 100. Three distribution
switches — dist-sw-01, dist-sw-02, and dist-sw-03 — would lose
their uplink..."