NSO Device Operations
MCP Server
- Command: cisco-nso-mcp-server (pip-installed, stdio transport)
- Requires: NSO_ADDRESS, NSO_USERNAME, NSO_PASSWORD environment variables
- Optional: NSO_SCHEME (default: http), NSO_PORT (default: 8080), NSO_VERIFY, NSO_TIMEOUT
- API: RESTCONF (RFC 8040)
Available Tools
| Tool | Parameters | What It Does |
|---|---|---|
| get_device_config | device_name | Get the full configuration for a device from NSO's CDB |
| get_device_state | device_name | Get operational state data for a device (interfaces, counters, status) |
| check_device_sync | device_name | Check if NSO's copy of the device config is in sync with the actual device |
| sync_from_device | device_name | Pull the current config from the device into NSO's CDB (sync-from) |
| get_device_platform | device_name | Get platform info: model, OS version, serial number, hardware details |
| get_device_ned_ids | none | List all Network Element Driver (NED) IDs — shows what device types NSO can manage |
| get_device_groups | none | List all device groups defined in NSO |
MCP Resource
| Resource URI | What It Returns |
|---|---|
| https://resources.cisco-nso-mcp.io/environment | NSO environment summary: device count, OS distribution, unique models, device series, group membership |
Workflow: Device Configuration Audit
When a user asks "show me R1's config from NSO" or "what does NSO have for the core routers":
- Get device groups: get_device_groups to see how devices are organized
- Get config: get_device_config for each target device
- Present: Format the configuration in a readable way
- Cross-reference: Compare with pyATS live config if discrepancies suspected
Workflow: Sync Check and Remediation
When a user asks "are my devices in sync?" or "is NSO up to date?":
- Check sync: check_device_sync for the target device(s)
- If out of sync: Report which devices are out of sync and why
- Remediate: Use sync_from_device to pull current config from the device into NSO
- Verify: Run check_device_sync again to confirm sync is restored
- Record in GAIT: Log the sync operation for audit trail
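
The check, remediate, verify and record steps above as one gated routine. This is an added example, not code from the cisco-nso-mcp-server project: `call_tool` is a hypothetical MCP client hook, the `{"result": "in-sync"}` reply shape is an assumption, and the audit records are a generic structure rather than GAIT's own format.

```python
import json
import time

# The one tool on this page that rewrites NSO's CDB; the rest are reads.
CDB_MODIFYING = {"sync_from_device"}


def remediate_sync(call_tool, devices, allow_cdb_write=False):
    """Check, sync-from only if out of sync, re-check; return (status, audit).

    call_tool(name, args) is a hypothetical MCP client hook returning a dict;
    the {"result": "in-sync"} reply shape is an assumption of this sketch.
    """
    audit, status = [], {}

    def run(tool, device):
        result = call_tool(tool, {"device_name": device}).get("result")
        audit.append({"ts": time.time(), "tool": tool, "device": device,
                      "modifies_cdb": tool in CDB_MODIFYING, "result": result})
        return result

    for device in devices:
        state = run("check_device_sync", device)
        if state != "out-of-sync" or not allow_cdb_write:
            status[device] = state  # in sync, or reported and left untouched
            continue
        run("sync_from_device", device)  # overwrites NSO's CDB copy
        verified = run("check_device_sync", device)
        status[device] = "restored" if verified == "in-sync" else "still out-of-sync"
    return status, audit


def demo(allow_cdb_write=True):
    # Constructed stand-in for the MCP server: R2 drifts until sync-from runs.
    synced = {"R1": True, "R2": False}

    def fake_call_tool(name, args):
        if name == "sync_from_device":
            synced[args["device_name"]] = True
            return {"result": "ok"}
        return {"result": "in-sync" if synced[args["device_name"]] else "out-of-sync"}

    return remediate_sync(fake_call_tool, ["R1", "R2"], allow_cdb_write)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With `allow_cdb_write=False` the routine only reports drift, so the CDB overwrite happens only on an explicit opt-in and every call still lands in the audit list.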
Workflow: NSO Environment Overview
When a user asks "what's in NSO?" or "show me the NSO inventory":
- Environment resource: Read the NSO environment resource for the summary
- Device groups: get_device_groups to see organizational structure
- NED IDs: get_device_ned_ids to see what device types are managed
- Platform details: get_device_platform for specific devices of interest
- Report: Summary table of devices, OS types, models, and group membership
Workflow: Pre-Change Baseline from NSO
Before making configuration changes:
- Get current config: get_device_config to capture the NSO baseline
- Check sync: check_device_sync to ensure NSO is current
- If out of sync: sync_from_device first to get the latest state
- Save baseline: Commit the config to GAIT or GitHub for audit trail
- Proceed with change: Use pyATS or NSO services to apply changes
Workflow: Device Platform Inventory
When a user needs hardware/software details:
- Get platform: get_device_platform for each device
- Compile report: Model, serial, OS version, hardware
- Cross-reference: Check NVD for CVEs against OS versions (use nvd-cve skill)
- Cross-reference: Compare with NetBox records for accuracy (use netbox-reconcile skill)
NSO Concepts
| Concept | Meaning |
|---|---|
| CDB | Configuration Database — NSO's copy of all device configs |
| NED | Network Element Driver — plugin that translates between NSO's model and device CLI/NETCONF |
| sync-from | Pull config from device into NSO CDB |
| sync-to | Push NSO CDB config to device (not available in this MCP — use services instead) |
| Device Group | Logical grouping of devices for bulk operations |
| Service | NSO service instance that provisions config across devices (see nso-service-mgmt skill) |
Integration with Other Skills
| Scenario | Integration |
|---|---|
| Config differs from NSO | Compare get_device_config (NSO) vs pyATS show running-config (live) |
| Device inventory audit | Compare get_device_platform (NSO) vs NetBox records |
| Pre-change validation | NSO config baseline → ServiceNow CR → pyATS apply → NSO sync verify |
| Vulnerability scanning | get_device_platform (OS version) → NVD CVE search |
| Config backup to GitHub | get_device_config → github-ops commit to repo |
Important Rules
- NSO is the orchestration layer — it manages device configs through RESTCONF/NETCONF, not CLI
- Always check sync before trusting config — check_device_sync first
- sync_from_device pulls FROM the device — it overwrites NSO's CDB with what's actually on the device
- Read-heavy operations are safe — get_device_config, get_device_state, check_device_sync are non-destructive
- sync_from_device modifies NSO CDB — it's safe for the device but changes NSO's database
- Record in GAIT — log all NSO operations for audit trail
Environment Variables
- NSO_SCHEME — http or https (default: http)
- NSO_ADDRESS — NSO server address (default: localhost)
- NSO_PORT — RESTCONF port (default: 8080)
- NSO_USERNAME — NSO username (default: admin)
- NSO_PASSWORD — NSO password (default: admin)
- NSO_VERIFY — Verify SSL certificate (default: true)
- NSO_TIMEOUT — Connection timeout in seconds (default: 10)
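
A preflight check for the effective NSO_* settings, run before the MCP server is launched. This is an added example, not part of cisco-nso-mcp-server: the defaults are copied from the list above, while the accepted spellings for a disabled NSO_VERIFY and the finding texts are assumptions.

```python
import os

# Defaults as documented in the Environment Variables list above.
DEFAULTS = {"NSO_SCHEME": "http", "NSO_ADDRESS": "localhost", "NSO_PORT": "8080",
            "NSO_USERNAME": "admin", "NSO_PASSWORD": "admin",
            "NSO_VERIFY": "true", "NSO_TIMEOUT": "10"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
FALSY = {"false", "0", "no", "off"}  # assumed spellings for a disabled NSO_VERIFY


def audit_nso_env(env):
    """Return a list of findings for the effective NSO_* settings in env."""
    cfg = {key: env.get(key, default) for key, default in DEFAULTS.items()}
    scheme = cfg["NSO_SCHEME"].lower()
    remote = cfg["NSO_ADDRESS"].lower() not in LOOPBACK
    findings = []

    if scheme != "https" and remote:
        findings.append("NSO_SCHEME is http to a non-loopback host: "
                        "credentials and device configs cross the network unencrypted")
    if scheme == "https" and cfg["NSO_VERIFY"].lower() in FALSY:
        findings.append("NSO_VERIFY is disabled: the server certificate is not checked")
    if cfg["NSO_PASSWORD"] == DEFAULTS["NSO_PASSWORD"]:
        findings.append("NSO_PASSWORD is the documented default")
    for name in ("NSO_USERNAME", "NSO_PASSWORD"):
        if name not in env:
            findings.append(f"{name} is unset, so the default applies")
    port = cfg["NSO_PORT"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"NSO_PORT={port!r} is not a valid TCP port")
    return findings


if __name__ == "__main__":
    for line in audit_nso_env(os.environ) or ["no findings"]:
        print(line)
```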