Zing Forum

Nornir MCP Server: An Open-Source Tool for Large Language Models to Directly Manage Network Devices

This article introduces Nornir MCP Server, an open-source project that bridges large language models (LLMs) with network automation. Through the Model Context Protocol (MCP), this project enables AI assistants like Claude to directly query network device statuses, perform configuration backups, and manage tasks, providing network engineers with a new natural language interaction experience for network operations and maintenance.

Tags: Nornir, MCP, Network Automation, Large Language Models, Claude, NAPALM, Netmiko, Network Operations, AI Operations, MCP Server
Published 2026-05-05 11:12 | Recent activity 2026-05-05 11:20 | Estimated read 7 min

Project Background and Motivation

Network operations and maintenance has always been one of the most complex and time-consuming aspects of IT infrastructure management. Traditional network management requires engineers to master CLI commands from various vendors, and this complexity multiplies in multi-vendor environments. With the rapid development of large language model (LLM) technology, a natural question arises: can AI assistants directly understand and operate network devices?

Nornir MCP Server was created to address this problem. Developed by sydasif, this project implements a Model Context Protocol (MCP) server, successfully opening up the capabilities of the Nornir network automation framework to LLMs like Claude. This means network engineers can now converse with AI in natural language, allowing AI to automatically perform tasks such as device queries, configuration backups, and status monitoring.

Dual-Engine Design

The core architecture of Nornir MCP Server uses a dual-engine design, combining two powerful network automation tools:

NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support) provides a standardized data acquisition interface. It supports over 100 network device platforms such as Cisco IOS/NX-OS/XR, Arista EOS, and Juniper Junos, and can convert proprietary commands from different vendors into a unified data structure.

Netmiko is responsible for flexible SSH command execution. When specific show commands or configuration changes are needed, Netmiko provides reliable connection management and command sending mechanisms.

The advantage of this dual-engine architecture is that it retains both NAPALM's standardized data abstraction and Netmiko's flexibility, allowing it to handle various edge cases and special requirements.

Model Context Protocol Integration

MCP is an open protocol launched by Anthropic, aiming to standardize the interaction between large language models and external tools. Nornir MCP Server fully implements the MCP specification and exposes 7 core tools to LLMs:

  • list_devices: Lists all hosts, groups, and metadata
  • get_facts: Retrieves basic device information (vendor, model, uptime)
  • get_configs: Retrieves running, startup, or candidate configurations
  • run_napalm_getter: General NAPALM data acquisition interface (ARP tables, VLAN information, etc.)
  • run_show_commands: Safely executes arbitrary show commands
  • send_config_commands: Deploys configuration changes and performs verification
  • backup_device_configs: Safely backs up configurations to local disk

Each tool call reloads the configuration file and inventory data to ensure operations are based on the latest network topology information.

Security Mechanism Design

Operations on network devices are highly risky; a single incorrect configuration can lead to severe network outages. Nornir MCP Server prioritizes security in its design and implements multi-layer protection mechanisms.

Command Blacklist System

The server has a built-in multi-layer command validation engine that performs three checks before executing commands:

Exact command matching: Directly blocks known dangerous commands such as reload, write erase, erase startup-config, etc.

Keyword filtering: Identifies and blocks commands containing dangerous keywords like erase, format, delete, etc.

Pattern matching: Prevents command chaining and redirection operations, blocking the use of shell metacharacters such as ;, &&, >, >>.
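
The three checks described above, combined into one validator. This is an added example and not the project's own code: the deny-lists hold only the commands, keywords and metacharacters the article names, and `normalize`, `validate_command` and `filter_commands` are hypothetical names.

```python
import re
from typing import Optional

# Constructed lists: only the examples the article names. The project's
# real deny-lists are not shown on the page.
EXACT_DENY = {"reload", "write erase", "erase startup-config"}
KEYWORD_DENY = ("erase", "format", "delete")
# '>>' is listed before '>' so the longer operator is the one reported.
CHAIN_PATTERN = re.compile(r";|&&|>>|>")


def normalize(command: str) -> str:
    """Lower-case and collapse whitespace so 'Write   Erase' still matches."""
    return " ".join(command.lower().split())


def validate_command(command: str) -> Optional[str]:
    """Return None when the command passes, else the layer and rule that blocked it."""
    cmd = normalize(command)
    if not cmd:
        return "rejected: empty command"
    # Layer 1: exact match against known destructive commands.
    if cmd in EXACT_DENY:
        return f"exact: {cmd}"
    # Layer 2: substring keyword filter. It fails closed, so it also blocks
    # harmless commands that merely contain a keyword ("inFORMATion").
    for keyword in KEYWORD_DENY:
        if keyword in cmd:
            return f"keyword: {keyword}"
    # Layer 3: chaining and redirection metacharacters.
    match = CHAIN_PATTERN.search(cmd)
    if match:
        return f"pattern: {match.group(0)}"
    return None


def filter_commands(commands: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split a batch into allowed commands and {blocked command: reason}."""
    allowed, blocked = [], {}
    for command in commands:
        reason = validate_command(command)
        if reason is None:
            allowed.append(command)
        else:
            blocked[command] = reason
    return allowed, blocked
```

Returning the layer and rule that fired gives the operator something to log and review; the substring keyword layer trades false positives such as `show file information` for failing closed.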

Path Sandbox

The configuration backup function is restricted to a predefined root directory to prevent path traversal attacks. Even if the AI or user attempts to access sensitive files via relative paths, the system will refuse execution.
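
One way to confine backup writes to a root directory, as an added example rather than the project's implementation. The names `resolve_in_sandbox`, `is_allowed` and `write_backup`, and the path layout, are assumptions.

```python
from pathlib import Path


class SandboxError(ValueError):
    """Raised when a requested backup path leaves the backup root."""


def resolve_in_sandbox(root: Path, requested: str) -> Path:
    """Return the absolute path for `requested`, or raise if it escapes `root`."""
    root = root.resolve()
    try:
        # Joining an absolute `requested` discards `root`; resolve() then
        # collapses '..' segments and follows symlinks, so the containment
        # check below sees the real target, not the spelling of the path.
        candidate = (root / requested).resolve()
        candidate.relative_to(root)
    except ValueError:
        raise SandboxError(f"{requested!r} resolves outside {root}") from None
    if candidate == root:
        raise SandboxError("a file name under the backup root is required")
    return candidate


def is_allowed(root: Path, requested: str) -> bool:
    """Boolean form of the check, convenient for logging and tests."""
    try:
        resolve_in_sandbox(root, requested)
        return True
    except SandboxError:
        return False


def write_backup(root: Path, requested: str, config_text: str) -> Path:
    """Write one device configuration under the backup root and return its path."""
    target = resolve_in_sandbox(root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(config_text)
    return target
```

The check and the write are separate steps, so the backup root should not be writable by untrusted local users who could swap in a symlink between them.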

Input Validation

All inputs are validated via Pydantic models to ensure data types and formats meet expectations and prevent injection attacks.