sdwan-ops
$
npx mdskill add automateyournetwork/netclaw/sdwan-opsPerforms read-only Cisco SD-WAN vManage operations for monitoring and troubleshooting.
- Checks SD-WAN fabric health and audits policies, templates, and alarms.
- Uses vManage APIs and requires environment variables for authentication.
- Executes commands to retrieve device status, interface stats, and BFD session data.
- Returns structured JSON output for integration with monitoring or automation workflows.
SKILL.md
.github/skills/sdwan-opsView on GitHub ↗
---
name: sdwan-ops
description: "Cisco SD-WAN vManage read-only operations — fabric devices, WAN Edge inventory, templates, policies, alarms, events, interface stats, BFD sessions, OMP routes, control connections, running config. Use when checking SD-WAN fabric health, viewing vManage alarms, auditing SD-WAN policies and templates, or troubleshooting BFD tunnels."
license: Apache-2.0
user-invocable: true
metadata:
{ "openclaw": { "requires": { "bins": ["python3"], "env": ["VMANAGE_IP", "VMANAGE_USERNAME", "VMANAGE_PASSWORD"] } } }
---
# Cisco SD-WAN Operations
## MCP Server
- **Source**: [siddhartha2303/cisco-sdwan-mcp](https://github.com/siddhartha2303/cisco-sdwan-mcp)
- **Command**: `python3 -u $SDWAN_MCP_SCRIPT --transport stdio` (stdio transport)
- **Requires**: `VMANAGE_IP`, `VMANAGE_USERNAME`, `VMANAGE_PASSWORD` environment variables
- **Python**: 3.10+
- **Dependencies**: `fastmcp`, `requests`, `python-dotenv`
## How to Call Tools
```bash
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" <tool_name> '<args_json>'
```
## Available Tools (12)
| Tool | Parameters | What It Does |
|------|-----------|--------------|
| `get_devices` | none | List all fabric devices — vManage, vSmart, vBond, vEdge with status |
| `get_wan_edge_inventory` | none | WAN Edge details: serial number, chassis ID, model, version |
| `get_device_templates` | none | All device templates with attached device count |
| `get_feature_templates` | none | All feature templates (VPN, interface, routing, security) |
| `get_centralized_policies` | none | Centralized policy definitions (traffic engineering, QoS, security) |
| `get_alarms` | none | Active alarms across the fabric with severity |
| `get_events` | none | Recent audit events and operational logs |
| `get_interface_stats` | `device_ip` | Interface statistics for a specific device (throughput, errors, drops) |
| `get_bfd_sessions` | `device_ip` | BFD session status for device-to-device connectivity health |
| `get_omp_routes` | `device_ip` | OMP routes — received and advertised routes per device |
| `get_control_connections` | `device_ip` | DTLS/TLS control connections between fabric nodes |
| `get_running_config` | `device_ip` | Full running configuration for a device |
## Workflow: SD-WAN Fabric Health Check
When a user asks about SD-WAN health or status:
1. **Fabric overview**: `get_devices` — verify all controllers and edges are reachable
2. **WAN Edge inventory**: `get_wan_edge_inventory` — check serial numbers, versions
3. **Alarms**: `get_alarms` — identify active issues (CRITICAL, MAJOR, MINOR)
4. **Control plane**: `get_control_connections` for key devices — verify DTLS/TLS tunnels
5. **BFD health**: `get_bfd_sessions` for key devices — check tunnel health
6. **Report**: Fabric status summary with severity-sorted findings
7. **GAIT**: Record all queries in audit trail
### Example: Fabric Health
```bash
# List all fabric devices
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_devices '{}'
# Check active alarms
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_alarms '{}'
# Check BFD sessions on a WAN edge
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_bfd_sessions '{"device_ip":"10.10.10.100"}'
# Check OMP routes on a WAN edge
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_omp_routes '{"device_ip":"10.10.10.100"}'
```
## Workflow: SD-WAN Policy Audit
When auditing SD-WAN templates and policies:
1. **Device templates**: `get_device_templates` — list all templates with device counts
2. **Feature templates**: `get_feature_templates` — inspect VPN, interface, routing, security templates
3. **Centralized policies**: `get_centralized_policies` — review traffic engineering and security policies
4. **Config verification**: `get_running_config` for target device — confirm template-applied config
5. **Report**: Template and policy audit with recommendations
### Example: Policy Audit
```bash
# List device templates
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_device_templates '{}'
# List centralized policies
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_centralized_policies '{}'
# Get running config for a specific device
python3 $MCP_CALL "python3 -u $SDWAN_MCP_SCRIPT --transport stdio" get_running_config '{"device_ip":"10.10.10.100"}'
```
## Workflow: SD-WAN Troubleshooting
When investigating SD-WAN connectivity or performance:
1. **Device status**: `get_devices` — is the device reachable via vManage?
2. **Control connections**: `get_control_connections` — DTLS/TLS tunnel state
3. **BFD sessions**: `get_bfd_sessions` — tunnel health between sites
4. **OMP routes**: `get_omp_routes` — are routes being exchanged?
5. **Interface stats**: `get_interface_stats` — throughput, errors, drops
6. **Events**: `get_events` — recent operational events for timeline correlation
7. **Running config**: `get_running_config` — verify configuration matches intent
## Integration with Other Skills
| Skill | Integration |
|-------|-------------|
| **pyats-network** | CLI-level verification of SD-WAN edge devices via SSH |
| **gait-session-tracking** | Record all vManage queries in GAIT audit trail |
| **markmap-viz** | Visualize SD-WAN fabric topology as mind map |
| **uml-diagram** | Generate SD-WAN architecture diagrams (nwdiag, sequence) |
| **servicenow-change-workflow** | Reference SD-WAN audit findings in CRs |
## Important Rules
- **All operations are read-only** — no configuration changes can be made through this MCP server
- **GAIT audit mandatory** — record all vManage queries in the session audit trail
- **Cross-reference with pyATS** — use CLI-level verification alongside vManage API data for complete visibility
- **SSL verification** — vManage API uses HTTPS; SSL certificate warnings are suppressed by the MCP server for lab/self-signed certs
- **API rate limits** — vManage may rate-limit API requests; avoid rapid polling
## Error Handling
- **Auth fails (401/403)**: Check `VMANAGE_IP`, `VMANAGE_USERNAME`, `VMANAGE_PASSWORD` in `~/.openclaw/.env`
- **Connection timeout**: Verify vManage is reachable from the NetClaw host (`ping $VMANAGE_IP`)
- **Device IP not found**: Use `get_devices` to list all devices and find correct system IP
- **Empty results**: Device may not be onboarded or may be unreachable from vManage
## Environment Variables
- `VMANAGE_IP` — vManage IP address or hostname
- `VMANAGE_USERNAME` — vManage API username
- `VMANAGE_PASSWORD` — vManage API password
- `SDWAN_MCP_SCRIPT` — Path to the Python MCP server script (set by install.sh)
- `MCP_CALL` — Path to mcp-call.py wrapper (set by install.sh)
More from automateyournetwork/netclaw
- aap-automationRed Hat Ansible Automation Platform — inventory management, job template execution, project SCM sync, ad-hoc commands, host management, Galaxy content discovery. Use when automating infrastructure with Ansible, running playbooks, managing inventories, or searching for Ansible collections and roles.
- aap-edaEvent-Driven Ansible (EDA) — activation lifecycle, rulebook management, decision environments, event stream monitoring. Use when managing event-driven automation triggers, enabling/disabling activations, or reviewing EDA rulebooks.
- aap-lintansible-lint playbook and role validation — syntax checking, best practice enforcement, project-wide analysis, rule filtering. Use when validating Ansible playbooks, checking code quality, or enforcing automation best practices before deployment.
- aci-change-deploySafe ACI policy change deployment - ServiceNow CR lifecycle, pre/post-change fault baselines, APIC policy application, automatic rollback on fault delta, and GAIT audit trail. Use when deploying ACI policy changes, creating tenants or EPGs, pushing config to APIC, or running a change window with rollback protection.
- aci-fabric-auditComprehensive Cisco ACI fabric health audit - node status, tenant/VRF/BD/EPG policy review, contract analysis, fault triage, and endpoint learning verification. Use when auditing ACI fabric health, checking for faults, reviewing tenant policies, or running pre/post-change baselines on APIC.
- arista-cvpArista CloudVision Portal (CVP) automation via REST API — device inventory, events, connectivity monitoring, tag management (4 tools). Use when managing Arista devices, checking CloudVision events, monitoring network connectivity probes, or tagging devices in CVP.
- aruba-cx-configView and manage Aruba CX switch configurations, perform ISSU upgrades, and firmware operations
- aruba-cx-interfacesMonitor Aruba CX switch interface status, LLDP neighbors, and optical transceiver health
- aruba-cx-switchingView and manage Aruba CX switch VLANs and MAC address tables for Layer 2 operations
- aruba-cx-systemDiscover Aruba CX switch system information, firmware versions, and VSF topology