Skip to content
mcp-unifi

Network Tools

The Network module is loaded by default (MCP_UNIFI_MODULES_ENABLED=network). It exposes 46 tools covering devices, networks/VLANs, WLANs, firewall rules, switch port profiles, per-client commands, static DHCP leases, port forwards, observability, plus composites with rollback and config drift / backup utilities.

Every tool accepts an optional controller: str = "default" parameter that names which UniFi controller to target. Every destructive tool also accepts dry_run: bool = False; setting it to True returns the predicted change set without writing to the controller.

Every tool returns a JSON string. Errors are returned as {"error": "...", "stub_mode": bool} so the MCP loop never crashes on a controller hiccup.

Devices

Section titled “Devices”
ToolTypedry_runDescription
list_devicesreadList adopted gateways, APs, and switches with state, uptime, and per-radio info.
restart_devicewriteyesRestart an adopted device by MAC.
locate_devicewriteyesToggle the LED locate beacon on a device.
set_port_statewriteyesOverride one switch port (PoE, enable, profile). Preserves other port overrides in real mode.

Networks / VLANs

Section titled “Networks / VLANs”
ToolTypedry_runDescription
list_networksreadList all configured networks/VLANs (subnet, DHCP range, VLAN ID).
create_vlanwriteyesCreate a new VLAN-tagged network.
update_vlanwriteyesPatch fields on an existing VLAN.
delete_vlanwriteyesDelete a VLAN.

WLANs

Section titled “WLANs”
ToolTypedry_runDescription
list_wlansreadList all WiFi SSIDs.
create_wlanwriteyesCreate a new SSID bound to a specific VLAN.
update_wlanwriteyesPatch fields on an existing SSID.
delete_wlanwriteyesDelete a WiFi SSID.

Firewall

Section titled “Firewall”
ToolTypedry_runDescription
list_firewall_rulesreadList all firewall rules.
create_firewall_rulewriteyesCreate a firewall rule.
update_firewall_rulewriteyesPatch fields on an existing firewall rule.
delete_firewall_rulewriteyesDelete a firewall rule.

Port Profiles

Section titled “Port Profiles”
ToolTypedry_runDescription
list_port_profilesreadList switch port profiles (PoE mode, native VLAN, forwarding).
create_port_profilewriteyesCreate a switch port profile.
update_port_profilewriteyesPatch fields on a port profile.
delete_port_profilewriteyesDelete a port profile.

Clients

Section titled “Clients”
ToolTypedry_runDescription
list_clientsreadList connected wireless and wired clients (MAC, hostname, IP, signal, AP or switch port, uptime).
block_clientwriteyesBlock a client by MAC.
unblock_clientwriteyesUnblock a previously-blocked client.
reconnect_clientwriteyesForce a client to reconnect (kick-sta).

DHCP

Section titled “DHCP”
ToolTypedry_runDescription
list_dhcp_leasesreadList static DHCP reservations.
create_static_dhcp_leasewriteyesReserve a fixed IP for a client.
delete_static_dhcp_leasewriteyesDelete a static reservation.

Port Forwards

Section titled “Port Forwards”
ToolTypedry_runDescription
list_port_forwardsreadList all port-forward (DNAT) rules.
create_port_forwardwriteyesCreate a port-forward rule.
update_port_forwardwriteyesPatch a port-forward rule.
delete_port_forwardwriteyesDelete a port-forward rule.

Observability

Section titled “Observability”
ToolTypedry_runDescription
get_site_healthreadPer-subsystem health (wan, lan, wlan, www, vpn).
get_wan_statusreadWAN subsystem record (link, ISP, public IP, throughput, latency).
list_eventsreadRecent controller events.
list_alarmsreadActive or archived alarms.
trigger_speedtestwriteKick off a UniFi WAN speed test. (Read-side-effects only; no config mutation.)
get_speedtest_resultsreadRecent speed-test results, newest first.
list_top_talkersreadTop clients by total bytes (DPI by-station report).

Composites (with rollback)

Section titled “Composites (with rollback)”

These tools chain primitive operations into one call and roll back on partial failure. The response includes partial and rolled_back keys describing exactly what was undone.

ToolTypedry_runDescription
create_iot_networkwriteyesVLAN + SSID + isolation rule in one call.
create_guest_networkwriteyesGuest VLAN + guest SSID + isolation rule.
provision_homelab_servicewriteyesStatic lease + LAN_LOCAL accept rule + (optional) port forwards.
quarantine_clientwriteyesBlock client + structured warning log carrying the reason.
audit_open_portsreadRead-only review of WAN-facing exposure (active port forwards + non-boilerplate WAN accept rules).

Drift, backup, restore

Section titled “Drift, backup, restore”
ToolTypedry_runDescription
audit_network_driftreadCompare current controller state to a declared YAML spec; returns structured diff.
backup_configreadSnapshot controller state into a versioned JSON envelope (schema=1). WLAN passphrases stripped to a sentinel; envelope flagged secrets_stripped: true.
restore_configwriteyesCompute an action plan from a backup envelope and apply it with rollback on partial failure. Restored WLANs from a secrets-stripped envelope are recreated with enabled=False so the operator resets passphrases before they go live.

Response envelope shape

Section titled “Response envelope shape”

Every tool returns a JSON string. Three shapes to expect:

Success (read or write):

{ "result": { ... tool-specific payload ... }, "stub_mode": false }

Dry-run preview (write tools with dry_run=true):

{
  "dry_run": true,
  "would_create": { "name": "iot", "vlan": 40, "subnet": "10.0.40.0/24" },
  "preconditions_ok": true,
  "stub_mode": false
}

Composite partial failure (rollback engaged):

{
  "partial": true,
  "applied": ["vlan_created", "ssid_created"],
  "failed_step": "isolation_rule",
  "failed_reason": "controller returned 400: rule slot exhausted",
  "rolled_back": ["ssid_deleted", "vlan_deleted"],
  "stub_mode": false
}

Structured error (no mutation occurred):

{ "error": "controller unreachable", "stub_mode": false }

The LLM-facing tool descriptions all reference these keys explicitly, which is what drives reliable composite-rollback handling from Claude / Cursor / Cline.

Common scenarios

Section titled “Common scenarios”

Block a guest device by MAC.

// Tool: block_client
{ "mac": "aa:bb:cc:dd:ee:ff", "controller": "default", "dry_run": false }

Stand up a fully-isolated IoT network in one call (VLAN + SSID + isolation rule).

// Tool: create_iot_network
{
  "vlan_id": 40,
  "subnet": "10.0.40.0/24",
  "ssid": "iot",
  "passphrase": "rotate-me",
  "isolate_from_default": true,
  "dry_run": true
}

Run it with dry_run=true first to inspect the predicted change set. Re-run with dry_run=false to apply. If the isolation rule fails, the SSID and VLAN are rolled back automatically.

Snapshot the controller before a risky change, then audit drift.

// 1. Take a backup (secrets stripped)
{ "tool": "backup_config", "args": { "controller": "default" } }


// 2. Audit drift against a declared YAML spec
{ "tool": "audit_network_drift", "args": { "spec_path": "./network-spec.yml" } }

Pin a homelab service: static lease + LAN-local accept rule + (optional) port forward.

// Tool: provision_homelab_service
{
  "mac": "11:22:33:44:55:66",
  "ip": "192.168.1.40",
  "hostname": "nas",
  "tcp_ports": [445, 5000],
  "wan_forward": false,
  "dry_run": false
}

Notes

Section titled “Notes”
  • Stub mode: every tool works in stub mode. The in-memory state machine is seeded with one gateway, one AP, one switch, one network, one SSID, one firewall rule, two port profiles, and four clients. Create/update/delete persist for the lifetime of the process and reset on restart.
  • WLAN passphrases: scrubbed [REDACTED] from every response (including stub), and <scrubbed> in audit logs.
  • Composite descriptions include a Rollback: contract line describing what gets undone if a sub-step fails.
  • LLM tool selection: tool descriptions follow a verb-first one-line purpose + Side effects: + Example: pattern that drives reliable selection from Claude / Cursor / Cline on first touch.