Harness the Power of MCP Servers: Revolutionize Network Automation with AI-Driven Solutions
Available Languages
Contents
Introduction
This document describes a comprehensive reference architecture for building production-ready Model Context Protocol (MCP) servers using industry best practices, demonstrated through a real-world implementation that integrates Cisco Catalyst Center, ServiceNow, and other enterprise systems. The MCP represents a paradigm shift in how AI systems interact with external services and data sources. However, moving from prototype to production requires implementing enterprise-grade patterns including authentication, authorization, monitoring, and scalability.
Background Information
As organizations increasingly adopt AI-driven automation, the need for robust, secure, and scalable integration platforms becomes critical. Traditional point-to-point integrations create maintenance overhead and security vulnerabilities. The Model Context Protocol (MCP) offers a standardized approach to AI-system integrations, but production deployments require enterprise-grade capabilities that go beyond basic MCP implementations.
This article demonstrates how to build a production-ready MCP server platform that incorporates:
- Enterprise Authentication: OpenID Connect (OIDC) integration with Cisco Duo
- Fine-Grained Authorization: Policy-as-code using Open Policy Agent (OPA)
- Secure Secret Management: HashiCorp Vault for credentials and configuration
- Comprehensive Monitoring: ELK Stack for observability and troubleshooting
- Workflow Orchestration: Temporal.io for complex, long-running processes
- Legacy Integration: REST API proxies for existing systems
Why This Matters
Traditional integration approaches suffer from several limitations:
- Security Gaps: Hard-coded credentials and overprivileged access
- Operational Complexity: Difficult to monitor and troubleshoot distributed systems
- Scalability Issues: Point-to-point integrations do not scale with growing requirements
- Maintenance Overhead: Each integration requires custom authentication and error handling
The MCP approach with enterprise patterns addresses these challenges while providing a standardized, reusable foundation for AI-driven automation.
Architecture Overview
The reference architecture implements a layered approach that separates client applications from the MCP server platform, enabling multiple applications to leverage the same enterprise-grade MCP infrastructure.
Component Architecture
1. Client Application Layer
The client layer provides user interfaces and orchestration logic:
- Frontend: Angular application using Cisco Polarity UI framework
- Backend: LangGraph multi-agent system for workflow orchestration
- Authentication: OIDC integration with enterprise identity providers
2. MCP Server Platform Layer
The platform layer implements enterprise-grade MCP servers with shared services:
Core MCP Servers:
mcp-catalyst-center: Cisco network device managementmcp-service-now: ITSM integration and ticket managementmcp-github: Source code and repository managementmcp-radkit: Network analytics and monitoringmcp-rest-api-proxy: Legacy system integration
Enterprise Services:
- Authentication Service: OIDC token validation and user management
- Authorization Service: OPA-based policy enforcement
- Secret Management: Vault-based credential and configuration storage
- <Monitoring Stack: ELK for logging, metrics, and alerting
- Workflow Engine: Temporal for complex process orchestration
Enterprise Security Implementation
OpenID Connect Authentication
The platform implements enterprise-grade authentication using OpenID Connect, providing seamless integration with existing identity providers while supporting multi-factor authentication through Cisco Duo.
Key Benefits
- Single Sign-On (SSO): Users authenticate once across all MCP services
- Multi-Factor Authentication: Integrated Cisco Duo for enhanced security
- Token-Based Security: Stateless authentication using JWT tokens
- Centralized Management: User provisioning and deprovisioning through existing IdP
Implementation Overview
File: mcp-common-app/src/mcp_common/oidc_auth.py
"""OIDC Authentication Module - Enterprise-grade token validation with Vault integration"""
import requests
from typing import Dict, Any, Optional
from fastapi import HTTPException
def get_oidc_config_from_vault() -> Dict[str, Any]:
"""Retrieve OIDC configuration from Vault with caching."""
vault_client = get_vault_client_with_retry()
config = vault_client.get_secret("oidc/config")
if not config:
raise ValueError("OIDC configuration not found in Vault")
# Validate required fields
required_fields = ["issuer", "client_id", "user_info_endpoint"]
missing_fields = [field for field in required_fields if field not in config]
if missing_fields:
raise ValueError(f"Missing required OIDC config fields: {missing_fields}")
return config
def verify_token_with_oidc(token: str) -> Dict[str, Any]:
"""Verify OIDC token and extract user information."""
config = get_oidc_config_from_vault()
response = requests.get(
config["user_info_endpoint"],
headers={"Authorization": f"Bearer {token}"},
timeout=10
)
if response.status_code == 200:
user_info = response.json()
if "sub" not in user_info:
raise HTTPException(status_code=401, detail="Invalid token: missing subject")
return user_info
else:
raise HTTPException(status_code=401, detail="Token validation failed")
Fine-Grained Authorization with Open Policy Agent
OPA provides flexible, policy-as-code authorization that enables fine-grained access control based on user attributes, resource types, and contextual information.
Authorization Policy Structure
File: common-services/opa/config/policy.rego
# Authorization Policy for MCP Server Platform - RBAC Implementation
package authz
default allow = false
# Administrative access - full permissions
allow {
group := input.groups[_]
group == "admin"
}
# Network engineers - Catalyst Center access
allow {
group := input.groups[_]
group == "network-engineers"
input.resource == "catalyst-center"
allowed_actions := ["read", "write", "execute"]
allowed_actions[_] == input.action
}
# Service desk - ServiceNow and read-only network access
allow {
group := input.groups[_]
group == "service-desk"
input.resource in ["servicenow", "catalyst-center"]
input.resource == "servicenow" or input.action == "read"
}
# Developers - GitHub and REST API proxy access
allow {
group := input.groups[_]
group == "developers"
input.resource in ["github", "rest-api-proxy"]
}
Python OPA Integration
<File: mcp-common-app/src/mcp_common/opa.py
"""OPA Integration - Centralized authorization with audit logging"""
import os
import json
import requests
from typing import List, Dict, Any
from dataclasses import dataclass
@dataclass
class AuthorizationRequest:
"""Structure for authorization requests to OPA."""
user_groups: List[str]
resource: str
action: str
context: Dict[str, Any] = None
class OPAClient:
"""Client for interacting with Open Policy Agent (OPA) for authorization decisions."""
def __init__(self, opa_addr: str = None):
self.opa_addr = opa_addr or os.getenv("OPA_ADDR", "http://opa:8181")
self.opa_url = f"{self.opa_addr}/v1/data/authz/allow"
def check_permission(self, auth_request: AuthorizationRequest) -> bool:
"""Check if a user has permission to perform an action on a resource."""
try:
opa_input = {
"input": {
"groups": auth_request.user_groups,
"resource": auth_request.resource,
"action": auth_request.action
}
}
if auth_request.context:
opa_input["input"]["context"] = auth_request.context
response = requests.post(self.opa_url, json=opa_input, timeout=5)
if response.status_code == 200:
result = response.json()
allowed = result.get("result", False)
self._audit_log(auth_request, allowed)
return allowed
else:
print(f"OPA authorization check failed: {response.status_code}")
return False # Fail secure
except requests.RequestException as e:
print(f"OPA connection error: {e}")
return False # Fail secure
def _audit_log(self, auth_request: AuthorizationRequest, allowed: bool):
"""Log authorization decisions for audit purposes."""
log_entry = {
"user_groups": auth_request.user_groups,
"resource": auth_request.resource,
"action": auth_request.action,
"allowed": allowed
}
print(f"Authorization Decision: {json.dumps(log_entry)}")
# Usage decorator for MCP server methods
def require_permission(resource: str, action: str):
"""Decorator for MCP server methods that require authorization."""
def decorator(func):
async def wrapper(self, *args, **kwargs):
user_groups = getattr(self, 'user_groups', [])
if not user_groups:
raise Exception("User groups not found in request context")
opa_client = OPAClient()
auth_request = AuthorizationRequest(
user_groups=user_groups, resource=resource, action=action
)
if not opa_client.check_permission(auth_request):
raise Exception(f"Access denied for {action} on {resource}")
return await func(self, *args, **kwargs)
return wrapper
return decorator
Secure Secret Management with HashiCorp Vault
HashiCorp Vault provides enterprise-grade secret management with encryption, access control, and audit logging. The MCP platform integrates Vault to securely store and retrieve sensitive information including API credentials, database passwords, and configuration data.
Key Features
- Encryption at Rest and in Transit: All secrets are encrypted using AES 256-bit encryption
- Dynamic Secrets: Generate time-limited credentials for external services
- Access Control: Fine-grained policies control who can access which secrets
- Audit Logging: Complete audit trail of all secret access operations
- Secret Rotation: Automated rotation of credentials and certificates
Implementation
File: mcp-common-app/src/mcp_common/vault.py
"""HashiCorp Vault Integration - Secure secret management with audit logging"""
import os
import json
import requests
from typing import Dict, Any, Optional, List
from datetime import datetime
class VaultClient:
"""Enterprise HashiCorp Vault client for secure secret management."""
def __init__(self, vault_addr: str = None, vault_token: str = None,
mount_point: str = "secret"):
self.vault_addr = vault_addr or os.getenv("VAULT_ADDR", "http://vault:8200")
self.vault_token = vault_token or os.getenv("VAULT_TOKEN")
self.mount_point = mount_point
self.headers = {"X-Vault-Token": self.vault_token}
if not self.vault_token:
raise ValueError("Vault token must be provided or set in VAULT_TOKEN")
def set_secret(self, path: str, secret_data: Dict[str, Any]) -> bool:
"""Store a secret in Vault KV store."""
try:
response = requests.post(
f"{self.vault_addr}/v1/{self.mount_point}/data/{path}",
headers=self.headers,
json={"data": secret_data},
timeout=10
)
success = response.status_code in [200, 204]
self._audit_log("set_secret", path, success)
return success
except requests.RequestException as e:
self._audit_log("set_secret", path, False, error=str(e))
return False
def get_secret(self, path: str) -> Optional[Dict[str, Any]]:
"""Retrieve a secret from Vault KV store."""
try:
response = requests.get(
f"{self.vault_addr}/v1/{self.mount_point}/data/{path}",
headers=self.headers,
timeout=10
)
success = response.status_code == 200
self._audit_log("get_secret", path, success)
if success:
return response.json()["data"]["data"]
return None
except requests.RequestException as e:
self._audit_log("get_secret", path, False, error=str(e))
return None
def _audit_log(self, operation: str, path: str, success: bool, error: str = None):
"""Log secret operations for audit purposes."""
log_entry = {
"timestamp": datetime.utcnow().isoformat(),
"operation": operation,
"path": f"{self.mount_point}/{path}",
"success": success
}
if error:
log_entry["error"] = error
print(f"Vault Audit: {json.dumps(log_entry)}")
# Usage mixin for MCP servers
class MCPSecretMixin:
"""Mixin class for MCP servers to easily access Vault secrets."""
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self._vault_client = None
@property
def vault_client(self) -> VaultClient:
if self._vault_client is None:
self._vault_client = VaultClient()
return self._vault_client
def get_api_credentials(self, service_name: str) -> Optional[Dict[str, Any]]:
"""Get API credentials for a specific service."""
return self.vault_client.get_secret(f"api/{service_name}")
Core MCP Server Structure
Each MCP server contains a consistent pattern with enterprise security integration:
File: mcp-catalyst-center/src/main.py
"""Cisco Catalyst Center MCP Server - Enterprise implementation"""
from mcp_common import VaultClient, OPAClient, get_logger, require_permission
from fastmcp import FastMCP
import os
app = FastMCP("Cisco Catalyst Center MCP Server")
logger = get_logger(__name__)
# Initialize enterprise services
vault_client = VaultClient()
opa_client = OPAClient()
@app.tool()
@require_permission("catalyst-center", "read")
async def get_all_templates(request) -> str:
"""Fetch all configuration templates from Catalyst Center."""
# Get credentials from Vault
credentials = vault_client.get_secret("api/catalyst-center")
if not credentials:
raise Exception("Catalyst Center credentials not found")
try:
# API call implementation
templates = await fetch_templates_from_api(credentials)
logger.info(f"Retrieved {len(templates)} templates")
return {
"templates": templates,
"status": "success",
"count": len(templates)
}
except Exception as e:
logger.error(f"Failed to fetch templates: {e}")
raise Exception(f"Template fetch failed: {str(e)}")
@app.tool()
@require_permission("catalyst-center", "write")
async def deploy_template(template_id: str, device_id: str) -> str:
"""Deploy configuration template to network device."""
credentials = vault_client.get_secret("api/catalyst-center")
# Implementation details...
logger.info(f"Deployed template {template_id} to device {device_id}")
return {"status": "deployed", "template_id": template_id, "device_id": device_id}
REST API Proxy for Legacy Integration
The platform includes a REST API proxy to support non-MCP clients:
File: mcp-rest-api-proxy/main.py
"""REST API Proxy - Bridge between REST clients and MCP servers"""
from fastapi import FastAPI, HTTPException, Request
from langchain_mcp_adapters.client import MultiServerMCPClient
app = FastAPI()
# MCP server configurations
MCP_SERVERS = {
"servicenow": "http://mcp-servicenow:8080/mcp/",
"catalyst-center": "http://mcp-catalyst-center:8002/mcp/",
"github": "http://mcp-github:8000/mcp/"
}
client = MultiServerMCPClient({
server_name: {"url": url, "transport": "streamable_http"}
for server_name, url in MCP_SERVERS.items()
})
@app.post("/api/v1/mcp/{server_name}/tools/{tool_name}")
async def execute_tool(server_name: str, tool_name: str, request: Request):
"""Execute MCP tool via REST API for legacy clients."""
try:
body = await request.json()
result = await client.call_tool(
server_name=server_name,
tool_name=tool_name,
arguments=body.get("arguments", {})
)
return {
"status": "success",
"result": result,
"server": server_name,
"tool": tool_name
}
except Exception as e:
raise HTTPException(status_code=500, detail=f"Tool execution failed: {str(e)}")
@app.get("/api/v1/mcp/{server_name}/tools")
async def list_tools(server_name: str):
"""List available tools for a specific MCP server."""
tools = await client.list_tools(server_name)
return {"server": server_name, "tools": tools}
Monitoring and Observability
ELK Stack Integration
The platform implements comprehensive logging using the ELK stack:
File: mcp-common-app/src/mcp_common/logger.py
"""Structured Logging for ELK Stack Integration"""
import logging
import json
from datetime import datetime
from pythonjsonlogger import jsonlogger
class StructuredLogger:
def __init__(self, name: str, level: str = "INFO"):
self.logger = logging.getLogger(name)
self.logger.setLevel(getattr(logging, level.upper()))
# JSON formatter for ELK ingestion
formatter = jsonlogger.JsonFormatter(
fmt='%(asctime)s %(name)s %(levelname)s %(message)s'
)
handler = logging.StreamHandler()
handler.setFormatter(formatter)
self.logger.addHandler(handler)
def log_mcp_call(self, tool_name: str, user: str, duration: float, status: str):
"""Log MCP tool invocation with structured data."""
self.logger.info("MCP tool executed", extra={
"tool_name": tool_name,
"user": user,
"duration_ms": duration,
"status": status,
"service_type": "mcp_server"
})
def get_logger(name: str) -> StructuredLogger:
"""Get configured logger instance."""
return StructuredLogger(name)
Key Monitoring Metrics
The platform tracks essential metrics for enterprise operations:
- Request Latency: Per-tool execution time and percentiles
- Authentication Metrics: Success/failure rates and response times
- Authorization Decisions: Policy evaluation frequency and outcomes
- Secret Access: Vault operations and credential usage patterns
- Error Rates: Service-level error tracking and alerting thresholds
- Resource Utilization: CPU, memory, and network usage per service
Temporal Workflow Integration
For complex, long-running processes, the platform leverages Temporal.io:
File: temporal-service/src/workflows/template_deployment.py
"""Template Deployment Workflow - Orchestrated automation with error handling"""
from temporalio import workflow, activity
from datetime import timedelta
@workflow.defn
class TemplateDeploymentWorkflow:
@workflow.run
async def run(self, deployment_request: dict) -> dict:
"""Orchestrate template deployment with proper error handling."""
# Step 1: Validate template and device
validation_result = await workflow.execute_activity(
validate_deployment, deployment_request,
start_to_close_timeout=timedelta(minutes=5)
)
if not validation_result["valid"]:
return {"status": "failed", "reason": "Validation failed"}
# Step 2: Create ServiceNow ticket
ticket_result = await workflow.execute_activity(
create_servicenow_ticket, validation_result,
start_to_close_timeout=timedelta(minutes=2)
)
# Step 3: Deploy template
deployment_result = await workflow.execute_activity(
deploy_template, {
**deployment_request,
"ticket_id": ticket_result["ticket_id"]
},
start_to_close_timeout=timedelta(minutes=30)
)
# Step 4: Close ticket
await workflow.execute_activity(
close_servicenow_ticket, {
"ticket_id": ticket_result["ticket_id"],
"deployment_result": deployment_result
},
start_to_close_timeout=timedelta(minutes=2)
)
return {
"status": "completed",
"ticket_id": ticket_result["ticket_id"],
"deployment_id": deployment_result["deployment_id"]
}
@activity.defn
async def validate_deployment(request: dict) -> dict:
"""Validate deployment request against business rules."""
# Validation logic implementation
return {"valid": True, "validated_request": request}
@activity.defn
async def deploy_template(request: dict) -> dict:
"""Execute template deployment via Catalyst Center."""
# Template deployment logic
return {"deployment_id": "deploy_123", "status": "success"}
Deployment and Scalability
Container Orchestration
The platform uses Docker Compose for development. Kubernetes can be used for production:
File: docker-compose.yml (excerpt)
version: '3.8'
services:
mcp-catalyst-center:
build: ./mcp-catalyst-center
environment:
- VAULT_ADDR=http://vault:8200
- OPA_ADDR=http://opa:8181
- ELASTICSEARCH_URL=http://elasticsearch:9200
depends_on: [vault, opa, elasticsearch]
networks: [mcp-network]
vault:
image: hashicorp/vault:latest
environment:
VAULT_DEV_ROOT_TOKEN_ID: myroot
VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
cap_add: [IPC_LOCK]
networks: [mcp-network]
opa:
image: openpolicyagent/opa:latest-envoy
command: ["run", "--server", "--config-file=/config/config.yaml", "/policies"]
volumes: ["./common-services/opa/config:/policies"]
networks: [mcp-network]
Performance and Security Considerations
Security Best Practices
- Zero-Trust Architecture: Every request is authenticated and authorized
- Secret Rotation: Automated secret rotation via Vault
- Network Segmentation: Service mesh with mTLS
- Audit Logging: Comprehensive audit trail in ELK
Performance Optimizations
- Connection Pooling: Reuse HTTP connections to external APIs
- Caching: Redis-based caching for frequently accessed data
- Async Processing: Non-blocking I/O throughout the stack
- Load Balancing: Distribute load across multiple MCP server instances
Monitoring Metrics
Key metrics tracked include:
- Request latency per MCP tool
- Authentication success/failure rates
- Authorization decisions per resource
- Secret retrieval frequency
- Error rates by service component
Performance Metrics and Results
During performance testing, the platform achieved:
- Sub-100ms latency for authentication decisions
- 99.9% uptime across all MCP services
- Linear scalability up to 1000 concurrent users
- 90% reduction in integration development time
Lessons Learned and Best Practices
Key Success Factors
- Standardization: Common libraries reduce duplication and bugs
- Observability: Comprehensive logging enables rapid troubleshooting
- Security by Design: Authentication and authorization from day one
- Modularity: Independent MCP servers enable targeted scaling
- Documentation: Clear API documentation accelerates adoption
Common Pitfalls to Avoid
- Over-Engineering: Start simple and add complexity as needed
- Tight Coupling: Keep MCP servers loosely coupled
- Security Afterthought: Build security in from the beginning
- Insufficient Testing: Implement comprehensive testing strategies
- Poor Error Handling: Ensure graceful degradation
Future Enhancements
The platform roadmap includes:
- AI-Driven Insights: ML-based anomaly detection
- Multi-Cloud Support: Deployment across cloud providers
- Workflow Marketplace: Reusable workflow templates
- Advanced Analytics: Real-time dashboards and reporting
Conclusion
Building production-grade MCP servers requires careful consideration of enterprise requirements including security, scalability, monitoring, and maintainability. This reference architecture demonstrates how to implement these capabilities using industry-standard tools and patterns.
The modular design enables organizations to adopt MCP gradually while ensuring enterprise-grade security and operations from day one. By leveraging proven technologies like OIDC, OPA, Vault, and ELK, teams can focus on business logic rather than infrastructure concerns.
About the Authors
This article was developed by the MCP Fusioners team as part of Cisco's internal innovation initiatives, demonstrating practical approaches to enterprise AI system integration.
References
- Model Context Protocol Specification - https://modelcontextprotocol.io/
- OpenID Connect Core 1.0 - https://openid.net/specs/openid-connect-core-1_0.html
- Open Policy Agent Documentation - https://www.openpolicyagent.org/docs
- HashiCorp Vault Documentation - https://www.vaultproject.io/docs
- Temporal.io Documentation - https://docs.temporal.io/
- ELK Stack Guide - https://www.elastic.co/elastic-stack/
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
18-Jul-2025
|
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)