de en es ja ko ru zh

VMware NSX

Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.

English | 中文

VMware NSX networking management: segments, gateways, NAT, routing, IPAM — 31 MCP tools, domain-focused.

NSX Policy API skill for NSX-T 3.0+ and NSX 4.x.

👁 License: MIT

Companion Skills

Skill	Scope	Tools	Install
vmware-aiops ⭐ entry point	VM lifecycle, deployment, guest ops, clusters	31	`uv tool install vmware-aiops`
vmware-monitor	Read-only monitoring, alarms, events, VM info	8	`uv tool install vmware-monitor`
vmware-storage	Datastores, iSCSI, vSAN	11	`uv tool install vmware-storage`
vmware-vks	Tanzu Namespaces, TKC cluster lifecycle	20	`uv tool install vmware-vks`
vmware-nsx-security	DFW microsegmentation, security groups, Traceflow	20	`uv tool install vmware-nsx-security`
vmware-aria	Aria Ops metrics, alerts, capacity planning	18	`uv tool install vmware-aria`

Related MCP server: vmware-vks

Quick Install

# Via PyPI
uv tool install vmware-nsx-mgmt

# Or pip
pip install vmware-nsx-mgmt

Configuration

mkdir -p ~/.vmware-nsx
cp config.example.yaml ~/.vmware-nsx/config.yaml
# Edit with your NSX Manager credentials

echo "VMWARE_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx/.env
chmod 600 ~/.vmware-nsx/.env

# Verify
vmware-nsx doctor

What This Skill Does

Category	Tools	Count
Segments	list, get, create, update, delete, ports	6
Tier-0 Gateways	list, get, BGP neighbors, route table	4
Tier-1 Gateways	list, get, create, update, delete, route table	6
NAT	list, get, create, update, delete	5
Static Routes	list, create, delete	3
IP Pools	list, allocations, create, add subnet	4
Health & Troubleshooting	alarms, transport nodes, edge clusters, manager status, port status, VM-to-segment	6

Common Workflows

Create an App Network (Segment + T1 Gateway + NAT)

Create gateway: vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw
Create segment: vmware-nsx segment create app-web-seg --gateway app-t1 --subnet 10.10.1.1/24 --transport-zone tz-overlay
Add SNAT: vmware-nsx nat create app-t1 --action SNAT --source 10.10.1.0/24 --translated 172.16.0.10
Verify: vmware-nsx segment list and vmware-nsx nat list app-t1

Use --dry-run to preview any write command first.

Check Network Health

Manager status: vmware-nsx health manager-status
Transport nodes: vmware-nsx health transport-nodes
Edge clusters: vmware-nsx health edge-clusters
Alarms: vmware-nsx health alarms --severity HIGH (exact-match filter; query each severity separately)

Troubleshoot VM Connectivity

Find VM's segment: vmware-nsx troubleshoot vm-segment <vm-display-name>
Check port realized state: vmware-nsx troubleshoot port-status <segment-id> (all ports on the segment: attachment, realized bindings, transport nodes)
Check routes: vmware-nsx gateway routes-t1 app-t1
Check BGP: vmware-nsx gateway bgp-neighbors tier0-gw

MCP Tools (31)

Category	Tools	Type
Segments	`list_segments`, `get_segment`, `create_segment`, `update_segment`, `delete_segment`, `list_segment_ports`	Read/Write
Tier-0 GW	`list_tier0_gateways`, `get_tier0_gateway`, `get_tier0_bgp_neighbors`, `get_tier0_route_table`	Read
Tier-1 GW	`list_tier1_gateways`, `get_tier1_gateway`, `create_tier1_gateway`, `update_tier1_gateway`, `delete_tier1_gateway`, `get_tier1_route_table`	Read/Write
NAT	`list_nat_rules`, `get_nat_rule`, `create_nat_rule`, `update_nat_rule`, `delete_nat_rule`	Read/Write
Static Routes	`list_static_routes`, `create_static_route`, `delete_static_route`	Read/Write
IP Pools	`list_ip_pools`, `get_ip_pool_allocations`, `create_ip_pool`, `create_ip_pool_subnet`	Read/Write
Health	`list_nsx_alarms` (per-severity, exact match), `get_transport_node_status`, `get_edge_cluster_status`, `get_nsx_manager_status`	Read
Troubleshoot	`get_logical_port_status` (realized state of all ports on a segment), `get_segment_port_for_vm` (lookup by VM display name)	Read

CLI

# Segments
vmware-nsx segment list
vmware-nsx segment get app-web-seg
vmware-nsx segment create app-web-seg --gateway app-t1 --subnet 10.10.1.1/24 --transport-zone tz-overlay
vmware-nsx segment delete app-web-seg

# Gateways
vmware-nsx gateway list-t0
vmware-nsx gateway list-t1
vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw
vmware-nsx gateway bgp-neighbors tier0-gw
vmware-nsx gateway routes-t1 app-t1

# NAT
vmware-nsx nat list app-t1
vmware-nsx nat create app-t1 --action SNAT --source 10.10.1.0/24 --translated 172.16.0.10
vmware-nsx nat delete app-t1 rule-01

# Static Routes
vmware-nsx route list app-t1
vmware-nsx route create app-t1 --network 192.168.100.0/24 --next-hop 10.10.1.254

# IP Pools
vmware-nsx ippool list
vmware-nsx ippool create tep-pool
vmware-nsx ippool add-subnet tep-pool --start 192.168.100.10 --end 192.168.100.50 --cidr 192.168.100.0/24

# Health & Troubleshooting
vmware-nsx health alarms --severity HIGH # exact match: LOW | MEDIUM | HIGH | CRITICAL
vmware-nsx health transport-nodes
vmware-nsx health manager-status
vmware-nsx troubleshoot vm-segment my-vm-01 # VM display name
vmware-nsx troubleshoot port-status app-web-seg # segment ID

# Diagnostics
vmware-nsx doctor

MCP Server

After uv tool install vmware-nsx-mgmt, start the MCP server with one command (v1.5.15+):

# Recommended — single command, no network re-resolve
vmware-nsx mcp

# Or via Docker
docker compose up -d

Agent Configuration

Add to your AI agent's MCP config:

{
 "mcpServers": {
 "vmware-nsx": {
 "command": "vmware-nsx",
 "args": ["mcp"],
 "env": {
 "VMWARE_NSX_CONFIG": "~/.vmware-nsx/config.yaml"
 }
 }
 }
}

# Run without installing (requires PyPI access each launch)
uvx --from vmware-nsx-mgmt vmware-nsx mcp

# Legacy entry point (still works, kept for backward compatibility)
vmware-nsx-mcp

Behind a corporate TLS proxy? uvx may fail with invalid peer certificate: UnknownIssuer. Use the recommended vmware-nsx mcp form above (no network needed), or set UV_NATIVE_TLS=true.

More agent config templates (Claude Code, Cursor, Goose, Continue, etc.) in examples/mcp-configs/.

Version Compatibility

NSX Version	Support	Notes
NSX 9.1	Full	Policy API supported. Note: VDS 7.0+ required (N-VDS removed in NSX 9).
NSX 9.0	Full	Policy API supported. Note: bare-metal agent / physical-server L2 overlay removed.
NSX 4.x	Full	Latest Policy API, all features
NSX-T 3.2	Full	All features work
NSX-T 3.1	Full	Minor route table format differences
NSX-T 3.0	Compatible	IP pool subnet API introduced here
NSX-T 2.5	Limited	Policy API incomplete; some tools may fail
NSX-V (6.x)	Not supported	Different API (SOAP-based)

VCF Compatibility

VCF Version	Bundled NSX	Support
VCF 9.1	NSX 9.1	Full
VCF 9.0	NSX 9.0	Full
VCF 5.x	NSX 4.x	Full
VCF 4.3-4.5	NSX-T 3.1-3.2	Full

Official Broadcom References

SDKs: https://developer.broadcom.com/sdks — VMware NSX for Python SDK (official; future migration target), VCF Python SDK
REST APIs: https://developer.broadcom.com/xapis — NSX-T Data Center REST API (this skill uses the Policy API subset)
CLI Tools: https://developer.broadcom.com/tools — VCF PowerCLI 9.1 (includes NSX cmdlets)

Safety

Feature	Description
Read-heavy	18/31 tools are read-only
Double confirmation	CLI write commands require two prompts
Dry-run mode	All write commands support `--dry-run` preview
Dependency checks	Delete operations validate no connected resources
Input validation	CIDR, IP, VLAN IDs, gateway existence validated
Audit logging	All operations logged to `~/.vmware-nsx/audit.log`
No firewall ops	Cannot create/modify DFW rules or security groups
Credential safety	Passwords only from environment variables
Prompt injection defense	NSX object names sanitized before output

Troubleshooting

Problem	Cause & Fix
"Segment not found"	Policy API uses segment `id`, not `display_name`. Run `segment list` to get the exact ID.
NAT creation fails "gateway not found"	NAT requires a Tier-1 (or Tier-0) gateway. Verify with `gateway list-t1`. Gateway must have an edge cluster.
BGP neighbor stuck in Connect/Active	Peer unreachable, ASN mismatch, TCP 179 blocked, or MD5 password mismatch.
Transport node "degraded"	TEP unreachable (check MTU >= 1600), NTP sync issues, or host switch config mismatch.
"Password not found"	Variable naming: `VMWARE_<TARGET_UPPER>_PASSWORD` (hyphens to underscores). Check `~/.vmware-nsx/.env`.
Connection timeout	Use `vmware-nsx doctor --skip-auth` to bypass auth checks on high-latency networks.

License

MIT

Install Server

license - permissive license

quality

maintenance

How are these scores calculated?

Maintenance

–Maintainers

4hResponse time

1dRelease cycle

45Releases (12mo)

Commit activity

Issues opened vs closed

Resources

GitHub Repository

Need Help?

Related Servers

Tools

View all tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

URL: https://glama.ai/mcp/servers/zw008/VMware-NSX

⇱ vmware-nsx by zw008 | Glama