VMware NSX
English | 中文
VMware NSX networking management: segments, gateways, NAT, routing, IPAM — 31 MCP tools, domain-focused.
NSX Policy API skill for NSX-T 3.0+ and NSX 4.x.
Companion Skills
| Skill | Scope | Tools | Install |
|---|
| vmware-aiops ⭐ entry point | VM lifecycle, deployment, guest ops, clusters | 31 | uv tool install vmware-aiops |
| vmware-monitor | Read-only monitoring, alarms, events, VM info | 8 | uv tool install vmware-monitor |
| vmware-storage | Datastores, iSCSI, vSAN | 11 | uv tool install vmware-storage |
| vmware-vks | Tanzu Namespaces, TKC cluster lifecycle | 20 | uv tool install vmware-vks |
| vmware-nsx-security | DFW microsegmentation, security groups, Traceflow | 20 | uv tool install vmware-nsx-security |
| vmware-aria | Aria Ops metrics, alerts, capacity planning | 18 | uv tool install vmware-aria |
Quick Install
# Via PyPI
uv tool install vmware-nsx-mgmt
# Or pip
pip install vmware-nsx-mgmt
Configuration
mkdir -p ~/.vmware-nsx
cp config.example.yaml ~/.vmware-nsx/config.yaml
# Edit with your NSX Manager credentials
echo "VMWARE_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx/.env
chmod 600 ~/.vmware-nsx/.env
# Verify
vmware-nsx doctor
What This Skill Does
| Category | Tools | Count |
|---|
| Segments | list, get, create, update, delete, ports | 6 |
| Tier-0 Gateways | list, get, BGP neighbors, route table | 4 |
| Tier-1 Gateways | list, get, create, update, delete, route table | 6 |
| NAT | list, get, create, update, delete | 5 |
| Static Routes | list, create, delete | 3 |
| IP Pools | list, allocations, create, add subnet | 4 |
| Health & Troubleshooting | alarms, transport nodes, edge clusters, manager status, port status, VM-to-segment | 6 |
Common Workflows
Create an App Network (Segment + T1 Gateway + NAT)
- Create gateway:
vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw
- Create segment:
vmware-nsx segment create app-web-seg --gateway app-t1 --subnet 10.10.1.1/24 --transport-zone tz-overlay
- Add SNAT:
vmware-nsx nat create app-t1 --action SNAT --source 10.10.1.0/24 --translated 172.16.0.10
- Verify:
vmware-nsx segment list and vmware-nsx nat list app-t1
Use --dry-run to preview any write command first.
Check Network Health
- Manager status:
vmware-nsx health manager-status
- Transport nodes:
vmware-nsx health transport-nodes
- Edge clusters:
vmware-nsx health edge-clusters
- Alarms:
vmware-nsx health alarms
Troubleshoot VM Connectivity
- Find VM's segment:
vmware-nsx troubleshoot vm-segment my-vm-01
- Check port status:
vmware-nsx troubleshoot port-status <port-id>
- Check routes:
vmware-nsx gateway routes-t1 app-t1
- Check BGP:
vmware-nsx gateway bgp-neighbors tier0-gw
MCP Tools (31)
| Category | Tools | Type |
|---|
| Segments | list_segments, get_segment, create_segment, update_segment, delete_segment, list_segment_ports | Read/Write |
| Tier-0 GW | list_tier0_gateways, get_tier0_gateway, get_tier0_bgp_neighbors, get_tier0_route_table | Read |
| Tier-1 GW | list_tier1_gateways, get_tier1_gateway, create_tier1_gateway, update_tier1_gateway, delete_tier1_gateway, get_tier1_route_table | Read/Write |
| NAT | list_nat_rules, get_nat_rule, create_nat_rule, update_nat_rule, delete_nat_rule | Read/Write |
| Static Routes | list_static_routes, create_static_route, delete_static_route | Read/Write |
| IP Pools | list_ip_pools, get_ip_pool_allocations, create_ip_pool, create_ip_pool_subnet | Read/Write |
| Health | get_nsx_alarms, get_transport_node_status, get_edge_cluster_status, get_manager_cluster_status | Read |
| Troubleshoot | get_logical_port_status, find_vm_segment | Read |
CLI
# Segments
vmware-nsx segment list
vmware-nsx segment get app-web-seg
vmware-nsx segment create app-web-seg --gateway app-t1 --subnet 10.10.1.1/24 --transport-zone tz-overlay
vmware-nsx segment delete app-web-seg
# Gateways
vmware-nsx gateway list-t0
vmware-nsx gateway list-t1
vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw
vmware-nsx gateway bgp-neighbors tier0-gw
vmware-nsx gateway routes-t1 app-t1
# NAT
vmware-nsx nat list app-t1
vmware-nsx nat create app-t1 --action SNAT --source 10.10.1.0/24 --translated 172.16.0.10
vmware-nsx nat delete app-t1 rule-01
# Static Routes
vmware-nsx route list app-t1
vmware-nsx route create app-t1 --network 192.168.100.0/24 --next-hop 10.10.1.254
# IP Pools
vmware-nsx ippool list
vmware-nsx ippool create tep-pool
vmware-nsx ippool add-subnet tep-pool --start 192.168.100.10 --end 192.168.100.50 --cidr 192.168.100.0/24
# Health & Troubleshooting
vmware-nsx health alarms
vmware-nsx health transport-nodes
vmware-nsx health manager-status
vmware-nsx troubleshoot vm-segment my-vm-01
# Diagnostics
vmware-nsx doctor
MCP Server
# Run directly
uvx --from vmware-nsx-mgmt vmware-nsx-mcp
# Or via Docker
docker compose up -d
Agent Configuration
Add to your AI agent's MCP config:
{
"mcpServers": {
"vmware-nsx": {
"command": "vmware-nsx-mcp",
"env": {
"VMWARE_NSX_CONFIG": "~/.vmware-nsx/config.yaml"
}
}
}
}
More agent config templates (Claude Code, Cursor, Goose, Continue, etc.) in examples/mcp-configs/.
Version Compatibility
| NSX Version | Support | Notes |
|---|
| NSX 4.x | Full | Latest Policy API, all features |
| NSX-T 3.2 | Full | All features work |
| NSX-T 3.1 | Full | Minor route table format differences |
| NSX-T 3.0 | Compatible | IP pool subnet API introduced here |
| NSX-T 2.5 | Limited | Policy API incomplete; some tools may fail |
| NSX-V (6.x) | Not supported | Different API (SOAP-based) |
VCF Compatibility
| VCF Version | Bundled NSX | Support |
|---|
| VCF 5.x | NSX 4.x | Full |
| VCF 4.3-4.5 | NSX-T 3.1-3.2 | Full |
Safety
| Feature | Description |
|---|
| Read-heavy | 18/31 tools are read-only |
| Double confirmation | CLI write commands require two prompts |
| Dry-run mode | All write commands support --dry-run preview |
| Dependency checks | Delete operations validate no connected resources |
| Input validation | CIDR, IP, VLAN IDs, gateway existence validated |
| Audit logging | All operations logged to ~/.vmware-nsx/audit.log |
| No firewall ops | Cannot create/modify DFW rules or security groups |
| Credential safety | Passwords only from environment variables |
| Prompt injection defense | NSX object names sanitized before output |
Troubleshooting
| Problem | Cause & Fix |
|---|
| "Segment not found" | Policy API uses segment id, not display_name. Run segment list to get the exact ID. |
| NAT creation fails "gateway not found" | NAT requires a Tier-1 (or Tier-0) gateway. Verify with gateway list-t1. Gateway must have an edge cluster. |
| BGP neighbor stuck in Connect/Active | Peer unreachable, ASN mismatch, TCP 179 blocked, or MD5 password mismatch. |
| Transport node "degraded" | TEP unreachable (check MTU >= 1600), NTP sync issues, or host switch config mismatch. |
| "Password not found" | Variable naming: VMWARE_<TARGET_UPPER>_PASSWORD (hyphens to underscores). Check ~/.vmware-nsx/.env. |
| Connection timeout | Use vmware-nsx doctor --skip-auth to bypass auth checks on high-latency networks. |
License
MIT