vmware-nsx
AI-powered VMware NSX networking management. Configure segments, gateways, NAT, routing, and IPAM via natural language with 31 MCP tools.
README
<!-- mcp-name: io.github.zw008/vmware-nsx -->
VMware NSX
VMware NSX networking management: segments, gateways, NAT, routing, IPAM — 31 MCP tools, domain-focused.
NSX Policy API skill for NSX-T 3.0+ and NSX 4.x.
Companion Skills
| Skill | Scope | Tools | Install |
|---|---|---|---|
| vmware-aiops ⭐ entry point | VM lifecycle, deployment, guest ops, clusters | 31 | uv tool install vmware-aiops |
| vmware-monitor | Read-only monitoring, alarms, events, VM info | 8 | uv tool install vmware-monitor |
| vmware-storage | Datastores, iSCSI, vSAN | 11 | uv tool install vmware-storage |
| vmware-vks | Tanzu Namespaces, TKC cluster lifecycle | 20 | uv tool install vmware-vks |
| vmware-nsx-security | DFW microsegmentation, security groups, Traceflow | 20 | uv tool install vmware-nsx-security |
| vmware-aria | Aria Ops metrics, alerts, capacity planning | 18 | uv tool install vmware-aria |
Quick Install
# Via PyPI
uv tool install vmware-nsx-mgmt
# Or pip
pip install vmware-nsx-mgmt
Configuration
mkdir -p ~/.vmware-nsx
cp config.example.yaml ~/.vmware-nsx/config.yaml
# Edit with your NSX Manager credentials
echo "VMWARE_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx/.env
chmod 600 ~/.vmware-nsx/.env
# Verify
vmware-nsx doctor
What This Skill Does
| Category | Tools | Count |
|---|---|---|
| Segments | list, get, create, update, delete, ports | 6 |
| Tier-0 Gateways | list, get, BGP neighbors, route table | 4 |
| Tier-1 Gateways | list, get, create, update, delete, route table | 6 |
| NAT | list, get, create, update, delete | 5 |
| Static Routes | list, create, delete | 3 |
| IP Pools | list, allocations, create, add subnet | 4 |
| Health & Troubleshooting | alarms, transport nodes, edge clusters, manager status, port status, VM-to-segment | 6 |
Common Workflows
Create an App Network (Segment + T1 Gateway + NAT)
- Create gateway:
vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw - Create segment:
vmware-nsx segment create app-web-seg --gateway app-t1 --subnet 10.10.1.1/24 --transport-zone tz-overlay - Add SNAT:
vmware-nsx nat create app-t1 --action SNAT --source 10.10.1.0/24 --translated 172.16.0.10 - Verify:
vmware-nsx segment listandvmware-nsx nat list app-t1
Use --dry-run to preview any write command first.
Check Network Health
- Manager status:
vmware-nsx health manager-status - Transport nodes:
vmware-nsx health transport-nodes - Edge clusters:
vmware-nsx health edge-clusters - Alarms:
vmware-nsx health alarms
Troubleshoot VM Connectivity
- Find VM's segment:
vmware-nsx troubleshoot vm-segment my-vm-01 - Check port status:
vmware-nsx troubleshoot port-status <port-id> - Check routes:
vmware-nsx gateway routes-t1 app-t1 - Check BGP:
vmware-nsx gateway bgp-neighbors tier0-gw
MCP Tools (31)
| Category | Tools | Type |
|---|---|---|
| Segments | list_segments, get_segment, create_segment, update_segment, delete_segment, list_segment_ports |
Read/Write |
| Tier-0 GW | list_tier0_gateways, get_tier0_gateway, get_tier0_bgp_neighbors, get_tier0_route_table |
Read |
| Tier-1 GW | list_tier1_gateways, get_tier1_gateway, create_tier1_gateway, update_tier1_gateway, delete_tier1_gateway, get_tier1_route_table |
Read/Write |
| NAT | list_nat_rules, get_nat_rule, create_nat_rule, update_nat_rule, delete_nat_rule |
Read/Write |
| Static Routes | list_static_routes, create_static_route, delete_static_route |
Read/Write |
| IP Pools | list_ip_pools, get_ip_pool_allocations, create_ip_pool, create_ip_pool_subnet |
Read/Write |
| Health | get_nsx_alarms, get_transport_node_status, get_edge_cluster_status, get_manager_cluster_status |
Read |
| Troubleshoot | get_logical_port_status, find_vm_segment |
Read |
CLI
# Segments
vmware-nsx segment list
vmware-nsx segment get app-web-seg
vmware-nsx segment create app-web-seg --gateway app-t1 --subnet 10.10.1.1/24 --transport-zone tz-overlay
vmware-nsx segment delete app-web-seg
# Gateways
vmware-nsx gateway list-t0
vmware-nsx gateway list-t1
vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw
vmware-nsx gateway bgp-neighbors tier0-gw
vmware-nsx gateway routes-t1 app-t1
# NAT
vmware-nsx nat list app-t1
vmware-nsx nat create app-t1 --action SNAT --source 10.10.1.0/24 --translated 172.16.0.10
vmware-nsx nat delete app-t1 rule-01
# Static Routes
vmware-nsx route list app-t1
vmware-nsx route create app-t1 --network 192.168.100.0/24 --next-hop 10.10.1.254
# IP Pools
vmware-nsx ippool list
vmware-nsx ippool create tep-pool
vmware-nsx ippool add-subnet tep-pool --start 192.168.100.10 --end 192.168.100.50 --cidr 192.168.100.0/24
# Health & Troubleshooting
vmware-nsx health alarms
vmware-nsx health transport-nodes
vmware-nsx health manager-status
vmware-nsx troubleshoot vm-segment my-vm-01
# Diagnostics
vmware-nsx doctor
MCP Server
# Run directly
uvx --from vmware-nsx-mgmt vmware-nsx-mcp
# Or via Docker
docker compose up -d
Agent Configuration
Add to your AI agent's MCP config:
{
"mcpServers": {
"vmware-nsx": {
"command": "vmware-nsx-mcp",
"env": {
"VMWARE_NSX_CONFIG": "~/.vmware-nsx/config.yaml"
}
}
}
}
More agent config templates (Claude Code, Cursor, Goose, Continue, etc.) in examples/mcp-configs/.
Version Compatibility
| NSX Version | Support | Notes |
|---|---|---|
| NSX 4.x | Full | Latest Policy API, all features |
| NSX-T 3.2 | Full | All features work |
| NSX-T 3.1 | Full | Minor route table format differences |
| NSX-T 3.0 | Compatible | IP pool subnet API introduced here |
| NSX-T 2.5 | Limited | Policy API incomplete; some tools may fail |
| NSX-V (6.x) | Not supported | Different API (SOAP-based) |
VCF Compatibility
| VCF Version | Bundled NSX | Support |
|---|---|---|
| VCF 5.x | NSX 4.x | Full |
| VCF 4.3-4.5 | NSX-T 3.1-3.2 | Full |
Safety
| Feature | Description |
|---|---|
| Read-heavy | 18/31 tools are read-only |
| Double confirmation | CLI write commands require two prompts |
| Dry-run mode | All write commands support --dry-run preview |
| Dependency checks | Delete operations validate no connected resources |
| Input validation | CIDR, IP, VLAN IDs, gateway existence validated |
| Audit logging | All operations logged to ~/.vmware-nsx/audit.log |
| No firewall ops | Cannot create/modify DFW rules or security groups |
| Credential safety | Passwords only from environment variables |
| Prompt injection defense | NSX object names sanitized before output |
Troubleshooting
| Problem | Cause & Fix |
|---|---|
| "Segment not found" | Policy API uses segment id, not display_name. Run segment list to get the exact ID. |
| NAT creation fails "gateway not found" | NAT requires a Tier-1 (or Tier-0) gateway. Verify with gateway list-t1. Gateway must have an edge cluster. |
| BGP neighbor stuck in Connect/Active | Peer unreachable, ASN mismatch, TCP 179 blocked, or MD5 password mismatch. |
| Transport node "degraded" | TEP unreachable (check MTU >= 1600), NTP sync issues, or host switch config mismatch. |
| "Password not found" | Variable naming: VMWARE_<TARGET_UPPER>_PASSWORD (hyphens to underscores). Check ~/.vmware-nsx/.env. |
| Connection timeout | Use vmware-nsx doctor --skip-auth to bypass auth checks on high-latency networks. |
License
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.