Skip to main content
Glama

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
VMWARE_NSX_CONFIGYesPath to the NSX configuration YAML file.~/.vmware-nsx/config.yaml
VMWARE_NSX_PROD_PASSWORDNoThe password for the VMware NSX Manager. Note: The environment variable name depends on the target name defined in your config (VMWARE_<TARGET_UPPER>_PASSWORD).

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
create_tier1_gatewayA

[WRITE] Create a Tier-1 gateway for routing segments, with optional Tier-0 uplink.

For north-south reachability, link it to a Tier-0 (get the path from list_tier0_gateways). Side effect to note: if route_advertisement is omitted, nothing is advertised to the Tier-0, so connected subnets stay unreachable from outside until advertisement types are set (here or via update_tier1_gateway). Re-running with the same tier1_id overwrites it (PUT semantics). Returns the created gateway dict; on failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db).

Args: tier1_id: Unique gateway identifier (alphanumerics, hyphens, underscores only); becomes policy path /infra/tier-1s/. display_name: Human-readable name shown in the NSX UI. tier0_path: Parent Tier-0 policy path, e.g. "/infra/tier-0s/". Omit to create a standalone (unlinked) gateway. edge_cluster_path: Edge cluster policy path for stateful services such as NAT, e.g. "/infra/sites/default/enforcement-points/default/ edge-clusters/". Optional. route_advertisement: Comma-separated advertisement types. Valid values: TIER1_CONNECTED, TIER1_STATIC_ROUTES, TIER1_NAT, TIER1_LB_VIP, TIER1_LB_SNAT, TIER1_DNS_FORWARDER_IP, TIER1_IPSEC_LOCAL_ENDPOINT. target: NSX Manager name from config.yaml. Uses the default target if omitted.

update_tier1_gatewayA

[WRITE] Partially update an existing Tier-1 gateway via PATCH.

Only the fields you pass change; omitted fields keep their current values. Use get_tier1_gateway first to inspect current config. Typical uses: relink the gateway to a different Tier-0, or enable route advertisement on a gateway created without it. Re-applying identical values is harmless. Returns the updated gateway dict; on failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db).

Args: tier1_id: Tier-1 gateway ID to update, as returned by list_tier1_gateways. display_name: New display name. Optional. tier0_path: New parent Tier-0 policy path, e.g. "/infra/tier-0s/". Optional. route_advertisement: Comma-separated advertisement types. Valid values: TIER1_CONNECTED, TIER1_STATIC_ROUTES, TIER1_NAT, TIER1_LB_VIP, TIER1_LB_SNAT, TIER1_DNS_FORWARDER_IP, TIER1_IPSEC_LOCAL_ENDPOINT. target: NSX Manager name from config.yaml. Uses the default target if omitted.

delete_tier1_gatewayA

[WRITE] Delete a Tier-1 gateway. WARNING: This removes all attached segments and NAT rules.

Also removes the gateway's "default" locale-service first (the Policy API refuses to delete a Tier-1 that still has children); a missing locale-service is ignored.

Args: tier1_id: The Tier-1 gateway ID to delete. target: Optional NSX Manager target name from config. Uses default if omitted.

configure_tier0_bgpA

[WRITE] Configure BGP settings on a Tier-0 gateway's locale-service.

Note: This configures BGP settings (local AS, ECMP, graceful restart). BGP neighbor creation is a separate Policy API object and not exposed here.

Args: tier0_id: The Tier-0 gateway ID. local_as_num: Local AS number as a string (e.g. "65001"). enabled: Enable or disable BGP on the locale-service (default True). ecmp: Enable ECMP for BGP routes (default True). inter_sr_ibgp: Enable inter-SR iBGP (default True). locale_service_id: Locale-service identifier (default "default"). target: Optional NSX Manager target name from config. Uses default if omitted.

list_nsx_alarmsA

[READ] Get active NSX alarms at one severity, with feature, description, and entity.

Note: the NSX severity filter is an EXACT match — "MEDIUM" returns only MEDIUM alarms, not MEDIUM-and-above. Query each severity separately to build a full picture. Results follow pagination cursors (all alarms at that severity are returned).

Args: severity: Exact severity to filter on: LOW, MEDIUM, HIGH, or CRITICAL (default "MEDIUM"). target: Optional NSX Manager target name from config. Uses default if omitted.

get_transport_node_statusA

[READ] Get realized runtime status of one transport node (ESXi host or Edge node).

No side effects. Use after list_transport_nodes (which supplies node IDs) when a node looks degraded or overlay tunnels are suspect; for cluster-wide edge health use get_edge_cluster_status instead. Returns: node_id, status (e.g. UP, DEGRADED, DOWN, UNKNOWN), control_connection_status and mgmt_connection_status (controller/manager connectivity), tunnel_status (status plus up/down/degraded tunnel counts and BFD counters), and pnic_status (up/down/degraded pNIC counts). On failure returns {"error", "hint"} instead of raising.

Args: node_id: Transport node UUID, as returned by list_transport_nodes. target: NSX Manager name from config.yaml. Uses the default target if omitted.

get_edge_cluster_statusA

[READ] Check status of an edge cluster (member health, overall status).

Args: cluster_id: The edge cluster ID. target: Optional NSX Manager target name from config. Uses default if omitted.

get_nsx_manager_statusA

[READ] Get NSX Manager cluster status (node health, cluster status, version).

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

list_segmentsA

[READ] List all NSX network segments with type, subnet, admin state, and port count.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

get_segmentA

[READ] Get full details for one network segment, including its attached ports.

No side effects. Use after list_segments to inspect a single segment — e.g. check port_count before delete_segment (segments with attached ports refuse deletion). Returns: id, display_name, type, admin_state, subnets, transport_zone_path, connectivity_path (linked gateway), vlan_ids, port_count, and the first 50 ports (id, display_name, attachment). On failure returns {"error", "hint"} instead of raising.

Args: segment_id: Segment ID — the final component of the policy path /infra/segments/, as returned by list_segments. target: NSX Manager name from config.yaml. Uses the default target if omitted.

list_tier0_gatewaysA

[READ] List all Tier-0 gateways with HA mode and transit subnets.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

get_tier0_gatewayA

[READ] Get configuration details for one Tier-0 gateway (north-south edge router).

No side effects. Use after list_tier0_gateways to inspect HA configuration, or to build the tier0_path ("/infra/tier-0s/") that create_tier1_gateway needs. For BGP peering state use get_bgp_neighbors instead. Returns: id, display_name, ha_mode (ACTIVE_ACTIVE or ACTIVE_STANDBY), failover_mode (PREEMPTIVE or NON_PREEMPTIVE), transit_subnets, internal_transit_subnets, rd_admin_field. On failure returns {"error", "hint"} instead of raising.

Args: tier0_id: Tier-0 gateway ID, as returned by list_tier0_gateways. target: NSX Manager name from config.yaml. Uses the default target if omitted.

list_tier1_gatewaysA

[READ] List all Tier-1 gateways with linked Tier-0 path and route advertisement.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

get_tier1_gatewayA

[READ] Get detailed info for a specific Tier-1 gateway.

Args: tier1_id: The Tier-1 gateway ID. target: Optional NSX Manager target name from config. Uses default if omitted.

list_transport_zonesA

[READ] List all NSX transport zones — the overlay/VLAN boundaries that segments attach to.

No side effects. Primary use: discover the transport zone required by create_segment, whose transport_zone_path is "/infra/sites/default/enforcement-points/default/transport-zones/" using the id returned here. Returns one dict per zone: id, display_name, transport_type (e.g. OVERLAY_STANDARD or VLAN_BACKED). All zones are returned (typically under 20; no pagination). On failure returns a single-element list containing {"error", "hint"}.

Args: target: NSX Manager name from config.yaml. Uses the default target if omitted.

list_transport_nodesA

[READ] List all transport nodes with type and status.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

list_edge_clustersA

[READ] List all edge clusters with member count and deployment type.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

create_ip_poolA

[WRITE] Create an IP address pool with one static subnet and allocation range.

IP pools supply addresses to NSX consumers such as tunnel endpoints (TEPs). Check list_ip_pools first to avoid overlapping ranges; start_ip and end_ip must both fall inside cidr. Re-running with the same pool_id overwrites it (PUT semantics). Returns the created pool dict; verify consumption later with get_ip_pool_usage. On failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db).

Args: pool_id: Unique pool identifier (alphanumerics, hyphens, underscores only); becomes policy path /infra/ip-pools/. display_name: Human-readable name shown in the NSX UI. start_ip: First allocatable IPv4 address, e.g. "192.168.1.10". end_ip: Last allocatable IPv4 address, e.g. "192.168.1.100". cidr: Subnet containing the range, in CIDR notation, e.g. "192.168.1.0/24". gateway_ip: Default gateway IP for the subnet, e.g. "192.168.1.1". Optional. target: NSX Manager name from config.yaml. Uses the default target if omitted.

delete_ip_poolA

[WRITE] Permanently delete an IP address pool.

Irreversible: consumers (e.g. transport endpoints) that draw addresses from this pool can no longer allocate, and NSX rejects the delete if the pool still has active allocations. Run list_ip_pools and get_ip_pool_usage on the same pool_id first to confirm the pool is unused, and confirm with the user before deleting. Returns a confirmation string on success, or an "Error: ..." string (pool not found, still in use, connectivity failure). Recorded in the audit log (~/.vmware/audit.db).

Args: pool_id: IP pool ID to delete, as returned by list_ip_pools. target: NSX Manager name from config.yaml. Uses the default target if omitted.

create_nat_ruleA

[WRITE] Create a NAT rule on a Tier-1 gateway.

Args: tier1_id: The Tier-1 gateway ID. rule_id: Unique ID for the NAT rule. action: NAT action: "SNAT", "DNAT", or "REFLEXIVE" (default "DNAT"). source_network: Source network CIDR (required for SNAT). destination_network: Destination network CIDR (required for DNAT). translated_network: Translated network/IP address (required for SNAT, DNAT, and REFLEXIVE). target: Optional NSX Manager target name from config. Uses default if omitted.

delete_nat_ruleA

[WRITE] Permanently delete a NAT rule from a Tier-1 gateway's USER NAT section.

Irreversible: traffic matched by the rule stops being translated immediately, which can break inbound (DNAT) or outbound (SNAT) connectivity. Run list_nat_rules on the same tier1_id first to confirm the rule_id and review its action and networks, and confirm with the user before deleting. Returns a confirmation string on success, or an "Error: ..." string (rule or gateway not found, connectivity failure). Recorded in the audit log (~/.vmware/audit.db).

Args: tier1_id: Tier-1 gateway that owns the rule, as returned by list_tier1_gateways. rule_id: NAT rule ID to delete, as returned by list_nat_rules. target: NSX Manager name from config.yaml. Uses the default target if omitted.

list_nat_rulesA

[READ] List NAT rules on a Tier-1 gateway.

Args: tier1_id: The Tier-1 gateway ID. target: Optional NSX Manager target name from config. Uses default if omitted.

get_bgp_neighborsA

[READ] Get BGP configuration and neighbor status for a Tier-0 gateway.

No side effects. Use to verify dynamic routing after configure_tier0_bgp or when troubleshooting north-south connectivity. Reads the gateway's first locale-service, its BGP config and configured neighbors (Policy API), plus realized neighbor session state (Management API) where available. Returns tier0_id, locale-service info, BGP config (local AS, enabled, ECMP), neighbors (peer IP, remote ASN, hold_down_time, keep_alive_time), and session status (connection_state, in/out prefix counts); includes a hint when the gateway has no locale-services. On failure returns {"error", "hint"}.

Args: tier0_id: Tier-0 gateway ID, as returned by list_tier0_gateways. target: NSX Manager name from config.yaml. Uses the default target if omitted.

list_static_routesA

[READ] List static routes on a Tier-0 or Tier-1 gateway.

Args: tier1_id: The gateway ID (Tier-0 or Tier-1, per gateway_type). gateway_type: Either "tier0" or "tier1" (default "tier1"). target: Optional NSX Manager target name from config. Uses default if omitted.

list_ip_poolsA

[READ] List all IP address pools with subnets and usage summary.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

get_ip_pool_usageA

[READ] Get current IP allocations for one IP address pool.

No side effects. Use after list_ip_pools to see how much of a pool is consumed — e.g. when diagnosing TEP address exhaustion or before retiring a pool. Returns: pool_id, allocation_count, and allocations — one entry per allocated IP with id, display_name, allocation_ip (all allocations returned, no pagination). An empty allocations list means the pool is unused. On failure returns {"error", "hint"} instead of raising.

Args: pool_id: IP pool ID, as returned by list_ip_pools. target: NSX Manager name from config.yaml. Uses the default target if omitted.

create_static_routeA

[WRITE] Create a static route on a Tier-0 or Tier-1 gateway via the Policy API.

Use for destinations not covered by connected or advertised routes (e.g. reaching a VPN or external subnet). Note: for the Tier-0 to advertise this route upstream, the gateway needs TIER1_STATIC_ROUTES route advertisement (set via update_tier1_gateway). Re-running with the same route_id overwrites it (PUT semantics). Returns the created route dict; on failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db).

Args: tier1_id: Gateway ID (Tier-0 or Tier-1, per gateway_type), as returned by list_tier0_gateways / list_tier1_gateways. route_id: Unique route identifier (alphanumerics, hyphens, underscores only). network: Destination network in CIDR notation, e.g. "10.0.0.0/8". next_hop: Next-hop IPv4 address, e.g. "192.168.1.254". gateway_type: Either "tier0" or "tier1" (default "tier1"). target: NSX Manager name from config.yaml. Uses the default target if omitted.

delete_static_routeA

[WRITE] Permanently delete a static route from a Tier-0 or Tier-1 gateway.

Irreversible: traffic to the route's destination CIDR immediately falls back to remaining routes or is dropped. Run list_static_routes on the same tier1_id first to confirm the route_id, destination network, and next hops, and confirm with the user before deleting. Returns a confirmation string on success, or an "Error: ..." string (route or gateway not found, connectivity failure). Recorded in the audit log (~/.vmware/audit.db).

Args: tier1_id: Gateway that owns the route (Tier-0 or Tier-1, per gateway_type), as returned by list_tier0_gateways / list_tier1_gateways. route_id: Static route ID to delete, as returned by list_static_routes. gateway_type: Either "tier0" or "tier1" (default "tier1"). target: NSX Manager name from config.yaml. Uses the default target if omitted.

create_segmentA

[WRITE] Create a new NSX network segment (overlay or VLAN-backed) via the Policy API.

Prerequisite: get the transport zone from list_transport_zones first. Pass subnet for overlay routed segments, or vlan_ids for VLAN-backed transport zones. Re-running with the same segment_id overwrites that segment (PUT semantics). Returns the created segment dict (id, display_name, subnets, transport_zone_path); on failure returns {"error", "hint"}. The operation is recorded in the audit log (~/.vmware/audit.db).

Args: segment_id: Unique segment identifier (alphanumerics, hyphens, underscores only); becomes policy path /infra/segments/. display_name: Human-readable name shown in the NSX UI. transport_zone_path: Full transport zone policy path, e.g. "/infra/sites/default/enforcement-points/default/transport-zones/". vlan_ids: VLAN ID(s) for VLAN-backed segments, comma- or hyphen-separated individual IDs (e.g. "100" or "100,200"). Omit for overlay. subnet: Gateway IP in CIDR notation, e.g. "192.168.1.1/24" (the gateway address, not the network address). Omit for VLAN-backed segments. target: NSX Manager name from config.yaml. Uses the default target if omitted.

update_segmentA

[WRITE] Update an existing network segment (partial update via PATCH).

Args: segment_id: The segment ID to update. display_name: New display name (optional). subnet: New gateway CIDR (optional). target: Optional NSX Manager target name from config. Uses default if omitted.

delete_segmentA

[WRITE] Delete a network segment. WARNING: This will disconnect all attached VMs.

Args: segment_id: The segment ID to delete. target: Optional NSX Manager target name from config. Uses default if omitted.

get_logical_port_statusA

[READ] Check realized state of all ports on a segment (first 50 ports).

For each port returns admin_state, attachment (type/id), and the realized state from the Policy API: attached (attachment present), realized_bindings_count, and transport_node_ids (nodes realizing the port). NSX does not expose a single UP/DOWN flag per segment port — an attached port with realized bindings on at least one transport node is healthy.

Args: segment_id: The segment ID whose ports to inspect, as returned by list_segments. target: Optional NSX Manager target name from config. Uses default if omitted.

get_segment_port_for_vmA

[READ] Find which segment(s) a VM is attached to via its VIF attachments.

Looks up the VM in the NSX fabric inventory by display name, fetches its VIFs (/api/v1/fabric/vifs), and matches segment ports whose attachment id equals a VIF's lport_attachment_id. Returns VM info (external_id, host, power state) and matched_ports (segment id/name, port id/name).

Args: vm_display_name: The VM display name as shown in vCenter/NSX inventory. target: Optional NSX Manager target name from config. Uses default if omitted.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX'

If you have feedback or need assistance with the MCP directory API, please join our Discord server