vmware-nsx
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| VMWARE_NSX_CONFIG | Yes | Path to the NSX configuration YAML file. | ~/.vmware-nsx/config.yaml |
| VMWARE_NSX_PROD_PASSWORD | No | The password for the VMware NSX Manager. Note: The environment variable name depends on the target name defined in your config (VMWARE_<TARGET_UPPER>_PASSWORD). | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {"listChanged": false} |
| prompts | {"listChanged": false} |
| resources | {"subscribe": false, "listChanged": false} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| create_tier1_gateway | [WRITE] Create a Tier-1 gateway for routing segments, with optional Tier-0 uplink. For north-south reachability, link it to a Tier-0 (get the path from list_tier0_gateways). Side effect to note: if route_advertisement is omitted, nothing is advertised to the Tier-0, so connected subnets stay unreachable from outside until advertisement types are set (here or via update_tier1_gateway). Re-running with the same tier1_id overwrites it (PUT semantics). Returns the created gateway dict; on failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db). Args: tier1_id: Unique gateway identifier (alphanumerics, hyphens, underscores only); becomes policy path /infra/tier-1s/. display_name: Human-readable name shown in the NSX UI. tier0_path: Parent Tier-0 policy path, e.g. "/infra/tier-0s/". Omit to create a standalone (unlinked) gateway. edge_cluster_path: Edge cluster policy path for stateful services such as NAT, e.g. "/infra/sites/default/enforcement-points/default/edge-clusters/". Optional. route_advertisement: Comma-separated advertisement types. Valid values: TIER1_CONNECTED, TIER1_STATIC_ROUTES, TIER1_NAT, TIER1_LB_VIP, TIER1_LB_SNAT, TIER1_DNS_FORWARDER_IP, TIER1_IPSEC_LOCAL_ENDPOINT. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| update_tier1_gateway | [WRITE] Partially update an existing Tier-1 gateway via PATCH. Only the fields you pass change; omitted fields keep their current values. Use get_tier1_gateway first to inspect current config. Typical uses: relink the gateway to a different Tier-0, or enable route advertisement on a gateway created without it. Re-applying identical values is harmless. Returns the updated gateway dict; on failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db). Args: tier1_id: Tier-1 gateway ID to update, as returned by list_tier1_gateways. display_name: New display name. Optional. tier0_path: New parent Tier-0 policy path, e.g. "/infra/tier-0s/". Optional. route_advertisement: Comma-separated advertisement types. Valid values: TIER1_CONNECTED, TIER1_STATIC_ROUTES, TIER1_NAT, TIER1_LB_VIP, TIER1_LB_SNAT, TIER1_DNS_FORWARDER_IP, TIER1_IPSEC_LOCAL_ENDPOINT. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| delete_tier1_gateway | [WRITE] Delete a Tier-1 gateway. WARNING: This removes all attached segments and NAT rules. Also removes the gateway's "default" locale-service first (the Policy API refuses to delete a Tier-1 that still has children); a missing locale-service is ignored. Args: tier1_id: The Tier-1 gateway ID to delete. target: Optional NSX Manager target name from config. Uses default if omitted. |
| configure_tier0_bgp | [WRITE] Configure BGP settings on a Tier-0 gateway's locale-service. Note: This configures BGP settings (local AS, ECMP, graceful restart). BGP neighbor creation is a separate Policy API object and not exposed here. Args: tier0_id: The Tier-0 gateway ID. local_as_num: Local AS number as a string (e.g. "65001"). enabled: Enable or disable BGP on the locale-service (default True). ecmp: Enable ECMP for BGP routes (default True). inter_sr_ibgp: Enable inter-SR iBGP (default True). locale_service_id: Locale-service identifier (default "default"). target: Optional NSX Manager target name from config. Uses default if omitted. |
| list_nsx_alarms | [READ] Get active NSX alarms at one severity, with feature, description, and entity. Note: the NSX severity filter is an EXACT match — "MEDIUM" returns only MEDIUM alarms, not MEDIUM-and-above. Query each severity separately to build a full picture. Results follow pagination cursors (all alarms at that severity are returned). Args: severity: Exact severity to filter on: LOW, MEDIUM, HIGH, or CRITICAL (default "MEDIUM"). target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_transport_node_status | [READ] Get realized runtime status of one transport node (ESXi host or Edge node). No side effects. Use after list_transport_nodes (which supplies node IDs) when a node looks degraded or overlay tunnels are suspect; for cluster-wide edge health use get_edge_cluster_status instead. Returns: node_id, status (e.g. UP, DEGRADED, DOWN, UNKNOWN), control_connection_status and mgmt_connection_status (controller/manager connectivity), tunnel_status (status plus up/down/degraded tunnel counts and BFD counters), and pnic_status (up/down/degraded pNIC counts). On failure returns {"error", "hint"} instead of raising. Args: node_id: Transport node UUID, as returned by list_transport_nodes. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| get_edge_cluster_status | [READ] Check status of an edge cluster (member health, overall status). Args: cluster_id: The edge cluster ID. target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_nsx_manager_status | [READ] Get NSX Manager cluster status (node health, cluster status, version). Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| list_segments | [READ] List all NSX network segments with type, subnet, admin state, and port count. Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_segment | [READ] Get full details for one network segment, including its attached ports. No side effects. Use after list_segments to inspect a single segment — e.g. check port_count before delete_segment (segments with attached ports refuse deletion). Returns: id, display_name, type, admin_state, subnets, transport_zone_path, connectivity_path (linked gateway), vlan_ids, port_count, and the first 50 ports (id, display_name, attachment). On failure returns {"error", "hint"} instead of raising. Args: segment_id: Segment ID — the final component of the policy path /infra/segments/, as returned by list_segments. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| list_tier0_gateways | [READ] List all Tier-0 gateways with HA mode and transit subnets. Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_tier0_gateway | [READ] Get configuration details for one Tier-0 gateway (north-south edge router). No side effects. Use after list_tier0_gateways to inspect HA configuration, or to build the tier0_path ("/infra/tier-0s/") that create_tier1_gateway needs. For BGP peering state use get_bgp_neighbors instead. Returns: id, display_name, ha_mode (ACTIVE_ACTIVE or ACTIVE_STANDBY), failover_mode (PREEMPTIVE or NON_PREEMPTIVE), transit_subnets, internal_transit_subnets, rd_admin_field. On failure returns {"error", "hint"} instead of raising. Args: tier0_id: Tier-0 gateway ID, as returned by list_tier0_gateways. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| list_tier1_gateways | [READ] List all Tier-1 gateways with linked Tier-0 path and route advertisement. Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_tier1_gateway | [READ] Get detailed info for a specific Tier-1 gateway. Args: tier1_id: The Tier-1 gateway ID. target: Optional NSX Manager target name from config. Uses default if omitted. |
| list_transport_zones | [READ] List all NSX transport zones — the overlay/VLAN boundaries that segments attach to. No side effects. Primary use: discover the transport zone required by create_segment, whose transport_zone_path is "/infra/sites/default/enforcement-points/default/transport-zones/" using the id returned here. Returns one dict per zone: id, display_name, transport_type (e.g. OVERLAY_STANDARD or VLAN_BACKED). All zones are returned (typically under 20; no pagination). On failure returns a single-element list containing {"error", "hint"}. Args: target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| list_transport_nodes | [READ] List all transport nodes with type and status. Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| list_edge_clusters | [READ] List all edge clusters with member count and deployment type. Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| create_ip_pool | [WRITE] Create an IP address pool with one static subnet and allocation range. IP pools supply addresses to NSX consumers such as tunnel endpoints (TEPs). Check list_ip_pools first to avoid overlapping ranges; start_ip and end_ip must both fall inside cidr. Re-running with the same pool_id overwrites it (PUT semantics). Returns the created pool dict; verify consumption later with get_ip_pool_usage. On failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db). Args: pool_id: Unique pool identifier (alphanumerics, hyphens, underscores only); becomes policy path /infra/ip-pools/. display_name: Human-readable name shown in the NSX UI. start_ip: First allocatable IPv4 address, e.g. "192.168.1.10". end_ip: Last allocatable IPv4 address, e.g. "192.168.1.100". cidr: Subnet containing the range, in CIDR notation, e.g. "192.168.1.0/24". gateway_ip: Default gateway IP for the subnet, e.g. "192.168.1.1". Optional. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| delete_ip_pool | [WRITE] Permanently delete an IP address pool. Irreversible: consumers (e.g. transport endpoints) that draw addresses from this pool can no longer allocate, and NSX rejects the delete if the pool still has active allocations. Run list_ip_pools and get_ip_pool_usage on the same pool_id first to confirm the pool is unused, and confirm with the user before deleting. Returns a confirmation string on success, or an "Error: ..." string (pool not found, still in use, connectivity failure). Recorded in the audit log (~/.vmware/audit.db). Args: pool_id: IP pool ID to delete, as returned by list_ip_pools. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| create_nat_rule | [WRITE] Create a NAT rule on a Tier-1 gateway. Args: tier1_id: The Tier-1 gateway ID. rule_id: Unique ID for the NAT rule. action: NAT action: "SNAT", "DNAT", or "REFLEXIVE" (default "DNAT"). source_network: Source network CIDR (required for SNAT). destination_network: Destination network CIDR (required for DNAT). translated_network: Translated network/IP address (required for SNAT, DNAT, and REFLEXIVE). target: Optional NSX Manager target name from config. Uses default if omitted. |
| delete_nat_rule | [WRITE] Permanently delete a NAT rule from a Tier-1 gateway's USER NAT section. Irreversible: traffic matched by the rule stops being translated immediately, which can break inbound (DNAT) or outbound (SNAT) connectivity. Run list_nat_rules on the same tier1_id first to confirm the rule_id and review its action and networks, and confirm with the user before deleting. Returns a confirmation string on success, or an "Error: ..." string (rule or gateway not found, connectivity failure). Recorded in the audit log (~/.vmware/audit.db). Args: tier1_id: Tier-1 gateway that owns the rule, as returned by list_tier1_gateways. rule_id: NAT rule ID to delete, as returned by list_nat_rules. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| list_nat_rules | [READ] List NAT rules on a Tier-1 gateway. Args: tier1_id: The Tier-1 gateway ID. target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_bgp_neighbors | [READ] Get BGP configuration and neighbor status for a Tier-0 gateway. No side effects. Use to verify dynamic routing after configure_tier0_bgp or when troubleshooting north-south connectivity. Reads the gateway's first locale-service, its BGP config and configured neighbors (Policy API), plus realized neighbor session state (Management API) where available. Returns tier0_id, locale-service info, BGP config (local AS, enabled, ECMP), neighbors (peer IP, remote ASN, hold_down_time, keep_alive_time), and session status (connection_state, in/out prefix counts); includes a hint when the gateway has no locale-services. On failure returns {"error", "hint"}. Args: tier0_id: Tier-0 gateway ID, as returned by list_tier0_gateways. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| list_static_routes | [READ] List static routes on a Tier-0 or Tier-1 gateway. Args: tier1_id: The gateway ID (Tier-0 or Tier-1, per gateway_type). gateway_type: Either "tier0" or "tier1" (default "tier1"). target: Optional NSX Manager target name from config. Uses default if omitted. |
| list_ip_pools | [READ] List all IP address pools with subnets and usage summary. Args: target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_ip_pool_usage | [READ] Get current IP allocations for one IP address pool. No side effects. Use after list_ip_pools to see how much of a pool is consumed — e.g. when diagnosing TEP address exhaustion or before retiring a pool. Returns: pool_id, allocation_count, and allocations — one entry per allocated IP with id, display_name, allocation_ip (all allocations returned, no pagination). An empty allocations list means the pool is unused. On failure returns {"error", "hint"} instead of raising. Args: pool_id: IP pool ID, as returned by list_ip_pools. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| create_static_route | [WRITE] Create a static route on a Tier-0 or Tier-1 gateway via the Policy API. Use for destinations not covered by connected or advertised routes (e.g. reaching a VPN or external subnet). Note: for the Tier-0 to advertise this route upstream, the gateway needs TIER1_STATIC_ROUTES route advertisement (set via update_tier1_gateway). Re-running with the same route_id overwrites it (PUT semantics). Returns the created route dict; on failure returns {"error", "hint"}. Recorded in the audit log (~/.vmware/audit.db). Args: tier1_id: Gateway ID (Tier-0 or Tier-1, per gateway_type), as returned by list_tier0_gateways / list_tier1_gateways. route_id: Unique route identifier (alphanumerics, hyphens, underscores only). network: Destination network in CIDR notation, e.g. "10.0.0.0/8". next_hop: Next-hop IPv4 address, e.g. "192.168.1.254". gateway_type: Either "tier0" or "tier1" (default "tier1"). target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| delete_static_route | [WRITE] Permanently delete a static route from a Tier-0 or Tier-1 gateway. Irreversible: traffic to the route's destination CIDR immediately falls back to remaining routes or is dropped. Run list_static_routes on the same tier1_id first to confirm the route_id, destination network, and next hops, and confirm with the user before deleting. Returns a confirmation string on success, or an "Error: ..." string (route or gateway not found, connectivity failure). Recorded in the audit log (~/.vmware/audit.db). Args: tier1_id: Gateway that owns the route (Tier-0 or Tier-1, per gateway_type), as returned by list_tier0_gateways / list_tier1_gateways. route_id: Static route ID to delete, as returned by list_static_routes. gateway_type: Either "tier0" or "tier1" (default "tier1"). target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| create_segment | [WRITE] Create a new NSX network segment (overlay or VLAN-backed) via the Policy API. Prerequisite: get the transport zone from list_transport_zones first. Pass subnet for overlay routed segments, or vlan_ids for VLAN-backed transport zones. Re-running with the same segment_id overwrites that segment (PUT semantics). Returns the created segment dict (id, display_name, subnets, transport_zone_path); on failure returns {"error", "hint"}. The operation is recorded in the audit log (~/.vmware/audit.db). Args: segment_id: Unique segment identifier (alphanumerics, hyphens, underscores only); becomes policy path /infra/segments/. display_name: Human-readable name shown in the NSX UI. transport_zone_path: Full transport zone policy path, e.g. "/infra/sites/default/enforcement-points/default/transport-zones/". vlan_ids: VLAN ID(s) for VLAN-backed segments, comma- or hyphen-separated individual IDs (e.g. "100" or "100,200"). Omit for overlay. subnet: Gateway IP in CIDR notation, e.g. "192.168.1.1/24" (the gateway address, not the network address). Omit for VLAN-backed segments. target: NSX Manager name from config.yaml. Uses the default target if omitted. |
| update_segment | [WRITE] Update an existing network segment (partial update via PATCH). Args: segment_id: The segment ID to update. display_name: New display name (optional). subnet: New gateway CIDR (optional). target: Optional NSX Manager target name from config. Uses default if omitted. |
| delete_segment | [WRITE] Delete a network segment. WARNING: This will disconnect all attached VMs. Args: segment_id: The segment ID to delete. target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_logical_port_status | [READ] Check realized state of all ports on a segment (first 50 ports). For each port returns admin_state, attachment (type/id), and the realized state from the Policy API: attached (attachment present), realized_bindings_count, and transport_node_ids (nodes realizing the port). NSX does not expose a single UP/DOWN flag per segment port — an attached port with realized bindings on at least one transport node is healthy. Args: segment_id: The segment ID whose ports to inspect, as returned by list_segments. target: Optional NSX Manager target name from config. Uses default if omitted. |
| get_segment_port_for_vm | [READ] Find which segment(s) a VM is attached to via its VIF attachments. Looks up the VM in the NSX fabric inventory by display name, fetches its VIFs (/api/v1/fabric/vifs), and matches segment ports whose attachment id equals a VIF's lport_attachment_id. Returns VM info (external_id, host, power state) and matched_ports (segment id/name, port id/name). Args: vm_display_name: The VM display name as shown in vCenter/NSX inventory. target: Optional NSX Manager target name from config. Uses default if omitted. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX'