ClawHub

Vmware Nsx

v1.5.14

Use this skill whenever the user needs to manage VMware NSX networking — segments, gateways, NAT, routing, and IP pools. Directly handles: create/manage netw...

0· 400·1 current·1 all-time
by@zw008

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zw008/vmware-nsx.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Vmware Nsx" (zw008/vmware-nsx) from ClawHub.
Skill page: https://clawhub.ai/zw008/vmware-nsx
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: VMWARE_NSX_CONFIG
Required binaries: vmware-nsx
Config paths to check: ~/.vmware-nsx/config.yaml, ~/.vmware-nsx/.env
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install vmware-nsx

ClawHub CLI

Package manager switcher

npx clawhub@latest install vmware-nsx
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared requirements: the skill expects a vmware-nsx CLI binary, a VMWARE_NSX_CONFIG pointing at ~/.vmware-nsx/config.yaml, and per-target passwords in ~/.vmware-nsx/.env — all appropriate for NSX Manager Policy API operations.
Instruction Scope
Runtime instructions are scoped to NSX operations (segments, gateways, NAT, routing, IP pools, health). They reference only the config files and environment vars required for those tasks. Minor inconsistencies: the compatibility notes say "No webhooks, no outbound network calls" while the example config includes an optional notify.webhook_url (default empty). The skill correctly documents that it talks to NSX Manager over HTTPS (port 443).
Install Mechanism
This is instruction-only (no automated install spec in the registry). The SKILL.md suggests installing via the 'uv' tool (uv tool install vmware-nsx-mgmt) or pip/from-source — these are expected for a CLI tool and the repo is public on GitHub. No downloads from untrusted hosts or archive extraction are present in the manifest.
Credentials
Requested env/config access is proportional: VMWARE_NSX_CONFIG and per-target VMWARE_<TARGET>_PASSWORD variables are required and described. Required config paths (~/.vmware-nsx/config.yaml and ~/.vmware-nsx/.env) are appropriate. The skill writes an audit DB (~/.vmware/audit.db) locally; audit entries include parameters and before/after state (not passwords). Ensure the .env file is protected (chmod 600) and that the NSX account used has least privilege required.
Persistence & Privilege
Skill does not request always:true and uses stdio MCP integration. It writes its own audit DB under ~/.vmware and uses local config; it does not claim to modify other skills or system-wide agent settings. Autonomous invocation is permitted (platform default) but not combined with elevated persistent privileges here.
Assessment
This skill appears coherent for NSX management, but take these practical precautions before installing: 1) Verify the vmware-nsx/vmware-nsx-mgmt package source (github.com/zw008/VMware-NSX) and inspect the CLI code if you can. 2) Keep ~/.vmware-nsx/.env permissions strict (chmod 600) and use a least-privilege NSX account for automation. 3) Confirm the audit DB location (~/.vmware/audit.db) is acceptable for your environment and that audit contents won't leak sensitive data. 4) Leave optional webhook_url empty unless you intentionally need external notifications. 5) If you plan to let agents invoke the skill autonomously, be aware the agent can perform write operations against NSX (double-confirm prompts/dry-run exist, but an autonomous agent could trigger them); restrict scope/credentials accordingly. 6) Minor inconsistency: SKILL.md asserts "no webhooks/no outbound calls" yet the config supports a webhook field — treat webhooks as disabled by default.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌐 Clawdis
OSmacOS · Linux
Binsvmware-nsx
EnvVMWARE_NSX_CONFIG
Config~/.vmware-nsx/config.yaml, ~/.vmware-nsx/.env
Primary envVMWARE_NSX_CONFIG
latestvk970p9etrx3fkvez747jd05swn859x0m
400downloads
0stars
23versions
Updated 1w ago
v1.5.14
MIT-0
macOS, Linux
@zw008
latest
Download

VMware NSX

Disclaimer: This is a community-maintained open-source project and is not affiliated with, endorsed by, or sponsored by VMware, Inc. or Broadcom Inc. "VMware" and "NSX" are trademarks of Broadcom. Source code is publicly auditable at github.com/zw008/VMware-NSX under the MIT license.

VMware NSX networking management — 31 MCP tools for segments, gateways, NAT, routing, and IPAM.

Domain-focused networking skill for NSX-T / NSX 4.x Policy API. Companion skills: vmware-nsx-security (DFW/firewall), vmware-aiops (VM lifecycle), vmware-monitor (read-only monitoring), vmware-storage (iSCSI/vSAN), vmware-vks (Tanzu Kubernetes), vmware-aria (metrics/alerts/capacity), vmware-avi (AVI/ALB/AKO). | vmware-pilot (workflow orchestration) | vmware-policy (audit/policy)

What This Skill Does

CategoryToolsCount
Segmentslist, get details, create, update, delete, list ports6
Tier-0 Gatewayslist, get details, BGP neighbors, route table4
Tier-1 Gatewayslist, get details, create, update, delete, route table6
NATlist rules, get rule details, create rule, update rule, delete rule5
Static Routeslist, create, delete3
IP Poolslist, get allocations, create pool, create subnet4
Health & TroubleshootingNSX alarms, transport node status, edge cluster status, manager cluster status, logical port status, VM-to-segment lookup6

Total: 31 tools (18 read-only + 13 write)

Quick Install

uv tool install vmware-nsx-mgmt
vmware-nsx doctor

When to Use This Skill

  • List, create, or modify NSX segments (overlay / VLAN-backed)
  • Create or manage Tier-0 / Tier-1 gateways
  • Configure NAT rules (SNAT, DNAT, reflexive)
  • View or add static routes, check BGP neighbors
  • Manage IP pools and subnet allocations
  • Check NSX alarms, transport node health, edge cluster status
  • Find which segment a VM is connected to
  • Troubleshoot logical port status

Use companion skills for:

  • Distributed firewall, security groups, DFW rules, IDS/IPS → vmware-nsx-security
  • VM lifecycle, deployment, guest ops → vmware-aiops
  • vSphere inventory, health, alarms, events → vmware-monitor
  • Storage: iSCSI, vSAN, datastores → vmware-storage
  • Tanzu Kubernetes → vmware-vks
  • Load balancing, AVI/ALB, AKO, Ingress → vmware-avi

Related Skills — Skill Routing

User IntentRecommended Skill
NSX networking: segments, gateways, NAT, routing, IPAMvmware-nsx ← this skill
NSX security: DFW rules, security groups, IDS/IPSvmware-nsx-security
Read-only vSphere monitoring, alarms, eventsvmware-monitor
VM lifecycle, deployment, guest opsvmware-aiops
Storage: iSCSI, vSAN, datastoresvmware-storage
Tanzu Kubernetes (vSphere 8.x+)vmware-vks
Aria Ops: metrics, alerts, capacity planningvmware-aria
Multi-step workflows with approvalvmware-pilot
Load balancer, AVI, ALB, AKO, Ingressvmware-avi (uv tool install vmware-avi)
Audit log queryvmware-policy (vmware-audit CLI)

Common Workflows

Create an App Network (Segment + T1 Gateway + NAT)

  1. Create a Tier-1 gateway → vmware-nsx gateway create-t1 app-t1 --edge-cluster edge-cluster-01 --tier0 tier0-gw
  2. Create a segment → vmware-nsx segment create app-web-seg --gateway app-t1 --subnet <subnet-cidr> --transport-zone tz-overlay
  3. Add SNAT rule → vmware-nsx nat create app-t1 --action SNAT --source <private-cidr> --translated <public-ip>
  4. Verify → vmware-nsx segment list and vmware-nsx nat list app-t1

Dry-run first: Append --dry-run to any write command to preview without executing:

vmware-nsx segment create app-web-seg --gateway app-t1 --subnet <subnet-cidr> --transport-zone tz-overlay --dry-run

Check Network Health

  1. NSX manager cluster status → vmware-nsx health manager-status
  2. Transport node status → vmware-nsx health transport-nodes
  3. Edge cluster status → vmware-nsx health edge-clusters
  4. Active alarms → vmware-nsx health alarms
  5. If issues found, investigate with vmware-monitor for vSphere-side events

Troubleshoot VM Connectivity

  1. Find the VM's segment → vmware-nsx troubleshoot vm-segment my-vm-01
  2. Check logical port status → vmware-nsx troubleshoot port-status <port-id>
  3. Check the gateway route table → vmware-nsx gateway routes-t1 app-t1
  4. Check BGP neighbors on T0 → vmware-nsx gateway bgp-neighbors tier0-gw
  5. Review NAT rules → vmware-nsx nat list app-t1

Multi-Target Operations

All commands accept --target <name> to operate against a specific NSX Manager from your config:

# Default target (first in config.yaml)
vmware-nsx segment list

# Specific target
vmware-nsx segment list --target nsx-prod
vmware-nsx health alarms --target nsx-lab

Usage Mode

ScenarioRecommendedWhy
Local/small models (Ollama, Qwen)CLI~2K tokens vs ~8K for MCP
Cloud models (Claude, GPT-4o)EitherMCP gives structured JSON I/O
Automated pipelinesMCPType-safe parameters, structured output

MCP Tools (31 — 18 read, 13 write)

All MCP tools accept an optional target parameter to select which NSX Manager to connect to.

CategoryToolTypeDescription
Segmentlist_segmentsReadList all segments with type, subnet, gateway, transport zone
get_segmentReadGet segment details including ports and subnet config
create_segmentWriteCreate overlay or VLAN segment with subnet and gateway
update_segmentWriteUpdate segment properties (description, tags, DHCP)
delete_segmentWriteDelete a segment (checks for connected ports first)
list_segment_portsReadList logical ports on a segment with status
Tier-0 GWlist_tier0_gatewaysReadList Tier-0 gateways with HA mode and edge cluster
get_tier0_gatewayReadGet Tier-0 details: interfaces, routing config, BGP
get_tier0_bgp_neighborsReadList BGP neighbor sessions with state, ASN, routes
get_tier0_route_tableReadGet Tier-0 routing table (connected, static, BGP)
Tier-1 GWlist_tier1_gatewaysReadList Tier-1 gateways with linked Tier-0 and edge cluster
get_tier1_gatewayReadGet Tier-1 details: interfaces, route advertisement
create_tier1_gatewayWriteCreate Tier-1 gateway with edge cluster and Tier-0 link
update_tier1_gatewayWriteUpdate Tier-1 properties (route advertisement, tags)
delete_tier1_gatewayWriteDelete a Tier-1 gateway (checks for connected segments)
get_tier1_route_tableReadGet Tier-1 routing table
NATlist_nat_rulesReadList NAT rules on a Tier-1 gateway
get_nat_ruleReadGet NAT rule details (action, source, destination, translated)
create_nat_ruleWriteCreate SNAT/DNAT/reflexive NAT rule on a gateway
update_nat_ruleWriteUpdate NAT rule properties
delete_nat_ruleWriteDelete a NAT rule
Static Routeslist_static_routesReadList static routes on a Tier-0 or Tier-1 gateway
create_static_routeWriteAdd a static route with network and next-hop
delete_static_routeWriteRemove a static route
IP Poolslist_ip_poolsReadList IP pools with usage statistics
get_ip_pool_allocationsReadShow allocated IPs from a pool
create_ip_poolWriteCreate a new IP address pool
create_ip_pool_subnetWriteAdd a subnet/range to an IP pool
Healthget_nsx_alarmsReadList active NSX alarms with severity and entity
get_transport_node_statusReadTransport node connectivity and config status
get_edge_cluster_statusReadEdge cluster member status and failover config
get_manager_cluster_statusReadNSX Manager cluster health and node roles
Troubleshootget_logical_port_statusReadLogical port admin/operational status and link state
find_vm_segmentReadFind which segment(s) a VM is connected to by name

Read/write split: 18 tools are read-only, 13 modify state. Write tools require explicit parameters and are audit-logged. All write operations support dry-run mode.

CLI Quick Reference

# Segments
vmware-nsx segment list [--target <name>]
vmware-nsx segment get <segment-name>
vmware-nsx segment create <name> --gateway <t1> --subnet <cidr> --transport-zone <tz> [--dry-run]
vmware-nsx segment update <name> --description "new desc" [--dry-run]
vmware-nsx segment delete <name> [--dry-run]
vmware-nsx segment ports <segment-name>

# Tier-0 Gateways
vmware-nsx gateway list-t0
vmware-nsx gateway get-t0 <name>
vmware-nsx gateway bgp-neighbors <t0-name>
vmware-nsx gateway routes-t0 <t0-name>

# Tier-1 Gateways
vmware-nsx gateway list-t1
vmware-nsx gateway get-t1 <name>
vmware-nsx gateway create-t1 <name> --edge-cluster <ec> --tier0 <t0> [--dry-run]
vmware-nsx gateway update-t1 <name> --route-advertisement connected,nat [--dry-run]
vmware-nsx gateway delete-t1 <name> [--dry-run]
vmware-nsx gateway routes-t1 <t1-name>

# NAT
vmware-nsx nat list <gateway-name>
vmware-nsx nat get <gateway-name> <rule-id>
vmware-nsx nat create <gateway-name> --action SNAT --source <cidr> --translated <ip> [--dry-run]
vmware-nsx nat update <gateway-name> <rule-id> --translated <new-ip> [--dry-run]
vmware-nsx nat delete <gateway-name> <rule-id> [--dry-run]

# Static Routes
vmware-nsx route list <gateway-name>
vmware-nsx route create <gateway-name> --network <cidr> --next-hop <ip> [--dry-run]
vmware-nsx route delete <gateway-name> <route-id> [--dry-run]

# IP Pools
vmware-nsx ippool list
vmware-nsx ippool allocations <pool-id>
vmware-nsx ippool create <name> [--dry-run]
vmware-nsx ippool add-subnet <pool-id> --start <ip> --end <ip> --cidr <cidr> [--dry-run]

# Health & Troubleshooting
vmware-nsx health alarms [--severity CRITICAL]
vmware-nsx health transport-nodes
vmware-nsx health edge-clusters
vmware-nsx health manager-status
vmware-nsx troubleshoot port-status <port-id>
vmware-nsx troubleshoot vm-segment <vm-name>

# Diagnostics
vmware-nsx doctor [--skip-auth]

Full CLI reference with all options and output formats: see references/cli-reference.md

Troubleshooting

"Segment not found" when querying

Segment display names and Policy API IDs can differ. Use vmware-nsx segment list to get the exact ID. The Policy API uses the segment id field, not display_name. Common mistakes: using the display name with spaces instead of the hyphenated ID.

NAT rule creation fails with "gateway not found"

NAT rules are created on Tier-1 gateways (or Tier-0 for some topologies). Verify the gateway name with vmware-nsx gateway list-t1. The gateway must have an edge cluster assigned for NAT to function.

BGP neighbor shows "Connect" or "Active" state

The BGP session is not established. Common causes:

  1. Peer IP unreachable from the edge node — check physical uplinks and VLAN config
  2. ASN mismatch — compare local and remote ASN in bgp-neighbors output
  3. Firewall blocking TCP 179 — check edge node firewall rules (not NSX DFW)
  4. MD5 password mismatch — verify authentication settings on both sides

Transport node status "degraded"

A transport node in degraded state has partial connectivity. Steps:

  1. Check vmware-nsx health transport-nodes for the specific failure reason
  2. Common cause: tunnel endpoint (TEP) unreachable — verify underlay MTU (minimum 1600 for Geneve)
  3. Check NTP sync between NSX Manager and transport nodes
  4. If recently upgraded, verify the host switch config matches NSX Manager expectations

"Password not found" error

The password environment variable is missing. Variable names follow the pattern VMWARE_<TARGET_NAME_UPPER>_PASSWORD where hyphens become underscores. Example: target nsx-prod needs VMWARE_NSX_PROD_PASSWORD. Check your ~/.vmware-nsx/.env file.

Safety

  • Read-heavy: 18 of 31 tools are read-only (list, get, status, health, troubleshoot)
  • Audit logging: All operations logged to ~/.vmware/audit.db (SQLite WAL, via vmware-policy) with timestamp, user, target, operation, parameters, and result
  • Double confirmation: CLI write commands require two separate confirmation prompts before executing
  • Dry-run mode: All write commands support --dry-run to preview API calls without executing
  • Dependency checks: Segment delete checks for connected ports; gateway delete checks for connected segments; prevents accidental cascade failures
  • Input validation: CIDR networks validated, IP addresses checked, gateway existence verified before NAT/route operations
  • Prompt injection defense: NSX object names returned from the API are sanitized via _sanitize() — strips control characters, truncates to 500 chars
  • Credential safety: Passwords loaded only from environment variables (.env file), never from config.yaml
  • No firewall operations: Cannot create, modify, or delete DFW rules, security groups, or IDS/IPS policies — that scope belongs to vmware-nsx-security

Setup

uv tool install vmware-nsx-mgmt
mkdir -p ~/.vmware-nsx
cp config.example.yaml ~/.vmware-nsx/config.yaml
# Edit config.yaml with your NSX Manager targets

# Add to ~/.vmware-nsx/.env (create if missing, chmod 600):
# VMWARE_NSX_PROD_PASSWORD=<your-password>
chmod 600 ~/.vmware-nsx/.env

vmware-nsx doctor

All tools are automatically audited via vmware-policy. Audit logs: vmware-audit log --last 20

Full setup guide with multi-target config, MCP server setup, and Docker: see references/setup-guide.md

Architecture

User (natural language)
  |
AI Agent (Claude Code / Goose / Cursor)
  | reads SKILL.md
vmware-nsx CLI or MCP server (stdio transport)
  | NSX Policy API (REST/JSON over HTTPS)
NSX Manager
  |
Segments / Gateways / NAT / Routes / IP Pools / Transport Nodes

The MCP server uses stdio transport (local only, no network listener). Connections to NSX Manager use HTTPS on port 443.

Audit & Safety

All operations are automatically audited via vmware-policy (@vmware_tool decorator):

  • Every tool call logged to ~/.vmware/audit.db (SQLite, framework-agnostic)
  • Policy rules enforced via ~/.vmware/rules.yaml (deny rules, maintenance windows, risk levels)
  • Risk classification: each tool tagged as low/medium/high/critical
  • View recent operations: vmware-audit log --last 20
  • View denied operations: vmware-audit log --status denied

vmware-policy is automatically installed as a dependency — no manual setup needed.

License

MIT — github.com/zw008/VMware-NSX

Comments

Loading comments...