Creating NSX-T segments with VMware PowerShell

Recently I was asked to help out with writing a PowerShell script to import a large number of NSX-T VLAN-backed segments. While learning the NSX-T PowerShell commands and how they work, I also encountered some other issues. I will document these here as well as the script I created so it might help others in the future.


Actually the requirements were not that complex. Like I already said, we needed to add a large number of NSX-T segments on a VLAN transport zone.

  • Add segments from Excel sheet / CSV file
  • Make sure to use the VLAN Transport Zone
  • Add the correct VLAN ID to the segment
  • Use the Portgroup name from the Excel sheet as segment ID

For reference, I’m working with NSX-T 2.5 and 3.0, PowerShell 5.x and 6.x and VMware PowerCLI module version 11.5. According to the VMware Interoperability Matrix this all works nicely together.

About the PowerShell cmdlets

There are only 4 cmdlets to interact with NSX-T from PowerShell.

  • Connect-NsxtServer
  • Disconnect-NsxtServer
  • Get-NsxtPolicyService 
  • Get-NsxtService

The first two are obvious; the two ‘Get’ commands are used to interact with the NSX-T (policy) API. I won't go into this much further since this has already been covered in other blogs (Marco van Baggum and Kyle Ruddy for example).

The script

So this is the script I came up with. In the paragraph below it I will get into some of the challenges.

First we need to connect to NSX-T manager. This can be done as part of the script or as a separate action before you run the actual script:

$credentials = Get-Credential
# Replace the placeholder with the address of your NSX-T Manager
Connect-NsxtServer -Server "<nsx_manager_fqdn>" -Credential $credentials

Script to create the segments with VLAN ID:

# Transport Zone
$transportZone = "/infra/sites/default/enforcement-points/default/transport-zones/<transport_zone_id>"
Import-Csv "D:\nsx-segments.txt" | ForEach-Object {
    # Set variables from csv data
    $segmentId = $_.pgName
    $vlanArray = @($_.VlanID)
    # Pull the current segment information
    $segmentList = Get-NsxtPolicyService -Name com.vmware.nsx_policy.infra.segments
    # Creating a new segment object
    $newSegmentSpec = $segmentList.Help.patch.segment.Create()
    $newSegmentSpec[0].id = $segmentId
    $newSegmentSpec[0].vlan_ids = $vlanArray
    $newSegmentSpec[0].transport_zone_path = $transportZone
    # Create the segment
    $segmentList[0].patch($segmentId, $newSegmentSpec[0])
    Write-Host("Created segment "+$segmentId+ " with vlan ID "+$vlanArray)
}

Before you can use the script you need to add the ID of the transport zone in the first variable, because this is mandatory for creating a segment. You can get it from the GUI (System->Fabric->Transport Zones).

Or via PowerShell:

$tZoneSvc = Get-NsxtService -Name com.vmware.nsx.transport_zones
$tZoneSvc | Get-Member
$tZones = $tZoneSvc.list()
============= Result ===========
transport_type              : VLAN
host_switch_name            : nsxHostSwitch
host_switch_id              : f7725e0a-f3c5-42ab-bd11-5503de2d4baf
transport_zone_profile_ids  : {@{Help=; resource_type=BfdHealthMonitoringProfile; profile_id=52035bb3-ab02-4a08-9884-18631312e50a}}
host_switch_mode            : STANDARD
nested_nsx                  : False
is_default                  : True
resource_type               : TransportZone
id                          : a95c914d-748d-497c-94ab-10d4647daeba
display_name                : nsx-vlan-transportzone
create_user                 : system
create_time                 : 1593273276472
last_modified_user          : system
last_modified_time          : 1593273276472
system_owned                : False
protection                  : NOT_PROTECTED
revision                    : 0
schema                      : /v1/schema/TransportZone
links                       : 
self                        : 
description                 : 
tags                        : 
uplink_teaming_policy_names : 

The CSV file should be in the following format:



Using the Connect-NsxtServer cmdlet I was unable to connect. Turns out you should disable the system proxy in PowerShell (NoProxy instead of UseSystemProxy). At least in the environment I was working in. Use this command to achieve this:

Set-PowerCLIConfiguration -ProxyPolicy NoProxy

Also, I made sure there were no issues with certificate warnings:

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore

Another thing I ran into is the subtle differences in how different PowerShell versions work. I was building the script with PowerShell version 6.x but I needed to run it with PowerShell 5.x. I noticed in 5.x you need to use the first item in the objects using [0]. In 6.x PowerShell manages this for you. If not using the objects correctly I got the error: "The property ‘value’ cannot be found on this object. Verify that the property exists and can be set."

So, in the end I figured it is better to point PowerShell to the first item in the object by adding the [0] so it works in both versions.

Lastly, be aware that the VLAN ID we add to the object should be an array (even if you only have 1 ID). If we take the string value directly from the CSV file the VLAN ID does not get set properly. In my case VLAN 25 got interpreted as VLAN 2 and 5. That is why I take the input from the CSV and put it in an array like this: $vlanArray = @($_.VlanID).
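
The CSV input and the one-element VLAN array described above can be checked before any segment is created. This is an added example, not part of the original script: the column names pgName and VlanID come from the script, while the sample rows, the naming pattern and the 0-4094 VLAN range are assumptions.

```powershell
# Added example. Column names pgName / VlanID come from the script above;
# the rows below are constructed sample data, not taken from the original post.
$csvText = @'
pgName,VlanID
pg-app-025,25
pg-db-110,110
pg-mgmt,4095
pg-app-025,26
pg dmz,abc
'@

function Test-SegmentRows {
    param([Parameter(Mandatory)][object[]]$Rows)

    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    $line = 1   # line 1 of the file is the header
    foreach ($row in $Rows) {
        $line++
        $problems = @()

        # Assumed naming rule: letters, digits, '_', '.', '-' only (adjust to your standard).
        # patch() creates or updates, so a repeated ID would overwrite the earlier row.
        if ($row.pgName -notmatch '^[A-Za-z0-9][A-Za-z0-9_.-]*$') {
            $problems += "segment ID '$($row.pgName)' has unexpected characters"
        }
        elseif (-not $seen.Add($row.pgName)) {
            $problems += "segment ID '$($row.pgName)' appears more than once"
        }

        # Assumed valid range 0-4094; TryParse rejects text such as 'abc'.
        $vlan = 0
        if (-not [int]::TryParse($row.VlanID, [ref]$vlan) -or $vlan -lt 0 -or $vlan -gt 4094) {
            $problems += "VLAN ID '$($row.VlanID)' is not an integer in 0-4094"
        }

        [pscustomobject]@{
            Line     = $line
            Id       = $row.pgName
            VlanIds  = [string[]]@("$($row.VlanID)".Trim())   # one-element array, as in the script
            Valid    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

$checked = Test-SegmentRows -Rows @($csvText | ConvertFrom-Csv)
$checked | Format-Table Line, Id, Valid, Problems -AutoSize
# Only rows with Valid = $true should be handed to the segment-creation loop.
$toCreate = @($checked | Where-Object { $_.Valid })
```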


Even though the PowerShell cmdlets for NSX-T are a bit different than ‘normal’ PowerShell cmdlets, once you get the hang of it, it is actually pretty simple. Hopefully this will help someone in the future, sharing is caring 🙂
