If necessary, you can run a script to remove all NSX-T objects created by NCP.

The installation files include the following cleanup scripts:
  • nsx_policy_cleanup.py - Use this script if the NSX-T resources were created in Policy mode.
  • nsx_cleanup.py - Use this script if the NSX-T resources were created in Manager mode.

Note: In a vSphere with Tanzu environment, the cleanup scripts can be found on the vCenter Server Appliance in the directory /usr/lib/vmware-wcp.

Before running the script, perform the following tasks:
  • Stop NCP.
  • Remove all resources that you created and are associated with the NCP-created objects. The script will fail if you do not delete those objects. For example, if NCP created a segment, and you created a distributed firewall (DFW) rule and group associated with the segment, you must delete the DFW rule and group, or remove the associations. Or if you attached VMs to the segment, you must delete the VMs or detach them from the segment.

Policy Mode

Usage: nsx_policy_cleanup.py [options]

Options:
  -h, --help            show this help message and exit
  --mgr-ip=MGR_IP       NSX Manager IP address
  -u USERNAME, --username=USERNAME
                        NSX Manager username, ignored if nsx-cert is set
  -p PASSWORD, --password=PASSWORD
                        NSX Manager password, ignored if nsx-cert is set
  -n NSX_CERT, --nsx-cert=NSX_CERT
                        NSX certificate path
  -k KEY, --key=KEY     NSX client private key path
  --vc-endpoint=VC_ENDPOINT
                        IpAddress or Hostname of VC, ignored if environment
                        variable VC_ENDPOINT is set
  --vc-username=VC_USERNAME
                        Username for the VC ServiceAccount, ignored if
                        environment variable VC_USERNAME is set
  --vc-password=VC_PASSWORD
                        Password for the VC ServiceAccount, ignored if
                        environment variable VC_PASSWORD is set
  --vc-https-port=VC_HTTPS_PORT
                        HTTPS port of VC, ignored if environment variable
                        VC_HTTPS_PORT is set. If not present, 443 default
                        value will be used
  --vc-sso-domain=VC_SSO_DOMAIN
                        SSO Domain of VC, ignored if environment variable
                        VC_SSO_DOMAIN is set. If not present, local default
                        value will be used
  --vc-ca-cert=VC_CA_CERT
                        Specify a CA bundle to verify the VC server
                        certificate. It will be ignored if environment
                        VC_CA_CERT is set
  --vc-insecure         Not verify VC server certificate
  -c CLUSTER, --cluster=CLUSTER
                        Cluster to be removed
  -r, --remove          CAVEAT: Removes NSX resources. If not set will do dry-
                        run.
  --top-tier-router-id=TOP_TIER_ROUTER_ID
                        Specify the top tier router id. Must be specified if
                        top tier router does not have the cluster tag
  --all-res             Also clean up HA switching profile, ipblock, external
                        ippool. These resources could be created by TAS NSX-T
                        Tile
  --no-warning          Disable urllib's insecure request warning
  --status              Check the deletion status, the exit code can be
                        success(0), in progress(EXIT_CODE_IN_PROGRESS or
                        failure(other non-zerovalues)
  --thumbprint=THUMBPRINT
                        Specify one or a list of thumbprint strings to use in
                        verifying the NSX Manager server certificate
For example:
python nsx_policy_cleanup.py --mgr-ip={nsx_mngr_ip} -u admin -p {password} -c {k8s_cluster_name} --no-warning -r

In some cases, the top-tier-router-id parameter must be be specified.

Manager Mode

Usage: nsx_cleanup.py [options]

Options:
  -h, --help            show this help message and exit
  --mgr-ip=MGR_IP       NSX Manager IP address
  -u USERNAME, --username=USERNAME
                        NSX Manager username, ignored if nsx-cert is set
  -p PASSWORD, --password=PASSWORD
                        NSX Manager password, ignored if nsx-cert is set
  -n NSX_CERT, --nsx-cert=NSX_CERT
                        NSX certificate path
  -k KEY, --key=KEY     NSX client private key path
  -c CLUSTER, --cluster=CLUSTER
                        Cluster to be removed
  -r, --remove          CAVEAT: Removes NSX resources. If not set will do dry-
                        run.
  --top-tier-router-uuid=TOP_TIER_ROUTER_UUID
                        Specify the top tier router uuid. Must be specified if
                        top tier router does not have the cluster tag or for a
                        single-tier1 topology
  --all-res             Also clean up HA switching profile, ipblock, external
                        ippool. These resources could be created by TAS NSX-T
                        Tile
  --no-warning          Disable urllib's insecure request warning
For example:
python nsx_cleanup.py --mgr-ip={nsx_mngr_ip} -u admin -p {password} -c {k8s_cluster_name} --top-tier-router-uuid={top_tier_router_uuid} --no-warning -r