NSX-T Data Center is the most technically complex product in the VMware portfolio — and the most commercially significant lever in Broadcom's post-acquisition strategy. Broadcom has made NSX-T a mandatory component of VMware Cloud Foundation (VCF), the subscription bundle that replaced all perpetual licence purchasing in 2024. For organisations that purchased NSX-T Data Center under perpetual licence before the Broadcom acquisition, this creates a commercial trap: pay 4–5× your historical support cost to enter VCF, or find a path to maintain your existing NSX-T estate independently.
Third-party support for NSX-T Data Center is that path. For organisations running NSX-T 3.x or 4.x under perpetual licence, TPS delivers the full active support service — P1 incident response, security patching, distributed firewall troubleshooting, BGP peering diagnosis, TEP (Tunnel End-Point) fault isolation — at 75–85% lower cost than VCF subscription includes NSX.
This guide covers the NSX-T bundling mechanism in detail, what TPS covers across the full NSX-T stack, a version matrix, and a four-profile cost model built around financial services, manufacturing, and large enterprise deployments.
Facing Broadcom price increases? Most clients save 75–87% on VMware support. Get your repricing analysis free.
500+ enterprise clients · Est. 2016 · 15-min response · No commitment
Running NSX-T on perpetual licence under Broadcom pressure to move to VCF? We can help.
Free NSX AssessmentHow Broadcom Uses NSX-T to Force VCF
Broadcom's VCF strategy is built around a specific commercial mechanic: bundle NSX-T Data Center into VCF as a mandatory component, remove standalone NSX-T perpetual licence purchasing, and use Broadcom's support renewal process to convert legacy NSX-T SnS customers into VCF subscription customers.
The sequence in practice: your existing NSX-T Data Center Advanced or Enterprise Plus perpetual licence has an annual SnS (Subscription and Support) renewal. Broadcom's renewal team presents VCF as the "new" support vehicle for NSX-T — framing the move from NSX-T standalone SnS to VCF as a logical evolution rather than a 4–5× price increase. The price comparison is rarely made explicit in Broadcom commercial documentation.
| Support Path | What You Get | Typical Annual Cost (100-proc estate) |
|---|---|---|
| NSX-T SnS (legacy perpetual, pre-2024) | Active NSX-T support + security patches + version updates | £320,000 |
| VMware Cloud Foundation (Broadcom mandate) | VCF bundle (vSphere + vSAN + NSX + SDDC Manager) subscription | £1,440,000–£1,800,000 |
| NSX-T TPS | Full active NSX-T support, 15-min P1 SLA, custom security patches | £80,000–£112,000 |
The key point: Broadcom cannot revoke a perpetual licence. The right to use NSX-T Data Center on the licence version you purchased is a contractual entitlement that survives Broadcom's product repackaging. Broadcom has changed what it will sell going forward — it has not changed what you have already purchased. TPS replaces the SnS obligation without touching the underlying licence.
What TPS Covers on VMware NSX-T Data Center
NSX-T is operationally complex. The distributed firewall, overlay networking (GENEVE encapsulation), BGP/OSPF dynamic routing, edge node clustering, and Tier-0/Tier-1 gateway management all generate support incidents that require deep NSX-T expertise to resolve. TPS coverage spans the full stack:
| NSX-T Component | TPS Coverage |
|---|---|
| NSX-T Manager (3-node cluster) | Full — API errors, UI issues, database consistency, backup/restore |
| Distributed Firewall (DFW) | Full — rule processing errors, DFW kernel module incidents, policy sync failures |
| Overlay networking (GENEVE, TEP) | Full — TEP connectivity issues, MTEP (Multi-TEP) failover, MTU analysis |
| Logical switching (segments, segment ports) | Full — segment replication mode issues, broadcast/unknown unicast/multicast control |
| NSX-T Edge nodes and edge clusters | Full — edge cluster failover, Active/Standby transitions, edge datapath issues |
| Tier-0 and Tier-1 Gateways | Full — BGP peering failures, ECMP load balancing, NAT rule issues, VRF configuration |
| BGP and OSPF routing | Full — route redistribution, AS-path filtering, BFD (Bidirectional Forwarding Detection) sessions |
| Load Balancer (L4/L7) | Full — pool member health check issues, SSL termination, persistence profile errors |
| VPN (IPSec and L2VPN) | Full — IKE/IPSec SA negotiation failures, L2VPN bridge configuration |
| NSX-T Intelligence (network detection) | Full — analytics pipeline issues, topology visualisation, flow data collection |
| Federation (NSX-T Global Manager) | Full — GM-LM synchronisation, span policy management, stretched segments |
| vSphere integration (vDS, vSAN stretched) | Full — TEP VLAN configuration on VDS, transport node profile issues |
| Security patches (CVE-level) | Yes — custom patch engineering; critical NSX-T CVEs (e.g. authentication bypass in NSX Manager REST API) |
| VCF upgrade path assist | Not included — separate commercial engagement |
NSX-T Version Matrix and TPS Availability
| NSX-T Version | Broadcom/VMware Status | TPS Available | Notes |
|---|---|---|---|
| NSX-T Data Center 4.1 / 4.2 | Active SnS (declining) | Yes | Most recent pre-VCF release; large installed base on 4.1 |
| NSX-T Data Center 3.2.x | Active SnS (declining) | Yes | Primary TPS cohort; long-term stable release; widely deployed in banking |
| NSX-T Data Center 3.1.x | End of General Support (Apr 2023) | Yes | Technical Support still available; many FS environments on 3.1.3 |
| NSX-T Data Center 3.0.x | End of General Support (Sep 2022) | Yes | Some environments on 3.0.2 for stability reasons; TPS available |
| NSX-V (NSX for vSphere 6.x) | End of Support (Jan 2022) | Yes | Legacy NSX-V estates — specialist TPS still available for transition period |
| NSX-T as part of VCF subscription | Broadcom subscription | Not applicable | VCF subscription customers — TPS not relevant (NSX bundled) |
NSX-T TPS Cost Model — Four Profiles
NSX-T is licensed per CPU in the transport node (compute cluster + edge nodes). The following profiles reflect common NSX-T Data Center Advanced and Enterprise Plus deployments.
Financial Services — NSX-T 3.2, 120 CPUs, DFW + Micro-seg
NSX-T TPS: £96,000–£120,000/yr
Annual saving vs. VCF: £744,000–£768,000
Scope: DFW, T0/T1 gateways, BGP peering, NSX Intelligence
Manufacturing — NSX-T 3.1, 80 CPUs, OT/IT Segmentation
NSX-T TPS: £64,000–£80,000/yr
Annual saving vs. VCF: £496,000–£512,000
Scope: DFW, micro-seg for OT/IT boundary, edge cluster
Large Enterprise — NSX-T 4.1, 240 CPUs, Federation
NSX-T TPS: £176,000–£192,000/yr
Annual saving vs. VCF: £1,536,000–£1,552,000
Scope: Global Manager, 3 sites, BGP ECMP, IPSec VPN, Load Balancer
Telco / NFV — NSX-T 3.2, 160 CPUs, SR-IOV Edge
NSX-T TPS: £128,000–£144,000/yr
Annual saving vs. VCF: £1,008,000–£1,024,000
Scope: SR-IOV edge nodes, BFD on BGP sessions, NIC offload configuration
What does your NSX-T estate cost under Broadcom's VCF mandate vs. TPS? Get the numbers.
Get My NSX-T Cost ModelNSX-T, Micro-segmentation, and Regulatory Compliance
For financial services organisations, NSX-T micro-segmentation is frequently deployed as a primary control for DORA (Digital Operational Resilience Act) ICT risk management — specifically, the network segmentation requirements under Article 9 of the DORA regulatory technical standards. The question that arises with TPS is: does switching from Broadcom SnS to TPS compromise NSX-T's status as a DORA-compliant control?
The answer is no. DORA requires that ICT components are maintained and supported — it does not mandate vendor-direct support. TPS with documented SLAs, 15-minute P1 response, and contractual CVE patching obligations satisfies DORA's Article 9 support adequacy requirements. Several European banks confirmed DORA compliance of their NSX-T TPS arrangements with their national competent authorities (NCAs) during 2025. See our financial services VMware case study for a detailed example.
For public sector organisations subject to UK NCSC baseline cyber security requirements, NSX-T TPS similarly satisfies the active support obligations in NCSC's 10 Steps to Cyber Security guidance. The key requirement is active vulnerability management — which TPS delivers through custom CVE patching. See our public sector industry page for further context.
Sector Angles
Financial Services
NSX-T DFW is the dominant micro-segmentation platform in European banking. SWIFT infrastructure, trading systems, and settlement engines are frequently isolated using NSX-T distributed firewall rules. TPS covers DFW in full, including the critical-path incident scenarios — firewall kernel module reload events, rule count threshold alerts, and Central Control Plane (CCP) synchronisation failures. 15-minute P1 SLA means firewall incidents are resolved before they breach trading system SLAs. For sector context see our financial services page.
Manufacturing
OT/IT network segmentation is the primary NSX-T use case in manufacturing. NSX-T's ability to create micro-segments at the vNIC level — isolating PLC networks, SCADA systems, and historian servers from corporate IT networks without requiring physical network changes — makes it technically superior to traditional VLAN-based segmentation for factory floor environments. TPS maintains this segmentation posture actively; a passive support arrangement would not meet ISO 27001 or IEC 62443 active maintenance requirements. See our manufacturing industry page.
Healthcare
NHS Trusts and private healthcare providers deploying NSX-T for clinical network segmentation (isolating medical device networks from EPR systems and corporate IT) face the same Broadcom commercial pressure as financial services. NHS organisations have limited capital for technology procurement cycles, making a 4–5× VCF price increase commercially impossible without budget supplementation. TPS provides NHS organisations with a cost-viable path to maintain NSX-T micro-segmentation without triggering a VCF procurement cycle. See our healthcare industry page.