Create Dynamic Address Group Membership Criteria
In NSX-T, you can configure the membership criteria for the virtual machines and IP sets belonging to an NSX-T security group (dynamic address group) in the Panorama plugin for NSX. For each dynamic address group, you must specify a service definition and define up to five match criteria; each criterion includes up to five match rules.
You create these membership criteria on the plugin and then push them to NSX-T Manager. However, this does not apply the membership criteria to guest virtual machines in your deployment. You must define and apply membership data, such as tags, to your guest VMs in NSX-T Manager.
The rules in the Panorama plugin for NSX-T identify and classify virtual machines based on two member types: Virtual Machine or IP Set. The keys and operators usable with each member type are listed in the table below.
Membership criteria changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX shows the service definition as out-of-sync. Click the Out-of-Sync link to see the specific reason for the out-of-sync status. If a membership criteria change is the cause, perform a configuration sync by clicking
- Select Panorama > VMware > NSX-T > Membership Criteria > Add. To add or modify membership criteria for a service definition with at least one dynamic address group, you can click the service definition name instead of clicking Add.
- From Name, select a service definition for the Membership Criteria. The selected service definition must have the East_West insertion type and be used as part of a security-centric deployment.
- Click Add to specify a dynamic address group.
- Select a Dynamic Address Group from the drop-down. The drop-down lists the dynamic address groups associated with the specified service definition. The plugin UI displays dynamic and static address groups configured on Panorama. Take care not to accidentally select a static address group when configuring membership criteria.
- Click Add to define the criteria associated with the chosen dynamic address group.
- Enter a descriptive name for the Criteria.
- Click Add to define a rule.
- Define a rule. You can create up to five rules.
- Enter a descriptive name for the rule.
- Select the Member Type: Virtual Machine or IP Set.
- Select the Key: Tag, Name, OS Name, Computer Name.
- Select the Operator: Equals, Contains, Starts With, Ends With, Not Equals.
- Enter the Value. If the Key is set to Tag, the Value is the Tag. The plugin user interface does not list the Tags, so you must use the Panorama CLI (with NSX-T Manager 3.0.0 and later).
  request plugins vmware_nsx nsx_t nsxt-tags service-definition <SD_name>
- (Optional) Enter the Scope. Scope is applicable only with the key Tag. Scope is an optional value applied to an object tag in NSX-T. The scope is defined on NSX-T Manager. For example, if you tag virtual machines based on operating system, you can create tags for Windows, Linux, and MacOS and then set the scope of each tag to OS. To view the tags and scope, use the Panorama CLI (with NSX-T Manager 3.0.0 and later).
  Execute the following command to view the list of tags.
  request plugins vmware_nsx nsx_t nsxt-tags service-definition <SD_name>
  Execute the following command to view the scope associated with the specified tag.
  request plugins vmware_nsx nsx_t nsxt-scope tag <tag_value> service-definition <SD-name>
- (Optional) Click Add to create additional (up to five total) rules.
- On the Dynamic Address Group window, click OK to finish or Add to create additional criteria (up to five total) and rules.
- On the Membership Criteria window, click OK to finish or Add to specify additional dynamic address groups.
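The limits and allowed values in the steps above can be checked on a planned definition before you enter it in the plugin. The following Python is an added example, not Palo Alto Networks or VMware code; the dict layout, the validate_group function, and the sample values are assumptions made for illustration, and the key and operator combinations allowed per member type are not checked.

```python
# Added example: limits and allowed values come from the steps above.
MAX_CRITERIA = MAX_RULES = 5
ALLOWED = {
    "member_type": {"Virtual Machine", "IP Set"},
    "key": {"Tag", "Name", "OS Name", "Computer Name"},
    "operator": {"Equals", "Contains", "Starts With", "Ends With", "Not Equals"},
}

def validate_group(group):
    """Return problems in one group; `group` is a hypothetical dict layout."""
    problems = []
    criteria = group.get("criteria", [])
    if len(criteria) > MAX_CRITERIA:
        problems.append(f"{len(criteria)} criteria defined, maximum is {MAX_CRITERIA}")
    for crit in criteria:
        cname = crit.get("name") or "<unnamed criteria>"
        rules = crit.get("rules", [])
        if len(rules) > MAX_RULES:
            problems.append(f"{cname}: {len(rules)} rules defined, maximum is {MAX_RULES}")
        for rule in rules:
            where = f"{cname}/{rule.get('name') or '<unnamed rule>'}"
            for field, allowed in ALLOWED.items():
                if rule.get(field) not in allowed:
                    problems.append(f"{where}: invalid {field} {rule.get(field)!r}")
            if not str(rule.get("value") or "").strip():
                problems.append(f"{where}: value is empty")
            # Scope is applicable only with the key Tag.
            if rule.get("scope") and rule.get("key") != "Tag":
                problems.append(f"{where}: scope set but key is not Tag")
    return problems

# Constructed sample: one valid rule and two rules with mistakes.
SAMPLE = {"criteria": [{
    "name": "by-os",
    "rules": [
        {"name": "os-tag", "member_type": "Virtual Machine", "key": "Tag",
         "operator": "Equals", "value": "Windows", "scope": "OS"},
        {"name": "web-name", "member_type": "Virtual Machine", "key": "Name",
         "operator": "Starts With", "value": "web", "scope": "OS"},
        {"name": "bad-op", "member_type": "IP Set", "key": "Name",
         "operator": "Matches", "value": ""},
    ],
}]}

if __name__ == "__main__":
    for problem in validate_group(SAMPLE):
        print(problem)
```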