Create Dynamic Address Group Membership Criteria

In NSX-T, you can configure the membership criteria for the virtual machines and IP sets belonging to an NSX-T security group (dynamic address group) in the Panorama plugin for NSX. For each dynamic address group, you must specify a service definition and define up to five match criteria, each of which includes up to five match rules.
You create these membership criteria on the plugin and then push them to NSX-T Manager. However, this does not apply the membership criteria to guest virtual machines in your deployment. You must define and apply membership data, such as tags, to your guest VMs in NSX-T Manager.
The rules in the Panorama plugin for NSX-T identify and classify virtual machines based on two member types: Virtual Machine or IP Set. The keys and operators usable with each member type are listed in the table below.
| Member Type | Key | Operator |
|---|---|---|
| IP Set | Tag | Equals |
| Virtual Machine | Tag, Name, OS Name, Computer Name | Equals, Contains, Starts With, Ends With, Not Equals (not applicable with the Tag key) |
Membership criteria changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX shows the service definition as out-of-sync. Click the Out-of-Sync link to see the specific reason for the out-of-sync status. If a membership criteria change is the cause, perform a configuration sync by clicking NSX-T Config-Sync.
  1. Select Panorama > VMware > NSX-T > Membership Criteria > Add.
    To add or modify membership criteria for a service definition with at least one dynamic address group, you can click the service definition name instead of clicking Add.
  2. In Name, select a service definition for the Membership Criteria. The selected service definition must have the East_West insertion type and be used as part of a security-centric deployment.
  3. Click Add to specify a dynamic address group.
  4. Select a Dynamic Address Group from the drop-down. The drop-down lists the dynamic address groups associated with the specified service definition.
    The plugin UI displays both dynamic and static address groups configured on Panorama. Take care not to accidentally select a static address group when configuring membership criteria.
  5. Click Add to define the criteria associated with the chosen dynamic address group.
  6. Enter a descriptive name for the Criteria.
  7. Click Add to define a rule.
  8. Define a rule. You can create up to five rules.
    1. Enter a descriptive name for the rule.
    2. Select the Member Type: Virtual Machine or IP Set.
    3. Select the Key: Tag, Name, OS Name, or Computer Name.
    4. Select the Operator: Equals, Contains, Starts With, Ends With, or Not Equals.
    5. Enter the Value.
      If the Key is set to Tag, the Value is the Tag. The plugin user interface does not list the Tags, so you must use the Panorama CLI (with NSX-T Manager 3.0.0 and later):
      request plugins vmware_nsx nsx_t nsxt-tags service-definition <SD_name>
    6. (Optional) Enter the Scope. Scope is applicable only with the key Tag. Scope is an optional value applied to an object tag in NSX-T. The scope is defined on NSX-T Manager. For example, if you tag virtual machines based on operating system, you can create tags for Windows, Linux, and MacOS and then set the scope of each tag to OS.
      To view the tags and scope, use the Panorama CLI (with NSX-T Manager 3.0.0 and later).
      Execute the following command to view the list of tags.
      request plugins vmware_nsx nsx_t nsxt-tags service-definition <SD_name>
      Execute the following command to view the scope associated with the specified tag.
      request plugins vmware_nsx nsx_t nsxt-scope tag <tag_value> service-definition <SD-name>
    7. Click OK.
    8. (Optional) Click Add to create additional (up to five total) rules.
  9. On the Dynamic Address Group window, click OK to finish or Add to create additional criteria (up to five total) and rules.
  10. On the Membership Criteria window, click OK to finish or Add to specify additional dynamic address groups.
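
A planned set of criteria can be checked against the limits and the member type, key, and operator table above before it is entered in the plugin. The following Python is an added example, not part of the Panorama plugin or its documentation; the dictionary layout, the function name, and all sample values are assumptions made for illustration.

```python
# Added example: lint a planned dynamic address group (DAG) against this page's
# limits and key/operator table. Dict layout and names are hypothetical.
MAX_CRITERIA, MAX_RULES = 5, 5  # criteria per DAG, rules per criterion
VM_OPS = {"Equals", "Contains", "Starts With", "Ends With", "Not Equals"}
ALLOWED = {
    "IP Set": {"Tag": {"Equals"}},
    "Virtual Machine": {
        "Tag": VM_OPS - {"Not Equals"},  # Not Equals is not applicable with Tag
        "Name": VM_OPS, "OS Name": VM_OPS, "Computer Name": VM_OPS,
    },
}

def validate_dag(dag):
    """Return a list of problems found in one planned DAG definition."""
    problems = []
    if not dag.get("service_definition"):
        problems.append("no service definition specified")
    criteria = dag.get("criteria", [])
    if len(criteria) > MAX_CRITERIA:
        problems.append(f"{len(criteria)} criteria; limit is {MAX_CRITERIA}")
    for crit in criteria:
        rules = crit.get("rules", [])
        if len(rules) > MAX_RULES:
            problems.append(f"{crit['name']}: {len(rules)} rules; limit is {MAX_RULES}")
        for rule in rules:
            where = f"{crit['name']}/{rule['name']}"
            ops = ALLOWED.get(rule["member_type"], {}).get(rule["key"])
            if ops is None:
                problems.append(f"{where}: key {rule['key']!r} not valid for member type {rule['member_type']!r}")
            elif rule["operator"] not in ops:
                problems.append(f"{where}: operator {rule['operator']!r} not valid with key {rule['key']!r}")
            if rule.get("scope") and rule["key"] != "Tag":
                problems.append(f"{where}: Scope applies only to the Tag key")
    return problems

# Constructed sample plan (service definition, tag and scope values are made up).
SAMPLE_DAG = {
    "service_definition": "SD-example", "name": "dag-linux-web",
    "criteria": [{"name": "linux-web", "rules": [
        {"name": "r1", "member_type": "Virtual Machine", "key": "Tag",
         "operator": "Not Equals", "value": "Windows", "scope": "OS"},
        {"name": "r2", "member_type": "IP Set", "key": "Name",
         "operator": "Equals", "value": "web"},
        {"name": "r3", "member_type": "Virtual Machine", "key": "OS Name",
         "operator": "Contains", "value": "Linux", "scope": "OS"},
    ]}],
}
if __name__ == "__main__":
    print("\n".join(validate_dag(SAMPLE_DAG)))
```

Each rule in the constructed sample trips a different constraint from this page, so the output lists three findings; a rule that fails silently in practice means the intended VMs never join the dynamic address group and the associated policy does not cover them.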
