VMware Networking Community
ravik3677
Contributor

NSX Policy group object

Hi All

Is there a way to create a group object with an excluded list of IP addresses? It seems a pretty easy request, but I do not see an option to do that in my NSX-T env. I am running 3.1.1.

I want to create a group like the below

All subnets included, but subnets 4, 5 and 6 should be in the exclude list in that group.

Is this possible? It is very easily possible in all the other FWs that I have worked with before.

Would appreciate it if someone can share how to do this in DFW on NSX-T 3.1.1.

Thanks

shank89
Expert

There is currently no exclude list, only the list of core VMs that bypass the firewall.

The option you have is the negate feature, if that will work for you.

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
ravik3677
Contributor

Thanks Shashank. By the negate feature, do you mean the negate feature under the policy section where you apply rules? You can negate based on source or destination. Is that what you mean?

Thanks

shank89
Expert

The negate function and a potential way to use it can be found here: https://arabitnetwork.com/2019/02/15/nsx-how-to-prohibit-intra-traffic-for-tiered-app-vms/

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
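The following is an added example, not code from this thread, from VMware or from the linked article. It models what the "negate" option discussed above does to a rule's source match, so the difference between "negate source" and the exclude list the original poster asked for is visible. The Policy API field names (`IPAddressExpression`, `ip_addresses`, `sources_excluded`, `destinations_excluded`) and the `/infra/domains/default/groups/...` path are as I know them from the NSX-T Policy API and should be checked against the API guide for your version; all subnet values are constructed sample data standing in for the poster's "subnet 1..6".

```python
"""Model of NSX-T DFW 'negate source' semantics (added example, not VMware code).

Field names follow the NSX-T Policy API as I know it (assumption: verify against
your version). Subnets are constructed sample data."""

import ipaddress

# Constructed stand-ins for the poster's "subnet 1..6".
ALL_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
               "10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
# The three subnets the poster wants excluded.
EXCLUDED_SUBNETS = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]


def ip_group_payload(display_name, cidrs):
    """Policy API body for a group whose membership is a static IP/CIDR list
    (PATCH /policy/api/v1/infra/domains/default/groups/<group-id>, assumed)."""
    return {
        "display_name": display_name,
        "expression": [
            {"resource_type": "IPAddressExpression", "ip_addresses": list(cidrs)}
        ],
    }


def rule_payload(display_name, source_group_path, action="DROP",
                 sources_excluded=False):
    """Policy API body for a DFW rule. 'sources_excluded' is the UI's
    'negate source' checkbox: True means 'any source NOT in these groups'."""
    return {
        "display_name": display_name,
        "source_groups": [source_group_path],
        "destination_groups": ["ANY"],
        "services": ["ANY"],
        "action": action,
        "sources_excluded": sources_excluded,
        "destinations_excluded": False,
    }


def source_matches(rule, group_cidrs, src_ip):
    """Does traffic from src_ip satisfy this rule's source criterion?
    group_cidrs is the resolved membership of rule['source_groups']."""
    addr = ipaddress.ip_address(src_ip)
    in_group = any(addr in ipaddress.ip_network(c) for c in group_cidrs)
    # Negate flips the match: the rule applies to everything outside the group.
    return (not in_group) if rule["sources_excluded"] else in_group


def matching_subnets(rule, group_cidrs, candidate_cidrs):
    """Which candidate subnets would this rule's source criterion match?
    Each subnet is probed with its first usable host address."""
    matched = []
    for cidr in candidate_cidrs:
        host = str(next(ipaddress.ip_network(cidr).hosts()))
        if source_matches(rule, group_cidrs, host):
            matched.append(cidr)
    return matched


if __name__ == "__main__":
    group = ip_group_payload("subnets-4-5-6", EXCLUDED_SUBNETS)
    rule = rule_payload("not-from-subnets-4-5-6",
                        "/infra/domains/default/groups/subnets-4-5-6",
                        sources_excluded=True)
    print(group)
    print(rule)
    # Subnets 1-3 match, 4-6 do not: the effect the poster wanted.
    print(matching_subnets(rule, EXCLUDED_SUBNETS, ALL_SUBNETS))
    # Caveat: an address outside all six subnets also matches the negated rule.
    print(source_matches(rule, EXCLUDED_SUBNETS, "203.0.113.7"))
```

The caveat the evaluator shows is the practical difference from a true exclude list: negate matches the complement of the group, not "all subnets minus 4, 5 and 6", so a source that is in none of the six subnets also hits the rule. In a real policy, narrow that with the rule's Applied To scope or by ordering a rule for the "all subnets" group appropriately, and confirm the resulting match set with a test flow before relying on it.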