You can configure an NSGroup to contain a combination of IP sets, MAC sets, logical ports, logical switches, and other NSGroups. You can specify NSGroups as sources and destinations, as well as in the Applied To field, in firewall rules.
An NSGroup has the following characteristics:
- You can specify direct members, which can be IP sets, MAC sets, logical switches, logical ports, and NSGroups.
- You can specify up to five membership criteria that apply to logical switches, logical ports, or VMs. For a criterion that applies to logical switches or logical ports, you can specify a tag and optionally a scope. For a criterion that applies to VMs, you can specify a name that starts with, is equal to, or contains a particular string.
- An NSGroup has direct members and effective members. Effective members include members that you specify using membership criteria, as well as all the direct and effective members that belong to this NSGroup's members. For example, assume that NSGroup-1 has direct member LogicalSwitch-1. You add NSGroup-2 and specify NSGroup-1 and LogicalSwitch-2 as members. Now NSGroup-2 has direct members NSGroup-1 and LogicalSwitch-2, as well as an effective member, LogicalSwitch-1. Next you add NSGroup-3 and specify NSGroup-2 as a member. NSGroup-3 now has direct member NSGroup-2 and effective members LogicalSwitch-1 and LogicalSwitch-2.
- An NSGroup can have a maximum of 500 direct members.
- The recommended limit for the number of effective members in an NSGroup is 5000. Exceeding this limit does not affect any functionality but might have a negative impact on performance. On the NSX Manager, when the number of effective members for an NSGroup exceeds 80% of 5000, the warning message "NSGroup xyz is about to exceed the maximum member limit. Total number in NSGroup is ..." appears in the log file, and when the number exceeds 5000, the warning message "NSGroup xyz has reached the maximum numbers limit. Total number in NSGroup = ..." appears. On the NSX Controller, when the number of translated VIFs/IPs/MACs in an NSGroup exceeds 5000, the warning message "Container xyz has reached the maximum IP/MAC/VIF translations limit. Current translations count in Container - IPs:..., MACs:..., VIFs:..." appears in the log file. The NSX Manager and NSX Controller check the NSGroups regarding the limit twice a day, at 7 AM and 7 PM.
- The maximum supported number of VMs is 10,000.
For all the objects that you can add to an NSGroup as members, that is, logical switches, logical ports, IP sets, MAC sets, VMs, and NSGroups, you can navigate to the screen for any of the objects and select to see all the NSGroups that directly or indirectly have this object as a member. For example, in the example above, after you navigate to the screen for LogicalSwitch-1, selecting shows NSGroup-1, NSGroup-2, and NSGroup-3 because all three have LogicalSwitch-1 as a member, either directly or indirectly.
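The nesting example and the reverse lookup described above, worked through in Python as an added example (not VMware code and not the NSX API). It is useful when auditing how far a firewall rule that references a nested NSGroup actually reaches. The dictionary data model and all function names are assumptions made for illustration; the group names, the 5000 limit and the 80% threshold come from the page.

```python
# Added example: an offline model of NSGroup nesting, not NSX code or its API.
EFFECTIVE_LIMIT = 5000                   # recommended limit stated on the page
WARN_AT = EFFECTIVE_LIMIT * 80 // 100    # 80% warning threshold stated on the page

# Constructed sample: NSGroup name -> direct members (names from the page's example).
GROUPS = {
    "NSGroup-1": ["LogicalSwitch-1"],
    "NSGroup-2": ["NSGroup-1", "LogicalSwitch-2"],
    "NSGroup-3": ["NSGroup-2"],
}


def effective_members(name, groups, _seen=None):
    """Objects a group gains only through nested NSGroups (not its own direct members)."""
    seen = {name} if _seen is None else _seen
    found = set()
    for member in groups[name]:
        if member not in groups or member in seen:
            continue                     # plain objects are direct; visited groups are cycles
        seen.add(member)
        found |= {m for m in groups[member] if m not in groups}
        found |= effective_members(member, groups, seen)
    return found


def rule_scope(name, groups):
    """Every non-group object a rule referencing `name` covers: direct plus effective."""
    direct = {m for m in groups[name] if m not in groups}
    return direct | effective_members(name, groups)


def containing_groups(obj, groups):
    """NSGroups that have the non-group object `obj` as a member, directly or indirectly."""
    return sorted(g for g in groups if obj in rule_scope(g, groups))


def limit_status(count):
    """Classify an effective-member count against the 80% and 5000 thresholds."""
    if count > EFFECTIVE_LIMIT:
        return "over-limit"
    return "warning" if count > WARN_AT else "ok"


if __name__ == "__main__":
    for group in GROUPS:
        eff = effective_members(group, GROUPS)
        print(group, sorted(eff), limit_status(len(eff)))
    print(containing_groups("LogicalSwitch-1", GROUPS))
```
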
- From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
- Select from the navigation panel.
- Click the Groups tab if it is not already selected.
- Click Add.
- Enter a name for the NSGroup.
- (Optional) Enter a description.
- (Optional) Click Membership Criteria.
A criterion can apply to logical switches, logical ports, or VMs. For each criterion, you can specify up to five rules, which are combined with the logical AND operator. For a rule that applies to logical switches or logical ports, you can specify a tag and optionally a scope. For a rule that applies to VMs, you can specify a name that starts with, is equal to, or contains a particular string.
You can specify up to five criteria, which are combined with the logical OR operator.
- (Optional) Click Members to select members.
The available types are IP Set, MAC Set, Logical Switch, Logical Port, and NSGroup.
- Click Save.