This article explains how to configure and apply the IDS inspection rules selectively to segments and exclude specific VMs from IDS inspection. This approach ensures that only the desired VMs are inspected by the IDS rules, while others are excluded from inspection.

• VMware NSX with IDS feature enabled
• NSX segments and VMs configured for network access
• IDS inspection applied selectively based on tags and group definitions

Procedure:

1. Assign Tags to Segments:
   Suppose you have two segments, Segment A and Segment B. Apply the same tag (e.g., Tag: IDS, Scope: segment) to both segments. This ensures that these segments will be subject to IDS inspection by default.
   

2. Tag VMs/Segment Ports to Exclude from IDS:
   Next, identify any VMs or segment ports that do not require IDS inspection. For example, if UPSA-B does not need IDS inspection, tag it as Tag: IDS, Scope: Notneeded. This ensures that UPSA-B is excluded from the IDS inspection.
   

3. Create a Group for IDS Inspection:
   Create a group (e.g., GroupforIDS) to include the VMs that should undergo IDS inspection. Configure the group with the following criteria:
   
   

4. Verify Exclusion of IP Address:
   After configuring the group, ensure that the IP of UPSA-B is excluded from the group. This ensures that this VM will not be subjected to IDS rules. You can check the membership and configuration by inspecting the group settings.
   
   

5. Verify DFW apply to and IDS Rules do NOT apply to UPSA-B
   The DFW rules will apply to UPSA-B, but the IDS rules will not. You can verify this by running the following command to check if the rules are applied to UPSA-B:

   summarize-dvfilter | grep UPSA-B -A 2 | grep nic

   Additionally, check the rules for the specific VM:

   vsipioctl getrules -f nic-xxxxxxx-eth0-vmware-sfw.2

   The output should indicate the DFW rules without showing IDS rules for UPSA-B.