tunnel-initiated
Syntax
tunnel-initiated;
Hierarchy Level
[edit firewall family ethernet-switching filter name term name from vxlan],
[edit firewall family ethernet-switching filter name term name from ip-version ipv4 vxlan],
[edit firewall family ethernet-switching filter name term name from ip-version ipv6 vxlan],
[edit logical-systems name firewall family ethernet-switching filter name term name from vxlan],
[edit logical-systems name firewall family ethernet-switching filter name term name from ip-version ipv4 vxlan],
[edit logical-systems name firewall family ethernet-switching filter name term name from ip-version ipv6 vxlan]
Description
You can enforce per-VNI egress rate limits on VXLAN tunnel-initiated
traffic using a filter with the vxlan tunnel-initiated match qualifier
and the egress profile1 filter profile. This configuration targets
VXLAN traffic and preserves locally switched or routed flows while it helps prevent
congestion, mitigate denial-of-service (DoS) risk, and prioritize critical services. The
VLAN and VNI have a one-to-one mapping, allowing traffic policing per VNI to be treated
as per VLAN and applied to the VLAN's egress. However, the VXLAN VNI rate limiting
feature does not support rate limiting layer 3 (L3) multicast traffic, L3 unicast
traffic, or Type-5 tunnel-initiated traffic.
Create the filter using set firewall family ethernet-switching filter filter-name term term-name from vxlan tunnel-initiated and traffic-type known-unicast for unicast traffic or traffic-type-except known-unicast for BUM traffic.
Enable the egress VLAN ACL filter using the set system packet-forwarding-options firewall profiles ethernet-switching egress profile1 configuration.
Set two-color or three-color policers with the discard action and attach the filters per VLAN with set routing-instances instance-name vlans vlan-name forwarding-options filter output filter-name.
Use show firewall to view policer statistics.
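The steps above assembled into one configuration for a single VLAN/VNI, as an added example that is not part of the original statement reference. The filter, term, policer, routing-instance, and VLAN names and all rate values are hypothetical placeholders, and the final accept term is an assumption that the page does not state.

```junos
# Added example. Names (F-VNI100-EGRESS, POL-VNI100-*, EVPN-MACVRF, VLAN100)
# and rate values are hypothetical placeholders, not values from the page.

# Enable the egress VLAN ACL filter profile.
set system packet-forwarding-options firewall profiles ethernet-switching egress profile1

# Two-color policers with the discard action: one for known unicast,
# a tighter one for BUM traffic (sample rates).
set firewall policer POL-VNI100-UCAST if-exceeding bandwidth-limit 500m
set firewall policer POL-VNI100-UCAST if-exceeding burst-size-limit 1m
set firewall policer POL-VNI100-UCAST then discard
set firewall policer POL-VNI100-BUM if-exceeding bandwidth-limit 50m
set firewall policer POL-VNI100-BUM if-exceeding burst-size-limit 256k
set firewall policer POL-VNI100-BUM then discard

# Term 1: VXLAN tunnel-initiated known-unicast traffic.
set firewall family ethernet-switching filter F-VNI100-EGRESS term UCAST from vxlan tunnel-initiated
set firewall family ethernet-switching filter F-VNI100-EGRESS term UCAST from traffic-type known-unicast
set firewall family ethernet-switching filter F-VNI100-EGRESS term UCAST then policer POL-VNI100-UCAST

# Term 2: VXLAN tunnel-initiated BUM traffic (everything except known unicast).
set firewall family ethernet-switching filter F-VNI100-EGRESS term BUM from vxlan tunnel-initiated
set firewall family ethernet-switching filter F-VNI100-EGRESS term BUM from traffic-type-except known-unicast
set firewall family ethernet-switching filter F-VNI100-EGRESS term BUM then policer POL-VNI100-BUM

# Assumption, not from the page: explicit final accept so traffic that matches
# neither term (for example, locally switched flows) is not left to the
# filter's implicit end-of-filter action.
set firewall family ethernet-switching filter F-VNI100-EGRESS term ALLOW-REST then accept

# Attach the filter to the VLAN's egress. With the one-to-one VLAN-to-VNI
# mapping, this rate-limits the VNI mapped to VLAN100.
set routing-instances EVPN-MACVRF vlans VLAN100 forwarding-options filter output F-VNI100-EGRESS

# After commit, check policer statistics from operational mode with: show firewall
```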
Required Privilege Level
firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Evolved Release 25.4R1