vxlan-gbp-profile
Syntax
vxlan-gbp-profile
Hierarchy Level
[edit chassis forwarding-options]
Description
Enable vxlan-gbp-profile on the tunnel termination endpoint in
your EVPN-VXLAN deployment to support group-based policies. This setting
tells the switch to reserve a share of its forwarding resources for L2/L3
group-based policies; without it, those resources remain committed for use by
all other flows. Note that for switches in a Virtual Chassis, the device
must be rebooted for this setting to take effect; on stand-alone switches the
Packet Forwarding Engine (PFE) is restarted instead.
Group-based policies (GBP) make use of existing layer 3 VXLAN network
identifiers (VNI), in conjunction with firewall filter policies, to provide
micro-segmentation at the level of device or tag, independent of the
underlying network topology. For example, IoT devices typically only need
access to specific applications on the network, so GBP can keep this traffic
isolated by automatically applying security policies without the need for L2
or L3 lookups or ACLs. As such, GBP provides a new approach to network
access control and security that is especially valuable for enterprise
campuses. The vxlan-gbp-profile is suitable for a balanced
configuration that contains a mix of L2 and L3 networks.
In addition to enabling vxlan-gbp-profile on the tunnel
termination endpoint, you need to create firewall rules with match
conditions for the endpoint devices you want to segregate. Do this on the
switches in your topology that are deployed in the role of VXLAN gateway for
the access layer.
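The following set-format configuration is an added illustration, not part of this reference page or of Juniper's own documentation, that puts the two halves of the description together: the vxlan-gbp-profile statement from this page, and a pair of firewall filters that tag an endpoint and enforce a group policy on an access-layer VXLAN gateway. Interface names, MAC addresses, tag values and filter names are constructed; the gbp-src-tag / gbp-dst-tag match conditions and the gbp-src-tag action are assumed from Junos GBP configuration rather than taken from this page, and the attachment point of the policy filter is left to the platform's GBP guide.

```junos
# Added example, not from this page. Constructed names and values throughout.

# 1. Reserve PFE resources for L2/L3 group-based policies (the statement this
#    page documents). A Virtual Chassis needs a reboot for this to apply; a
#    stand-alone EX4400 restarts its PFE on commit, so expect a forwarding blip.
set chassis forwarding-options vxlan-gbp-profile

# 2. Classify endpoints into a group. Frames from a constructed IoT camera MAC
#    get GBP tag 100 on ingress; everything else passes untagged.
#    (gbp-src-tag as an action is an assumption, not from this page.)
set firewall family ethernet-switching filter iot-tag-assign term cam1 from source-mac-address 00:11:22:aa:bb:cc/48
set firewall family ethernet-switching filter iot-tag-assign term cam1 then gbp-src-tag 100
set firewall family ethernet-switching filter iot-tag-assign term rest then accept
set interfaces ge-0/0/10 unit 0 family ethernet-switching filter input iot-tag-assign

# 3. Enforce the group policy. IoT (tag 100) may reach only the video-server
#    group (tag 200); any other IoT-sourced traffic is counted and dropped, so
#    the counter doubles as a detection point for misplaced endpoints.
#    (gbp-src-tag / gbp-dst-tag as match conditions are assumptions.)
set firewall family ethernet-switching filter iot-policy term allow-video from gbp-src-tag 100
set firewall family ethernet-switching filter iot-policy term allow-video from gbp-dst-tag 200
set firewall family ethernet-switching filter iot-policy term allow-video then accept
set firewall family ethernet-switching filter iot-policy term deny-rest from gbp-src-tag 100
set firewall family ethernet-switching filter iot-policy term deny-rest then count iot-denied
set firewall family ethernet-switching filter iot-policy term deny-rest then discard
```

Commit the profile statement in its own change window, since the PFE restart or reboot interrupts forwarding; the tagging filter belongs on the access ports facing the endpoints, and the counter on the deny term gives you a quick check (via the filter's counters in operational mode) that the policy is actually matching traffic after the restart.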
Default
Not enabled
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 21.1R1 for EX4400 Series switches.