Hierarchy Level


Enable vxlan-gbp-profile on the tunnel termination endpoint in your EVPN-VXLAN deployment to support group-based policies. This setting tells the switch to allocate a share of its resources for L2/L3 group-based policies, whereas otherwise the resources would remain committed for use by all other flows. Note that for switches in a virtual chassis, the device must be rebooted for this setting to apply; for stand-alone switches the packet forwarding engine (PFE) will be restarted.

Group-based policies (GBP) make use of existing layer 3 VXLAN network identifiers (VNI), in conjunction with firewall filter policies, to provide micro-segmentation at the level of device or tag, independent of the underlying network topology. For example, IoT devices typically only need access to specific applications on the network, so GBP can keep this traffic isolated by automatically applying security policies without the need for L2 or L3 lookups or ACLs. As such, GBP provides a new approach to network access control and security that is especially valuable for enterprise campuses. The vxlan-gbp-profile is suitable for a balanced configuration that contains a mix of L2 and L3 networks.

In addition to enabling vxlan-gbp-profile on the tunnel termination endpoint, you need to create firewall rules with match conditions for the endpoint devices you want to segregate. Do this on the EX4400 switch in your topology that is deployed in the role of VXLAN gateway for the access layer.
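The two steps described above, written out as a set-style configuration. This is an added example, not taken from the original page. It assumes the `family any` / `micro-segmentation` filter syntax used in later Junos OS releases (earlier releases use different keywords, so check the firewall filter reference for your release). Filter names, term names, MAC addresses and tag values are constructed.

```junos
# Constructed scenario: IoT cameras (tag 100) may reach only the video
# server (tag 200); staff laptops (tag 300) and cameras are kept apart.
# MAC addresses are from the documentation range 00:00:5e:00:53:xx.

# 1. Reserve forwarding resources for GBP (the statement this page documents).
#    Plan for a PFE restart (stand-alone) or a reboot (virtual chassis).
set chassis forwarding-options vxlan-gbp-profile

# 2. Tag assignment on the access-layer VXLAN gateway: classify endpoints
#    by MAC address and attach a GBP tag to each class.
set firewall family any filter assign-tag micro-segmentation
set firewall family any filter assign-tag term iot-camera from mac-address 00:00:5e:00:53:10
set firewall family any filter assign-tag term iot-camera then gbp-tag 100
set firewall family any filter assign-tag term video-server from mac-address 00:00:5e:00:53:20
set firewall family any filter assign-tag term video-server then gbp-tag 200
set firewall family any filter assign-tag term staff-laptop from mac-address 00:00:5e:00:53:30
set firewall family any filter assign-tag term staff-laptop then gbp-tag 300

# 3. Policy enforcement: match on the source/destination tag pair, not on
#    IP subnets or VLANs, so the rule follows the device wherever it attaches.
set firewall family any filter gbp-policy micro-segmentation
set firewall family any filter gbp-policy term cam-to-video from gbp-src-tag 100
set firewall family any filter gbp-policy term cam-to-video from gbp-dst-tag 200
set firewall family any filter gbp-policy term cam-to-video then accept
set firewall family any filter gbp-policy term cam-to-staff from gbp-src-tag 100
set firewall family any filter gbp-policy term cam-to-staff from gbp-dst-tag 300
set firewall family any filter gbp-policy term cam-to-staff then discard
set firewall family any filter gbp-policy term staff-to-cam from gbp-src-tag 300
set firewall family any filter gbp-policy term staff-to-cam from gbp-dst-tag 100
set firewall family any filter gbp-policy term staff-to-cam then discard
```

Each MAC-based term counts against the MAC row of Table 1, so size the tag-assignment filter against the limit for your platform.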

Table 1 shows the maximum GBP supported configuration with 1K unique tags.

Table 1: GBP Scales for the vxlan-gbp-profile

| Tag Assignment | Maximum GBP Supported Configuration for EX4100 Series | Maximum GBP Supported Configuration for EX4400 Series | Maximum GBP Supported Configuration for EX4650 Series and QFX5120 Series |
|---|---|---|---|
| MAC | 32K | 32K | 32K |
| IPv4 | 10K | 16K | 26K |
| Port | 500 | 2K | 2K |
| VLAN | Not applicable | 3K | 3K |
| Port + VLAN | Not applicable | 3K | 3K |


Default

Not enabled

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 21.1R1 for EX4400 Series switches.