Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Enable vxlan-gbp-profile on the tunnel termination endpoint in your EVPN-VXLAN deployment to support group-based policies. This setting tells the switch to allocate a share of its resources for L2/L3 group-based policies, whereas otherwise the resources would remain committed for use by all other flows. Note that for switches in a virtual chassis, the device must be rebooted for this setting to apply; for stand-alone switches the packet forwarding engine (PFE) will be restarted.

Group-based policies (GBP) make use of existing layer 3 VXLAN network identifiers (VNI), in conjunction with firewall filter policies, to provide micro-segmentation at the level of device or tag, independent of the underlying network topology. For example, IoT devices typically only need access to specific applications on the network, so GBP can keep this traffic isolated by automatically applying security policies without the need for L2 or L3 lookups or ACLs. As such, GBP provides a new approach to network access control and security that is especially valuable for enterprise campuses.

In addition to enabling vxlan-gbp-profile on the tunnel termination endpoint, you need to create firewall rules with match conditions for the endpoint devices you want to segregate. Do this on the EX4400 switch in your topology that is deployed in the role of VXLAN gateway for the access layer.

The following match conditions can be used:



At the [edit firewall family ethernet-switching filter f1 term t1 then] level, only gbp-src-tag is valid.


Not enabled

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 21.1R1 for EX4400 Series switches.