Group Based Policy

From the IETF Internet-Draft "VXLAN Group Policy Option", draft-smith-vxlan-group-policy-04:

   The VXLAN Group Based Policy Extension (VXLAN-GBP) header is defined as:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          VXLAN Network Identifier (VNI)       |   Reserved    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 1: VXLAN-GBP Extension

   The following bits are defined in addition to the existing VXLAN
   fields:

   G Bit: Bit 0 of the initial word is defined as the G (Group Based
   Policy Extension) bit.

      G = 1 indicates that the source TSI Group membership is being
      carried within the Group Policy ID field as defined in this
      document.

      G = 0 indicates that the Group Policy ID is not being carried, and
      the G Bit MUST be set to 0 as specified in [RFC7348].

   D bit: Bit 9 of the initial word is defined as the Don't Learn bit.
   When set, this bit indicates that the egress VTEP MUST NOT learn the
   source address of the encapsulated frame.

   A Bit: Bit 12 of the initial word is defined as the A (Policy
   Applied) bit.  This bit is only defined as the A bit when the G bit
   is set to 1.
      A = 1 indicates that the group policy has already been applied to
      this packet.  Policies MUST NOT be applied by devices when the A
      bit is set.

      A = 0 indicates that the group policy has not been applied to this
      packet.  Group policies MUST be applied by devices when the A bit
      is set to 0 and the destination Group has been determined.
      Devices that apply the Group policy MUST set the A bit to 1 after
      the policy has been applied.

   Group Policy ID: 16 bit identifier that indicates the source TSI
   Group membership being encapsulated by VXLAN.  The allocation of
   Group Policy ID values is outside the scope of this document.

In Junos, GBP tags can be assigned by MAC address, subnet (IP prefix), or VLAN. Below are sample configurations generated by Mist Wired Assurance (Campus Fabric IPClos topology); in each case a micro-segmentation filter assigns the gbp-tag, and a second filter matches on the source and destination tags to enforce the policy.

By Subnet

set groups top firewall family any filter gbp_tags_by_ip micro-segmentation
set groups top firewall family any filter gbp_tags_by_ip term 01 then gbp-tag 10
set groups top firewall family any filter gbp_tags_by_ip term 01 from ip-version ipv4 address 10.20.30.0/24
set groups top firewall family any filter gbp_SwitchPolicy1 term 01 from gbp-src-tag 10
set groups top firewall family any filter gbp_SwitchPolicy1 term 01 from gbp-dst-tag 10
set groups top firewall family any filter gbp_SwitchPolicy1 term 01 then discard
set groups top chassis forwarding-options vxlan-gbp-profile

By VLAN

set groups top firewall family any filter gbp_tags_by_vlan micro-segmentation
set groups top firewall family any filter gbp_tags_by_vlan term 01 then gbp-tag 11
set groups top firewall family any filter gbp_tags_by_vlan term 01 from vlan-id 1234
set groups top firewall family any filter gbp_SwitchPolicy2 term 01 from gbp-src-tag 11
set groups top firewall family any filter gbp_SwitchPolicy2 term 01 from gbp-dst-tag 11
set groups top firewall family any filter gbp_SwitchPolicy2 term 01 then discard
set groups top chassis forwarding-options vxlan-gbp-profile

By MAC

set groups top firewall family any filter gbp_tags_by_mac micro-segmentation
set groups top firewall family any filter gbp_tags_by_mac term 01 then gbp-tag 20
set groups top firewall family any filter gbp_tags_by_mac term 01 from mac-address 005054a8b0c1
set groups top firewall family any filter gbp_tags_by_mac term 02 then gbp-tag 30
set groups top firewall family any filter gbp_tags_by_mac term 02 from mac-address 005054a8f0d2
set groups top firewall family any filter gbp_SwitchPolicy3 term 01 from gbp-src-tag 20
set groups top firewall family any filter gbp_SwitchPolicy3 term 01 from gbp-dst-tag 30
set groups top firewall family any filter gbp_SwitchPolicy3 term 01 then discard
set groups top chassis forwarding-options vxlan-gbp-profile

Enforcement

set groups top chassis forwarding-options vxlan-gbp-profile
set groups top forwarding-options evpn-vxlan gbp ingress-enforcement
set apply-groups top
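As an added illustration (not code from the draft, Junos, or Mist), the following Python decodes the 8-byte VXLAN-GBP header laid out above and then models what an enforcing VTEP does with it: skip packets with no tag (G = 0), never re-apply policy when A = 1, otherwise look up (source tag, destination tag) in a table mirroring the gbp_SwitchPolicy3 terms (tag 20 to tag 30 is discarded) and set the A bit once the policy has been applied. The sample header bytes and the POLICY table are constructed for the example; the destination tag is assumed to have been resolved locally by the egress VTEP.

```python
import struct

# Flag bits in the first 32-bit word of the VXLAN-GBP header.
# Bit 0 in the draft's figure is the most significant bit of the word.
G_BIT = 1 << 31   # bit 0:  Group Based Policy extension present
I_BIT = 1 << 27   # bit 4:  VNI valid (RFC 7348)
D_BIT = 1 << 22   # bit 9:  Don't Learn
A_BIT = 1 << 19   # bit 12: Policy Applied (only defined when G = 1)

def parse_vxlan_gbp(header: bytes) -> dict:
    """Decode the 8-byte VXLAN-GBP header into its fields."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    word0, word1 = struct.unpack("!II", header[:8])
    g = bool(word0 & G_BIT)
    return {
        "G": g,
        "I": bool(word0 & I_BIT),
        "D": bool(word0 & D_BIT),
        # A bit and Group Policy ID carry no meaning unless G = 1.
        "A": bool(word0 & A_BIT) if g else None,
        "group_policy_id": (word0 & 0xFFFF) if g else None,
        "vni": word1 >> 8,          # upper 24 bits of the second word
    }

# Constructed policy table mirroring the gbp_SwitchPolicy3 terms above:
# (gbp-src-tag, gbp-dst-tag) -> action; anything not listed is forwarded.
POLICY = {(20, 30): "discard"}

def enforce(header: bytes, dst_tag: int) -> tuple:
    """Apply GBP policy as an enforcing VTEP. Returns (action, header)."""
    f = parse_vxlan_gbp(header)
    if not f["G"]:
        return "forward", header   # no Group Policy ID carried
    if f["A"]:
        return "forward", header   # policy already applied upstream; MUST NOT re-apply
    action = POLICY.get((f["group_policy_id"], dst_tag), "forward")
    word0, word1 = struct.unpack("!II", header[:8])
    applied = struct.pack("!II", word0 | A_BIT, word1) + header[8:]  # set A = 1
    return action, applied

# Constructed sample: G=1, I=1, D=0, A=0, Group Policy ID 20, VNI 5000.
SAMPLE_GBP = bytes.fromhex("8800001400138800")

if __name__ == "__main__":
    print(parse_vxlan_gbp(SAMPLE_GBP))
    print(enforce(SAMPLE_GBP, 30)[0])   # discard: src tag 20 -> dst tag 30
```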