You can filter and police VXLAN traffic in the following ways:
- Per-VXLAN network identifier (VNI) filtering and policing: You can create a firewall filter that matches the VNI of a VXLAN segment. To rate-limit traffic for the VXLAN segment, you can specify policer as the action in the firewall filter. To rate-limit traffic exiting the VXLAN segment, you must apply the filter to the input traffic for the VXLAN. To rate-limit traffic entering the VXLAN segment, you must apply the filter to the output traffic for the VXLAN.
- Per-virtual tunneling endpoint (VTEP) filtering and policing: To perform per-VTEP filtering, you create a firewall filter with one or more match conditions. In addition, you can create a dynamic profile for each dynamically created VTEP interface to filter input or output traffic. You can also create a default profile for interfaces that are not included in a dynamic profile.
  For the packets that match the per-VTEP filter, you can rate-limit the traffic for a dynamically created VTEP interface by specifying policer as the action in the firewall filter.
- Filtering and policing based on outer header: You can create a firewall filter that matches the outer IP and UDP header contents of a VXLAN packet. When configuring this firewall filter, you must specify family inet and apply the filter to an interface on which VXLAN packets enter or exit. For the packets that match the filter, you can rate-limit traffic for the interface by specifying policer as the action in the firewall filter.
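The outer-header case, as an added Junos configuration example that is not part of the original page. The filter, policer and counter names, the interface ge-0/0/0, the rate values and the use of UDP port 4789 (the IANA-assigned VXLAN port) are assumptions chosen for illustration.

```junos
firewall {
    /* Assumed rate: 100 Mbps with a 625 KB burst; excess packets are dropped. */
    policer vxlan-outer-pol {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 625k;
        }
        then discard;
    }
    family inet {
        filter vxlan-outer {
            /* Match on the outer IP and UDP headers of the VXLAN packet. */
            term vxlan-encap {
                from {
                    protocol udp;
                    destination-port 4789;
                }
                then {
                    policer vxlan-outer-pol;
                    count vxlan-outer-pkts;
                    accept;
                }
            }
            /* A Junos filter ends in an implicit discard, so accept everything
               else explicitly to avoid dropping non-VXLAN traffic. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed interface on which VXLAN packets enter the device. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input vxlan-outer;
                }
            }
        }
    }
}
```

After committing, `show firewall filter vxlan-outer` reports the counter and the policer's out-of-spec packet count, which confirms that the term is matching and the rate limit is being enforced.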