Per-VNI egress rate limiting for VXLAN tunnel traffic

You can enforce per-VNI egress rate limits on VXLAN tunnel-initiated traffic to prevent congestion, mitigate denial-of-service (DoS) risk, and prioritize critical services. This configuration targets traffic entering the VXLAN tunnel. This does not rate limit locally switched or routed traffic. We added a new egress VLAN ACL filter profile to support the egress rate limit per VNI feature. You enable this profile with "set system packet-forwarding-options firewall profiles ethernet-switching egress profile1". Changing the filter profile triggers a Packet Forwarding Engine restart. Create the filter using "set firewall family ethernet-switching filter term from vxlan tunnel-initiated" and "traffic-type known-unicast" for unicast traffic or "traffic-type-except known-unicast" for BUM traffic. Set two-color or three-color policers with the "discard" action and attach the filters per VLAN with "set routing-instances vlans forwarding-options filter output ". You use "show firewall" to view policer statistics.