EVPN Group Policy
Micro- or macro-segmentation is a technique of dividing the network into multiple smaller segments (zones) by grouping the endpoints based on their traffic pattern or access privileges and controlling the traffic between any two segments.
VXLAN uses Group Based Policy, based on draft-lrss-bess-evpn-group-policy, which specifies a mechanism for carrying Group Policy IDs (also known as Group Policy Tags) and VXLAN header extensions to enable micro- or macro-segmentation in the VXLAN fabric.
A test with four Tenant Systems (TS1, TS2 on PE1; TS3, TS4 on PE2) used group policies to permit only specific bidirectional traffic flows. Traffic was allowed between TS1–TS3, TS2–TS3, and TS2–TS4, while all other flows were denied. Keysight IxNetwork statistics showed that only permitted pairs communicated successfully, confirming group policy enforcement.
Figure 43: EVPN Group Policy
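An added example, not part of the test report: how an egress PE could turn the source Group Policy ID carried in the VXLAN header into the permit/deny result seen in this test. The header layout follows the VXLAN-GBP encoding (G flag plus a 16-bit Group Policy ID) and is an assumption here, as are the group IDs, the VNI and all function names.

```python
import struct

# Assumed VXLAN-GBP header layout (8 bytes):
#   byte 0: flags, G=0x80 (Group Policy ID present), I=0x08 (VNI valid)
#   byte 1: policy flags (ignored in this example)
#   bytes 2-3: Group Policy ID, bytes 4-6: VNI, byte 7: reserved
G_FLAG, I_FLAG = 0x80, 0x08

# Constructed group IDs for the four Tenant Systems (not from the test report).
GROUP_OF = {"TS1": 101, "TS2": 102, "TS3": 103, "TS4": 104}

# Bidirectional permits from the test; every other pair is denied by default.
_PERMITTED_PAIRS = [("TS1", "TS3"), ("TS2", "TS3"), ("TS2", "TS4")]
ALLOW = {frozenset((GROUP_OF[a], GROUP_OF[b])) for a, b in _PERMITTED_PAIRS}


def build_header(vni, group_id=None):
    """Build a sample header; group_id=None leaves the G flag clear."""
    flags = I_FLAG | (G_FLAG if group_id is not None else 0)
    return struct.pack("!BBH", flags, 0, group_id or 0) + struct.pack("!I", vni << 8)


def parse_header(hdr):
    """Return (vni, source_group); source_group is None when G is clear."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, _flags1, gid, vni_word = struct.unpack("!BBHI", hdr[:8])
    if not flags0 & I_FLAG:
        raise ValueError("VNI flag not set")
    return vni_word >> 8, (gid if flags0 & G_FLAG else None)


def egress_permit(hdr, dst_ts):
    """Permit only if (source tag, destination group) is an allowed pair."""
    try:
        _vni, src_group = parse_header(hdr)
    except ValueError:
        return False                  # malformed encapsulation: drop
    if src_group is None:
        return False                  # untagged traffic falls to default deny
    return frozenset((src_group, GROUP_OF[dst_ts])) in ALLOW
```

Treating untagged or malformed headers as deny keeps the default-deny behaviour the test relied on for the non-permitted flows.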
