Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  firewall filter

    Posted 10-29-2013 07:58

    Hello,


    I need to restrict a VLAN which is going to be used by guest users. If I create an ACL, where should I apply it: the core switch or the access switch where the users are connected? If it is in the core switch, should I create the policy using set firewall inet filter or set firewall ethernet-switching filter?


    thanks



  • 2.  RE: firewall filter

    Posted 10-29-2013 15:43

    http://www.juniper.net/techpubs/en_US/junos/topics/concept/firewall-filter-ex-series-overview.html
    http://www.juniper.net/techpubs/en_US/junos/topics/example/firewall-filter-ex-series-configuring.html

    About halfway down are some examples and explanation that should help guide your decision:
    Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic

    All the way down are more examples which you can actually modify for your specific environment.

    More than likely you will be using a trunk port to carry vlan traffic from the access to the core, so it would seem like you would need to classify the traffic for the vlans on the access switches. After all it is on the ports at which the device access the network that you want to define the vlan, yes?



  • 3.  RE: firewall filter

    Posted 10-31-2013 01:49


    Hi,

    Thanks for the link. I had gone through it and created a filter, which is attached; however I am not able to get to the internet, I am getting an IP only. I created the filter to allow any host to any host within the same subnet, block traffic to any other subnet, but allow anything over the internet. Could you check and advise?


    firewall {
        family ethernet-switching {
            filter VLAN-A {
                /* T1: always let DHCP and DNS through so clients can get an address and resolve names */
                term T1 {
                    from {
                        destination-port [ dhcp domain ];
                    }
                    then accept;
                }
                /* T2: host-to-host traffic that stays inside the guest subnet */
                term T2 {
                    from {
                        source-address {
                            192.168.132.0/24;
                        }
                        destination-address {
                            192.168.132.0/24;
                        }
                    }
                    then accept;
                }
                /* T3: drop anything else bound for 192.0.0.0/8 (covers the other internal 192.x subnets) */
                term T3 {
                    from {
                        destination-address {
                            192.0.0.0/8;
                        }
                    }
                    then discard;
                }
                /* Default: everything not matched above (internet-bound traffic) is accepted */
                term Default {
                    then accept;
                }
            }
        }
    }



  • 4.  RE: firewall filter
    Best Answer

    Posted 11-01-2013 14:50

    I think you want to create the filter under family inet and apply it on the interface under family inet as an input filter.
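An added example of what this best answer describes, not taken from the thread: the same guest-VLAN intent rewritten as a family inet filter and applied as an input filter on the routed VLAN interface. It generalises the original filter by discarding all three RFC 1918 ranges rather than only 192.0.0.0/8, and counts the drops so they can be monitored. The filter name, the counter name, the interface vlan.132 and the gateway address 192.168.132.1/24 are assumptions.

```junos
firewall {
    family inet {
        filter GUEST-VLAN-IN {
            /* Let guests reach DHCP and DNS servers wherever they live */
            term ALLOW-DHCP-DNS {
                from {
                    protocol udp;
                    destination-port [ dhcp domain ];
                }
                then accept;
            }
            /* Keep guests off every other internal subnet; count drops for monitoring */
            term BLOCK-INTERNAL {
                from {
                    destination-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count GUEST-BLOCKED;
                    discard;
                }
            }
            /* Everything else (internet-bound traffic) is routed normally */
            term DEFAULT-ACCEPT {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed routed interface for the guest VLAN (named vlan.132 here) */
    vlan {
        unit 132 {
            family inet {
                filter {
                    input GUEST-VLAN-IN;
                }
                address 192.168.132.1/24;
            }
        }
    }
}
```

No intra-subnet accept term is needed here: traffic between two guests in the same VLAN is bridged at layer 2 and never reaches the routed interface, so the inet filter only sees traffic leaving the subnet. Drops can be checked with show firewall counter GUEST-BLOCKED filter GUEST-VLAN-IN.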