Hi Null,
Since you're trying to filter traffic between VLANs, you'd probably be best off routing between them on the SRX, so on the port that links the SRX to the EX (on both devices), you'll need to trunk all three VLANs. Your config will look something like this:
ge-0/0/6 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ VLAN0 VLAN16 VLAN32 ];
            }
        }
    }
}
Where VLAN0, VLAN16 and VLAN32 are the names you've given your VLANs.
The simplest way to perform your filtering is to place each VLAN into its own security zone, like so:
security-zone VLAN0-ZONE {
    host-inbound-traffic {
        system-services {
            ping;
            https;
            traceroute;
            ssh;
        }
    }
    interfaces {
        vlan.0;
    }
}
After you've created a zone for each interface, you'll then need to create a policy between each pair of security zones to allow or deny traffic. Based on your example for port 22, you'd need a security policy such as:
from-zone VLAN16-ZONE to-zone VLAN32-ZONE {
    policy ALLOW-SSH {
        match {
            source-address VLAN16-SUBNET;
            destination-address VLAN32-SUBNET;
            application junos-ssh;
        }
        then {
            permit;
            log {
                session-close;
            }
            count;
        }
    }
}
Obviously, you'd have defined address book entries for VLAN16-SUBNET and VLAN32-SUBNET. You'll also need to make sure that the SRX has vlan interfaces with addresses defined for each VLAN, and that this address is the default gateway for hosts in each subnet.
Hope this helps!
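The pieces described in the answer above, pulled together in set format as an added illustration (this is not the original poster's config). It assumes VLAN IDs 16 and 32, the constructed subnets 192.0.2.0/24 and 198.51.100.0/24 with the SRX as .1 in each, zone-scoped address books as on older branch SRX releases, and leaves VLAN0 out for brevity; the `#` lines are reader comments, strip them before pasting.

```junos
# VLANs with their routed (L3) vlan interfaces on the SRX
set vlans VLAN16 vlan-id 16 l3-interface vlan.16
set vlans VLAN32 vlan-id 32 l3-interface vlan.32

# Trunk towards the EX carrying both VLANs
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members [ VLAN16 VLAN32 ]

# Gateway addresses hosts in each subnet point their default route at (constructed)
set interfaces vlan unit 16 family inet address 192.0.2.1/24
set interfaces vlan unit 32 family inet address 198.51.100.1/24

# One zone per VLAN; only allow the box itself to answer ping from hosts
set security zones security-zone VLAN16-ZONE interfaces vlan.16
set security zones security-zone VLAN16-ZONE host-inbound-traffic system-services ping
set security zones security-zone VLAN16-ZONE address-book address VLAN16-SUBNET 192.0.2.0/24
set security zones security-zone VLAN32-ZONE interfaces vlan.32
set security zones security-zone VLAN32-ZONE host-inbound-traffic system-services ping
set security zones security-zone VLAN32-ZONE address-book address VLAN32-SUBNET 198.51.100.0/24

# VLAN16 -> VLAN32: permit SSH only, logged and counted
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy ALLOW-SSH match source-address VLAN16-SUBNET
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy ALLOW-SSH match destination-address VLAN32-SUBNET
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy ALLOW-SSH match application junos-ssh
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy ALLOW-SSH then permit
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy ALLOW-SSH then log session-close
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy ALLOW-SSH then count

# Explicit logged deny after the permit, so blocked attempts show up in the traffic log
# (the SRX denies unmatched traffic by default, but silently)
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy DENY-REST match source-address any
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy DENY-REST match destination-address any
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy DENY-REST match application any
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy DENY-REST then deny
set security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE policy DENY-REST then log session-init

# No policy exists from VLAN32-ZONE to VLAN16-ZONE, so nothing is initiated in that direction
```

Check the result with `show security policies from-zone VLAN16-ZONE to-zone VLAN32-ZONE` and `show security flow session`; policy order matters, so ALLOW-SSH must sit above DENY-REST.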