Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  protected ports?

    Posted 12-27-2009 00:35

    Does anyone know if the EX switches have the capability to be configured to prevent ports on the same VLAN from communicating with one another? An example would be a quarantine VLAN where switch ports of non-compliant machines would be members, and it's not desirable to have machines in the quarantined VLAN talk to one another.



  • 2.  RE: protected ports?
    Best Answer

    Posted 12-27-2009 03:44

     You can do that using firewall filters.

    example : if you want to prevent machine-A from communicating with machine-B & both are at Vlan-X

    steps:

    1# define firewall filter :

    SW1# show firewall
    family ethernet-switching {
        filter filter1 {
            term term1 {
                from {
                    source-address {
                        machine-A-ip;
                    }
                    destination-address {
                        machine-B-ip;
                    }
                }
                then {
                    discard;
                }
            }
            /* keep the rest of the VLAN traffic flowing: a filter with no matching term discards */
            term allow-rest {
                then accept;
            }
        }
    }

    2# apply the filter to the vlan :

    SW1# set vlans Vlan-X filter input filter1

    note : the filter blocks communication from A to B (not from B to A)
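Generalising post 2's filter to the original question (every host in a quarantine VLAN isolated from every other host, in both directions), the following Python generator is an added example and not code from the thread: it emits Junos set commands in the syntax post 2 uses, adds the catch-all accept term a filter needs because Junos filters end in an implicit discard, and evaluates source/destination pairs first-match to show the one-way effect the note above describes. The host addresses and the filter and VLAN names are constructed for the example.

```python
from itertools import permutations
from ipaddress import ip_address


def quarantine_filter_terms(hosts):
    """One discard term per ordered host pair (so A->B and B->A are both
    covered), then a catch-all accept: Junos filters end in an implicit
    discard, so traffic to the uplink/firewall must be accepted explicitly."""
    hosts = [str(ip_address(h)) for h in hosts]  # rejects malformed addresses
    terms = [(f"isolate-{i}", src, dst, "discard")
             for i, (src, dst) in enumerate(permutations(hosts, 2), start=1)]
    terms.append(("allow-rest", None, None, "accept"))
    return terms


def set_commands(filter_name, vlan_name, terms):
    """Render the terms as Junos 'set' statements in the ethernet-switching
    family and bind the filter to the VLAN the way post 2 does."""
    base = f"set firewall family ethernet-switching filter {filter_name} term"
    cmds = []
    for name, src, dst, action in terms:
        if src is not None:
            cmds.append(f"{base} {name} from source-address {src}/32")
            cmds.append(f"{base} {name} from destination-address {dst}/32")
        cmds.append(f"{base} {name} then {action}")
    cmds.append(f"set vlans {vlan_name} filter input {filter_name}")
    return cmds


def evaluate(terms, src, dst):
    """First-match evaluation, as the switch does: the action of the first
    term whose from-clause matches, else the implicit discard. A single
    A->B term (post 2's note) therefore leaves B->A untouched."""
    for _, tsrc, tdst, action in terms:
        if (tsrc is None or tsrc == src) and (tdst is None or tdst == dst):
            return action
    return "discard"


if __name__ == "__main__":
    # constructed sample: three quarantined hosts, firewall/uplink at 192.0.2.1
    terms = quarantine_filter_terms(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    print("\n".join(set_commands("quarantine-isolate", "Quarantine", terms)))
    print(evaluate(terms, "192.0.2.10", "192.0.2.11"))  # discard
    print(evaluate(terms, "192.0.2.11", "192.0.2.10"))  # discard
    print(evaluate(terms, "192.0.2.10", "192.0.2.1"))   # accept (uplink)
```

Pairwise terms grow quadratically with the number of quarantined hosts; the private VLAN approach suggested later in the thread isolates ports without per-host rules.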

     



  • 3.  RE: protected ports?

    Posted 01-06-2010 06:31

    Thanks, that's exactly what I was looking for. I suppose you could also automate the process using scripts.



  • 4.  RE: protected ports?

    Posted 11-13-2018 17:28

    I am looking to do the same on a QFX. If I have 3 servers and an uplink to a FW, for example:

     

    xe-0/0/0 - Uplink to Firewall (vlan 100)

    xe-0/0/1 - ServerA (Vlan 100)

    xe-0/0/2 - ServerB (Vlan 100)

    xe-0/0/3 - ServerC (Vlan 100)

     

    I assume I would need to put a firewall on xe-0/0/1, xe-0/0/2, xe-0/0/3, and for each interface the firewall should only allow ingress packets from the MAC of the device connected to xe-0/0/0 (which would be my firewall) or else discard the packet?

     

     



  • 5.  RE: protected ports?

    Posted 11-13-2018 17:32

    Sounds like what you want are private vlans or pvlan.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/private-vlans-ex-series.html

     



  • 6.  RE: protected ports?

     
    Posted 11-13-2018 18:06

    Depending upon what model of QFX you have, here is the listing of PVLAN support by model and SW release:

     

    https://apps.juniper.net/feature-explorer/feature-info.html?fKey=1206&fn=Private%20VLANs%20(PVLANs)