Yes, private VLANs would be a solution if you want all devices to have access only to the gateway and in/out-of-subnet traffic.
If you need more control than that, as in some devices needing to talk locally, then you would need to deploy firewall filters per port group on the switch. An example of required local traffic might be printers.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
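The "firewall filters per port group" approach from the reply above, as an added configuration example that is not from the thread or from Juniper. It assumes an ELS EX switch (EX3400/EX4300 style syntax), a customer VLAN 110 on 10.110.0.0/24, the SRX irb gateway at 10.110.0.1 and a customer printer at 10.110.0.50; all of those names and addresses are constructed for the example. The filter is applied inbound on the host-facing access ports, so it governs what each host may send: the printer and the gateway stay reachable, anything else addressed inside the subnet is discarded and counted, and off-subnet traffic still reaches the SRX where the zone policies apply.

```junos
/* Added example, not from the thread. Assumed values: VLAN 110 / 10.110.0.0/24,
   SRX irb gateway 10.110.0.1, customer printer 10.110.0.50. */
interfaces {
    /* host-facing ports only; the printer port is deliberately NOT in this range,
       otherwise the same input filter would discard the printer's replies */
    interface-range CUST-A-HOSTS {
        member-range ge-0/0/1 to ge-0/0/8;
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members CUST-A;
                }
                filter {
                    input CUST-A-HOST-IN;
                }
            }
        }
    }
}
vlans {
    CUST-A {
        vlan-id 110;
    }
}
firewall {
    family ethernet-switching {
        filter CUST-A-HOST-IN {
            /* local service that must stay reachable inside the VLAN */
            term allow-printer {
                from {
                    ip-destination-address {
                        10.110.0.50/32;
                    }
                }
                then accept;
            }
            /* the SRX irb, so inter-subnet flows still reach the zone policies */
            term allow-gateway {
                from {
                    ip-destination-address {
                        10.110.0.1/32;
                    }
                }
                then accept;
            }
            /* any other destination inside the customer subnet (including the
               subnet broadcast address) is dropped and counted */
            term block-host-to-host {
                from {
                    ip-destination-address {
                        10.110.0.0/24;
                    }
                }
                then {
                    discard;
                    count cust-a-local-drops;
                }
            }
            /* off-subnet IP and non-IP frames (ARP, DHCP discover to 255.255.255.255)
               pass; routed traffic is still subject to the SRX security policies */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

Terms are evaluated top down, so the two accept terms must precede the subnet-wide discard. The counter is visible with `show firewall filter CUST-A-HOST-IN` and gives a quick check that host-to-host attempts are actually being dropped on the switch rather than hairpinning through the irb. Note the filter controls only what a host transmits; ARP still passes, so hosts can learn each other's MAC addresses but their IP traffic to one another is discarded at the ingress port.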
Sent: 01-16-2022 23:32
From: Anonymous User
Subject: Intrazone Security Policy and VLANs
This message was posted by a user wishing to remain anonymous
I have an SRX1500, an EX4300 and several EX3400s. The SRX is used as the firewall and router. The EX4300 is being used to aggregate all the EX3400 access switches. The purpose of the network is to connect a range of different customers to the internet and cloud resources. Currently each customer has their own VLAN with the irb interface terminated on the SRX within its own dedicated security zone. There is a requirement that some customers can access some of their own local services within their own VLAN while also restricting unnecessary host-to-host communication.
My question is about intrazone policy behavior within these VLANs. My understanding is that if Host A (client) tries to communicate with Host B (server) within the same VLAN, they would be able to communicate regardless of the intrazone policy? My assumption is that because the above-mentioned traffic is switched at L2, it would not be enforced by the intrazone security policy, as unicast traffic would never reach the L3 irb interface on the SRX?
Would the use of Private VLANs in this scenario be a good solution?
I unfortunately can't lab up this specific scenario or test it in the office due to COVID restrictions, so I am just hoping to understand the theory behind it.