I have an SRX1500, an EX4300 and several EX3400s. The SRX is used as the firewall and router. The EX4300 is being used to aggregate all the EX3400 access switches. The purpose of the network is to connect a range of different customers to the internet and cloud resources. Currently each customer has their own VLAN with the irb interface terminated on the SRX within its own dedicated security zone. There is a requirement that some customers can access some of their own local services within their own VLAN while also restricting unnecessary host-to-host communication.
My question is about Intrazone Policy behavior within these VLANs. My understanding is that if Host A (client) tries to communicate with Host B (server) within the same VLAN that they would be able to communicate regardless of the Intrazone Policy? My assumption is that because the above mentioned traffic is switched at L2, it would not be enforced by intrazone security policy as unicast traffic would never reach the L3 irb interface on the SRX?
Would the use of Private VLANs in this scenario be a good solution?
I unfortunately can't lab up this specific scenario or test it in the office due to COVID restrictions, so I'm just hoping to understand the theory behind it. Thanks, Alex
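As an added illustration (not part of the original post), the following Junos configuration sketch shows the two halves of the design the question is reasoning about: a Private VLAN on the EX side, so that client hosts on isolated ports can no longer reach each other at L2, and the SRX side, where the customer VLAN's irb sits in its own zone with an intra-zone policy. All names, VLAN IDs, port numbers and addresses are made up for the example, and the syntax is ELS-style as used on EX3400/EX4300 and SRX; verify statement placement against the platform documentation for your Junos release before using it.

```junos
## EX side (EX3400 access switch): Private VLAN for customer A
## Primary VLAN 100 carries the irb on the SRX; client hosts sit in the
## isolated secondary VLAN, the customer's local server in a community VLAN.
set vlans cust-a-primary vlan-id 100
set vlans cust-a-primary isolated-vlan cust-a-isolated
set vlans cust-a-primary community-vlans cust-a-servers
set vlans cust-a-isolated vlan-id 1100
set vlans cust-a-isolated private-vlan isolated
set vlans cust-a-servers vlan-id 1101
set vlans cust-a-servers private-vlan community

## Client access ports: isolated, so they can only talk to promiscuous ports
## (the uplink toward the SRX), never to each other, even inside VLAN 100.
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members cust-a-isolated
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members cust-a-isolated

## Local server port: community VLAN, reachable by other community members
## and by promiscuous ports, but not by isolated hosts at L2.
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members cust-a-servers

## Uplink toward the EX4300 (and on to the SRX): promiscuous trunk carrying
## the primary VLAN. When the PVLAN spans the EX4300 and the EX3400s, the
## trunks between the switches must additionally be marked as the PVLAN
## inter-switch link (statement name per platform docs; assumption here).
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members cust-a-primary

## SRX side: customer A's irb terminates VLAN 100 in its own zone.
set interfaces irb unit 100 family inet address 10.10.100.1/24
set security zones security-zone cust-a interfaces irb.100
set security zones security-zone cust-a host-inbound-traffic system-services ping

## Intra-zone policy. Without the PVLAN above this policy is never consulted
## for client-to-client traffic, because same-subnet unicast is switched at
## L2 and never reaches irb.100. With isolated ports, a client that must
## reach the local server has no L2 path and must be routed through the SRX;
## for that hairpin the SRX has to answer ARP for same-subnet hosts
## (proxy-arp on the irb; assumption that this matches your release),
## after which the flow enters and leaves irb.100 and this policy applies.
set interfaces irb unit 100 proxy-arp unrestricted
set security address-book global address cust-a-local-server 10.10.100.50/32
set security policies from-zone cust-a to-zone cust-a policy allow-local-services match source-address any
set security policies from-zone cust-a to-zone cust-a policy allow-local-services match destination-address cust-a-local-server
set security policies from-zone cust-a to-zone cust-a policy allow-local-services match application junos-https
set security policies from-zone cust-a to-zone cust-a policy allow-local-services then permit
set security policies from-zone cust-a to-zone cust-a policy deny-host-to-host match source-address any
set security policies from-zone cust-a to-zone cust-a policy deny-host-to-host match destination-address any
set security policies from-zone cust-a to-zone cust-a policy deny-host-to-host match application any
set security policies from-zone cust-a to-zone cust-a policy deny-host-to-host then deny
set security policies from-zone cust-a to-zone cust-a policy deny-host-to-host then log session-init
```

Two checks worth doing once a lab is available: on the EX, `show vlans extensive` should list the isolated and community VLANs under the primary, and a ping between two isolated hosts should fail with no ARP reply; on the SRX, `show security flow session source-prefix 10.10.100.0/24 destination-prefix 10.10.100.0/24` should show sessions only once proxy-arp is in place, which confirms the traffic is now being forwarded (and policed) at L3 rather than switched around the firewall.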