I think the definition of "Firewall Filter Types" here will probably help you:
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-overview.html
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-planning.html
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-understanding.html
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-evaluation-understanding.html
Small section:
Start with the following basic guidelines:
- If all the packets entering a port need to be exposed to filtering, then use port firewall filters.
- If all the packets that are bridged need filtering, then use VLAN firewall filters.
- If all the packets that are routed need filtering, then use router firewall filters.
Also worth noting:
When you apply a filter to an IRB interface associated with a given VLAN, the filter is executed on any Layer 3 interface with a matching VLAN ID. This is because the filter matches on all Layer 3 interfaces with the corresponding VLAN tag.
There is a path for the checks:
port firewall filter -> VLAN firewall filter -> router firewall filter.
If these are the only rules, and your irb from example 2 is associated with the vlan from example 1, it does not matter which one you use.
Example configuration can be found here: https://supportportal.juniper.net/s/article/EX-Understanding-VLAN-IRB-firewall-filter-behavior-on-EX4300?language=en_US
------------------------------
Michael Behrns
------------------------------
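To make the evaluation order in the reply above concrete (port filter -> VLAN filter -> router filter, with the router filter only relevant to traffic that is routed through the IRB), here is a small Python model of that pipeline. It is an added example written for this thread, not code from the original post or from Juniper; the stage names, the `Term`/`Filter` classes and the `evaluate_path` helper are my own assumptions, and the sample addresses are constructed. The one term it loads is the VTR term from the question, and the model also reflects a Junos behaviour worth keeping in mind with a filter that has only an `accept` term: a packet that matches no term falls off the end of the filter and hits the implicit discard.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the check order described in the reply:
# port firewall filter -> VLAN firewall filter -> router (IRB) firewall filter.
# Class and function names are assumptions, not Junos APIs.


@dataclass
class Term:
    name: str
    source: Optional[str] = None       # "from source-address <prefix>"
    destination: Optional[str] = None  # "from destination-address <prefix>"
    action: str = "accept"             # "then accept" or "then discard"

    def matches(self, src: str, dst: str) -> bool:
        """True when the packet's addresses fall inside every prefix the term names."""
        if self.source and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return True


@dataclass
class Filter:
    name: str
    terms: List[Term]

    def evaluate(self, src: str, dst: str) -> str:
        """First matching term wins; no match means the implicit discard at the end."""
        for term in self.terms:
            if term.matches(src, dst):
                return term.action
        return "discard"  # Junos filters end with an implicit discard


def evaluate_path(src: str, dst: str, routed: bool,
                  port_filter: Optional[Filter] = None,
                  vlan_filter: Optional[Filter] = None,
                  router_filter: Optional[Filter] = None) -> Tuple[str, str]:
    """Walk the stages in order and return (verdict, stage that decided it).

    Bridged traffic stops after the VLAN stage; only routed traffic
    (leaving the VLAN through the IRB) reaches the router filter.
    """
    stages = [("port", port_filter), ("vlan", vlan_filter)]
    if routed:
        stages.append(("router", router_filter))
    for stage, flt in stages:
        if flt is None:
            continue  # no filter applied at this stage
        if flt.evaluate(src, dst) == "discard":
            return "discard", stage
    return "accept", "end"


# The single term from the question's VTR filter.
VTR = Filter("VTR", [Term("t1", "192.168.2.0/24", "192.168.2.0/24", "accept")])


if __name__ == "__main__":
    # Constructed sample packets: intra-subnet bridged, and off-subnet.
    print(evaluate_path("192.168.2.10", "192.168.2.20", routed=False, vlan_filter=VTR))
    print(evaluate_path("192.168.2.10", "10.0.0.5", routed=False, router_filter=VTR))
    print(evaluate_path("192.168.2.10", "10.0.0.5", routed=True, router_filter=VTR))
```

Running the three sample calls shows the difference the guidelines describe: with VTR on the IRB only, a bridged packet leaving the subnet is never checked against it, while the same packet routed through the IRB is discarded by the implicit discard at the end of the filter.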
Original Message:
Sent: 06-10-2022 15:28
From: Anonymous User
Subject: Firewall filters in EX4300
This message was posted by a user wishing to remain anonymous
Hi Experts,
I have these filters in an EX4300 switch with the same matching conditions. The first one is to be applied on a VLAN and the second one on an irb. Can you please advise on which of these filters should be preferred, or if there is any advantage/disadvantage of using one over the other?
Thanks,
set firewall family ethernet-switching filter VTR term t1 from ip-source-address 192.168.2.0/24
set firewall family ethernet-switching filter VTR term t1 from ip-destination-address 192.168.2.0/24
set firewall family ethernet-switching filter VTR term t1 then accept
set firewall family inet filter VTR term t1 from source-address 192.168.2.0/24
set firewall family inet filter VTR term t1 from destination-address 192.168.2.0/24
set firewall family inet filter VTR term t1 then accept