Channel: Ethernet Switching topics

Vlan Firewall filters


Thought I'd post this here as I'm not quite understanding the Junos documentation for this feature and working with JTAC hasn't really been helpful. Basically I want to know how vlan firewall filters match traffic when they are applied in the output vs input directions. I've been shown the "VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN." several times. I understand this. But I'm trying to figure out what Juniper means by "leave a vlan" vs "enter a vlan". The issue I'm having is that when a fw filter is applied in the "output" direction I can only match on ip-source-address. When it is applied in the input direction I can only match on ip-destination-address.

 

The scenario is that there is a vlan with an l3 interface irb bound to it. Clients in that vlan use the irb address as their default gateway. Would the traffic that clients attached to the switch in this vlan generate be considered input? Or is it output if they leave the local subnet/vlan? Would this traffic not be input and output? Traffic returning to the switch and going out the irb into the vlan would be input?

