The CLI commands in this article configure VLANs on MX network ports. The commands do not configure VLAN membership for wireless or wired authentication users. To assign a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name vendor specific attribute (VSA) for that user.
Tunnels connect MX switches across a network. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the MX with an associated roaming station. A single tunnel can carry traffic for many users and many VLANs.
In 7.0 we have changed the range of available VLAN numbers from 2-4093 to 2-3583 due to a hardware limitation in our new MX-2800 controller. Because of this limitation we have changed the range of allowed VLAN numbers across all model MXs. If the customer wants to run 7.0 they will either need to change the VLAN numbers on their wired network or have a mismatch in VLAN number mappings between the MX and the wired network.
Yes, you could do this by placing the WLAN users on a VLAN that does not have an IP interface configured. This will work for all SSIDs except for WebAAA because this requires that the MX has an IP interface on the user VLAN. If they need to do WebAAA you could still prevent users from accessing the MX with ACLs.
A basic checklist for troubleshooting IRB (Integrated Bridging and Routing) interfaces on MX Series devices. To troubleshoot Physical interface or VLAN interfaces, refer to KB26486: Troubleshooting Checklist - Ethernet Physical Interface or KB26487: Troubleshooting Checklist - VLAN Bridging