The CLI commands in this article configure VLANs on MX network ports. The commands do not configure VLAN membership for wireless or wired authentication users. To assign a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name vendor specific attribute (VSA) for that user.
Tunnels connect MX switches across a network. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the MX with an associated roaming station. A single tunnel can carry traffic for many users and many VLANs.
In 7.0 we have changed the range of available VLAN numbers from 2-4093 to 2-3583 due to a hardware limitation in our new MX-2800 controller. Because of this limitation we have changed the range of allowed VLAN numbers across all model MXs. If the customer wants to run 7.0 they will either need to change the VLAN numbers on their wired network or have a mismatch in VLAN number mappings between the MX and the wired network.
When attempting to add a second vlan range (stacked vlans ) under an auto-configure setting, a commit configuration command will cause an FPC to crash if the second outer vlan range is included in the first outer vlan range.
Yes, you could do this by placing the WLAN users on a VLAN that does not have an IP interface configured. This will work for all SSIDs except for WebAAA because this requires that the MX has an IP interface on the user VLAN. If they need to do WebAAA you could still prevent users from accessing the MX with ACLs.