I have MX 400 and MS 350.
I have created VLANs in MX 400 until now.
I think there are two ways to create a VLAN that needs to be connected to the Internet.
1: Create a VLAN on the MX 400.
2: Create a VLAN in MS 350 and route it to VLAN 1 (Default) of MX 400.
Please advise which of 1: 2: is more advantageous in terms of security and operation.
Managing VLANS on the switches and using L3 routing will be the way to go.
I would rather go as follows:
1. Create the layer 2 VLANs at your MS
2. Create the layer 3 VLANs at your MX
In this way, there are filters and/or security in between VLANs.