We have set up an MX64 in passthrough mode between the Huawei core and a Cisco router at one of our clients; the MX can see the traffic going through it. When we tried to make global policies, it could block clients from accessing YouTube, but when we made group policies it could only block clients that are on the same VLAN as the MX. On further troubleshooting, it was found that the link from the core to the MX was a trunk (maybe a router-on-a-stick setup) and the client had given us an IP address from the guest VLAN because it was the only VLAN allowed to access the internet.
Now the question is: is it correct that the link from the core switch to the MX is a trunk?
If yes, what VLAN should we place the MX in, taking into consideration that the core switch is Huawei and has a confusing interface setup (access, trunk, hybrid?)?
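For reference on the three Huawei VRP link types mentioned above, here is an added configuration example (not from the original post or from either vendor's documentation for this deployment). The interface names and VLAN IDs (10 and 20 for client VLANs, 30 for the guest VLAN) are assumed for illustration. The point it shows is that, whichever link type is used, the untagged/PVID VLAN on the core-side port is the VLAN an untagged device on that port ends up in, which is what decides the VLAN the MX itself sits in:

```text
# Assumed Huawei VRP configuration, added as an illustration (VLAN numbers are made up)

# 1. Access port: everything untagged, device lands in VLAN 30 only
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30

# 2. Trunk port: VLANs 10 and 20 pass tagged; untagged frames go to the PVID (VLAN 30)
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 30
 port trunk allow-pass vlan 10 20 30

# 3. Hybrid port: explicit per-VLAN tagged/untagged choice; VLAN 30 untagged, 10 and 20 tagged
interface GigabitEthernet0/0/3
 port link-type hybrid
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
 port hybrid tagged vlan 10 20

# Verification: check which VLANs a port carries and which is untagged
display port vlan GigabitEthernet0/0/2
```

In the trunk and hybrid cases, a device that sends untagged frames (such as an MX uplink without a VLAN tag configured) is placed in the PVID/untagged VLAN (VLAN 30 here), while the tagged VLANs are forwarded through it. That matches the symptom described above, where the MX received an address from the guest VLAN.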
I believe group policies are applied based on client MAC address, so the MX needs to be in the same VLAN as the clients. I would like someone to tell me I am wrong, though.
It does not matter if it is a trunk or access port.
You could create L3 (using FQDN) or L7 firewall rules and apply them based on subnet, though, but you won't be able to see group policies.