I want to use a new CRS326-24S+2Q+ with RouterOS, but with all (Q)SFP+ ports in switch mode and full 40G speed possible. I know it would be easier to use SwitchOS, but I want the benefit of the RouterOS tools.
What I have done so far:
Deleted all RouterOS packages apart from the system package and advanced tools
Removed the mgmt port “ether1” from the bridge (all other (Q)SFP ports are bridged with HW offload)
Gave ether1 an IP number and a few routes for management
If you put the management interface in the same bridge with the rest of the interfaces, it will effectively become a usual switched interface. Surely it is better to have it separated if your management is “out of band” (which I guess is not the case for many if not most deployments). The default config allows both in-band and out-of-band mgmt, but it’s not really secure, and if the admin knows better, he is more than welcome to improve the config.
So IMHO your setup outlined in the original post is a good one. Just make sure you don’t have any IP configuration on the bridge interface and, when you configure VLANs, you don’t include the bridge interface as a member of any of the VLANs. If you make sure all member interfaces are either strictly tagged trunks or properly configured access or hybrid ports [*], then you should be fine.
[*] For fully tagged trunk ports, you would set frame-types=admit-only-vlan-tagged on those interfaces (in /interface bridge port). For access ports, you would set frame-types=admit-only-untagged-and-priority-tagged, while for hybrid ports you would leave it at the default (which is frame-types=admit-all), but in both cases you would set pvid= and add such an interface as an untagged member of the VLAN (in /interface bridge vlan). In all cases, do set ingress-filtering=yes so that frames are properly filtered on ingress according to the VLAN settings.
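
The three port roles from the reply above, written out as an added RouterOS configuration example that is not part of the original thread. The bridge name, interface names, VLAN IDs and the management address are assumptions chosen for illustration; substitute the names shown by `/interface print` on your own device.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridge",
# ports sfp-sfpplus1..3, VLAN IDs 10/20/30, management subnet 192.0.2.0/24.

# Out-of-band management: ether1 stays outside the bridge and is the
# only interface that carries an IP address.
/ip address
add address=192.0.2.10/24 interface=ether1

/interface bridge port
# Fully tagged trunk: untagged frames are dropped on ingress.
set [find interface=sfp-sfpplus1] frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# Access port: untagged frames are placed in VLAN 10, tagged frames are dropped.
set [find interface=sfp-sfpplus2] pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Hybrid port: untagged frames go to VLAN 20, tagged VLAN 30 is also accepted.
set [find interface=sfp-sfpplus3] pvid=20 frame-types=admit-all \
    ingress-filtering=yes

/interface bridge vlan
# The bridge interface itself is not listed as tagged or untagged in any
# VLAN, so the switch CPU has no presence in the switched VLANs.
add bridge=bridge vlan-ids=10 tagged=sfp-sfpplus1 untagged=sfp-sfpplus2
add bridge=bridge vlan-ids=20 tagged=sfp-sfpplus1 untagged=sfp-sfpplus3
add bridge=bridge vlan-ids=30 tagged=sfp-sfpplus1,sfp-sfpplus3

# frame-types and ingress-filtering only take effect once VLAN filtering
# is enabled on the bridge, so turn it on after the VLAN table is complete.
/interface bridge
set bridge vlan-filtering=yes

# Checks: this should return nothing (no IP configuration on the bridge) ...
/ip address print where interface=bridge
# ... and every port should show ingress-filtering=yes with the intended
# frame-types and pvid.
/interface bridge port print detail
```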