Practically I will bridge the untagged ethernet ports (with the configured ip address) together.
Does this bridge include automatically the tagged traffic?
If you bridge the physical interfaces, then the tagged AND untagged traffic will be passed.
Think of a bridge as being almost exactly like a dumb switch (until v6.41 when the bridges become vlan-aware) - it will forward the frames regardless of whether they’ve got 802.1q headers - so long as the header+payload all fits within the device’s L2MTU.
So - if you just make bridge1 and add ports ether1 and ether2, then all traffic will pass between those ports - tagged and untagged alike.
If you add a vlan interface to some physical interface (e.g. make an interface “MyVLAN” and connect it to ether1 and set the tag=101) and then add that vlan interface to your bridge as a port, then the bridge will receive traffic from that vlan (101 in this example) but with the tags stripped.
I’ve lately learned that it’s better to configure vlan on bridge interface than on etherX interface. Then use the switch menu to control what to tag or untag. How the switch menu works highly depends on the switch chip - they all seems to behave differently, and I have to say the switch vlan config is very confusing. I tend to lock my self out of from the unit at least once every time I try to do this configuration. Do take backup before you start playing with this, and use safe mode.
I’ve even experienced doing switch vlan config on a test-router - copied config from prod-router to test router before I started. Then, when I got it working I did export and used it to make a script ready to run on the prod-router. Restored the test-router to the state before I started playing with vlan, tested that the script I wrote actually worked, then ran the script on the prod-router and got locked out! Test and prod routers were same model, running same ros version!