Bridge Options

Can someone tell me if these two configurations result in any difference, or are they accomplishing the same task.
{
/interface bridge add name=LANbridge
/interface bridge port add bridge=LANbridge interface=ether2
/interface vlan add name=vlan10 vlan-id=10 interface=ether2
/interface vlan add name=vlan20 vlan-id=20 interface=ether2
/ip address add address=10.1.10.1/24 interface=vlan10
/ip address add address=10.1.20.1/24 interface=vlan20
}

..and

{
/interface bridge add name=LANbridge
/interface bridge port add bridge=LANbridge interface=ether2
/interface vlan add name=vlan10 vlan-id=10 interface=LANbridge
/interface vlan add name=vlan20 vlan-id=20 interface=LANbridge
/ip address add address=10.1.10.1/24 interface=vlan10
/ip address add address=10.1.20.1/24 interface=vlan20
}

I have been working with different vendors on native vlans and certain forum examples have bridges setup differently. I just wanted to make sure I understood correctly.

nice question, i will be tuned for answers

The first configuration is adding UNTAGGED traffic from ether2 into the LANbridge, and accepting vlan10 and vlan20 tagged traffic as two additional separate interfaces (that are NOT part of the LANbridge)

If you extend your first configuration like this:

/interface bridge add name=LANbridge
/interface bridge port add bridge=LANbridge interface=ether2
/interface bridge port add bridge=LANbridge interface=ether3
/interface bridge port add bridge=LANbridge interface=ether4
/interface bridge port add bridge=LANbridge interface=ether5
/interface vlan add name=vlan10 vlan-id=10 interface=ether2
/interface vlan add name=vlan20 vlan-id=20 interface=ether2
/ip address add address=10.1.10.1/24 interface=vlan10
/ip address add address=10.1.20.1/24 interface=vlan20

Then you will be accepting UNTAGGED traffic from ether2, ether3, ether4, and ether5 into the LANbridge. Tagged traffic from vlan10 or vlan20 ON ETHER2 ONLY will be accepted on two additional separate interfaces. Tagged traffic from vlan10 or vlan20 on ether3, ether4, or ether5 will be dropped.

The second configuration is adding ether2 into the LANbridge, and then accepting vlan10 and vlan20 tagged traffic as two additional separate interfaces (that include all ports in the LANbridge).

If you extend your second configuration like this:

/interface bridge add name=LANbridge
/interface bridge port add bridge=LANbridge interface=ether2
/interface bridge port add bridge=LANbridge interface=ether3
/interface bridge port add bridge=LANbridge interface=ether4
/interface bridge port add bridge=LANbridge interface=ether5
/interface vlan add name=vlan10 vlan-id=10 interface=LANbridge
/interface vlan add name=vlan20 vlan-id=20 interface=LANbridge
/ip address add address=10.1.10.1/24 interface=vlan10
/ip address add address=10.1.20.1/24 interface=vlan20

Then you will accept UNTAGGED traffic from ether2, ether3, ether4, and ether5 into the LANbridge. Tagged traffic from vlan10 or vlan20 ON ALL FOUR PORTS will be accepted on two additional separate interfaces.

Of note: on our network, we have had some problems with configuration #2 in versions v6.18 and later, primarily on RB2011 hardware. Support has not been able to replicate our problem, but we had to work around it by using a configuration like this:

/interface bridge add name=br-untagged
/interface bridge add name=br-vlan10
/interface bridge port add bridge=br-untagged interface=ether2
/interface bridge port add bridge=br-untagged interface=ether3
/interface bridge port add bridge=br-untagged interface=ether4
/interface bridge port add bridge=br-vlan10 interface=e2-vlan10
/interface bridge port add bridge=br-vlan10 interface=e3-vlan10
/interface bridge port add bridge=br-vlan10 interface=e4-vlan10
/interface vlan add name=e2-vlan10 vlan-id=10 interface=ether2
/interface vlan add name=e3-vlan10 vlan-id=10 interface=ether3
/interface vlan add name=e4-vlan10 vlan-id=10 interface=ether4
/ip address add address=10.1.10.1/24 interface=br-vlan10

Thanks. That does help clarify a few things. From my experience, we have setup our network as follows:

/interface bridge add name=LANbridge
/interface bridge port add bridge=LANbridge interface=ether2
/interface bridge port add bridge=LANbridge interface=ether3
/interface bridge port add bridge=LANbridge interface=ether4
/interface bridge port add bridge=LANbridge interface=ether5
/interface bridge port add bridge=LANbridge interface=vlan99
/interface vlan add name=vlan10 vlan-id=10 interface=LANbridge
/interface vlan add name=vlan20 vlan-id=20 interface=LANbridge
/interface vlan add name=vlan99 vlan-id=99 interface=LANbridge
/ip address add address=10.1.10.1/24 interface=vlan10
/ip address add address=10.1.20.1/24 interface=vlan20
/ip address add address=10.1.99.1/24 interface=vlan99

In this example, vlan99 is our untagged management vlan and by adding it to the bridge, I can ping other devices within that network (down the switch line that is set for vlan 99 with a native vlan 99 set on the switch trunk), but have been having issues talking to all devices on that network.

I have been troubleshooting but from what I can tell, if I set the switch to not tag native packets (meaning tag on vlan 1) and leave the vlan 99 on the bridge, I can access devices that are tagged for vlan 99 but not untagged devices. However, if I set the native vlan to 99 and take vlan 99 off of the bridge, I can talk to non-tagged devices, but not other devices that have the vlan 99 tag set on them on an access port.

Not sure if that even makes sense, but I have been messing with it for a few days trying to get the right configuration.

With that configuration, you basically have a bridge loop – you have LANbridge set up with all those Ethernet ports, and you have a VLAN interface that is a sub-interface of that bridge – and then you add the vlan99 sub-interface to the same bridge it is a sub-interface of.

In general, I would either:

• Have the downstream switch perform the vlan translation (translate untagged to vlan99) and then remove the “/interface bridge port add bridge=LANbridge interface=vlan99” command to resolve your bridge loop.
• Move the IP address from vlan99 to the LANbridge interface, and have no vlan translation downstream (just accept untagged traffic as the management traffic). You then would remove the “/interface bridge port… interface=vlan99” and “/interface vlan add name=vlan99…” commands

DLNoah’s explanation is excellent.

I have a couple of things to add to it, though.

I’ve always tried to avoid bridging physical interfaces which have vlan sub-interfaces on them. The first Mikrotik I was ever handed and told “here, manage this!” had that type of configuration (and several other really weird things) on it… Things seemed to “bleed through”

If you do “configuration 1” from the OP’s example, but with DLNoah’s addition that ether3 ether4 and ether5 are also on the bridge as ports, then you get these side effects:
Any vlan tag OTHER than 10 or 20 on ether2 will be passed through to ether3-5 with the tag intact (and the Mikrotik itself won’t interact with those VLANs on layer3).
Any traffic arriving on ether3-5 with a tag of 10 or 20 will actually be forwarded out ether2 with the tag intact also, but any replies from devices on ether2 will be swallowed by the vlan sub-interfaces, thus no bidirectional connetivity is possible on those vlans.

The best thing to do is connect the physical ports to the bridge, and create VLAN sub-interfaces on the bridge for each VLAN that the Mikrotik should interact with.

If you want total granular control over which vlans go to which interfaces, etc - then you need to create the VLAN sub-interfaces on the ethernet interfaces, and create a unique bridge per VLAN and only make attachments between the vlan sub-interfaces, and ethernet ports which have no vlans on them.

e.g.:
BridgeV5 ports = ether2.vlan5, ether3.vlan5, ether4.vlan5, and ether5
BridgeV10 ports = ether2.vlan10, ether3.vlan10, ether6, ether7
BridgeV20 ports = ether3.vlan20, ether8.vlan20

Note that I never connect ether2, ether3, or ether4 directly to any bridge because those interfaces have sub-interfaces.

Here’s the key difference in the two methods (vlan interfaces on ether interfaces vs on the bridge interface):
With the vlans on the physical interfaces, the frames within the bridge aren’t tagged* - if you bridge e1.v10 with e2.v10 and e3.v10, then the vlan sub-interfaces strip the tags as frames arrive at the Mikrotik, the bridge forwards the now-untagged frames, and then the egress vlan subinterface stamps a new tag on the frames as they leave the Mikrotik.
(note that you could actually use different VLAN id tags on the various interfaces)

Using method #2, then the Mikrotik mostly acts as a “dumb” bridge, forwarding tagged or untagged traffic between all participating interfaces, leaving the tags alone. These frames will have their vlan tags intact while they’re inside the bridge, so if you want the Mikrotik to participate in these VLANs, simply add vlan sub-interfaces to the bridge itself. The subinterfaces will remove the tags as the frames go up the stack to the CPU for local processing (like pings, winbox packets, etc), and the replies from these services will be tagged appropriately as they exit through the vlan subinterfaces onto the bridge, where layer 2 forwarding will send the frames to their various egress ports (tagged or not).

*note- qinq frames would only have the outer tag removed and leave the inner vlan tagged on the bridge- if you don’t know what qinq is, ignore this exception.

Excellent write up guys! That definitely explains some of the oddities I was experiencing using method #1. I will move the configuration to match method #2 and go from there. Clarifying where the tags get stripped off between the two configurations helps a lot.