Given a network setup with multiple LAN VLANs: is it correct to create the VLAN interfaces on the main bridge, or is it better to create the VLAN interfaces on the Ethernet interface?
I’m currently mostly creating VLAN interfaces on the Ethernet interface. This works fine, but it feels like the wrong way of doing it.
Is creating the VLAN interfaces on the main bridge the correct way of doing it? Does this introduce some kind of notable performance impact?
As I understood it:
If you want to benefit from HW offload where possible (on those devices where it is supported), using a bridge for setting up VLANs has been the default way for quite a few years already.
I’m specifically talking about the use case where I have a trunk port on my MikroTik router that carries a bunch of tagged VLANs to a switch. For every VLAN there is an interface with an address assigned on the MikroTik (the LAN IP).
Is there still bridge HW offloading in such a scenario, where interfaces, and not just “switching”, are involved?
Inter-VLAN Routing
Since L3HW depends on L2HW, and L2HW is the one that does VLAN processing, inter-VLAN hardware routing requires a hardware bridge underneath. Even if a particular VLAN has only one tagged port member, the latter must be a bridge member.
> Do not assign a VLAN interface directly on a switch port! Otherwise, L3HW offloading fails and the traffic will get processed by the CPU.
…
Assign the VLAN interface to the bridge instead. This way, VLAN configuration gets offloaded to the hardware, and, with L3HW enabled, the traffic is subject to inter-VLAN hardware routing.
The important thing to understand is what exactly gets offloaded from the bridge to the switch chip: passing frames between ports attached to the switch chip (typically these are RJ45 or SFP ports; always consult the block diagram of the particular device) that are members of the same bridge. Additionally, the switch chip handles adding/stripping VLAN headers when a port is an untagged member of a particular VLAN.
However, anything related to the router’s IP stack (including VLAN interfaces) is entirely processed by the CPU (unless the device is capable of L3HW offload).
So using a bridge with a single physical port doesn’t allow any offload to hardware (an untagged “VLAN” in this case doesn’t need any VLAN tag manipulation, and adding a VLAN tag by the switch chip actually means slightly more CPU processing due to the use of a VLAN interface).
Thanks for this explanation. It makes a lot of sense and is easy to understand!
Let’s evaluate it with, e.g., the CCR1009 sfp-sfpplus1 interface. Would you use a bridge for a router-on-a-stick configuration with multiple VLANs, or would you do it without a bridge?
I understand that the bridge won’t gain any HW offload, but does it do any harm? Is it still best practice to use a bridge for such a scenario?
IMO it doesn’t make much sense to use a bridge with a single port. The only functionality a bridge could offer is bridge filters … and for simplicity’s sake, most things done by bridge filters can be done by the L3 firewall.
But using a bridge does insert an additional step in frame/packet processing (even if only a few CPU cycles are needed).
So again, unless you have a very specific problem that only a bridge can solve, I don’t see any sense in having a bridge on a RoaS.
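The two configurations discussed in this thread, the offload-friendly "VLAN interfaces on the bridge" layout from the quoted documentation and the single-port router-on-a-stick layout from the last reply, side by side as an added RouterOS example. This is not configuration from any poster or from MikroTik; the interface names (ether2, ether3, sfp-sfpplus1), VLAN IDs, addresses and the bridge name are assumed, and the commented-out L3HW line only applies on devices that support it.

```routeros
# Added example, not taken from the thread. Interface names, VLAN IDs and
# addresses are assumed; check the device block diagram before copying.
# (A) and (B) are alternatives for different hardware, not meant to coexist.

# --- (A) Multi-port device with a switch chip: VLAN interfaces on the bridge ---
# ether2 carries the tagged trunk to the switch; ether3 is an untagged access
# port in VLAN 10 (the switch chip adds/strips the tag for it in hardware).
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10

# Bridge VLAN table. The bridge itself is listed as a tagged member so the
# CPU-facing VLAN interfaces below can receive/send each VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2

# L3 interfaces sit on the bridge, NOT on ether2, as the quoted docs require.
/interface vlan add name=vlan10 interface=bridge1 vlan-id=10
/interface vlan add name=vlan20 interface=bridge1 vlan-id=20
/ip address add address=192.168.10.1/24 interface=vlan10
/ip address add address=192.168.20.1/24 interface=vlan20

# Turn filtering on last, once the VLAN table is complete, so management
# access over the trunk is not cut off half-way through the change.
/interface bridge set bridge1 vlan-filtering=yes

# Inter-VLAN hardware routing (only on L3HW-capable models); without it the
# routing between vlan10 and vlan20 is done by the CPU as described above.
# /interface ethernet switch set 0 l3-hw-offloading=yes

# Verification: an "H" flag on a bridge port means L2 hardware offload is
# active for that port; the vlan print shows the resulting tagged/untagged map.
/interface bridge port print
/interface bridge vlan print

# --- (B) Router-on-a-stick on a single port (e.g. CCR1009 sfp-sfpplus1) ---
# No bridge: with one physical port there is nothing to offload, so the VLAN
# interfaces go directly on the physical interface.
/interface vlan add name=vlan30 interface=sfp-sfpplus1 vlan-id=30
/interface vlan add name=vlan40 interface=sfp-sfpplus1 vlan-id=40
/ip address add address=192.168.30.1/24 interface=vlan30
/ip address add address=192.168.40.1/24 interface=vlan40
```

In layout (A) only the port-to-port switching and the tag handling for the untagged access port are offloaded; any frame whose destination is one of the router's own VLAN addresses still reaches the CPU unless L3HW is available and enabled. Layout (B) has the same CPU cost for routed traffic without the extra bridge step.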