Bridge Vlan vs. Switch Vlan

RouterOS Beginner Basics
1

Hi everyone.
i was wondering if someone can help me understand the differences between vlan in bridge menu and vlan in switch menu(CRS[1xx and 2xx] and RouterBoards which has switch chip hardware) on RouterOS V6.41+.
when i should use bridge vlan and switch vlan?
if i want to enable cpu aware vlan(assigning ip to vlan for accessing RouterOS over ip) on CRS(1xx and 2xx), i should do it with bridge vlan menu or switch vlan menu. which one has better throughput and low overhead? and which one does not disable ‘hw-offload’ feature?

and why i am facing the following text in mikrotik wiki?
“In case using RouterOS 6.41+, a bridge must be created instead with disabled RSTP and IGMP Snooping and no VLAN filtering:”

CRS326-24G-2S+
bridge vlan setup (new way)
CRS112-8P-4S High CPU usage, need your help and suggestion
CRS Egress Tag Removal
2

CRS1xx/CRS2xx and CRS3xx require a different approach to configure VLAN switching on a hardware level.
Since 6.41 the master-port configuration is discarded and is replaced with a bridge configuration.
Now in 6.41 as soon as you add ports to a bridge hardware offloading is enabled by default, this is exactly the same as port switching (in addition RSTP is enabled by default as well).

The part that is different on CRS1xx/CRS2xx from CRS3xx is that CRS1xx/CRS2xx does not support bridge VLAN filtering on a hardware level, you must configure VLAN tagging, invalid VLAN filtering and other switch related features in /interface ethernet switch.
https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN

CRS3xx on the other hand does support bridge VLAN filtering on a hardware level, this means you should configure VLAN tagging and invalid VLAN filtering in /interface bridge vlan (and /interface bridge port). Some options like ACL and QoS still must be configured in /interface ethernet switch.
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

Other devices that have a built-in switch chip must also be configured under /interface ethernet switch. You must first create a bridge to switch desired ports together (/interface bridge) and then you can configure VLAN tagging and invalid VLAN filtering in /interface ethernet switch.
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples
Note that not all switch chips are capable of doing VLAN switching, make sure that your device supports it:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction
(In general, VLAN table support also means VLAN switching support)

Accessing the device using VLANs is called “management port”, for each type of device there is a guide in the provided links to properly set up a management port. It usually involves adding the bridge/switch-cpu port to the VLAN table.

3

I made this configuration on a CRS326-24G-2S+ with RouterOS 6.42 in order to obtain:
ether2 and sfp-sfpplus1 as trunk ports with untagged ip address by dhcp client, to reach and ping this switch from other trunk devices (switches, management pc);
ether1 access port with vlan 2012 for voip phones;
ether3 and ether4 access ports with vlan 2014 for video;
ether5 access port with vlan 2008 for control room;
ether6 to ether24 access ports with vlan 2000 for office computers;
ip addresses from dhcp over vlan 2012, 2008 and 2000 to reach and ping this switch from those access networks;

# jan/02/1970 07:48:47 by RouterOS 6.42
# software id = 7AF9-SIJP
#
# model = CRS326-24G-2S+
# serial number = 763E081A8E9E
/interface bridge
add fast-forward=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="telefoni vlan2012"
set [ find default-name=ether2 ] comment="trunk port"
set [ find default-name=ether3 ] comment="video1 vlan2014"
set [ find default-name=ether4 ] comment="video2 vlan2014"
set [ find default-name=ether5 ] comment="domotica1 vlan2008"
set [ find default-name=sfp-sfpplus1 ] comment="trunk port"
/interface vlan
add interface=bridge name=vlan-domotica vlan-id=2008
add interface=bridge name=vlan-telefoni vlan-id=2012
add interface=bridge name=vlan-uffici vlan-id=2000
add interface=bridge name=vlan-videosorv vlan-id=2014

/interface bridge port
add bridge=bridge interface=ether24 pvid=2000
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether23 pvid=2000
add bridge=bridge interface=ether22 pvid=2000
add bridge=bridge interface=ether21 pvid=2000
add bridge=bridge interface=ether20 pvid=2000
add bridge=bridge interface=ether19 pvid=2000
add bridge=bridge interface=ether18 pvid=2000
add bridge=bridge interface=ether17 pvid=2000
add bridge=bridge interface=ether16 pvid=2000
add bridge=bridge interface=ether15 pvid=2000
add bridge=bridge interface=ether14 pvid=2000
add bridge=bridge interface=ether13 pvid=2000
add bridge=bridge interface=ether12 pvid=2000
add bridge=bridge interface=ether11 pvid=2000
add bridge=bridge interface=ether10 pvid=2000
add bridge=bridge interface=ether9 pvid=2000
add bridge=bridge interface=ether8 pvid=2000
add bridge=bridge interface=ether7 pvid=2000
add bridge=bridge interface=ether6 pvid=2000
add bridge=bridge interface=ether5 pvid=2008
add bridge=bridge interface=ether4 pvid=2014
add bridge=bridge interface=ether3 pvid=2014
add bridge=bridge interface=ether1 pvid=2012
/interface bridge vlan
add bridge=bridge comment=uffici tagged=bridge,ether2,sfp-sfpplus1 untagged=\
    ether24,ether23,ether22,ether21,ether20 vlan-ids=2000
add bridge=bridge untagged=ether2,sfp-sfpplus1 vlan-ids=1
add bridge=bridge comment=videosorveglianza tagged=bridge,ether2,sfp-sfpplus1 \
    vlan-ids=2014
add bridge=bridge comment=telefoni tagged=bridge,ether2,sfp-sfpplus1 \
    vlan-ids=2012
add bridge=bridge comment=domotica tagged=bridge,ether2,sfp-sfpplus1 \
    vlan-ids=2008
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=vlan-uffici use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=vlan-telefoni use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=vlan-domotica use-peer-dns=no use-peer-ntp=no

/system routerboard settings
set boot-os=router-os silent-boot=no

It works.
As you can see, in this entry:

/interface bridge vlan
add bridge=bridge comment=uffici tagged=bridge,ether2,sfp-sfpplus1 untagged=\
    ether24,ether23,ether22,ether21,ether20 vlan-ids=2000

I put only ether20-ether24 as untagged ports, as described here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering
But also ether6-ether19 work as expected as access port on the vlan 2000.
And also ether1, 3, 4, 5 work as expected as access port on their respective vlan!
So, why the wiki examples ask to insert untagged ports in the /interface bridge vlan?
Are there any issue if I don’t insert them?

4

This does not sound right. SOHO devices with switch chips, e.g. hap ac and hap ac 2, can be entirely configured for VLANs via bridge and with hardware support. There is no need to touch the /interface ethernet switch.

5

No, bridge VLAN filtering is not hardware offloaded on any other device than CRS3xx series switches, make sure to check the hardware support before configuring your device:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading
As soon as you enable “vlan-filtering=yes” on Atheros8327, the hardware offloading will be disabled.

6

Ah, yes, you’re right “hw=yes” per port is true, but “H - hw-offload” is not.