Hello,
I hope you are well.
I’m setting up my first MikroTik switch/router. I tried to pay as much attention as possible. That being said, being new here, I might have missed something. Kindly correct me if I’m wrong.
Among others, I’ve read the following articles: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1, https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching, and https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading.
To simplify the setup and the question, let’s dedicate one port to WAN, all the other ports to LAN (two in the example) - like a regular home router - and some of the LAN ports (only one in the example) should bridge to WAN when ingress is tagged as expected.
Approach 1 - explicit VLAN
```
/interface bridge add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface vlan add interface=bridge1 name=lan1 vlan-id=2
/interface vlan add interface=bridge1 name=wan1 vlan-id=3
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=3
/interface bridge port add bridge=bridge1 frame-types=admit-all interface=sfp-sfpplus2 pvid=2
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 pvid=2
/interface bridge vlan add bridge=bridge1 tagged=bridge1 vlan-ids=2
# untagged=sfp-sfpplus2,sfp-sfpplus3 implied above
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus2 vlan-ids=3
# untagged=sfp-sfpplus1 implied above
/ip address add address=192.168.88.1/24 interface=lan1 network=192.168.88.0
```
Approach 2 - Native(?) VLAN
```
/interface bridge add frame-types=admit-all name=bridge1 vlan-filtering=yes
/interface vlan add interface=bridge1 name=wan1 vlan-id=3
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=3
/interface bridge port add bridge=bridge1 frame-types=admit-all interface=sfp-sfpplus2
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3
/interface bridge vlan add bridge=bridge1 vlan-ids=1
# untagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 implied above
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus2 vlan-ids=3
# untagged=sfp-sfpplus1 implied above
/ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
```
As far as I understand, functionally both approaches are similar unless I’m missing some edge cases.
In the Native VLAN approach, pvid=1 is implied for bridge1 and its ports sfp-sfpplus2 and sfp-sfpplus3. I understand this as untagged traffic for these interfaces has VID=1 internally. However, this contradicts http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 which says
> A word of caution if you are thinking of using VLAN 1 in your network design. Most vendors use VLAN 1 as the native VLAN for their hardware. MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, and expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged. Therefore, unless you are prepared to change the default behavior in MikroTik and/or other vendors, it is simpler to use VLAN 2 and higher.
Do I misunderstand? Or does it mean that despite MikroTik seeing these packets as VID=1 internally they will be egressed with VID=0 by default while other vendors see them with VID=0 even internally so they allow using VID=1 as an explicit tag and not as implied behaviour for untagged traffic? (Which I think is opposite to what it says.)
What are the conceptual, security (I don’t like frame-types=admit-all on bridge1 in the Native VLAN approach but I cannot pin exactly what bothers me), and hardware offloading (the model in question is CRS309-1G-8S+IN so the capabilities are quite vast) differences between the two setups? Am I missing any functional differences?
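
An added example, not part of the original post: a simplified Python model of bridge VLAN filtering applied to the two configurations above, showing which VLAN each ingress frame is classified into (or that it is dropped) and how it leaves the other member ports. It assumes ingress-filtering is enabled, that a port with no explicit pvid uses 1, and that a port whose frame-types admit untagged frames becomes a dynamic untagged member of its PVID VLAN; all function and dictionary names are hypothetical.

```python
# Simplified model of RouterOS bridge VLAN filtering, not RouterOS code.
# Assumptions: vlan-filtering=yes, ingress-filtering enabled, default pvid=1.
UNTAGGED_OK = {"admit-all", "admit-only-untagged-and-priority-tagged"}
TAGGED_OK = {"admit-all", "admit-only-vlan-tagged"}

# Transcribed from the post: port -> (frame-types, pvid), plus static tagged lists.
APPROACH_1 = {
    "ports": {
        "bridge1": ("admit-only-vlan-tagged", 1),
        "sfp-sfpplus1": ("admit-only-untagged-and-priority-tagged", 3),
        "sfp-sfpplus2": ("admit-all", 2),
        "sfp-sfpplus3": ("admit-only-untagged-and-priority-tagged", 2),
    },
    "tagged": {2: {"bridge1"}, 3: {"bridge1", "sfp-sfpplus2"}},
}
APPROACH_2 = {
    "ports": {
        "bridge1": ("admit-all", 1),
        "sfp-sfpplus1": ("admit-only-untagged-and-priority-tagged", 3),
        "sfp-sfpplus2": ("admit-all", 1),
        "sfp-sfpplus3": ("admit-only-untagged-and-priority-tagged", 1),
    },
    "tagged": {1: set(), 3: {"bridge1", "sfp-sfpplus2"}},
}

def members(cfg, vid):
    """Return (tagged, untagged) member sets, including dynamic untagged ports."""
    tagged = cfg["tagged"].get(vid, set())
    untagged = {p for p, (ft, pvid) in cfg["ports"].items()
                if pvid == vid and ft in UNTAGGED_OK and p not in tagged}
    return tagged, untagged

def ingress(cfg, port, tag=None):
    """Return the VLAN a frame is classified into, or None if it is dropped."""
    ft, pvid = cfg["ports"][port]
    is_untagged = tag in (None, 0)  # VID 0 is a priority tag, not a VLAN
    if ft not in (UNTAGGED_OK if is_untagged else TAGGED_OK):
        return None
    vid = pvid if is_untagged else tag
    tagged, untagged = members(cfg, vid)
    return vid if port in tagged | untagged else None

def egress(cfg, vid, src):
    """Map every other member port of the VLAN to 'tagged' or 'untagged'."""
    tagged, untagged = members(cfg, vid)
    out = {p: "tagged" for p in tagged}
    out.update({p: "untagged" for p in untagged})
    out.pop(src, None)
    return out
```

In this model the port-to-port results match once VID 2 is swapped for VID 1; the differences are on the bridge (CPU) port, which is an untagged member of VLAN 1 only in Approach 2, and in what happens to a frame tagged VID 1 arriving on sfp-sfpplus2.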