Possible to set up a dedicated bridge for each VLAN with RouterOS 6.41+?

Hi All,

I am learning about the new bridge capabilities that came with RouterOS v6.41; please help me with this thought.

I have multiple VLANs on my network isolating different groups of users. I would like to upgrade my setup to use a bridge, but how do I create a bridge for each VLAN?

My current setup is to create a VLAN interface on each physical interface and group each VLAN into its respective bridge. This served the purpose, but I wonder whether there are better ways to do this. I kind of think the VLAN settings on the bridge must have some purpose to serve.

Can I manage to create multiple bridges, each for one VLAN, without using VLAN interfaces? And is there a benefit in doing that?


Thanks!

Have a look here and come back if questions remain. Of course it is relevant for 6.41+.

Thank you, sindy. I think your approach one is more or less what I am doing now. And approach two - I understand it basically means that if I want to separate different VLANs into different bridges, I need to create one bridge to connect all of the network and create a VLAN interface off this bridge?

I’m not sure I understand this sentence. Can you draw (a piece of ASCII art or a photo of a hand drawing is enough) what resulting topology you have in mind?

RouterOS permits you to have several /interface vlan with the same vlan-id provided that they are on different underlying interfaces. So you can have as many bridges as you want even using the approach where multiple VLANs share the same bridge, but frames with the same VLAN IDs will not be forwarded between the bridges and only one of the bridges will benefit from hardware offloading if we talk about devices with a single low-end switch chip.

I actually find it is probably harder to draw it up - let me try to explain with some more description.

So generally what I am trying to achieve here is to have multiple bridges, each representing a fraction of the network separated by VLAN IDs, plus one for untagged traffic. I know the following two methods of setup would work:

  1. I create VLAN interfaces on each physical interface. Then I group all VLAN 100 into bridge-100, all VLAN 200 into bridge-200, and so on.
  2. I bridge all physical interfaces into a bridge-all. Then I create VLAN interfaces on this bridge-all, so I have only one VLAN 100, VLAN 200, and so on. Then I create a bridge for each of these VLAN interfaces.

Both of them of course will include proper setup on the switch to allow VLAN-tagged traffic.

The concern is, with either method 1 or 2, will there be a performance / feature penalty due to all these many VLAN interfaces? For example, I cannot enable hardware acceleration, loop protection / STP will not work correctly, etc. And are there better ways to set this up?

Thanks for your time, sindy!