But the second you cross a VLAN boundary, it goes through the CPU, full stop
OK, so that means that even inter-VLAN routing is ALWAYS done on the CPU, no exceptions (e.g. if VLANs 10 and 20 both belong to the “LAN” Port-group, and both are exclusively tagged on switch1 (for instance ports 1 and 2))?
I didn’t notice they were going to switch or ISP alone, but you have TWO of them.
Sorry, I wasn’t clear enough. I bought 2 routers (plus a 3rd one as a spare), but they will be installed on 2 different sites. Each site will use only one RB1100AHx4 as a border router to the ISP (the router config is pretty much the same on both sites, with only a few minor differences). (I am planning to add VRRP on the main site, but with a 4G/5G router as backup. It’s gonna be a bit tricky because of CGN on the mobile network… I might have to create a tunnel to announce my AS over BGP… I’m still working on the design.)