As we all know, using a bridge and doing VLAN-filtering is the only way to leverage L3HW offload capabilities on Mikrotik devices that support it. I’m curious, in the situation where you are using CHR, you don’t have any built in switch chip and everything is CPU anyway, is there any benefit (performance, security or otherwise) of setting up a bridge and doing the VLAN-filtering approach? In this case wouldn’t the extermely basic and straight forward method of attaching a vlan to the parent interface directly work equally as well since there is no offload capability? See the examples below, they are not exactly the same but you get the idea.
Basic Example:
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4
Bridge Example:
/interface bridge
add name=bridge1 frame-types=admit-only-vlan-tagged
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=20
add bridge=bridge1 tagged=ether1 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan add
interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface bridge
set bridge1 vlan-filtering=yes
