I am preparing my config for Bridge VLAN filtering and cannot understand how management access should be configured:
in the “Untagged access with VLAN filtering” section (https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-UntaggedaccesswithVLANfiltering)
there is this example: “For example, untagged ports ether2 and ether3 should be able to communicate with the VLAN 99 interface using untagged traffic. In order to achieve this, these ports should be configured with the pvid that matches the VLAN ID on management VLAN. Note that the bridge1 interface is a tagged port member, you can configure additional tagged ports if necessary (see the previous example).”
/interface bridge port
set [find interface=ether2] pvid=99
set [find interface=ether3] pvid=99
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=99
“Management access is used to create a way to access a device through a bridge that has VLAN filtering enabled. You could simply allow untagged access and doing that is fairly simple. Let us say you wanted the workstation behind ether3 to be able to access the device, we assumed before that the workstation is a generic computer that will not use tagged packets and therefore will only send out untagged packets, this means that we should add the CPU port (bridge1) as an untagged interface to the bridge VLAN table, to do so, simply use the same PVID value for the bridge1 and ether3 ports and set both ports as untagged members for the VLAN ID. In this case, you are going to connect from ether3 that has PVID=30, so you change the configuration accordingly:”
/interface bridge set [find name=bridge1] pvid=30
/interface bridge vlan set [find vlan-ids=30] untagged=bridge1,ether3
So the bridge is untagged here.
Please tell me which of these 2 cases is correct for untagged access with VLAN filtering?
As both variants, if properly set up, work, it’s not possible to say which one is right and which one is wrong. It’s a matter of personal taste.
My way is this: as soon as I start with VLANs, I go all-tagged within the LAN infrastructure. This includes connections between LAN devices (switches, router, some “multi-homed” servers) and inside devices. This means that the management IP address is always set on a VLAN interface (not on the bridge), which makes the bridge interface all-tagged, something like
The above example is for a switch where CPU (via bridge interface) only requires access to management VLAN. On router, bridge “CPU-facing port” would be configured as tagged member to many more VLANs and consequently there would be many more VLAN interfaces (anchored to bridge interface) …
The above example features one “uplink” connection via ether1 and that one is all-tagged, no untagged frames are allowed to pass the port in either direction.
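The all-tagged switch layout described in this reply, written out as an added example (not the poster's own config and not taken from the MikroTik documentation). The interface names, VLAN ID 99 and the 192.168.99.2/24 address are assumptions.

```routeros
# Added example: management access via a VLAN interface on the bridge.
# bridge1 is only a tagged member of the management VLAN; ether1 is an
# all-tagged uplink, ether2/ether3 are untagged access ports in VLAN 99.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# Uplink: only VLAN-tagged frames admitted, unknown VLANs dropped on ingress.
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: untagged frames are placed in VLAN 99 via pvid; tagged frames refused.
add bridge=bridge1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# The CPU-facing port (bridge1) is tagged, so no untagged traffic reaches the CPU.
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2,ether3 vlan-ids=99

/interface vlan
# Management IP lives on the VLAN interface anchored to the bridge, not on bridge1 itself.
add name=vlan99-mgmt interface=bridge1 vlan-id=99

/ip address
add address=192.168.99.2/24 interface=vlan99-mgmt

# Enable filtering last, after the VLAN table and management address are in place,
# so the device stays reachable while the change is applied.
/interface bridge set bridge1 vlan-filtering=yes
```

A workstation on ether2 or ether3 sends untagged frames, which enter VLAN 99 and reach vlan99-mgmt; the bridge VLAN table contains no untagged CPU entry, so the "bridge is untagged" variant from the question is not needed in this layout.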
In general, and to keep it SIMPLE, for the main router with DHCP, all VLANs are tagged on the bridge.
For MT devices not being the primary router, aka acting as an AP/Switch, ONLY the management VLAN needs to:
a. be identified as a vlan
b. be tagged on the bridge.