Ok. I finally did it. At least at the moment - hopefully things are still working next week...
This is the definitive way of accomplishing hybrid MAC-based VLAN. I'm declaring that officially - so any mistakes (impossible!) need to be critiqued and corrected. If anything here is wrong, inefficient, or just not clear now's the time to clean it up.
First of all - set aside any thoughts of auto-configuring your phones via DHCP. If someone's got a working example with Mikrotik & Polycom I'd love to see it. But even then - start with manual configuration. That's one of the biggest hurdles - you must set your phones correctly. For my Polycom phones, that meant manually going into Advanced Settings, Network, Ethernet, VLAN, and enabling VLAN, setting the ID (30 for me), and enabling VLAN filtering.
Side note - while wandering through these menus I found my PCs are connecting as half-duplex 10M via the Polycom. Admittedly these are older phones but still... Finding mention of this elsewhere I manually set the PC connection to full duplex 100M - which isn't the gigabit it should be but it's a hell of a lot better than it was.
Back to the CRS1xx. First, having already created a bridge for all ports (you did that on initial setup also, didn't you?). First create a VLAN interface.
/interface vlan add interface=bLAN name=vlan30 vlan-id=30
Now, in my case I have a mix of port usage - which is the whole reason I needed MAC based VLAN. My VoIP server is on ether4. My phones are on ether1, 3, 5, 7, 8.
First, we need to identify which ports
may participate in the VLAN. This does not force them to exclusively talk in the VLAN - but they must be declared first so the other rules will apply. Additionally, we specify SVL for MAC-based processing. Note to future proof readers - do I really need SVL and if so why?
/interface ethernet switch vlan add ports="ether1,ether3,ether4,ether5,ether7,ether8" svl=yes vlan-id=30
Now, my VoIP server is...sort of a hosted 3rd party solution. So I don't have access to change its VLAN settings. But - it's on a known port. So I'll force all traffic coming
from that VoIP server to be on the VLAN.
/interface ethernet switch ingress-vlan-translation new-customer-vid=30 ports=ether4
Now - since I just said I can't adjust the VLAN settings on the VoIP server I need (or should) strip any VLAN information on traffic
to that device.
/interface ethernet switch egress-vlan-translation add customer-vid=30 new-customer-vid=0 ports=ether4
On the other hand, I need to expressly communicate on the VLAN for the phones that are on dedicated ports.
/interface ethernet switch egress-vlan-translation add ports="ether1,ether3,ether5,ether7"
At this point - four of my phones should be communicating properly with the server. That leaves the lone oddball that needs a MAC-based connection.
/interface ethernet switch mac-based-vlan add new-customer-vid=30 src-mac-address=00:04:F2:39:BE:B5
If I wanted a "pure" MAC-based solution, I'd omit the "egress-vlan-translation" line for the dedicated ports and specify the other MAC addresses. That would allow for roaming of phones - but I believe that would increase the load on the CRS1xx CPU. At the moment, looks like the CPU load on mine is floating around 10% (plus/minus whatever), with occasional spikes to 20%.