1) yes ... one vlan entry per bridge. So ideally you would actually include [ find bridge=bridge vlan-ids=100 ]
in the set command.
2) /interface ethernet
has no correlation with settings in /interface bridge
. OTOH VLANs are not physical properties of ethernet ports (and are not properties of only ethernet ports), they are kind of logical properties of bridge ports. In short: you always check status in the configuration tree where you also configure the same properties.
3) bridge the switch-like property doesn't have pvid settings. But bridge the interface does, you can set it with /interface bridge set [ find bridge=bridge] pvid=100
. Actually default setting is pvid=1
and like other default settings it's not shown in usual configuration export
. If you set pvid on bridge interface
, then whatever you do L3-wise directly on bridge interface (just like you would on all-untagged setup) will actually be done for VLAN ID 100 ... and bridge interface
becomes untagged member of VLAN ID 100. In this case you should not use /interface vlan
to create vlan interface for vlan-id=100 ...
Yeah, gets messy, that's why I strongly suggest to always use tagged stuff inside ROS device (and inside LAN infrastructure perimeter which means using solely tagged-only trunks between routers/switches).
You can see actual VID state by running /interface bridge vlan print
(all actual VLAN settings) and /interface bridge port print
(the PVID column ... which sometimes is not relevant if port has frame-types=admit-only-vlan-tagged
set). Mind that the implicit bridge interface
is not shown in the later printout.
4b) it has "invisible" pvid=1 set, see the answer above.
4c) see the answer above. In addition to setting bridge interface
as untagged member of said VLAN, you'd have to set pvid=99
on /interface bridge
(see the answer above).
The correct approach would be to use single connection between switch and router (either single ethernet cable or multiple configured in a bond) in a VLAN trunk configuration (tagged member of multiple VLANs). Do it the same on router side. This way only single physical connection consumes port space both on switch and router. Downside is potential throughput bottleneck, but in case of most mikrotik routers the bottleneck will be routing performance of the router.
Then construct multiple /interface vlan
interfaces, one per each of VLANs which should be routed, and configure L3 (IP) stuff on them. Then router will automatically try to route between VLANs unless particular configuration (most frequently that's firewall setup) blocks such connections.
5b) tagging/untagging frame has some performance overhead. Bridge has some overhead as well. In case of CRS3xx both are offloaded to hardware and things are equal performance wise.
That's true only for switching functionality. When it comes to L3 (IP) performance, most likely it will be the general purpose CPU of device which will be the bottleneck in any case. But in any case, the bridge/vlan-interface approach is clean switch-like config and I recommend it every time.
5c) Have a look at block diagram, available from product page
. As you can see, each of switch chips have kind of bottleneck with interconnection to CPU. If traffic is destined to CPU in any case (e.g. WAN traffic should always hit firewall), then it doesn't matter which switch chip it passes. However it is beneficial to separate it from LAN traffic if only to give LAN a bit more bandwidth on the switch chip - CPU interconnect. Add the fact that HW-offloaded switching is only available between ports handled by same switch chip (so you can have 5 LAN ports if using eth6-eth10 group). OTOH, RB3011 doesn't offload VLAN config if done per guide by @pcunite. OTOH2, this doesn't matter at all if only single link is used between LAN (switches, ...) and router. HW offload only comes into play for intra-VLAN traffic, passing between bridge ethernet
ports. HW offload doesn't do anything for traffic passing any other bridge ports (including bridge interface
Beware of the oddity with SFP cage connection ... when it's used, switch chip for ports eth6-eth10 looses one of interconnects.