Hi,
using crs 317 6.86.4. Eventhough sfp 16 is not allowed with vlan 2606. I see mac address on the this port with vlan 2606.

/interface bridge> pr
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled arp-timeout=auto mac-address=2C:C8:1B:2F:C8:56 protocol-mode=mstp fast-forward=yes igmp-snooping=no
auto-mac=no admin-mac=2C:C8:1B:2F:C8:56 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 region-name="R1" region-revision=0
max-hops=20 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes dhcp-snooping=no


/interface bridge vlan> pr
0 bridge 3501 bridge
sfp-sfpplus16-LXM
1 bridge 2607 sfp-sfpplus16-LXM sfp-sfpplus2-Sigma
2 bridge 167 sfp-sfpplus2-Sigma
sfp-sfpplus16-LXM
help would be appreciated
thanks

/export hide=sensitive file=anynameyouwish

PLUS
network diagram

Without seeing the configuration from /export hide-sensitive it is difficult to say, likely missing port ingress filtering.

Without seeing the configuration from /export hide-sensitive it is difficult to say, likely missing port ingress filtering.

ty

You have only specified ingress-filtering=yes on bridge ports sfp-sfpplus2-Sigma, sfp-sfpplus16-LXM and the bridge itself (which is the bridge-to-CPU port), all the other bridge ports will permit ingress of any VLAN ID.

As you have filtering on sfp-sfpplus16-LXM it may be that the bridge hosts table is populated before the packet is dropped, you could open a support ticket and see what Mikrotik say.