Sun Nov 06, 2022 2:10 pm
When an interface is made member of bridge, then no further configuration should use that interface directly. Such erroneous configuration isn't flagged as invalid by ROS, but sometimes causes random misbehaviour.
So no, you can't create vlan interface on top of ether1 interface. Besides, if bridge functions are offloaded to switch chip (either automaticalky by ROS or by manual configuration which is the case in your config), then most packets never pass the switch chip - CPU interconnect so there's no worry that they'll peg the CPU. The mentioned interconnect will only carry traffic which, according to switch chip's ARP table, has to be dealt with by CPU ... in your case that will include only management traffic between ether1 and ROS inside VLAN 523 as per switch chip configuration.
Potential overhead, caused by bridge, is slight as all packets targeting management interface have to pass bridge code but that code won't perform any of (potentially numerous) functions - e.g. none of VLAN related. Next step - handling of the VLAN header - will be performed by vlan pseudo-interface, but this step is identical as if this vlan interface was bound directly to ether1.
BTW ... I've never tried, but I have suspicion that your setup eoukdn't even perform as (unmanaged) switch between ports without having bridge configured. You can try and see if it does. You'll have to prepare a way of out-of-band management access though ...