VLAN router + L2 switch
Devices with built-in switch chip
Warning: Not all devices with a switch chip are capable of VLAN switching on a hardware level, check the supported features for each switch chip, the compatibility table can be found Here. If a device has VLAN table support, then it is capable of VLAN switching using the built-in switch chip. You can check the device’s switch chip either in the provided link or by using /interface ethernet switch print
/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether1 hw=yes add bridge=bridge1 interface=ether2 hw=yes add bridge=bridge1 interface=ether3 hw=yes /interface ethernet switch vlan add ports=ether1,ether2 switch=switch1 vlan-id=20 add ports=ether1,ether3 switch=switch1 vlan-id=30 add ports=ether1,switch1-cpu switch=switch1 vlan-id=99 /interface vlan add interface=bridge1 vlan-id=99 name=MGMT /ip address add address=192.168.99.1/24 interface=MGMT /interface ethernet switch port set ether1 vlan-mode=secure vlan-header=add-if-missing set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20 set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30 set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
devices without a built-in switch chip
It is possible to do VLAN filtering using the CPU, there are multiple ways to do it, but it is highly recommended by using bridge VLAN filtering.
/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether1 hw=no add bridge=bridge1 interface=ether2 hw=no pvid=20 add bridge=bridge1 interface=ether3 hw=no pvid=30 /interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20 add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30 add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99 /interface vlan add interface=bridge1 vlan-id=99 name=MGMT /ip address add address=192.168.99.1/24 interface=MGMT /interface bridge set bridge1 vlan-filtering=yes