Skip to content
MikroTik RouterOS Docs

RouterOS VLAN: 802.1Q Trunk and Access Port Configuration

RouterOS VLAN: 802.1Q Trunk and Access Port Configuration

Section titled “RouterOS VLAN: 802.1Q Trunk and Access Port Configuration”

Summary

Section titled “Summary”

802.1Q VLAN tagging allows a single physical link to carry traffic for multiple VLANs by inserting a 4-byte tag into each Ethernet frame. RouterOS implements 802.1Q-based VLAN segmentation through two mechanisms:

  • Bridge VLAN filtering — the recommended method for L2 switching. Defines trunk and access port behavior via the bridge VLAN table and per-port settings. Supports hardware offloading on CRS switches.
  • /interface vlan sub-interfaces — L3 termination objects. Used to assign router IP addresses to specific VLANs for routing and services, not for pure L2 switching policy.

In practice, a complete VLAN deployment uses both: bridge VLAN filtering for L2 policy (trunk/access), and VLAN sub-interfaces on the bridge for L3 gateway services.

802.1Q VLAN Tagging on Ethernet Interfaces

Section titled “802.1Q VLAN Tagging on Ethernet Interfaces”

How 802.1Q Tagging Works

Section titled “How 802.1Q Tagging Works”

802.1Q inserts a 4-byte header after the source MAC address in an Ethernet frame. The tag contains:

  • TPID (Tag Protocol Identifier): 0x8100 identifies a tagged frame.
  • PCP (Priority Code Point): 3-bit 802.1p priority field.
  • DEI (Drop Eligible Indicator): formerly Canonical Format Indicator.
  • VID (VLAN Identifier): 12-bit VLAN ID, values 1–4094 (0 and 4095 are reserved).

An untagged frame carries no VLAN tag. An access port strips tags on egress so connected devices receive untagged frames. A trunk port sends and receives tagged frames and can carry multiple VLANs on a single link.

MTU Considerations

Section titled “MTU Considerations”

The 802.1Q tag adds 4 bytes to each frame. If the physical interface MTU is 1500, tagged frames carrying 1500-byte payloads will exceed MTU. In practice, RouterOS adjusts the L2 MTU automatically for VLAN sub-interfaces, but verify if strict MTU paths or QinQ (double tagging, 8 bytes added) are involved.

Bridge VLAN Filtering vs Interface VLANs

Section titled “Bridge VLAN Filtering vs Interface VLANs”

When to Use Bridge VLAN Filtering

Section titled “When to Use Bridge VLAN Filtering”

Use bridge VLAN filtering for any scenario requiring multiple ports to participate in VLAN-segmented switching:

  • Multi-port VLAN switch (managed access/trunk ports)
  • CRS switch chip hardware offloading
  • Centralized per-port VLAN policy via the bridge VLAN table

Bridge VLAN filtering is the recommended approach for RouterOS 7. It provides a single policy table (/interface bridge vlan) that defines tagged and untagged port membership for each VLAN, combined with per-port settings for ingress behavior.

When to Use Interface VLANs

Section titled “When to Use Interface VLANs”

Use /interface vlan for:

  • Assigning L3 gateway addresses to VLANs (SVI-style, always created on the bridge, not on physical ports)
  • Single-port VLAN termination — for example, an ISP trunk delivering traffic on a specific VLAN ID to a WAN interface

Do not create /interface vlan sub-interfaces on physical bridge slave ports as a substitute for bridge VLAN filtering. This bypasses the bridge VLAN table, prevents hardware offloading, and creates non-standard bridging configurations.

Configuring Trunk and Access Ports

Section titled “Configuring Trunk and Access Ports”

Step 1: Create the Bridge

Section titled “Step 1: Create the Bridge”
/interface bridge
add name=br1 vlan-filtering=no

Leave vlan-filtering=no until all ports and VLAN entries are configured.

Step 2: Add Ports to the Bridge

Section titled “Step 2: Add Ports to the Bridge”

Add all ports that will participate in VLAN switching:

/interface bridge port
add bridge=br1 interface=ether1 \
    frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes


add bridge=br1 interface=ether2 \
    pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes


add bridge=br1 interface=ether3 \
    pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes


add bridge=br1 interface=ether4 \
    pvid=30 \
    frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes

Port parameter reference:

ParameterTrunk PortAccess Port
pvid(not required — carries tagged VLANs)VLAN ID for untagged ingress frames
frame-typesadmit-only-vlan-taggedadmit-only-untagged-and-priority-tagged
ingress-filteringyesyes
  • pvid — Port VLAN ID. Untagged frames arriving on an access port are classified into this VLAN. Must match an entry in the bridge VLAN table where the port is listed as untagged.
  • frame-types — Controls ingress admission. admit-only-vlan-tagged drops untagged frames (trunk). admit-only-untagged-and-priority-tagged drops tagged frames (access). admit-all (default) accepts both.
  • ingress-filtering — When yes, frames for VLANs where the port is not a member are dropped on ingress. Always enable on both trunk and access ports.

Step 3: Populate the Bridge VLAN Table

Section titled “Step 3: Populate the Bridge VLAN Table”

Define VLAN membership for each VLAN. Include br1 in the tagged list for any VLAN the router must participate in (management, routing, DHCP):

/interface bridge vlan
add bridge=br1 vlan-ids=10 tagged=br1,ether1 untagged=ether2
add bridge=br1 vlan-ids=20 tagged=br1,ether1 untagged=ether3
add bridge=br1 vlan-ids=30 tagged=br1,ether1 untagged=ether4

Each entry maps a VLAN ID to its port membership:

ParameterDescription
vlan-idsVLAN ID (1–4094); supports ranges (10,20,30 or 100-200)
taggedPorts that send frames with the VLAN tag intact (trunk ports and CPU/bridge)
untaggedPorts that strip the VLAN tag on egress (access ports)

A port may not appear in both tagged and untagged for the same VLAN.

Step 4: Enable VLAN Filtering

Section titled “Step 4: Enable VLAN Filtering”

Once all entries are in place, enable VLAN filtering:

/interface bridge set br1 vlan-filtering=yes

Verification

Section titled “Verification”
/interface bridge vlan print
/interface bridge port print detail
/interface bridge monitor br1

Inter-VLAN Routing

Section titled “Inter-VLAN Routing”

To enable routing between VLANs, create VLAN sub-interfaces on the bridge (not on physical ports) and assign gateway IP addresses:

/interface vlan
add name=vlan10 interface=br1 vlan-id=10
add name=vlan20 interface=br1 vlan-id=20
add name=vlan30 interface=br1 vlan-id=30


/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30

This is the SVI (Switched Virtual Interface) pattern in RouterOS: VLAN sub-interfaces on the bridge act as per-VLAN L3 gateways. The bridge VLAN table must include br1 in the tagged list for each routed VLAN (as shown in the examples above).

Firewall Considerations

Section titled “Firewall Considerations”

Inter-VLAN traffic is routed and passes through the firewall forward chain. With a default-accept forward policy, all VLANs can reach each other immediately. With a default-drop policy, add explicit accept rules:

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="Allow established/related"
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.20.0/24 comment="VLAN10 to VLAN20"
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="VLAN20 to VLAN10"
add chain=forward action=drop comment="Drop all other inter-VLAN"

To isolate VLANs completely (no inter-VLAN routing), omit the VLAN sub-interfaces and do not add IP addresses. Traffic will remain L2-switched within each VLAN and will not be routed between VLANs.

Complete Example

Section titled “Complete Example”

Three VLANs (10, 20, 30), one trunk uplink on ether1, three access ports, with inter-VLAN routing:

# 1. Bridge
/interface bridge
add name=br1 vlan-filtering=no


# 2. Ports — trunk and access
/interface bridge port
add bridge=br1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=br1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br1 interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes


# 3. VLAN table
/interface bridge vlan
add bridge=br1 vlan-ids=10 tagged=br1,ether1 untagged=ether2
add bridge=br1 vlan-ids=20 tagged=br1,ether1 untagged=ether3
add bridge=br1 vlan-ids=30 tagged=br1,ether1 untagged=ether4


# 4. Enable filtering
/interface bridge set br1 vlan-filtering=yes


# 5. VLAN gateway interfaces on the bridge
/interface vlan
add name=vlan10 interface=br1 vlan-id=10
add name=vlan20 interface=br1 vlan-id=20
add name=vlan30 interface=br1 vlan-id=30


# 6. IP addresses
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30


# 7. Firewall — allow inter-VLAN, restrict as needed
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=0.0.0.0/0
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=0.0.0.0/0
add chain=forward action=accept src-address=192.168.30.0/24 dst-address=0.0.0.0/0
add chain=forward action=drop
Section titled “Related”