Hybrid Port: Tagged and Untagged on the Same Interface
Overview
A hybrid port carries both untagged (access) frames and tagged (trunk) frames on a
single physical interface. RouterOS implements this through bridge VLAN filtering — there
is no separate “hybrid” keyword; it is achieved by setting the correct `pvid`,
`frame-types`, and VLAN table memberships.
This is distinct from a pure trunk port (tagged only) or a pure access port (untagged only).
When you need a hybrid port:
| Scenario | Untagged VLAN | Tagged VLAN(s) |
|---|---|---|
| IP phone with PC passthrough on one wall port | Data (PC) | Voice (phone) |
| AP with management VLAN + client SSIDs | Management | SSID VLANs |
| IoT device + management on the same port | IoT | Management |
| Legacy device that cannot tag + modern VLAN stack | Legacy | Production |
Constraint: A port can be untagged for exactly one VLAN (its native VLAN, determined by `pvid`) while simultaneously being tagged for any number of other VLANs. The same VLAN ID cannot appear in both `tagged=` and `untagged=` for the same port.
Prerequisites
- RouterOS 6.41 or later (bridge VLAN filtering was introduced in v6.41)
- The interface must be a member of a bridge with `vlan-filtering` enabled (or to be enabled after configuration)
- Out-of-band or console access is recommended when enabling `vlan-filtering`, because incomplete VLAN table entries can cause traffic interruption
Warning — do not use your management interface as the hybrid port example. On most RouterOS devices (including CHR), `ether1` is the default management interface. Adding it to a bridge and enabling `vlan-filtering=yes` before assigning it to the correct VLAN will drop your SSH/Winbox session. Use a secondary interface (e.g., `ether3`) for the hybrid port, and ensure you have console or out-of-band access before enabling VLAN filtering.
Configuration
Concepts
Three parameters on `/interface bridge port` govern how a port handles frames:
| Parameter | Purpose |
|---|---|
| `pvid` | VLAN assigned to untagged ingress frames (the port’s native VLAN) |
| `frame-types` | Which frames are accepted on ingress |
| `ingress-filtering` | Drop frames whose VLAN is not permitted on this port |

`frame-types` values:
| Value | Port role |
|---|---|
| `admit-all` | Hybrid — accepts both tagged and untagged ingress |
| `admit-only-vlan-tagged` | Trunk — only tagged frames accepted |
| `admit-only-untagged-and-priority-tagged` | Access — only untagged frames accepted |

For a hybrid port, always use `frame-types=admit-all`.
Egress tagging is controlled per-VLAN in `/interface bridge vlan`:
- `untagged=<port>` — frames egress the port with the 802.1Q tag stripped
- `tagged=<port>` — frames egress the port with the 802.1Q tag present
Example: IP Phone + PC on the Same Port
Topology:
- `ether3` — hybrid edge port (wall jack; IP phone with PC passthrough)
- `ether2` — pure access port on VLAN 10
- `ether5` — uplink trunk to upstream switch (adapt to your uplink port name)
- VLAN 10 — data (PC traffic, untagged)
- VLAN 20 — voice (IP phone traffic, tagged with VLAN 20)
Step 1: Create the bridge
```
/interface bridge
add name=br1 vlan-filtering=no
```
Leave `vlan-filtering=no` until the VLAN table is complete.
Step 2: Add ports to the bridge
```
/interface bridge port
# Upstream trunk: tagged only
add bridge=br1 interface=ether5 \
    frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# Hybrid port: untagged VLAN 10 (native/data) + tagged VLAN 20 (voice)
add bridge=br1 interface=ether3 \
    pvid=10 \
    frame-types=admit-all \
    ingress-filtering=yes
# Pure access port: untagged VLAN 10 only
add bridge=br1 interface=ether2 \
    pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes
```
Key parameters for the hybrid port:
| Parameter | Value | Effect |
|---|---|---|
| `pvid` | `10` | Untagged ingress frames are classified as VLAN 10 |
| `frame-types` | `admit-all` | Accept both tagged and untagged ingress frames |
| `ingress-filtering` | `yes` | Drop frames for VLANs not in the VLAN table for this port |
Step 3: Populate the bridge VLAN table
```
/interface bridge vlan
# VLAN 10: ether3 sends/receives untagged (PC); uplink and CPU are tagged
add bridge=br1 vlan-ids=10 \
    tagged=br1,ether5 \
    untagged=ether3,ether2
# VLAN 20: ether3 sends/receives tagged (phone); uplink and CPU are tagged
add bridge=br1 vlan-ids=20 \
    tagged=br1,ether3,ether5
```
`ether3` appears as untagged in VLAN 10 and tagged in VLAN 20. This is what makes it a hybrid port.
The bridge interface (br1) is included as tagged in each VLAN so the CPU can send and receive on those VLANs (required for management access or L3 routing via VLAN interfaces).
Step 4: Enable VLAN filtering
```
/interface bridge set br1 vlan-filtering=yes
```
Enable only after the VLAN table and port assignments are complete.
Optional: Add L3 VLAN interfaces for routing or management
```
/interface vlan
add name=vlan10 interface=br1 vlan-id=10
add name=vlan20 interface=br1 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
```
Winbox
- Bridge → Bridge tab: add `br1`, enable VLAN Filtering.
- Bridge → Ports tab: add `ether3`, `ether2`, and `ether5` to `br1`.
  - `ether3` (hybrid): set PVID = `10`, Frame Types = `Admit All`, Ingress Filtering = checked.
  - `ether2` (access): set PVID = `10`, Frame Types = `Admit Only Untagged and Priority Tagged`, Ingress Filtering = checked.
  - `ether5` (trunk): set Frame Types = `Admit Only VLAN Tagged`, Ingress Filtering = checked.
- Bridge → VLANs tab:
  - Add VLAN 10: Tagged = `br1, ether5`; Untagged = `ether3, ether2`.
  - Add VLAN 20: Tagged = `br1, ether3, ether5`.
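The forwarding decisions this configuration produces, as an added example (not MikroTik code): a simplified Python model of ingress classification and egress tagging for the ports and VLAN table from Steps 2 and 3. It assumes the RouterOS default `pvid=1` on `ether5` and ignores MAC learning, STP and priority tags.

```python
# Added example: simplified model of bridge VLAN filtering for the Step 2/3 config.
# Flood case only: every other member port of the VLAN receives the frame.
PORTS = {  # /interface bridge port (ether5 keeps the RouterOS default pvid=1)
    "ether5": {"pvid": 1, "frame_types": "admit-only-vlan-tagged"},
    "ether3": {"pvid": 10, "frame_types": "admit-all"},
    "ether2": {"pvid": 10, "frame_types": "admit-only-untagged-and-priority-tagged"},
}
VLANS = {  # /interface bridge vlan
    10: {"tagged": {"br1", "ether5"}, "untagged": {"ether3", "ether2"}},
    20: {"tagged": {"br1", "ether3", "ether5"}, "untagged": set()},
}


def ingress(port, tag):
    """Return the VLAN ID a frame is classified into, or None if it is dropped.

    tag is the 802.1Q VLAN ID on the wire, or None for an untagged frame.
    """
    cfg = PORTS[port]
    if tag is None and cfg["frame_types"] == "admit-only-vlan-tagged":
        return None  # trunk: untagged frames rejected
    if tag is not None and cfg["frame_types"] == "admit-only-untagged-and-priority-tagged":
        return None  # access: tagged frames rejected
    vid = cfg["pvid"] if tag is None else tag  # pvid classifies untagged ingress
    entry = VLANS.get(vid)
    # ingress-filtering=yes: drop unless the port is a member of that VLAN
    if entry is None or port not in entry["tagged"] | entry["untagged"]:
        return None
    return vid


def egress(vid, in_port):
    """Map every other member port of the VLAN to 'tagged' or 'untagged'."""
    entry = VLANS[vid]
    out = {p: "tagged" for p in entry["tagged"]}
    out.update({p: "untagged" for p in entry["untagged"]})
    out.pop(in_port, None)
    return out


def trace(port, tag):
    """Path of one frame: (classified VLAN, egress tagging), or None if dropped."""
    vid = ingress(port, tag)
    return None if vid is None else (vid, egress(vid, port))
```

`trace("ether3", None)` follows the PC's untagged frame into VLAN 10 and `trace("ether3", 20)` follows the phone's tagged frame; a tag for a VLAN that is not in the table, such as 30, is dropped at ingress.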
Verification
```
# Confirm per-port pvid and frame-types
/interface bridge port print detail where interface=ether3
# Confirm VLAN table — check tagged/untagged lists
/interface bridge vlan print detail
# Check effective membership for specific VLANs
/interface bridge vlan print where vlan-ids=10
/interface bridge vlan print where vlan-ids=20
# Monitor traffic on VLAN interfaces
/interface monitor-traffic vlan10,vlan20
# Packet capture to verify tagging behaviour on ether3
/tool sniffer quick filter-interface=ether3 filter-ip-address=0.0.0.0/0
```
Expected output for `/interface bridge vlan print detail`:
- VLAN 10: `ether3` and `ether2` appear in `current-untagged`; `br1` and `ether5` in `current-tagged`.
- VLAN 20: `ether3`, `br1`, and `ether5` all appear in `current-tagged`.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| PC on hybrid port gets no IP | pvid mismatch or port missing from untagged= | Confirm pvid=<data-vlan> and port listed in untagged= for that VLAN |
| IP phone cannot register | Voice VLAN not in tagged= for the hybrid port | Add port to tagged= in the voice VLAN bridge entry |
| All traffic drops when `vlan-filtering=yes` is enabled | Router CPU (`br1`) not in any VLAN | Add `br1` to `tagged=` for every VLAN the router needs to reach |
| Untagged frames placed in wrong VLAN | Wrong pvid | Verify pvid matches the intended native VLAN ID |
| Trunk uplink dropping certain VLANs | ingress-filtering=yes but VLAN not in table | Add the missing VLAN to /interface bridge vlan with the uplink in tagged= |
| Loop or duplicate traffic | Port in both tagged= and untagged= for the same VLAN | A port must appear in exactly one list per VLAN — fix the bridge VLAN entry |
| Untagged frames accepted when trunk-only expected | Port has frame-types=admit-all instead of admit-only-vlan-tagged | Change frame-types to admit-only-vlan-tagged on the trunk port |
| HW offload not activating (CRS switches) | ingress-filtering=yes disables offload on some CRS models | Check /interface bridge port print for hw=yes/no; see MikroTik Bridge HW Offload docs |
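
One way to check a configuration for several of the causes in the table above before enabling `vlan-filtering=yes`, as an added Python example that is not part of RouterOS or the original page. The function names and the constructed sample strings are assumptions; continuation lines are assumed to be joined and `vlan-ids` ranges are not handled.

```python
import re


def parse_adds(text):
    """Turn RouterOS 'add key=value ...' lines (continuations joined) into dicts."""
    return [dict(re.findall(r"([\w-]+)=(\S+)", line))
            for line in text.splitlines() if line.strip().startswith("add ")]


def audit(port_cfg, vlan_cfg, bridge="br1"):
    """Return findings for misconfigurations listed in the troubleshooting table."""
    ports = {p["interface"]: p for p in parse_adds(port_cfg)}
    tagged, untagged = {}, {}  # VLAN ID -> set of port names
    for row in parse_adds(vlan_cfg):
        for vid in row["vlan-ids"].split(","):  # assumption: no ranges such as 10-20
            tagged[int(vid)] = set(filter(None, row.get("tagged", "").split(",")))
            untagged[int(vid)] = set(filter(None, row.get("untagged", "").split(",")))
    findings = []
    for vid in sorted(tagged):
        for port in sorted(tagged[vid] & untagged[vid]):
            findings.append(f"VLAN {vid}: {port} in both tagged= and untagged=")
    if not any(bridge in members for members in tagged.values()):
        findings.append(f"{bridge} is not tagged in any VLAN (CPU unreachable)")
    for name, p in sorted(ports.items()):
        pvid = int(p.get("pvid", 1))                # RouterOS default pvid=1
        ftypes = p.get("frame-types", "admit-all")  # RouterOS default
        if ftypes == "admit-only-vlan-tagged":
            continue  # trunk: untagged ingress is rejected, pvid is not used
        if name not in untagged.get(pvid, set()):
            findings.append(f"{name}: pvid={pvid} but not in untagged= for VLAN {pvid}")
    return findings


# Constructed samples: the page's Step 2/3 configuration, then a broken VLAN table.
GOOD_PORTS = """
add bridge=br1 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=br1 interface=ether3 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=br1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
"""
GOOD_VLANS = """
add bridge=br1 vlan-ids=10 tagged=br1,ether5 untagged=ether3,ether2
add bridge=br1 vlan-ids=20 tagged=br1,ether3,ether5
"""
BAD_VLANS = """
add bridge=br1 vlan-ids=10 tagged=ether5 untagged=ether2
add bridge=br1 vlan-ids=20 tagged=ether3,ether5 untagged=ether3
"""
```

`audit(GOOD_PORTS, GOOD_VLANS)` returns an empty list, while the broken table yields one finding each for the duplicate membership, the missing `br1` entry and the `pvid` mismatch on `ether3`.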