ETO2TTNFLT
just joined
Topic Author
Posts: 8
Joined: Fri May 27, 2016 5:59 pm

[solved] How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 4:25 pm

What is the recommended way to best utilise the two switch CPUs on the RB2011iL? I am using it as an access switch and have two spare ports. After a very steep learning curve, I am just about comfortable trunking ports 5 and 6 to provide switching across all remaining ports.

Is using a software bridge instead better for freeing up access ports but worse for throughput? If I get another device that needs access on this switch then I will have to fall back to it, but would it be better just to use it now?

Being very new to RouterOS, I'm still sketchy on the details of how to configure the software bridge. Switch group 1 is set up and working fine with one trunk link to a HP switch and 4 access ports. Switch group 2 will consist of all access ports. Do I just configure them as normal and put the master port into a bridge with the master port from switch group 1?

Thanks for your responses,
Last edited by ETO2TTNFLT on Fri Jun 03, 2016 11:02 pm, edited 1 time in total.
 
TyBermea
newbie
Posts: 29
Joined: Mon Nov 02, 2015 3:18 am

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 5:12 pm

It's somewhat confusing to me what you are trying to accomplish. I suggest posting a network diagram and device configs to get help.
 
ETO2TTNFLT
just joined
Topic Author
Posts: 8
Joined: Fri May 27, 2016 5:59 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 6:29 pm

I work on a network with one RB2011 as an access switch for 7 devices.

ether1:LAN Trunk (Master)
ether2:Access, Vlan30(Slave)
ether3:Access, Vlan30(Slave)
ether4:Access, Vlan30(Slave)
ether5:Access, Vlan20(Slave)

ether6:Access,Vlan30(Master)
ether7:Access,Vlan30(Slave)(Unused)
ether8:Access,Vlan20(Slave)
ether9:Access,Vlan10(Slave) (Unused)
ether10:Access,Vlan10(Slave)

The RB2011 works, effectively, as one 5-port gigabit switch and one 5-port fast-ethernet switch connected by the router CPU.

I need all VLANs from the uplink on ether1 to be shared across all 9 access ports. Is the best way to do this by a software bridge within RouterOS or by rearranging my VLANs and connections and adding a physical trunk link from, for example, ether5 to ether6?

I also have an issue with how to manage the device. I want the device to be managed from VLAN10. This works fine. However, no devices connected to ports in VLAN10 get a DHCP address. Is there a better way to solve this than adding VLAN10 to the bridge? For some reason, in my head that doesn't seem efficient.
 
TyBermea
newbie
Posts: 29
Joined: Mon Nov 02, 2015 3:18 am

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 6:54 pm

You could add the vlans to the master interface and slave the other interfaces to it or you could have each port with no master and create a vlan on each interface and then bridge them together individually. First method is probably better because it uses hardware. I haven't tried this so curious to know which works best.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 7:20 pm

> I also have an issue with how to manage the device. I want the device to be managed from VLAN10. This works fine. However, no devices connected to ports in VLAN10 get a DHCP address. Is there a better way to solve this than adding VLAN10 to the bridge? For some reason, in my head that doesn't seem efficient.

As long as you haven't enabled any bridge firewall/nat rules and haven't enabled the use-ip-firewall option on the bridge, the bridge can forward traffic with fastpath which should be good enough for a few 10/100 hosts communicating to the gigabit switch.

You would want to make sure that all VLANs include cpu in switch1 and in switch2.
Then bridge the master port of switch1 to the master port of switch2. The bridge won't need to know anything about the particular vlans because it will just forward the frames with their 802.1q headers intact.

For management, you will need to put a vlan10 interface on the bridge - that's normal, and it will only be used for IP traffic to/from the 2011 itself.
You can even put IP firewall filters on the vlan10 interface w/o breaking fastpath. You could even go so far as to disable IP forwarding in the IP settings.

To get a management IP address, you can put a dhcp-client on the vlan10 interface, or just configure a static IP address / default GW on the 2011 for management. Remember that this interface will only be used to talk to the 2011 itself. It will still forward all ethernet layer2 traffic as normal switched/bridged frames.
 
ETO2TTNFLT
just joined
Topic Author
Posts: 8
Joined: Fri May 27, 2016 5:59 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 10:37 pm

So the perceived wisdom is software bridging is adequate for the 5 10/100 ports. This was great when I had it working.

What would now be great is if I realised I hadn't made a backup of the config, just a very limited script. That, coupled with my VERY experimental knowledge of RouterOS, and I am back to the place where I can't ping from the management vlan. I accidentally added a default-vlan-id to switch1-cpu (management vlan). It won't let me change it back to auto. Would this be the cause?

It's going to be a long night.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 11:28 pm

I've never tinkered with vlans on the HW-based switch, so my insights are pretty much "academic" in that I've read several threads here about various things with it....

Anyway, that being said, I would think that allowing all vlans to CPU without modifying the vlan tags is what you want for cpu-bridging between the two switches. It might be easiest if all vlans are tagged when forwarded to the CPU - then whichever VLAN it is you want to use for management, create a vlan interface on the bridge interface with that vlan-id set to 10, and put the management IP of the Mikrotik on that vlan interface. Don't forget to put the default GW route in the IP routes configuration. (dst=0.0.0.0/0)

Your DHCP comment is a tad ambiguous to me - should the Mikrotik be the DHCP server for vlan 10, or is there some other device doing it, and you're using the lack of dhcp connectivity as evidence that the bridging isn't working properly?
 
ETO2TTNFLT
just joined
Topic Author
Posts: 8
Joined: Fri May 27, 2016 5:59 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Wed Jun 01, 2016 11:42 pm

Sorry, I'm learning a lot of terminology very quickly here and not paying attention to what I am writing.

I first set the configuration up with the software bridge between the two switch chips and most things worked as they should.
The vlan10 interface was placed solely on ether1, not on the inter-switch bridge.
Due to the route directing all traffic bound for the 172.20.10.0/23 subnet to the vlan10 interface, no traffic for vlan10 crossed the bridge to the second switch chip, meaning the DHCP offers coming from an external router were not reaching devices on vlan10 access ports. (This was my interpretation of what was going wrong, probably completely incorrect.)
I tried adding vlan10 to the bridge and this solved the problem.
I was about to try taking the vlan10 interface off the bridge and making the route to it more specific to see if that worked. Unfortunately, one bit of wrong config and I was kicked off, and my backup config wasn't a backup config. Working back to where I was now.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Thu Jun 02, 2016 12:09 am

> Sorry, I'm learning a lot of terminology very quickly here and not paying attention to what I am writing.
>
> I first set the configuration up with the software bridge between the two switch chips and most things worked as they should.
> The vlan10 interface was placed solely on ether1, not on the inter-switch bridge.
> Due to the route directing all traffic bound for the 172.20.10.0/23 subnet to the vlan10 interface, no traffic for vlan10 crossed the bridge to the second switch chip, meaning the DHCP offers coming from an external router were not reaching devices on vlan10 access ports. (This was my interpretation of what was going wrong, probably completely incorrect.)
> I tried adding vlan10 to the bridge and this solved the problem.
> I was about to try taking the vlan10 interface off the bridge and making the route to it more specific to see if that worked. Unfortunately, one bit of wrong config and I was kicked off, and my backup config wasn't a backup config. Working back to where I was now.

Adding vlan10 to the bridge is the correct and preferred way of making a bridging Mikrotik "participate" in a VLAN using IP.

Correct me if I'm wrong, but I've had the impression that you're just wanting to use this 2011 as a managed switch with VLAN capability, and not for any routing - thus there is/are some other router(s) that is/are the default GW for each vlan, correct? So that being said, there don't need to be any routes/whatever to reach the switch for management-only purposes. As far as the IP layer is concerned, you can think of this 2011 the same as any other pc/device connected to the network. It just has an IP address and you use that to talk to it.

Have you tried to get into the device using its MAC address from Winbox? You could delete all IP addresses entirely and still be able to get back in the box with that. Or, if you have access to one of those blue cisco console cables, you could console into the 2011 with that.
 
ETO2TTNFLT
just joined
Topic Author
Posts: 8
Joined: Fri May 27, 2016 5:59 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Thu Jun 02, 2016 12:30 am

Correct, I'm just having a bit of a hard time figuring out how the 2011 deals with the vlan interfaces.

I'm calling the two switch chips on the 2011 sw1 and sw2.

currently, the vlan10 interface is configured to ether1 (the master port for sw1 and trunk link for the whole device)
ether1 and ether6 (master port for sw2) are in the bridge-local bridge
devices plugged into vlan20 or vlan30 access ports on sw2 communicate correctly with the LAN
devices plugged into a vlan10 access port on sw2 do not communicate.

if I add interface vlan10 to the bridge, devices plugged into vlan10 access ports on sw2 can communicate. A side effect is a large amount of extra traffic being examined by the CPU (simple check on the number of hosts observed by bridge-local).

The issue now is really academic. There should not be enough traffic from sw2 ports to cause significant problems for the CPU, however, there must be a way to send this traffic across the bridge in the same way that vlan20 and vlan30 do.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Thu Jun 02, 2016 12:46 am

> if I add interface vlan10 to the bridge, devices plugged into vlan10 access ports on sw2 can communicate. A side effect is a large amount of extra traffic being examined by the CPU (simple check on the number of hosts observed by bridge-local).

By "add interface vlan10 to the bridge" do you mean....

This: (wrong)
/interface bridge port add bridge=bridge-local interface=vlan10

Or this: (right)
/interface vlan add name=vlan10 vlan-id=10 interface=bridge-local

The first one will inject the traffic from the bridge into VLAN10 of the hw switch. (assuming that vlan10 interface is a sub-interface of ether1)
If the bridge's traffic was tagged, then it will be double-tagged on switch1, and if untagged on the bridge, it will become single-tagged as 10 on switch1....

The second one creates a connection between the Mikrotik CPU and the bridge, speaking with tagged traffic ID=10 on the bridge, and not tagged when going to/from the CPU.

Basically, I think of interfaces as having a "front" and a "back" side - in the case of a vlan interface, the front side will spit out tagged frames, and it will receive only tagged frames. The back side goes to the CPU with no tags present. When you set the physical interface for a vlan interface, then that connects the front of the vlan interface to whatever physical interface you specified.

When you connect an interface to a bridge as a port of that bridge, then you're connecting the back of that interface to the bridge, and allowing traffic to get forwarded to some other port of the same bridge. If the port is a vlan interface, then what's happening is that the vlan's front side is grabbing tagged frames, and then ripping them off and spitting them out the back side directly onto the bridge.
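
The tag handling described in the post above, modelled in Python as an added example (not part of the original thread and not RouterOS code). The function names and sample frames are constructed for illustration, and the model follows the post's "front/back" description rather than RouterOS internals.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag after the destination and source MACs."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def tags(frame: bytes) -> list:
    """Return the VLAN IDs stacked on a frame, outermost first."""
    found, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        found.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return found

def vlan_front_rx(frame: bytes, vid: int):
    """Front side: accept only frames whose outer tag is vid, strip that
    tag and pass the frame to the back side; ignore everything else."""
    if tags(frame)[:1] != [vid]:
        return None
    return frame[:12] + frame[16:]

def vlan_back_tx(frame: bytes, vid: int) -> bytes:
    """Back side: anything handed in leaves the front tagged with vid."""
    return push_tag(frame, vid)

# Constructed sample: broadcast dst, locally administered src, IPv4, padding.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
VLAN10 = push_tag(UNTAGGED, 10)   # as forwarded tagged by a switch CPU port
VLAN20 = push_tag(UNTAGGED, 20)

def wrong_config(bridge_frame: bytes) -> list:
    """vlan10 (sub-interface of ether1) added as a bridge port: the bridge
    feeds frames into its back, so they reach switch1 with tag 10 pushed."""
    return tags(vlan_back_tx(bridge_frame, 10))

def right_config(bridge_frame: bytes):
    """vlan10 created on bridge-local: the bridge forwards the frame
    unchanged; the CPU gets an untagged copy only if the tag is 10."""
    to_cpu = vlan_front_rx(bridge_frame, 10)
    return tags(bridge_frame), None if to_cpu is None else tags(to_cpu)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan10", VLAN10), ("vlan20", VLAN20)):
        print(name, "wrong:", wrong_config(f), "right:", right_config(f))
```

In the wrong layout a VLAN 20 frame leaves with the tag stack `[10, 20]`, which places other VLANs' traffic inside the management VLAN; in the right layout only VLAN 10 frames ever reach the router's own IP stack.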
 
ETO2TTNFLT
just joined
Topic Author
Posts: 8
Joined: Fri May 27, 2016 5:59 pm

Re: How to connect two switch groups. Cable vs Software Bridge RB2011iL

Fri Jun 03, 2016 11:02 pm

Thanks for your help with this ZeroByte, I have done as you said and associated the vlan10 interface with bridge-local. The switch is now functioning as intended.