MikroTik

Hello!
Sorry for my English.
Please help.

I have some CRS106 and CRS212 mikrotik switches.
My management vlan for devices eg 99.
Example, config for first switch1: Bridge witch option "vlan-filtering=off".

My second switch2, config same as first switch, only the address is different.
Switch2 address: 10.10.10.12/8 (also vlan 99 name "mgmt" on uplink interface).

Now i connected switch1 10.10.10.11 to my network and I get access to it (ping work),
After i connect "uplink" port of the switch2 to the sfp1-sfp5 ports switch1.

And I have works access to the switch2 - ping 10.10.10.12 work.
How I may be to limit access to the switch2 through switch1?
In switch1 ports sfp1-sfp5 not member mgmt vlan, why bridge passes through itself tagged frame.

I want this, example:
switch1: mgmt vlan 99 on uplink, mgmt vlan 99 on sfp5 (name mgmt_sfp5).
After - add "mgmt" and "mgmt_sfp5" in "mgmt_bridge".
And after this - get access to switch2, only when connect to sfp5 on switch1.
It's possible?
I need disable tagged vlan frames in bridge on switch1 witch "vlan-filtering=off".

Bridge witch option "vlan-filtering=off".
...
In switch1 ports sfp1-sfp5 not member mgmt vlan, why bridge passes through itself tagged frame.

If you have vlan-filtering=off, then CRS won't touch VLAN tags at all.

If you want to drop tagged frames, then you have to enable vlan-filtering and set all ports (including bridge itself) to have pvid=1 and to be untagged member of VLAN ID=1.

Yes, I understand you.
If vlan-filtering=no, switch work as unmanaged, it forward any vlan frames. From wiki:

The main VLAN setting is vlan-filtering which globally controls vlan-awareness and VLAN tag processing in the bridge. If vlan-filtering=no, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets.

Maybe exist way drop all vlan frames in this mode?