Tag stacking - If a packet has a VLAN tag that matches the EtherType, then the packet is considered as a tagged packet, but you can force another VLAN tag regardless of the packet's content.This also gives a possibility to divert specific traffic through different devices in your network. VLAN Tunnelling - If the EtherType of the packet does not match with the EtherType configured for the bridge, then ingress packets are considered as untagged packets, this behavior gives a possibility to encapsulate VLANs into another, different VLAN.
The selected EtherType will be used for VLAN filtering and VLAN tagging/untagging. EtherType - By default, a VLAN aware bridge will filter VLANs by checking the C-TAG (0x8100), all other VLAN tags are considered as untagged packets (without a VLAN tag).frame-type - You can filter out packets whether they have a VLAN tag or not, this is useful to add an extra layer of security for your bridge ports.Settings related to the CPU port are under /interface bridge When using bridge VLAN filtering, the CPU port is mostly used to create management access. CPU port - The bridge itself is a port as well, this is can be called as the CPU port since this is the port that is used to communicate with the device's CPU.Management access is a great way to add another layer of security when accessing the device through a bridge port, this type of access is sometimes called the management port and it is related to the CPU port of a bridge.
With bridge VLAN filtering you can limit which packets are allowed to access the device that has the bridge configured, the most common practice is to allow access to the device only by using a very specific VLAN ID, but there are other ways you can grant access to the device.