Hi all, thanks for the replies. Mike there's a comment from a Mikrotik staff member on this post: https://forum.mikrotik.com/viewtopic.php?t=113724&start=50 and other similar pages. The exact comment on this from MK specifically is: "RB750Gr3 switch chip does not have full VLAN tagging/untagging support yet, it is planned to implement it in future. Currently, you should use RB750Gr3 switch chip only for basic switching." that was in November 2016, so was hoping that maybe things had changed since then. as for whether I'll go a virtual or hardware switch I'm not sure at this point. In general I'd try and use hardware support for things because dedicated ASICs tend to give you better performance than relying up the main CPU to achieve a feature (this isn't a MK specific comment btw, true of any vendors I've come across). So currently I'm using the switch chip vlan not routerOS virtual interface tagging. If I could continue to use it, that would be my preference... but if not does it change the actual config design a lot? I'm guessing once you have the VLAN interface up then all your other rules are still referring to object(x) which just happens to be a virtual interface instead of a switch chip vlan? Or not...? Thanks! Chris