RB4011 router-on-a-stick

Yes, your assumptions are correct.

You need to enable VLAN support on the RB4011 and the Switch. Use RB4011 as a RoaS as depicted here: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
The SFP+ of the RB4011 and the corresponding Switch-Port will both be trunk ports.
The port on the switch where the new cable modem is connected will be an access port (if the modem is not VLAN capable).

Define a dedicated VLAN for that 2.5G cable modem connection.
Then add this VLAN to the WAN interface-list on the RB4011 and enable NAT on it.
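
Added example, not part of the original post: a RouterOS sketch of the RB4011 side of the steps above. The VLAN ID 99, the name `vlan99-wan` and the DHCP client are assumptions, and it assumes `sfp-sfpplus1` is used as a plain trunk interface rather than as a bridge port (with bridge VLAN filtering, as in the linked thread, the VLAN interface goes on the bridge instead).

```routeros
# Assumption: VLAN 99 is the dedicated VLAN for the cable modem.
# On the switch, the modem port is an untagged access port in VLAN 99
# and the port facing the RB4011 carries VLAN 99 tagged (trunk).

# 1. VLAN interface on the SFP+ trunk port of the RB4011
/interface vlan
add name=vlan99-wan vlan-id=99 interface=sfp-sfpplus1 comment="WAN via 2.5G cable modem"

# 2. Put the VLAN interface in the WAN interface list, so firewall rules
#    that match on the WAN list treat it as the untrusted side
/interface list member
add list=WAN interface=vlan99-wan

# 3. Assumption: the modem hands out the WAN address via DHCP
/ip dhcp-client
add interface=vlan99-wan disabled=no

# 4. NAT for traffic leaving through the WAN list. The default
#    configuration already ships an equivalent masquerade rule;
#    add this only if it is absent.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade WAN"
```

After applying it, check that `vlan99-wan` is the only WAN-list member reachable from the modem and that no LAN VLAN is tagged on the modem's access port.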