VLAN access allowed when specifically denied.

Today when cleaning up vlans I noticed I mistakenly enabled the wrong vlan on a port on the VLANS page, but assigned it the correct vlan on the VLAN page.

This is what I think is going on can the community confirm it form.

Because on the VLAN page I have that port set as strict “only untagged” and specified a vlan id of 103, and the device itself is unaware of of any vlan; that no vlan tag is ever recived on this port, and since no vlan tag is received on that port it doesn’t matter if that port has vlan 103 enabled on the VLANS page. however if that device was sending a vlan tag and on the VLAN page I said strict tagged only, then the enforcement of the VLANS page would take effect.

Thank you for your time.

In RouterOS, when port has PVID set (in /interface bridge port, I guess it’s the same as default VID setting in SwOS shown in lower part of screenshot), it is automatically added to group of ports members of that VLAN (as untagged member of course). Only tagged membership has to be explicitly defined in config section (/interface bridge vlan) which seems to parallel the upper part of screenshot. Explicitly setting untagged membership is optional in ROS (and if set wrongly, it might lead to some odd misbehaviour).

Could be something similar happens in SwOS?