ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Switch Chip VLAN Setting Question (HAPAC2)

Wed Mar 24, 2021 1:48 pm

Port 1-4 = Trunk Port
Port 5 = Access Port (VL10)

---------

/interface ethernet switch port
set 0 vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure


Is A or B correct? (Or are they in effect the same, as eth5 is set to strip the header above?)

A:
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=20

B:
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=20
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Switch Chip VLAN Setting Question (HAPAC2)

Wed Mar 24, 2021 2:52 pm

 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Setting Question (HAPAC2)

Wed Mar 24, 2021 3:06 pm

Case A (ether5 member of VLANs 1, 10 and 20) doesn't make much sense, since the ether5 port is set to untag everything on egress and can only tag untagged frames with a single default-vlan-id on ingress.
 
ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: Switch Chip VLAN Setting Question (HAPAC2)

Wed Mar 24, 2021 3:44 pm


Thank you, I watched this. He uses option B.

Case A (ether5 member of VLANs 1, 10 and 20) doesn't make much sense, since the ether5 port is set to untag everything on egress and can only tag untagged frames with a single default-vlan-id on ingress.

This is the crux of my question. If in practice there is no difference (even though A does not make sense), then I would rather use A. Why? Time efficiency. When it comes to making changes, I can leave the vlan table alone and make changes only in the port settings.

If my logic makes sense.
 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Setting Question (HAPAC2)

Wed Mar 24, 2021 4:35 pm

If in practice there is no difference (even though A does not make sense), then I would rather use A.
I didn't say there was no difference. In case A traffic from other VLANs will bleed through ether5 (broadcasts, multicasts and some unicast packets if the switch doesn't know the exact egress port for the dst MAC address, ...). It goes against the gist of setting vlan-mode=secure ... Even more so if you don't set independent-learning=yes on all switch ports.
 
ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: Switch Chip VLAN Setting Question (HAPAC2)

Thu Mar 25, 2021 1:46 am

I didn't say there was no difference. In case A traffic from other VLANs will bleed through ether5 (broadcasts, multicasts and some unicast packets if the switch doesn't know the exact egress port for the dst MAC address, ...). It goes against the gist of setting vlan-mode=secure ... Even more so if you don't set independent-learning=yes on all switch ports.

Ah noted. Basically with option A, the access port becomes a hybrid port instead of a native access port. Is this correct?
 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Setting Question (HAPAC2)

Thu Mar 25, 2021 7:45 am

I didn't say there was no difference. In case A traffic from other VLANs will bleed through ether5 (broadcasts, multicasts and some unicast packets if the switch doesn't know the exact egress port for the dst MAC address, ...). It goes against the gist of setting vlan-mode=secure ... Even more so if you don't set independent-learning=yes on all switch ports.

Ah noted. Basically with option A, the access port becomes a hybrid port instead of a native access port. Is this correct?

No, a hybrid port means it is a member of one VLAN where frames on the outer side (i.e. on the wire) are untagged, and of one or more VLANs where frames on the outer side are tagged.
In case A the port is still an access port, all frames on the outer side will be untagged, but it is partly hybrid: on ingress it will accept frames tagged with VIDs from the list of VLANs. Normally a device beyond such a port won't be able to communicate bi-directionally with other devices from a "non-native" VLAN (because a normal NIC driver will do ingress filtering), but there are still some frames which will bleed one way or another.
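The bleed mkx describes, shown as an added example that is not part of the thread: a small Python model (a constructed simplification of the switch-chip rules the thread discusses, not RouterOS code) that applies the per-port settings and the two VLAN tables from the first post to constructed frames. It also covers the ingress side of the "partly hybrid" point: in case A, ether5 accepts frames tagged with VLAN 20.

```python
from typing import Dict, List, Optional

# Constructed model of the thread's setup (simplified, not RouterOS code):
# ether1-4 are trunk ports, ether5 is the access port for VLAN 10.
TRUNK = ["ether1", "ether2", "ether3", "ether4"]
PORTS: Dict[str, dict] = {p: {"default_vlan_id": 1, "vlan_header": "leave-as-is"}
                          for p in TRUNK + ["switch1-cpu"]}
PORTS["ether5"] = {"default_vlan_id": 10, "vlan_header": "always-strip"}

# The two VLAN tables from the first post (vlan-id -> member ports).
VLAN_TABLE_A = {1: TRUNK + ["ether5", "switch1-cpu"],
                10: TRUNK + ["ether5"],
                20: TRUNK + ["ether5"]}
VLAN_TABLE_B = {1: TRUNK + ["switch1-cpu"],
                10: TRUNK + ["ether5"],
                20: TRUNK}

def ingress(src_port: str, wire_vid: Optional[int],
            table: Dict[int, List[str]]) -> Optional[int]:
    """vlan-mode=secure on ingress: an untagged frame (wire_vid None) is
    classified into the port's default-vlan-id, a tagged frame keeps its VID.
    The frame is dropped (None) unless the ingress port is a member of that
    VLAN in the table (an unknown VID is dropped as well)."""
    vid = PORTS[src_port]["default_vlan_id"] if wire_vid is None else wire_vid
    return vid if src_port in table.get(vid, []) else None

def flood(src_port: str, wire_vid: Optional[int],
          table: Dict[int, List[str]]) -> Dict[str, Optional[int]]:
    """Broadcast / unknown-unicast forwarding: deliver to every other member
    port of the VLAN; the egress port's vlan-header decides whether the tag
    stays (leave-as-is) or is removed (always-strip).
    Returns {egress port: VID on the wire, None = untagged}."""
    vid = ingress(src_port, wire_vid, table)
    if vid is None:
        return {}
    return {p: (None if PORTS[p]["vlan_header"] == "always-strip" else vid)
            for p in table[vid] if p != src_port}

def leaks_to_ether5(vid_on_trunk: int, table: Dict[int, List[str]]) -> bool:
    """Does a flooded frame of VLAN vid_on_trunk arriving on ether1 reach
    the access port ether5?"""
    return "ether5" in flood("ether1", vid_on_trunk, table)
```

With table A a VLAN 20 broadcast entering on ether1 leaves ether5 untagged, indistinguishable on the wire from VLAN 10 traffic; with table B it never reaches ether5.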
