First of all, I am new to SwOS and this is my first time using it. I was testing VLANs when I encountered a behavior that I need help in understanding.

I created a new VLAN with id 99 on VLANs tab and assigned ports 23, 24 as members, port isolation = off. On VLAN tab I configured ports 23,24 as follows: VLAN mode = enabled, VLAN receive = any, Default ID = 99, Force VLAN ID = off. Both machines can communicate with each other, but when I remove one of the ports from VLAN members, they are still able to communicate to each other just fine. Per documentation

VLAN mode = enabled - Drop packets with VLAN tag ID that is not present in VLAN table. Default VLAN ID must be specified for access ports since it will be used to tag traffic from a certain port, enabled VLAN filtering

I was expecting switch to stop forwarding packets between the machines because they were no longer members of the same VLAN. Is this a bug or expected behavior and if so why?

Thanks

Forgot to mention I am running SwOS v2.7

Tested same scenario with v2.4 and behavior is the same.

After a bit more testing in v2.7 I think that behavior described in documentation (in bold)

disabled - VLAN table is not used. Switch discards packets with a VLAN tag on egress ports. If packet has a VLAN tag and the VLAN ID matches Default VLAN ID on egress ports, then with VLAN Receive=any the switch will remove the VLAN tag and forward the packet.

applies to all VLAN modes, not just 'disabled' mode.

So to paraphrase documentation: If ingress packet has a VLAN tag (which it always will because it either arrived tagged or was tagged by the switch with value from Default VLAN ID) and the VLAN ID matches Default VLAN ID on egress port, then with VLAN Receive set to any on egress port the switch will remove the VLAN tag and forward the packet no matter if egress port is a member of VLAN table. This applies to all VLAN modes.

Question is if this is a bug in the SwOS or just incorrect documentation.

I'm not familiar with SwOS, but from what your describing, it sounds like if you set the default VLAN-ID for a port, it automatically gets added to allowed vlans whether selected or not.