Thanks for reply. I don't see why VLAN 1 would behave differently but if it does then I prefer not to use it
VLAN 1 doesn't behave any differently than any other VLAN set as default (2 in your case). The only gotcha with VLAN 1 is, as I wrote, that it's set as default VLAN in default settings and it's easier to overlook that ...
Untagged traffic in secure mode should be rejected ingress so why would anyone send back untagged traffic ?
Behaviour of link partner is not defined by settings of this end. In addition, this setup is secure:
/interface ethernet switch port
set ether1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set ether2 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2 switch=switch1 vlan-id=40
add independent-learning=yes ports=ether1,ether2 switch=switch1 vlan-id=42
The above setup configures ether1 as hybrid port (tagged VID 42 and untagged VID 40).
vlan-mode=secure makes sure no other VLANs can be injected on ingress. And the same setup configures ether2 as trunk port for both VLANs.
In the similar manner one would set
vlan-mode=secure on an access port (with default-vlan-id set) to make sure that on ingress no other VLANs are allowed.
In short: secure mode is not so much about untagged traffic, it's about VLANs (in general, untagged can be thought of another VLAN) on ingress.
I have not made an analysis of other vendors, but on my allied and tplink switches I can force tag on egress even if it is the default for the port.
My interpretation of how VLANs work in MT (not necessarily shared by other distinguished members of this forum) is that (when we start to work with VLANs) frames always pass bridge/switch tagged ... including those untagged frames ingressing port with default_vlan/pvid set. And that frames get stripped off VLAN tag if they should be tagless on egress. And my interpretation is that this process of tagging/untagging happens even for frames which flow from untagged towards untagged (switch/bridge may or might not analyze destination MAC address immediately upon ingress, if they don't they can't know whether VLAN header is needed or not). So to force header be included on egress it's vital to tag untagged frames on ingress ... and have port as normal (tagged) member of certain VLAN.
And I don't get an idea why would one accept untagged frames on ingress and force them tagged on egress ... if remote device can't handle tagged frames on (its) egress, why serve it tagged on (its) ingress ... unless one wants to mock around bug in windows network drivers which strip VLAN headers as one if first things on ingress.
I think vendors should not assume if we want tagging or not but let us choose exactly how we want things to behave. I think it is a place where explicit configuration should clearly prevails. I really hope MT would improve because the current situation with Bridge HW -> Switch -> Bridge SW is close to nightmare for configuration and predictability.
Different vendors (MT included) have different ways of doing the same thing. Your habit of setting default VLAN ID for tagged-only port should not become a standard.
As I already wrote, with MT exact configuration even slightly depends on particular switch chip type. However MT, introducing the bridge VLAN filtering, IMHO made a big step towards simpler and unified way of configuring things.
In my opinion, they should add as an interface an explicit switch port matching with switch CPU port (for device that have a switch of course). Also it should be possible to assign an ethernet port either to the switch or not (based on the HW capabilities). If the port is allocated to the switch it should not be available as a standalone interface anymore. That would match more closely the HW in hand and be much easier to work with. (The former master port concept was not so far away from a good solution but they went ahead with a solution that would never works as intended in practice)
As I wrote before: (not so) recent move by MT towards bridge-centric configuration shows that MT would like us to forget about HW peculiarities when configuring devices. And this is IMHO a good move. The only problem with this approach is that currently only a few device types support it in hardware (CRS3xx series), the rest do it in software. One can hope that this will improve with ROS v7.