1.- Choose a master port and enslave the ports you need to be in the same switch group. Switch groups are completely isolated from one another, as if they were 2 separate switches. No port can be in more than one switch group.
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
...
set etherN master-port=ether1
2.- Define which ports will belong to each VLAN. Add the switch1-cpu port to one VLAN so that you can reach the switch's CPU and manage it.
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,switch1-cpu \
vlan-id=1
add ports=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 \
vlan-id=2
3.- You must define "VLAN Tagging", even if no port is going to be tagged (leave tagged-ports empty). If some ports are to be tagged, define them in the rule. The ports belonging to that VLAN (as defined in 1.-) that are not listed here will be untagged. This is how the switch knows which VLAN the packet belongs to depending on the port it is going out of.
/interface ethernet switch egress-vlan-tag
add vlan-id=1
add tagged-ports=ether20 vlan-id=2
4.- Define an ingress VLAN translation, so the switch knows which VLAN the packet belongs to depending on which port it comes from. Keep a separate rule for the switch1-cpu port, even if it belongs to the same VLAN as other ports: that way you won't lose management access if you need to disable and/or modify the other ports' rule.
/interface ethernet switch ingress-vlan-translation
add customer-vlan-format=untagged-or-tagged new-customer-vid=1 ports=\
ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12 sa-learning=yes \
service-vlan-format=untagged-or-tagged
add customer-vlan-format=untagged-or-tagged new-customer-vid=2 ports=\
ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 \
sa-learning=yes service-vlan-format=untagged-or-tagged
add customer-vlan-format=untagged-or-tagged new-customer-vid=1 ports=switch1-cpu sa-learning=yes \
service-vlan-format=untagged-or-tagged
Now each port will get only the traffic it is intended for, but if you want to make sure that no VLAN traffic from VIDs not defined in the switch flows through it, set forward-unknown-vlan=no (defaults to yes).
/interface ethernet switch
set forward-unknown-vlan=no
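A consistency check for the three tables configured in steps 2 to 4, as an added example that is not part of the original instructions. It assumes the configuration is available as text in the same form as the commands above; the sample export is constructed and shortened to four ports, and the helper names (parse, ports, audit) are made up for this example.

```python
import re

# Constructed sample: the tables from steps 2-4, shortened to four ports.
SAMPLE = r"""
/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu vlan-id=1
add ports=ether3,ether4 vlan-id=2
/interface ethernet switch egress-vlan-tag
add vlan-id=1
add tagged-ports=ether4 vlan-id=2
/interface ethernet switch ingress-vlan-translation
add customer-vlan-format=untagged-or-tagged new-customer-vid=1 ports=\
ether1,ether2 sa-learning=yes
add new-customer-vid=2 ports=ether3,ether4 sa-learning=yes
add new-customer-vid=1 ports=switch1-cpu sa-learning=yes
"""

def parse(export):  # switch sub-menu name -> list of key=value dicts, one per 'add' line
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", export)  # join "\" line continuations
    tables, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line.removeprefix("/interface ethernet switch ")
        elif line.startswith("add ") and menu:
            tables.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S*)", line)))
    return tables

def ports(row, key):  # comma-separated port list of one rule, as a set
    return set(filter(None, row.get(key, "").split(",")))

def audit(export):  # list of violations of the rules stated in steps 2-4
    t = parse(export)
    members = {r["vlan-id"]: ports(r, "ports") for r in t.get("vlan", [])}
    tagged = {r["vlan-id"]: ports(r, "tagged-ports") for r in t.get("egress-vlan-tag", [])}
    ingress = t.get("ingress-vlan-translation", [])
    issues = []
    for vid, mem in members.items():
        if vid not in tagged:  # step 3: entry required even with no tagged ports
            issues.append(f"vlan {vid}: no egress-vlan-tag entry")
        elif tagged[vid] - mem:  # tagged port that is not a member of the VLAN
            issues.append(f"vlan {vid}: tagged ports outside VLAN {sorted(tagged[vid] - mem)}")
        covered = set().union(*(ports(r, "ports") for r in ingress
                                if r.get("new-customer-vid") == vid))
        if missing := mem - tagged.get(vid, set()) - covered:  # step 4, untagged members
            issues.append(f"vlan {vid}: no ingress translation for {sorted(missing)}")
    for r in ingress:  # step 4: switch1-cpu stays in a rule of its own
        if "switch1-cpu" in ports(r, "ports") and len(ports(r, "ports")) > 1:
            issues.append("switch1-cpu shares an ingress rule with other ports")
    return issues
```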