sejtam
Frequent Visitor
Topic Author
Posts: 67
Joined: Sun Dec 14, 2014 4:23 pm

manual explanation please

Tue Feb 17, 2015 6:33 pm

http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
says:
Vlan Table

Vlan table specifies certain forwarding rules for packets that have a specific 802.1q tag. Those rules are of higher priority than switch groups configured using the 'master-port' property. Basically the table contains entries that map specific vlan tag ids to a group of one or more ports. Packets with vlan tags leave the switch chip through one or more ports that are set in the corresponding table entry. The exact logic that controls how packets with vlan tags are treated is controlled by the vlan-mode parameter, which is changeable per switch port in the /interface ethernet switch port menu. Vlan-mode can take the following values:

disabled - ignore vlan table, treat packets with vlan tags just as if they did not contain a vlan tag;
fallback - the default mode - handle packets with a vlan tag that is not present in vlan table just like packets without vlan tag. Packets with vlan tags that are present in vlan table, but incoming port does not match any port in vlan table entry, do not get dropped.
check - drop packets with a vlan tag that is not present in vlan table. Packets with vlan tags that are present in vlan table, but incoming port does not match any port in vlan table entry, do not get dropped.
secure - drop packets with a vlan tag that is not present in vlan table. Packets with vlan tags that are present in vlan table, but incoming port does not match any port in vlan table entry, get dropped.

Vlan tag id based forwarding also takes into account the mac addresses learned or manually added in host table.

Packets without vlan tag are treated just like if they had a vlan tag with port default-vlan-id. This means that if "vlan-mode=check or secure" to be able to forward packets without vlan tags you have to add a special entry to vlan table with the same vlan id set according to default-vlan-id.

I don't understand the last sentence, and esp: "you have to add a special entry to vlan table with the same vlan id set according to default-vlan-id.".

Should that really read 'add a special entry to the rule table'?

Could someone give actual configuration examples?

How would one set up

a) an ingress port on which any packet seen should become part of that VLAN, but which rejects/drops already tagged packets?
b) a trunk port which rejects untagged packets?
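
The vlan-mode rules quoted in the post above can be read as a per-packet decision. The following is an added example, not part of the original post or the MikroTik manual, and it is not RouterOS code: a simplified Python model of the quoted text only. The port names, the table contents and the outcome labels (`drop`, `forward-vlan`, `forward-group`) are constructed for illustration, and host-table (MAC) lookups are left out.

```python
# Simplified model of the vlan-mode rules as quoted from the manual (assumption:
# this follows the quoted wording only, not measured switch-chip behaviour).

MODES = ("disabled", "fallback", "check", "secure")

def ingress_decision(vlan_mode, in_port, tag, default_vlan_id, vlan_table):
    """Return 'drop', 'forward-vlan' or 'forward-group' for one packet.

    tag        -- 802.1Q vlan id, or None for an untagged packet
    vlan_table -- dict mapping vlan id -> set of member ports
    """
    if vlan_mode not in MODES:
        raise ValueError("unknown vlan-mode: %r" % vlan_mode)
    if vlan_mode == "disabled":
        return "forward-group"        # vlan table is ignored entirely
    # Untagged packets are treated as if tagged with the port's default-vlan-id.
    vid = default_vlan_id if tag is None else tag
    members = vlan_table.get(vid)
    if members is None:               # vlan id has no entry in the vlan table
        return "forward-group" if vlan_mode == "fallback" else "drop"
    if vlan_mode == "secure" and in_port not in members:
        return "drop"                 # only 'secure' enforces ingress membership
    return "forward-vlan"             # leaves via the ports in the table entry

# Constructed sample vlan table: vlan 10 on ether2+ether5, vlan 20 on ether3+ether5.
SAMPLE_TABLE = {10: {"ether2", "ether5"}, 20: {"ether3", "ether5"}}

def demo():
    """Walk a few constructed packets through each mode."""
    cases = [
        # (vlan-mode, ingress port, tag, default-vlan-id)
        ("secure", "ether2", None, 10),   # untagged, default id has an entry
        ("secure", "ether2", None, 1),    # untagged, default id has no entry
        ("check",  "ether2", 20,   10),   # tagged, port not in the vlan 20 entry
        ("secure", "ether2", 20,   10),   # same packet under 'secure'
        ("fallback", "ether2", 99, 10),   # tag unknown to the table
    ]
    return [(c, ingress_decision(c[0], c[1], c[2], c[3], SAMPLE_TABLE))
            for c in cases]

if __name__ == "__main__":
    for case, verdict in demo():
        print(case, "->", verdict)
```

The second case is the situation the quoted last sentence describes: under check or secure, an untagged packet is looked up under default-vlan-id, so without a vlan table entry for that id it is dropped.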