vlan-mode=secure in order to enforce a strict match to the contents of the VLAN table

disabled - ignore the vlan table, process packets containing vlan tags in the same way as if they did not contain vlan tags;
fallback - default mode - process packets containing vlan tags not represented in the vlan table in the same way as if they did not contain vlan tags. Packets containing vlan tags present in the vlan table, but the incoming port does not match any port in the vlan table entries, will not be dropped.
check - drop packets containing vlan tags not present in the vlan table. Packets containing vlan tags present in the vlan table, but the incoming port does not match any port in the vlan table entries, will not be dropped.
secure - drop packets containing vlan tags not present in the vlan table. Packets containing vlan tags present in the vlan table, but the incoming port does not match any port in the vlan table entries, will also be dropped.
When forwarding packets based on the identifier in the vlan tag, MAC addresses added to the MAC address table during training or manually are also taken into account.
Packets that do not contain vlan tags are processed in the same way as if they contained a vlan tag with vlan id = 0. This means that if the "vlan-mode" parameter is set to "check" or "secure", then in order to , in order to be able to forward packets without vlan tags, you will need to add a separate entry to the vlan table,
The vlan-header option (configurable via the /interface ethernet switch port menu) sets the VLAN tag mode on the outgoing port. This option functions only on the Atheros 8316 chip and can take the following values:
leave-as-is - the packet is not subject to changes on the outgoing port;
always-strip - if a VLAN header is present, it will be stripped from the packet;
add-if-missing - if the VLAN header is missing, it will be added to the packet.