Thanks for your question.
Please refer to the 53242 datasheet for the VLAN feature and register descriptions, and to the application note "53242-AN300-RDS" for VLAN table programming. There is also the application note "5387_5389-PG100-R" for the other chip, the 5389, as a reference for VLAN feature configuration. These docs are all in the Ethernet Switches Community Library folder. Please find my comments inline below, marked [r], per your questions:
1. I am guessing that VLAN forwarding ports pass tagged traffic unchanged in both directions, and VLAN un-tag ports tag un-tagged traffic on ingress and un-tag tagged traffic on egress. Is this correct?
[r]: Basically it is correct. But the untag behavior is on the egress side: for both ingress tagged traffic and untagged traffic, the 1Q tag will be removed based on the untag port setting rule.
2. How would one correlate a given VLAN Table entry to a given VID?
[r]: The VID will be stored in the ARL entry VID field along with the MAC address. Please see the BCM53242 datasheet "53242M-DS302" [Figure 14: BCM53242M Address Table Organization].
3. How would one restrict traffic through a port to only packets tagged with one VID?
[r]: I am not sure I fully understand the question. Each ingress packet will be tagged with one VLAN tag with one VID if the ingress packet is untagged; the VLAN tag is not related to restricting traffic.
4. How would one allow a port to pass all traffic except that tagged with a certain VID? This includes all un-tagged traffic and any tagged traffic not tagged with that certain VID?
[r]: When the VLAN feature is enabled, traffic forwarding is required to follow the VLAN rules. If the ingress packet's VID is missed, then the packet will be dropped if its VID is invalid, or be trapped to the IMP port. The packet VLAN ID needs to be consistent with the VLAN group domain setting.
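
The tagging rules discussed in this thread, as an added Python model that is not part of the original reply and is not Broadcom code or BCM53242 register programming. All names (`VlanEntry`, `forward_map`, `untag_map`, `default_vid`, `miss_action`) are hypothetical, and the model assumes flooding to all member ports (no ARL lookup) and an ingress membership check.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VlanEntry:
    forward_map: frozenset  # member ports of this VLAN
    untag_map: frozenset    # member ports that strip the 1Q tag on egress

def switch_frame(wire_vid: Optional[int], in_port: int, vlan_table: dict,
                 default_vid: dict, miss_action: str = "drop"):
    """Model one frame. wire_vid is None for an untagged frame.

    Returns (action, {egress_port: vid_on_wire_or_None}).
    """
    if miss_action not in ("drop", "trap_to_imp"):
        raise ValueError("miss_action must be 'drop' or 'trap_to_imp'")
    # Untagged ingress frames are classified with the port's default VID.
    vid = default_vid[in_port] if wire_vid is None else wire_vid
    entry = vlan_table.get(vid)
    if entry is None:
        # VID miss: no VLAN table entry, so drop or trap to the IMP port.
        return miss_action, {}
    if in_port not in entry.forward_map:
        # Assumption: the ingress port must belong to the VLAN group.
        return "drop", {}
    # Assumption: flood to every other member port (no ARL lookup modelled).
    egress = {}
    for port in sorted(entry.forward_map - {in_port}):
        # Untagging is an egress decision, however the frame arrived.
        egress[port] = None if port in entry.untag_map else vid
    return "forward", egress

# Constructed sample: VLAN 10 on ports 1-3, port 2 is an untag port.
VLAN_TABLE = {10: VlanEntry(frozenset({1, 2, 3}), frozenset({2}))}
DEFAULT_VID = {1: 10, 2: 10, 3: 10, 4: 99}

if __name__ == "__main__":
    for vid, port in [(None, 1), (10, 3), (20, 1), (None, 4)]:
        print(vid, port, switch_frame(vid, port, VLAN_TABLE, DEFAULT_VID))
```

A model like this is useful for checking an intended segmentation plan (which ports can ever see a given VID, tagged or untagged) before it is written into the switch's VLAN table.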