Not sure what model this switch is?
If this is CBS
The dashboard doesn't expose the access vs trunk setting. Rather it always configures the port as a trunk and just allows and denies vlans on the trunk based on your configuration. If you only select a single access vlan for a port in dashboard, then the end result is a trunk port with the native vlan set and no other vlans allowed.
Is there a particular reason why you need an access port role rather than a trunk with only a native vlan enabled?
We consider it a best practice to configure in access mode the ports where only one VLAN is needed.
- Configure all user-facing ports as non-trunking (DTP off) --> https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap7.html
In addition, we are facing some strange cases where, when we add a VLAN to a profile, this new VLAN is added to some undesired trunk ports.
I understand where you are coming from. Do bear in mind that the best practices you cite are aimed at the Catalyst switch line, which supports a number of features that are not supported in the Cisco Business portfolio. In particular, DTP is not supported by the Cisco Business switches, so in the context of those guidelines, a trunk port on a Cisco Business switch with only a native vlan configured and permitted will function the same as an access port. Only untagged frames will be accepted into the native vlan and tagged frames with any other vlan ID will be discarded. And since there is no dynamic negotiation supported for the VLANs being trunked, the only way to change the behaviour is to reconfigure the switch.
With regard to the second point you raised, when you add a new vlan to a device group with multiple network devices in it, the dashboard will also explicitly enable the vlan on links that interconnect those devices in order to make sure the vlan is contiguous across the device group. Does that explain what you are seeing, or are the undesired ports connected to something else?
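Added example, not part of the thread and not Cisco's code: a small audit that flags trunk ports carrying any VLAN beyond their native one, which is the condition that separates an access-equivalent trunk from one that picked up an extra VLAN. The IOS-style `switchport` lines, the `!` block separator, the VLAN 1 default and the sample config are assumptions; the running-config on a Cisco Business switch may be worded differently.

```python
import re

# Constructed sample in IOS-style syntax (an assumption, not real switch output).
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
!
interface GigabitEthernet2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30-32
!
interface GigabitEthernet3
 switchport mode access
 switchport access vlan 20
!
"""

def expand_vlans(spec):
    """Expand a list such as '10,20,30-32' into {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config):
    """Map each trunk that carries more than its native VLAN to the extra VLANs.

    A trunk with no explicit allow-list maps to None (treated as unrestricted).
    """
    findings = {}
    for block in re.split(r"^!$", config, flags=re.M):
        name = re.search(r"^interface\s+(\S+)", block, re.M)
        if not name or not re.search(r"^\s*switchport mode trunk\s*$", block, re.M):
            continue  # access ports and non-interface blocks are out of scope
        native = re.search(r"switchport trunk native vlan (\d+)", block)
        allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", block)
        native_id = int(native.group(1)) if native else 1  # assumed default
        if not allowed:
            findings[name.group(1)] = None
            continue
        extra = expand_vlans(allowed.group(1)) - {native_id}
        if extra:
            findings[name.group(1)] = sorted(extra)
    return findings
```

Running `audit_trunks` against a saved config before and after a dashboard profile change shows which ports gained a VLAN; inter-switch links in the same device group are expected to appear.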