[pve-devel] [PATCH docs] warn about fail-open default in vlan
Yahya Jabary
y.jabary at proxmox.com
Thu Jan 22 11:50:10 CET 2026
Signed-off-by: Yahya Jabary <y.jabary at proxmox.com>
---
pve-network.adoc | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/pve-network.adoc b/pve-network.adoc
index 03524e4..23fd2a3 100644
--- a/pve-network.adoc
+++ b/pve-network.adoc
@@ -614,6 +614,14 @@ which is transparently supported by the Linux bridge.
Trunk mode is also possible, but that makes configuration
in the guest necessary.
+[WARNING]
+====
+If no VLAN tag is specified in the guest configuration, the interface defaults
+to a VLAN trunk. This allows the guest to access *all* VLANs on the bridge by
+configuring VLAN tags inside the guest OS. To strictly isolate the guest to a
+specific VLAN (Access Mode), you must define a VLAN tag in the hardware settings.
+====
+
* *"traditional" VLAN on the Linux bridge:*
In contrast to the VLAN awareness method, this method is not transparent
and creates a VLAN device with associated bridge for each VLAN.
--
2.47.3
More information about the pve-devel
mailing list