[PVE-User] Mapping of VLAN tags to Linux bridges: Is that possible?

Frank Thommen f.thommen at dkfz-heidelberg.de
Mon Jul 22 19:38:21 CEST 2024


Dear list members,

our current three-node PVE cluster hosts VMs from three different 
subnets/VLANs. Each host has - besides the network ports for the Ceph 
cluster - eight physical network ports (two for the host itself and two 
for each of the three VLANs). Always two ports are configured like this:

    switch port - host port (1 Gbit) \
                                      +- bond - bridge
    switch port - host port (1 Gbit) /

This is nice, because when configuring a VM, we can choose the 
appropriate bridge from the network menu, which also shows me the 
bridge's description, so that there can't be any mistakes as to which 
bridge has to be selected. However, that comes with too many cables and 
too many NICs. Especially as we expect to have to support more subnets 
in the near future.

Our networking department has suggested to move from dedicated switch 
ports to VLAN tags. This would reduce the eight 1 Gbit ports to two 25 
Gbit ports per host (LACP bonded), but as far as I can see, we would 
then have to - manually - enter the correct VLAN tag number for each 
virtual network device. I expect this to be very error prone and 
unintuitive. Best would be if it would be possible to create Linux 
bridges which map to individual VLAN tags like this:

    switch port - host port (25 Gbit) \         / VLAN 12 - bridge1
                                       +- bond -- VLAN 56 - bridge2
    switch port - host port (25 Gbit) /         \ VLAN 25 - bridge3


but unfortunately with PVE 7.x I could not find a way to achieve this. 
Is such a setup possible at all?

I've read that PVE 8.x greatly enhances the SDN capabilities of PVE. 
Will these SDN capabilities enable us to achieve the VLAN-bridge mapping?

Thanks for any hint or pointer
Frank


