Hi list, I have a question regarding the use of bridges with vlans. Suppose I have a lanbr which bridges together eth0 and various virtual interfaces. Putting aside bridge vlan filtering, any interface connected to the bridge will see both untagged and tagged traffic. To only see the tagged traffic portion of specific vlan I can simple create a bridge vlan interface (eg: lanbr.10) and use that virtual interface as a member of another bridge. In other words: eth0 -> lanbr -> lanbr.10 -> vlan10br Now, I wonder if it is possible to extract *only* the untagged traffic from the lanbr bridge. Something similar to that: eth0 -> lanbr -> lanbr.untagged -> untbr Full disclosure: a virtual machine bridged on lanbr will see both tagged and untagged traffic. This is fine for, say, a virtual firewall with a trunk interface. However, I do not want any other VM residing on the untagged bridge to see tagged traffic. So I need to confine these machines to see only untagged packet. One possible approach would be to use ebtables to drop 802.1q tagged packets on lanbr unless they are for a specific virtual machine interface (and it seems to work well), but I wonder if the same can be obtained without calling ebtables into the mix. Regards. -- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it email: g.danti at assyoma.it - info at assyoma.it GPG public key ID: FF5F32A8