RCA-2026-02-001: Analysis

Root Cause

5 Whys Analysis

Why #	Question and Answer
1	Why did management traffic fail? Because: Untagged frames were tagged with VLAN 1 instead of VLAN 100
2	Why was VLAN 1 applied? Because: Default PVID on Linux bridge ports is 1
3	Why wasn’t PVID 100 configured? Because: `bridge vlan` commands don’t persist after vnet recreation
4	Why are vnets recreated? Because: libvirt creates new vnet interfaces on VM start
5	Why isn’t this documented anywhere? Because: Linux bridge VLAN filtering is relatively new (kernel 3.18+)

Root Cause Statement: Linux bridge vnet interfaces are ephemeral. VLAN configuration applied via bridge vlan add is lost when VMs restart because libvirt creates NEW vnet interfaces with default configuration (PVID 1, no VLAN tags).

PVID vs VLAN Tags

Two separate issues require different fixes:

Issue Symptom Fix

Issue	Symptom	Fix
Missing VLANs	Tagged traffic (VLANs 10,20,30…) dropped	`bridge vlan add vid X dev vnetN`
Wrong PVID	Untagged traffic goes to wrong VLAN	`bridge vlan del vid 1 … pvid` + `bridge vlan add vid 100 … pvid`

Missing VLANs

Tagged traffic (VLANs 10,20,30…) dropped

bridge vlan add vid X dev vnetN

Wrong PVID

Untagged traffic goes to wrong VLAN

bridge vlan del vid 1 … pvid + bridge vlan add vid 100 … pvid

PVID (Port VLAN ID): Tags untagged ingress frames. Default PVID is 1. VMs sending management traffic untagged on native VLAN 100 - if PVID is 1, traffic lands in wrong VLAN.