PVE with management on tagged VLAN

[tfboy]

I have a slightly strange setup which I'm trying to achieve: move the management onto a tagged vlan and be able to tag VLAN 1 for guests.

I have PVE up and running, and have been using a single NIC for both management and guest networks. Initially, I had the management on the untagged VLAN (10 in my case) and all guests were running on tagged VLANs, except for VLAN 1 which (for now), only works untagged.

So I think my first step is to be able to move the management from the untagged VLAN (10) to a tagged VLAN (still 10). Of course, I'm updating the configuration of my network switch for the port to present VLAN 10 in tagged format.

I've tried assigning this in my /etc/network/interfaces but without much luck, I presume because the management is on a bridge and not directly on the physical interface.
Here's what I've tried but with no luck:

iface enp38s0 inet manual

auto vmbr0.10
iface vmbr0.10 inet static
   address 192.168.10.21/24
   gateway 192.168.10.254
   bridge-ports enp38s0
   bidge-stp off
   bridge-fd 0
   bridge-vlan-aware yes
   bridge-pvid 10
   bridge-vids 1-4096

When I try this, I get a message:

error: netlink: vmbr0: cannot enslave link vmbr0 to vmbr0.10: operation failed with 'No such device' (19)
error: vmbr0.10 cannot change vlan-id to 10: operation not supported. Please delete the device with 'ifdown vmbr10' and recreate it to appy the change

So what's the best way of doing this?

Once that's fixed, I would hope that I can use VLAN 1 as a tagged VLAN as I have added VLAN 1 to the bridge-vids list now that I've moved the bridge-pvid 10, but maybe that's wrong?

 

[SteveITS]

FWIW we ended up creating a VLAN this way:

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
#front net for VMs

auto vlan1000
iface vlan1000 inet static
        address 10.0.0.20/24
        gateway 10.0.0.1
        vlan-raw-device eno1
#management net