Tagged networks and XCPNG
On the main interface, it does not filter out the tagged networks packets. It sends tagged and untagged packets to the VM’s that are on that interface.
When you need a VM to communicate on different vlans, it is easy for it to work.
When you want your VM to be isolated, you need to have it on a vlan. This is a Very important thing to be aware of.
For a better security posture, no VM should be on the main interface in XCPNG.