How to forward one or a few VLANs to a KVM virtual machine

Next step using Open vSwitch (OVS) network configuration (How to forward all VLANs to a KVM virtual machine using Open vSwitch (OVS)) to provide only one VLAN.

Create a new bridge interface

# ovs-vsctl add-br vlan236

Bridge "vlan236"
    Port "vlan236"
        Interface "vlan236"
            type: internal

Create patch port connecting to br0 (all VLANs)

# ovs-vsctl add-port vlan236 vlan236-br0 \
   -- set interface vlan236-br0 type=patch options={peer=br0-vlan236}

Create patch port on br0 with VLAN tag restriction

# ovs-vsctl add-port br0 br0-vlan236 tag=236 \
   -- set interface br0-vlan236 type=patch options={peer=vlan236-br0}

Done. Now you can define a new KVM network with virsh net-define and use it as usual.

OVS bridge state example

# ovs-vsctl show 
7a0c9d14-3166-4173-8813-bb43a01e39f0
    Bridge "vlan236"
        Port "vnet4"
            Interface "vnet4"
        Port "vlan236"
            Interface "vlan236"
                type: internal
        Port "vlan236-br0"
            Interface "vlan236-br0"
                type: patch
                options: {peer="br0-vlan236"}
    Bridge "br0"
        Port "vnet2"
            Interface "vnet2"
        Port "br0"
            Interface "br0"
                type: internal
        Port "bond0"
            Interface "bond0"
        Port "br0-vlan236"
            tag: 236
            Interface "br0-vlan236"
                type: patch
                options: {peer="vlan236-br0"}
        Port "vnet0"
            Interface "vnet0"

Human Logic, AI Syntax... Note on Content: I'm a Systems Engineer, not a native English writer. To ensure my technical ideas are clear and accessible, I use AI tools to polish the grammar and style. The workflow is simple: I provide the logic, the code, and the real-world experience. The AI handles the "English-to-Human" translation layer. If you find a bug, that's on me. If you find a perfectly placed comma, that's probably the AI.