![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
For the benefit of Google, posting the cause of the problem here.
We discovered the Windows networking stack has a bug where VLAN tags are stripped from network packets, and the now stripped packet is passed along. The effect of the bug is that all VLAN traffic and all non-VLAN untagged traffic are combined inside Windows, and appear to be on the same network. The rest of the network correctly believes the untagged LAN and the tagged VLAN are separate networks.
The subtle mismatches cause symptoms like the Windows machine negotiating an IPv4 address on the untagged LAN, and then later negotiating an IPv4 address on the tagged VLAN, triggering unexplained and sudden outages. IPv6 SLAAC addressing breaks straight away - the Windows machine sees two different announcements from two different networks, and immediately give itself two separate IPv6 addresses. With the IPv6 gateway being a link local address with an identical name on both networks, chaos ensues with upstream routing.
For Realtek network drivers, a registry entry called MonitorModeEnabled set to 1 tells the driver to pass the VLAN packets through "for monitoring purposes". This has the effect of the VLAN packets being dropped as they should be. We have not yet found a workaround for Intel adapters.