This message was deleted.

I've only added several NICs to a VM and attached each NIC to the appropriate VLAN. What's the reason you'd want to do the untagging in the VM?

i let my virtual firewalls do their own tagging, mostly so i don't have to reconfigure the VM (at the virtualization layer) every time i make a VLAN change

I echo what Steven said. I'd prefer to let the trusted person/team managing the firewall inside the VM manage their own tagging rather than having to create Harvester entities for each VLAN they might want to use. The same team might manage the physical switch itself, so giving them the ability to tag on the switch and inside the VM eliminates me as the middle man having to create VLAN VM networks as they want to use them.