Security group rules are not effective with KVM
Problem
Security group rules are not effective with KVM
We have noticed that in certain deployments the security group rules configured in CP are not blocking traffic as expected, even though the corresponding rules are programmed on the KVM host by CloudPlatform.
Response
The issue is the result of a known bug in the enic driver, or more precisely in the Cisco card firmware.
Some firmware versions of these cards mark non-VLAN traffic as VLAN traffic with VLAN ID 0.
This is not a problem further up in the OS networking stack, since a VLAN ID of 0 is automatically stripped with no harm.
Essentially, the NIC internally tags incoming traffic that carries no dot1q tag with tag 0, which is stripped again later. This is due to the fixed RX VLAN offloading configured by the NIC. Consequently, the traffic is treated as VLAN tagged (even though the tag is 0), and bridge netfilter does not pass such frames to the security group rules unless the brnf_filter_vlan_tagged sysctl is enabled.
https://bugzilla.redhat.com/show_bug.cgi?id=1434533
The only fix is to enable the brnf_filter_vlan_tagged sysctl:
sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1
To persist the change across reboots, add "net.bridge.bridge-nf-filter-vlan-tagged=1" to /etc/sysctl.conf.
http://ebtables.netfilter.org/documentation/bridge-nf.html
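The check-and-persist steps above, written as an added example (not part of this article or of CloudPlatform): it reports whether the running kernel already filters VLAN-tagged frames on bridges, shows the driver bound to a NIC so the enic case can be confirmed, and sets the sysctl line in a sysctl.conf-style file idempotently (replacing a wrong value instead of appending a duplicate). The function names and the persisted-value helper are this example's own; the /proc path is only present when the bridge netfilter code (br_netfilter) is loaded.

```shell
#!/bin/sh
# Added example: verify and persist net.bridge.bridge-nf-filter-vlan-tagged=1
# on a KVM host whose enic NIC marks untagged frames as VLAN 0.
SYSCTL_KEY="net.bridge.bridge-nf-filter-vlan-tagged"
PROC_PATH="/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged"

# Succeeds (exit 0) only if the running kernel already filters VLAN-tagged
# frames on bridges. The file is absent when br_netfilter is not loaded.
vlan_filter_enabled() {
    [ -r "$PROC_PATH" ] && [ "$(cat "$PROC_PATH")" = "1" ]
}

# Print the kernel driver bound to interface $1 (e.g. "enic" for the Cisco VIC).
nic_driver() {
    basename "$(readlink -f "/sys/class/net/$1/device/driver")" 2>/dev/null
}

# Idempotently set key=$2 to value $3 in the sysctl.conf-style file $1:
# an existing line for the key (any spacing, any value) is rewritten in
# place, otherwise the line is appended. Other lines are left untouched.
persist_sysctl() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
        tmpf=$(mktemp)
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmpf" \
            && cat "$tmpf" > "$file"
        rm -f "$tmpf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value persisted for key $2 in file $1 (last match wins; empty if absent).
persisted_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Apply the fix to the running kernel and persist it. Must be run as root.
apply_fix() {
    vlan_filter_enabled || sysctl -w "$SYSCTL_KEY=1"
    persist_sysctl /etc/sysctl.conf "$SYSCTL_KEY" 1
}
```

On the affected host, source the script and run `nic_driver eth0` (substitute the bridge uplink) to confirm the enic driver, then `apply_fix` as root; `vlan_filter_enabled && echo ok` afterwards confirms the running value.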
Document ID:
360004662791
Product:
CloudPlatform
Version:
4.7.1
Operating System:
Linux