Index: sys/net/iflib.h
===================================================================
--- sys/net/iflib.h
+++ sys/net/iflib.h
@@ -325,7 +325,11 @@
  * Interface needs admin task to ignore interface up/down status
  */
 #define IFLIB_ADMIN_ALWAYS_RUN	0x10000
-
+/*
+ * Always flush SW/HW Tx queues before reconfiguring
+ * VLANs; to prevent anti-spoof errors
+ */
+#define IFLIB_VLAN_ANTI_SPOOF	0x20000
 
 /*
  * field accessors
Index: sys/net/iflib.c
===================================================================
--- sys/net/iflib.c
+++ sys/net/iflib.c
@@ -4136,10 +4136,15 @@
 		return;
 
 	CTX_LOCK(ctx);
+	/* Stop to flush all untagged packets */
+	if (if_getcapenable(ifp) & IFCAP_VLAN_HWFILTER ||
+	    ctx->ifc_sctx->isc_flags & IFLIB_VLAN_ANTI_SPOOF)
+		iflib_stop(ctx);
 	IFDI_VLAN_REGISTER(ctx, vtag);
 	/* Re-init to load the changes */
-	if (if_getcapenable(ifp) & IFCAP_VLAN_HWFILTER)
-		iflib_if_init_locked(ctx);
+	if (if_getcapenable(ifp) & IFCAP_VLAN_HWFILTER ||
+	    ctx->ifc_sctx->isc_flags & IFLIB_VLAN_ANTI_SPOOF)
+		iflib_init_locked(ctx);
 	CTX_UNLOCK(ctx);
 }
 
@@ -4155,10 +4160,15 @@
 		return;
 
 	CTX_LOCK(ctx);
+	/* Stop to flush all tagged packets */
+	if (if_getcapenable(ifp) & IFCAP_VLAN_HWFILTER ||
+	    ctx->ifc_sctx->isc_flags & IFLIB_VLAN_ANTI_SPOOF)
+		iflib_stop(ctx);
 	IFDI_VLAN_UNREGISTER(ctx, vtag);
 	/* Re-init to load the changes */
-	if (if_getcapenable(ifp) & IFCAP_VLAN_HWFILTER)
-		iflib_if_init_locked(ctx);
+	if (if_getcapenable(ifp) & IFCAP_VLAN_HWFILTER ||
+	    ctx->ifc_sctx->isc_flags & IFLIB_VLAN_ANTI_SPOOF)
+		iflib_init_locked(ctx);
 	CTX_UNLOCK(ctx);
 }