The tag was attached/replaced when going out from cc201's eth1 to the outside, in this case to cc202's eth1. The ICMP is routed from the VM of cc201 through two gw- interfaces, and finally decided to go outside. So the last gw is an L2 domain, so the tag you watched on cc202's eth1 was tag 8 because it was routed. That's one reason the ICMP reached cc202's VM even though it is on a separate network.

However, it should be the same behaviour when one VM sends to another VM which is on another network, whether it is on another hypervisor or the same hypervisor. It should be controlled by nova's security group or the project separation of the nova network setting. So from this viewpoint, the nova configuration, iptables, or something else was wrong, I think.