Untagged traffic is sent to eth0 and ends up in Dom0. VLAN 2 traffic is set to eth0.2, which is bridged with DomU 1’s interface. The same occurs with VLAN 3 and DomU 2. One key point in this setup is that the DomUs are completely unaware of the fact that they are utilizing a VLAN, all the work is done within the bridges in Dom0. The Dom0 is also unaware of the traffic within the VLAN, as it does not have an active address on the eth0.X or vlanbrX interfaces.

To have Xen automatically create these bridges, I wrote the network-bridge-vlan and network-multi-vlan scripts. They have been tested wtih Xen 3 running on Debian Sarge, but should work with most distributions. Make both scripts executable and place them in /etc/xen/scripts. The VLAN configuratin is done within the network-multi-vlan script. To activate the VLANs, edit /etc/xen/xend-config.sxp to use the configuration line

(network-script network-multi-vlan)

To use a new VLAN bridge for an interface within your DomU, change the xen configuration file for the DomU so that the network interface has a bridge specified:

vif = [ 'bridge=vlanbr2' ]

Within the DomU, there are two things that may need to be configured. First, if your ethernet card does not natively support VLAN tags, you will have to set the maximum MTU to 1496 to make room for the tag. The command

ifconfig eth0 mtu 1496

accomplishes this in linux. Another problem is related to network optimizations done within Xen. With the DomUs bridged to VLAN interfaces, these optimizations need to be disabled or tcp and udp connections will fail. This is done by disabling transmit checksum offloading:

ethtool -K eth0 tx off

Both should be done in a script at startup. For Debian, I created the script /etc/network/if-up.d/xen containing:

#!/bin/sh

case "$IFACE" in
        eth0)
                ethtool -K $IFACE tx off
                ifconfig $IFACE mtu 1496
                ;;
esac