Hi,
I was wondering whether one of you could help me with my problem. I am about to plan a tiny cloud, that is, 2-3 servers that are supposed to run Xen (or similar; the technology does not matter here) Dom0s, each again providing 3+ virtual machines (DomUs).
I know how I could connect each of those virtual machines to the internet/external network; my question, though, is how I would design a virtual topology of adjacent and disjoint subnetworks for those virtual machines.
To make it easier to understand what I want to achieve, here is a simple topology that illustrates what I want to do:
The solid lines denote physical network links (though some might be virtualized), the square box a physical boundary (e.g. a single Dom0), and the dotted-line switch topology the virtual networks I'm asking for.
For example, think about the following scenario: a DomU on Xen host A and a DomU on Xen host B want to build a virtual private network (transparently!) and still connect to the outside world. How would I do this?
I know I could just connect an additional virtual interface to each DomU and bridge it over a real network, but I wouldn't consider this secure, as every attached machine could join this network, and it won't scale to build up a separate bridged network for each virtual machine.
In general a VLAN tag would be an appropriate solution for this, but this would mean that I'd be restricted to routing traffic manually to specific VLAN interfaces on the Dom0. This won't scale either, as I would have to create a static interface on the Dom0 in advance for each virtual subnetwork of my virtual machines to make sure live migration still works.
So what to do?