I like to start my Xen networking by creating two (or more) bridges, one connected to the physical interface on the dom0 and another which is only connected to by virtual machines. This lets me set up an internal private network for cross-VM interaction and administration which is insulated from the DC’s network. If you put a router VM on both bridges which occupies your public IP addresses you can use 1-1 NAT to stack services from different VMs behind one IP and firewall the virtual machines. This is particularly handy where your address space is small but your VMs are many.
Unfortunately, the Debian interfaces configuration scheme doesn’t like setting up bridges with no bridge_ports directive so we have to give it a little boost. You will end up with a configuration file that looks something like this:
auto lo iface lo inet loopback iface eth0 inet manual auto extbr0 iface extbr0 inet static bridge_ports eth0 address x.x.x.x netmask 255.255.255.0 network x.x.x.0 broadcast x.x.x.255 gateway x.x.x.1 auto intbr0 iface intbr0 inet manual pre-up brctl addbr $IFACE post-down brctl delbr $IFACE up ifconfig $IFACE up y.y.y.y down ifconfig $IFACE down
Where y.y.y.y is an internal IP you can use to access the dom0. For example you might prefer not to expose SSH on your dom0 to the wild, you would make sshd listen on this IP and shell in over a VPN.