Hi,
I'm trying to set up an environment with multiple containers, each in a
separate VLAN but running on the same HN (which will in turn be in a
different VLAN for its management traffic on eth0; eth1, eth2 and eth3 will
all be VLAN trunks). There may be other containers on other HNs in the same
VLANs, but they will be on the same switch and subnet (we're allocating one
subnet per VLAN, not per HN or per container).
The wiki page on venet vs veth says that venet is less secure and lower
performance than venet; what I was going to configure was veth per
container, and then put the HN-side of the veth into the relevant VLAN using
for example (HN/CT0 is running Debian Etch)
iface vlan201 inet static
    address X.Y.Z.2
    netmask 255.255.255.224
    gateway X.Y.Z.1
    vlan_raw_device veth201.0
(the gateway address is VLAN201 on the Ethernet switch, which is already
configured)
Three questions:
a) am I missing something obvious and there's an easier way to do this?
b) is there a way to use venet not veth, or is the performance hit
negligible?
c) Given the switch is isolating VLANs, and all that the HN is doing is
trunking from veths to the switch, is a bridge needed?
The only thing left to set up - other than those queries - is to make sure
the veths are brought up before the VLAN interfaces (so that when VLANs
come up, the vlan_raw_devices vethXXX already exist); does anyone know if
I can actually configure the vlan_raw_device as vethXXX anyway and define the
veths as hotplug devices? Or is that not necessary?
Thanks in advance,
Andy