I want the ability to specify which VLAN each DomU should be on, for improved security. Potentially a DomU might be on a VLAN all to itself, or perhaps it shares with a couple of other machines (DomU or physical), or perhaps it's on the main production VLAN.

http://renial.net/weblog/2007/02/27/xen-vlan looks like it does what I want.

something like this maybe:

apt-get install vlan bridge-utils

echo 8021q >> /etc/modules
modprobe 8021q

auto br1
iface br1 inet static
    bridge_ports eth0
    bridge_maxwait 0
    bridge_fd 0
    address ...
    netmask ...
    gateway ...

auto br2
iface br2 inet manual
    bridge_ports eth0.2
    bridge_maxwait 0
    bridge_fd 0

with some extra goodness TBC to assign domUs to the correct bridge.