Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for processing multicast data messages at a first managed forwarding element (MFE) executing on a first host machine that implements a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines. The method replicates multicast data messages received from a source data compute node (DCN), operating on the first host machine, that logically connects to a first logical switch of the multiple logical switches. The method replicates the multicast data message to a set of DCNs in the multicast group in the logical network without routing through a centralized local multicast router.

Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: The present disclosure generally relates to applying global unified security policies across a plurality of virtual private clouds of a logical network. The logical network is deployed on a software-defined datacenter that constitute one or more private and/or public datacenters. The plurality of virtual private clouds of the logical network may have one or more overlapping internet protocol address blocks, with each virtual private cloud deploying one or more virtual machines and/or containers. A global unified security policy is disseminated to endpoints throughout the logical network using logical ports of the virtual machines and/or containers.

Abstract: The disclosure provides an approach for reducing multicast traffic within a network by optimizing placement of virtual machines within subnets and within hosts, and by optimizing mapping of overlay multicast groups to underlay multicast groups. In one embodiment, substantially all VMs of a multicast group are migrated to the same subnet of the network. Thereafter or independently, VMs in the same subnet are migrated to the same host, ideally to the subnet proxy endpoint of that subnet. In the same or in another embodiment, if multiple overlay groups map to the same underlay group, one or more of the overlay groups may be remapped to a separate underlay group to improve network performance.

Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: A novel method of conducting multicast traffic in a network is provided. The network includes multiple endpoints that receive messages from the network and generate messages for the network. The endpoints are located in different segments of the network, each segment including one or more of the endpoints. For a source endpoint to replicate a particular message (e.g., a data packet) for all endpoints belonging to a particular replication group (i.e., multicast group) within the network, the source endpoint replicates the particular message to each endpoint within the source endpoint's own segment and to a proxy endpoint in each of the other segments. Each proxy endpoint in turn replicates the particular message to all endpoints belonging to the particular replication group within the proxy endpoint's own segment.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.

Abstract: A novel method of conducting multicast traffic in a network is provided. The network includes multiple endpoints that receive messages from the network and generate messages for the network. The endpoints are located in different segments of the network, each segment including one or more of the endpoints. For a source endpoint to replicate a particular message (e.g., a data packet) for all endpoints belonging to a particular replication group (i.e., multicast group) within the network, the source endpoint replicates the particular message to each endpoint within the source endpoint's own segment and to a proxy endpoint in each of the other segments. Each proxy endpoint in turn replicates the particular message to all endpoints belonging to the particular replication group within the proxy endpoint's own segment.

Abstract: Example methods are provided for a first host to maintain data-plane connectivity with a second host via a third host in a virtualized computing environment. The method may comprise identifying an intermediate host, being the third host, having data-plane connectivity with both the first host and the second host. The method may also comprise: in response to detecting, from a first virtualized computing instance supported by the first host, an egress packet that includes an inner header addressed to a second virtualized computing instance supported by the second host, generating an encapsulated packet by encapsulating the egress packet with an outer header that is addressed from the first host to the third host instead of the second host; and sending the encapsulated packet to the third host for subsequent forwarding to the second host.

Abstract: Exemplary methods, apparatuses, and systems maintain network membership information for a host when it is disconnected from a controller. When the host detects a loss of connectivity with the network controller, the host identifies and selects one or more hosts that are members of a control logical network. The control logical network includes hosts configured to run data compute nodes that are members of the overlay network, regardless of whether or not each of the hosts is currently running a data compute node that is a member of the overlay network. The host then sends any broadcast, unknown destination, or multicast (BUM) data packet(s) to the selected one or more hosts.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for processing multicast data messages at a first managed forwarding element (MFE) executing on a first host machine that implements a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines. The method replicates multicast data messages received from a source data compute node (DCN), operating on the first host machine, that logically connects to a first logical switch of the multiple logical switches. The method replicates the multicast data message to a set of DCNs in the multicast group in the logical network without routing through a centralized local multicast router.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.

Abstract: Some embodiments provide a method for configuring a set of MFEs to implement a distributed multicast logical router and multiple logical switches to process the multicast data messages. The method sends, from a managed forwarding element (MFE) implementing the distributed multicast logical router, a multicast group query to a set of data compute nodes (DCNs) that are logically connected to one of several logical switches and that execute on the same host machine as the managed forwarding element. The method receives multicast group reports from a subset of the set of DCNs and at least one of the multicast group reports specifies a multicast group of interest. The method distributes, to a set of MFEs executing on other host machines, a summarized multicast group report specifying a set of multicast groups of interest to the first MFE (i.e., multicast groups that the first MFE participates in).

Abstract: Some embodiments provide a method for a managed forwarding element (MFE). The method receives a packet from a data compute node for which the MFE performs first-hop processing. The data compute node is associated with multiple tunnel endpoints of the MFE. The method determines a destination tunnel endpoint for the packet. The method uses a load balancing algorithm to select one of the multiple tunnel endpoints of the MFE as a source tunnel endpoint for the packet. The method encapsulates the packet in a tunnel using the source and destination tunnel endpoints.

Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn uses the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.

Abstract: Example methods are provided for a first host to restore control-plane connectivity with a network management entity. The method may comprise: detecting a loss of control-plane connectivity between the first host and the network management entity; and determining connectivity status information associated with one or more second hosts. The method may also comprise, based on the connectivity status information, selecting, from the one or more second hosts, a proxy host having data-plane connectivity with the first host and control-plane connectivity with the network management entity. The method may further comprise restoring control-plane connectivity between the first host with the network management entity via the proxy host such that the first host is able to send control information to, or receive control information from, the network management entity via the proxy host.

Abstract: Example methods are provided for a first host to perform address resolution suppression in a logical network. The first host may support a first virtualized computing instance located on the logical network and a first hypervisor. The method may comprise the first hypervisor broadcasting a notification message within the logical network to trigger one or more control messages, and learning protocol-to-hardware address mapping information associated with multiple second virtualized computing instances located on the logical network based on the one or more control messages. The method may also comprise: in response to the first hypervisor detecting an address resolution request message that includes a protocol address associated with one of the multiple second virtualized computing instances, the first hypervisor generating and sending an address resolution response message to a first virtualized computing instance without broadcasting the address resolution request message on the logical network.

Abstract: Some embodiments provide a method for a controller for mapping and sharing up to date configuration information for a logical network comprising managed forwarding elements having multiple tunnel endpoints. The method identifies a data compute node for operation on a host machine that includes a managed forwarding element (MFE) having multiple tunnel endpoints. The data compute node belongs to a particular logical network. The method identifies multiple other data compute nodes belonging to the particular logical network. The method distributes to the MFE (i) a mapping of each data compute node of the other data compute nodes to an identifier for a group of tunnel endpoints associated with the data compute node and (ii) a mapping of each of the identifiers to a list of tunnel endpoints. The MFE uses the mappings to encapsulate packets sent from the data compute node for transmission to other MFEs.

Abstract: Some embodiments provide a method for connecting a host machine to a management and control system (MCS) logical network. The method of some embodiments receives, at a managed forwarding element of the host machine, data that identifies a bootstrap agent. The method of some such embodiments receives this data once the host machine is booted up. The method connects to the agent to receive configuration data for the MCS logical network from the agent. The method uses the configuration data received from the agent to connect to the MCS logical network. After connecting to the MCS logical network, the method receives the necessary configuration data for at least one additional logical network (e.g., a guest logical network) from a set of control machines that is also connected to the MCS logical network.