Abstract: A method of defining a virtual network across a plurality of physical hosts is provided. At least two hosts utilize network virtualization software provided by two different vendors. Each host hosts a set of data compute nodes (DCNs) for one or more tenants. The method, at an agent at a host, receives a command from a network controller, the command includes (i) an identification a resource on a tenant logical network and (ii) an action to perform on the identified resource. The method, at the agent, determines the network virtualization software utilized by the host. The method, at the agent, translates the received action into a set of configuration commands compatible with the network virtualization software utilized by the host. The method sends the configuration commands to a network configuration interface on the host to perform the action on the identified resource.

Abstract: A method of determining the span of logical entities in a network is provided. The method generates a directed graph. Each node of the graph corresponds to a logical network entity. Each edge of the graph has one or two directions. A direction from a first node to a second node identifies the first node as the source of span for the second node. The method determines the span of each node based on the direction of the edges of the directed graph. The method groups each set of nodes that are accessible by all other nodes in the set in a strongly connected group (SCC) sub-graph. The method generates a group node in a directed acyclic graph (DAG) to correspond to each SCC sub-graph in the directed graph. The method assigns the span of each SCC to the corresponding group node of the DAG.

Abstract: A method of allocating network bandwidth in a network that includes several tenant virtual machines (VMs). The method calculates a first bandwidth reservation for a flow between a source VM and a destination VM that are hosted on two different host machines. The source VM sends packets to a first set of VMs that includes the destination VM. The destination VM receives packets from a second set of VMs that includes the source VM. The method receives a second bandwidth reservation for the flow calculated at the destination. The method sets the bandwidth reservation for the flow as a minimum of the first and second bandwidth reservations.

Abstract: Example methods and systems for intent-based network virtualization design are disclosed. One example may comprise: obtaining configuration information and traffic information associated with multiple virtualized computing instances, processing the configuration information and traffic information to identify network connectivity intents and mapping the network connectivity intents to a logical network topology template. Based on a first switching intent, a first group may be assigned to a first logical network domain and the logical network topology template configured to include a first logical switching element. Based on a second switching intent, a second group may be assigned to a second logical network domain and the logical network topology template configured to include a second logical switching element. Based on a routing intent, the logical network topology template may be configured to include a logical routing element.

Abstract: Example methods and systems are provided for simulation-based cross-cloud connectivity checks. One example method may include injecting a connectivity check packet in a first cloud environment, and obtaining first report information associated with a first stage of forwarding the connectivity check packet from one or more first observation points in the first cloud environment. The method may also comprise: based on configuration information associated with one or more second observation points in the second cloud environment, simulating a second stage of forwarding the connectivity check packet towards a second virtualized computing instance via the one or more second observation points. The method may further comprise: generating second report information associated with the simulated second stage to identify a connectivity status between a first virtualized computing instance and the second virtualized computing instance based on the first report information and the second report information.

Abstract: Example methods are provided for first host to perform multicast packet handling in a software-defined networking (SDN) environment. The method may comprise: in response to the first host detecting, from a first virtualized computing instance, a request to join a multicast group address, obtaining control information from a network management entity. The control information may include one or more destination addresses associated with one or more second hosts that have joined the multicast group address on behalf of multiple second virtualized computing instances. The method may also comprise: in response to the first host detecting an egress multicast packet that includes an inner header addressed to the multicast group address, generating one or more encapsulated multicast packets based on the control information and sending the one or more encapsulated multicast packets in a unicast manner or multicast manner, or a combination of both.

Abstract: Example methods and systems are provided for simulation-based cross-cloud connectivity checks. One example method may include injecting a connectivity check packet in a first cloud environment, and obtaining first report information associated with a first stage of forwarding the connectivity check packet from one or more first observation points in the first cloud environment. The method may also comprise: based on configuration information associated with one or more second observation points in the second cloud environment, simulating a second stage of forwarding the connectivity check packet towards a second virtualized computing instance via the one or more second observation points. The method may further comprise: generating second report information associated with the simulated second stage to identify a connectivity status between a first virtualized computing instance and the second virtualized computing instance based on the first report information and the second report information.

Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated by based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.

Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated by based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.

Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnels endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.

Abstract: Example methods are provided for a network management entity to perform network configuration failure diagnosis in a software-defined networking (SDN) environment. The method may comprise receiving a request to diagnose a network configuration failure; and generating and sending control information to a host to cause the host to inject, at a first network element, a diagnostic packet for transmission along a datapath to a configuration server via multiple second network elements. The diagnostic packet may be configured according to a network configuration protocol supported by the configuration server. The method may also comprise: receiving report information associated with the diagnostic packet from at least one of the following: the first network element, the multiple second network elements and the configuration server; and based on the report information, determining a diagnosis result associated with the network configuration failure.

Abstract: Some embodiments provide a method for a first managed forwarding element operating within a first data compute node (DCN) that executes on a host machine. From the first DCN, the method receives a packet destined for a second DCN that is logically connected to the first DCN through a set of logical forwarding elements of a logical network. The method performs forwarding processing on the packet in order to (i) identify a particular logical forwarding element in the set of logical forwarding elements, a logical port of which is coupled to the second DCN, and (ii) identify a second managed forwarding element that implements the logical port of the particular logical forwarding element. The method forwards the packet to the second managed forwarding element.

Abstract: Systems and methods of communicating between a plurality of hosts comprising one or more first hosts controlled by a first control plane and one or more second hosts controlled by a second control plane are disclosed herein. Each of the one or more first hosts runs at least one tunneling endpoint of one or more first tunneling endpoints, and each of the one or more second hosts runs at least one tunneling endpoint of one or more second tunneling endpoint. The method includes storing, at each of the one or more first hosts, a global list identifying at least the one or more second tunneling endpoints. The method further includes receiving a packet at one of the one or more first tunneling endpoints. The method further includes replicating, encapsulating, and transmitting the packet to each of the one or more second tunneling endpoints based on the global list.

Abstract: Example methods are provided for a network management entity to perform query failure diagnosis in a software-defined networking (SDN) environment. The method may comprise receiving a request to diagnose a query failure; and generating and sending control information to a host to cause the host to inject, at a first network element, a diagnostic packet for transmission along a datapath to a query failure via multiple second network elements. The diagnostic packet may be a query configured according to a query protocol supported by the query server. The method may also comprise: receiving report information associated with the diagnostic packet from at least one of the following: the first network element, the multiple second network elements and the query failure; and based on the report information, determining a diagnosis result associated with the query failure.

Abstract: Example methods and systems for a network management entity to perform configuration change monitoring. One example method may comprise receiving a request to monitor a datapath to which a configuration change is applicable. The datapath may include multiple network elements. The method may also comprise instructing the first host to inject, at a first network element, one or more trace packets for transmission along the datapath to a second network element. The method may further comprise: obtaining state information associated with the configuration change, and detecting that an operating condition associated with the datapath is affected by the configuration change based on the state information.

Abstract: Example methods are provided for a host to perform multicast packet handling in a logical network. The method comprise in response to detecting a request to join a multicast group address, a hypervisor modifying the request by replacing a first address associated with a virtualized computing instance with a second address associated with the hypervisor; and sending the modified request to join the multicast group address on behalf of the virtualized computing instance. The method may also comprise: in response to detecting an egress multicast packet, the hypervisor encapsulating the egress multicast packet with an outer header that is addressed from the second address to the multicast group address; and sending the encapsulated egress multicast packet via one or more multicast-enabled network devices that are capable of forwarding, based on the outer header, the encapsulated egress multicast packet to one or more destinations that have joined the multicast group address.

Abstract: Example methods and systems are provided for cross-cloud connectivity checks. One example method may include detecting a first connectivity check packet that is addressed from a first virtualized computing instance deployed in a first cloud environment; and determining that the first connectivity check packet is destined for a second virtualized computing instance in a second cloud environment reachable via the network device. The method may also comprise: generating a second connectivity check packet by modifying the first connectivity check packet to include one or more indicators that a connectivity check is required along a datapath towards the second virtualized computing instance in the second cloud environment. The method may further comprise: sending the second connectivity check packet to cause one or more observation points along the datapath to, based on the one or more indicators, generate and send report information associated with the second connectivity packet.

Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters with a gateway using a controller bridge is disclosed. In an embodiment, the method comprises: receiving one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; receiving one or more second runtime state data from a gateway that is controlled by a CCP that also controls one or more physical sharding hosts; aggregating to aggregated runtime state data, the one or more first runtime state data received from the one or more logical sharding CCPs and the one or more second runtime state data received from the gateway; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to at least one of the one or more logical sharding CCPs and the gateway.

Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters using a controller bridge is disclosed. In an embodiment, the method comprises: requesting, and receiving, one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; requesting, and receiving, one or more second runtime state data from one or more physical sharding CCPs controlling one or more physical sharding hosts; aggregating, to aggregated runtime state data, the one or more first runtime state data and the one or more second runtime state data; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to the logical sharding CCPs and physical sharding CCPs.

Abstract: Some embodiments provide a method for a first managed forwarding element operating within a first data compute node (DCN) that executes on a host machine. From the first DCN, the method receives a packet destined for a second DCN that is logically connected to the first DCN through a set of logical forwarding elements of a logical network. The method performs forwarding processing on the packet in order to (i) identify a particular logical forwarding element in the set of logical forwarding elements, a logical port of which is coupled to the second DCN, and (ii) identify a second managed forwarding element that implements the logical port of the particular logical forwarding element. The method forwards the packet to the second managed forwarding element.