Abstract: Some embodiments of the invention provide a switching element that receives a packet and processes the packet by dynamically generating a flow entry with a set of wildcard fields. The switching element then caches the flow entry and processes any subsequent packets that have header values that match the flow entry's non-wildcard match fields. In generating the flow, the switching element initially wildcards some of all of match fields and generates a new flow entry by un-wildcarding each match field that was consulted or examined to generate the flow entry.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: Some embodiments provide a method for a managed forwarding element. The method receives a set of packets for processing by the managed forwarding element. For each of several packets in the set, the method associates the packet with one of several groups of other packets in the set. Each group of packets shares a set of characteristics. For each group of packets the method identifies a set of actions to perform and executes the specified set of actions on all of the packets in the group together.

Abstract: Some embodiments of the invention provide a method of tunneling a data packet by encapsulating the data packet with a protocol header and specifying information in the fields of the header in a manner that a network switch can offload processing tasks to its network interface controller. The switch on a transmit side sends the processed data packet through the tunnel to another switch on a receive side. The two sides represent the two ends of the tunnel established between the two switches. Each of the transmit and received side switches is controlled by a switch controller, which in some embodiments is implemented as software. The switch controllers and network interface controllers together process the data packet which is being transferred through the tunnel between the switches.

Abstract: For a network controller for managing hosts in a network, a method for configuring a host to resolve network addresses is described. The method configures an address resolution module in a host to resolve a network address. The method configures a managed forwarding element in the host to (1) avoid sending a request to resolve the network address to another host by using the address resolution module to resolve the network address and (2) forward packets using the resolved network address.

Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.

Abstract: Some embodiments provide a method for a managed forwarding element that operates on a host machine to process packets for at least one logical network. The method receives a packet that includes a particular piece of data to maintain with the packet. The particular piece of data is not stored in a payload of the packet and is not protocol-specific data. The method stores the particular piece of data in a register while processing the packet. The method identifies a next destination of the packet that operates on the host machine. The method generates an object to represent the packet for the identified destination. The particular piece of data is stored in a field of the generated object.

Abstract: Some embodiments of the invention provide a method of tunneling a data packet by encapsulating the data packet with a protocol header and specifying information in the fields of the header in a manner that a network switch can offload processing tasks to its network interface controller. The switch on a transmit side sends the processed data packet through the tunnel to another switch on a receive side. The two sides represent the two ends of the tunnel established between the two switches. Each of the transmit and received side switches is controlled by a switch controller, which in some embodiments is implemented as software. The switch controllers and network interface controllers together process the data packet which is being transferred through the tunnel between the switches.

Abstract: Some embodiments provide a method for a managed forwarding element. The method receives a set of packets for processing by the managed forwarding element. For each of several packets in the set, the method associates the packet with one of several groups of other packets in the set. Each group of packets shares a set of characteristics. For each group of packets the method identifies a set of actions to perform and executes the specified set of actions on all of the packets in the group together.

Abstract: A novel method for configuring first and second managed forwarding elements to perform logical L2 switching and L3 routing is described. The method generates a first set of flow entries for configuring the first managed forwarding element to perform logical L2 ingress processing and L3 routing processing. The method generates a second set of flow entries for configuring the second managed forwarding element to performing logical L2 egress processing.

Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.

Abstract: For a network controller for managing hosts in a network, a method for configuring a host to handle flow entries and template flow entries is described. The method generates a template flow entry to be populated in order to create a flow entry for a particular managed forwarding element. The method sends the template flow entry to the particular forwarding element in a host. The method configures a flow entry generating flow entry generating module in a host to create the flow entry by populating the template flow entry. The method configures the particular managed forwarding element to (1) send the template flow entry to the flow entry generating flow entry generating module (2) forward packets using the flow entry created by the flow entry generating flow entry generating module.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: Some embodiments provide a system that allows for the use of direct host return ports (abbreviated “DHR ports”) on managed forwarding elements to bypass gateways in managed networks. The DHR ports provide a direct connection from certain managed forwarding elements in the managed network to remote destinations that are external to the managed network. Managed networks can include both a logical abstraction layer and physical machine layer. At the logical abstraction layer, the DHR port is treated as a port on certain logical forwarding elements. The DHR port transmits the packet to the routing tables of the physical layer machine that hosts the logical forwarding element without any intervening transmission to other logical forwarding elements. The routing tables of the physical layer machine then strip any logical context associated with a packet and forwarding the packet to the remote destination without any intervening forwarding to a physical gateway provider.

Abstract: Some embodiments of the invention provide a switching element that receives a packet and processes the packet by dynamically generating a flow entry with a set of wildcard fields. The switching element then caches the flow entry and processes any subsequent packets that have header values that match the flow entry's non-wildcard match fields. In generating the flow, the switching element initially wildcards some of all of match fields and generates a new flow entry by un-wildcarding each match field that was consulted or examined to generate the flow entry.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: A novel method for logically routing a packet between a source machine that is in a first logical domain and a destination machine that is in a second logical domain is described. The method configures a managed switching element as a second-level managed switching element. The method configures a router in a host that includes the second-level managed switching element. The method communicatively couples the second-level managed switching element with the router. The method causes the router to route a packet when the router receives a packet from the first logical domain that is addressed to the second logical domain.

Abstract: Some embodiments of the invention provide a method of tunneling a data packet by encapsulating the data packet with a protocol header and specifying information in the fields of the header in a manner that a network switch can offload processing tasks to its network interface controller. The switch on a transmit side sends the processed data packet through the tunnel to another switch on a receive side. The two sides represent the two ends of the tunnel established between the two switches. Each of the transmit and received side switches is controlled by a switch controller, which in some embodiments is implemented as software. The switch controllers and network interface controllers together process the data packet which is being transferred through the tunnel between the switches.

Abstract: Some embodiments provide a method for a managed forwarding element that operates on a host machine to process packets for at least one logical network. The method receives a packet that includes a particular piece of data to maintain with the packet. The particular piece of data is not stored in a payload of the packet and is not protocol-specific data. The method stores the particular piece of data in a register while processing the packet. The method identifies a next destination of the packet that operates on the host machine. The method generates an object to represent the packet for the identified destination. The particular piece of data is stored in a field of the generated object.

Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.