Abstract: An example method to perform packet tracing in a Software-Defined Networking (SDN) environment is provided. The SDN environment comprises an SDN controller device and a plurality of forwarding devices configurable by the SDN controller device. The method may comprise the SDN controller device configuring the plurality of forwarding devices to generate trace information of packets associated with a communication flow in the SDN environment; and receiving trace information of packets associated with the communication flow. Based on the trace information, the SDN controller device may generate aggregated trace information by identifying, from header information and payload information of the packets, particular packets associated with the communication flow that are processed by one of the plurality of forwarding devices, or a particular packet associated with the communication flow that is processed by at least two of the plurality of forwarding devices, or both.

Abstract: Some embodiments of the invention provide a method for a first security controller that performs security operations on the packets that are transmitted within a network. The method of some embodiments receives a packet from a forwarding element in the network based on a decision made by a security agent that operates along with the forwarding element. When the first security controller stores a security rule for the packet, the method processes the packet according to the stored security rule. When the first security controller does not store a security rule for the packet, the method (i) determines that a second security controller stores a security rule for the packet based on a set of header values of the packet, and (ii) sends the packet to the second security controller for security processing according to the security rule for the packet stored on the second security controller.

Abstract: Some embodiments of the invention provide a method that performs security operations for packets that are processed by a forwarding element. The method of some embodiments receives, at a security agent operating on a physical machine, a packet from a forwarding element that also operates on the physical machine. The method then determines whether a security rule is stored for the packet at the security agent. When no security rule is stored for the packet, the method transmits the packet to a default security controller of several security controllers that store security rules for a network and process packets according to the stored security rules. When the security rule is stored for the packet, the method processes the packet according to the stored security rule for the packet.

Abstract: An example method to perform packet tracing in a Software-Defined Networking (SDN) environment is provided. The SDN environment comprises an SDN controller device and a plurality of forwarding devices configurable by the SDN controller device. The method may comprise the SDN controller device configuring the plurality of forwarding devices to generate trace information of packets associated with a communication flow in the SDN environment, and the SDN controller device receiving, from the plurality of forwarding devices, trace information comprising header information and payload information of packets associated with the communication flow. Based on the trace information, the SDN controller device may generate aggregated trace information that identifies forwarding devices that processed a particular packet associated with the communication flow, or packets associated with the communication flow that are processed by a particular forwarding device, or both.

Abstract: An example method is provided for a network device to protect a Media Access Control (MAC) address table of a network switch in a virtualized computing environment. The method may comprise, in response to receiving a request message from a virtual machine, determining a shared MAC address that is usable for the virtual machine and at least one other virtual machine, modifying a source MAC address of the request message from a MAC address associated with the virtual machine to the shared MAC address; and sending, to the network switch, the request message having the shared MAC address as the modified source MAC address. The method may comprise, in response to receiving a reply message from the network switch, the reply message having the shared MAC address as a destination MAC address, sending, to the virtual machine, the reply message in reply to the request message.

Abstract: An example method to perform packet tracing in a Software-Defined Networking (SDN) environment is provided. The SDN environment comprises an SDN controller device and a plurality of forwarding devices configurable by the SDN controller device. The method may comprise the SDN controller device configuring the plurality of forwarding devices to generate trace information of packets associated with a communication flow in the SDN environment, and the SDN controller device receiving, from the plurality of forwarding devices, trace information comprising header information and payload information of packets associated with the communication flow. Based on the trace information, the SDN controller device may generate aggregated trace information that identifies forwarding devices that processed a particular packet associated with the communication flow, or packets associated with the communication flow that are processed by a particular forwarding device, or both.