Patents by Inventor Sami Boutros

Sami Boutros has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11265187
    Abstract: For a multi-tenant environment, some embodiments of the invention provide a novel method for (1) embedding a specific path for a tenant's data message flow through a network in tunnel headers encapsulating the data message flow, and then (2) using the embedded path information to direct the data message flow through the network. In some embodiments, the method selects the specific path from two or more viable such paths through the network for the data message flow.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: March 1, 2022
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Ankur Dubey, Mike Parsa, Israel Cidon, Prashanth Venugopal
  • Publication number: 20220038379
    Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (e.g., a datacenter providing a set of hardware resources). The novel network architecture, in some embodiments, also provides a set of distributed services at the edge of a virtual private cloud (VPC) implemented in the availability zone (e.g., using the hardware resources of a datacenter) at a set of host computers in the AZ. The novel network architecture includes a set of route servers for receiving advertisements of network addresses (e.g., internet protocol (IP) addresses) as being available in the availability zone (AZ) from different routers in the AZ. The route servers also advertise the received network addresses to other routers in the AZ. In some embodiments, the other routers include routers executing on host computers in the AZ and gateway devices of the availability zone.
    Type: Application
    Filed: July 28, 2020
    Publication date: February 3, 2022
    Inventors: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
  • Publication number: 20220038310
    Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.
    Type: Application
    Filed: July 28, 2020
    Publication date: February 3, 2022
    Inventors: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
  • Publication number: 20220038309
    Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (AZ). The novel network architecture includes a set of route servers for receiving advertisements of network addresses as being available in the AZ from different routers in the AZ. The novel network architecture also includes multiple host computers that each execute a router that (i) identifies network addresses available on the host computer, (ii) sends advertisements of the identified network addresses to the set of route servers, and (iii) receives advertisements from the set of route servers regarding network addresses available on other host computers. The identified network addresses, in some embodiments, include at least one of network addresses associated with data compute nodes (DCNs) and network addresses associated with services available at the host computer. The route servers advertise the received network addresses to other routers in the AZ.
    Type: Application
    Filed: July 28, 2020
    Publication date: February 3, 2022
    Inventors: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
  • Publication number: 20220029950
    Abstract: Some embodiments of the invention provide a method for implementing a logical network with one or more logical forwarding elements (LFEs), each with multiple logical ports. Each LFE in some embodiments is implemented by several physical forwarding elements (PFEs) operating on several devices. On a host computer executing a particular machine connected to a PFE implementing a particular LFE, the method identifies an address discovery message associating a particular network address (e.g., a layer 2 (L2) address or media access control (MAC) address) of the particular machine with another network address (e.g., a layer 3 (L3) or an Internet Protocol (IP) address) of the particular machine.
    Type: Application
    Filed: August 30, 2021
    Publication date: January 27, 2022
    Inventors: Sami Boutros, W. Andrew Lambeth, Jayant Jain, Mani Kancherla
  • Publication number: 20220021645
    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways and also significantly reduces the need to redirect packets received at the wrong host by using a capacity of off-the-shelf gateway devices to perform IPv6 encapsulation for IPv4 packets and assigning locally unique IPv6 addresses to each host executing a dSNAT middlebox service instance that are used by the gateway device.
    Type: Application
    Filed: July 16, 2020
    Publication date: January 20, 2022
    Inventors: Sami Boutros, Mani Kancherla, Jayant Jain, Anirban Sengupta
  • Publication number: 20220021615
    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways and also significantly reduces the need to redirect packets received at the wrong host by using a capacity of off-the-shelf gateway devices to perform IPv6 encapsulation for IPv4 packets and assigning locally unique IPv6 addresses to each host executing a dSNAT middlebox service instance that are used by the gateway device.
    Type: Application
    Filed: July 16, 2020
    Publication date: January 20, 2022
    Inventors: Sami Boutros, Mani Kancherla, Jayant Jain, Anirban Sengupta
  • Publication number: 20220014464
    Abstract: A node includes one or more line cards interconnected to one another via a switching fabric and configured to implement a data plane; and a first router processor and a second router processor communicatively coupled to the one or more line cards, and each configured to implement a separate control plane, such that the node appears in a link-state database as two separate nodes. Responsive to an in-service software upgrade, the first router processor is upgraded and down while the second router processor is active, thereby preserving routing and forwarding. The one or more line cards include a first Virtual Local Area Networking (VLAN) for the first router processor and a second VLAN for the second router processor, and the first VLAN and the second VLAN are associated with a same physical interface on the one or more line cards.
    Type: Application
    Filed: August 19, 2020
    Publication date: January 13, 2022
    Inventors: Sami Boutros, Pranav Mehta, Jayant Kumar Bhardwaj, Michael J. Barnes
  • Publication number: 20210409325
    Abstract: In some embodiments, a method inserts, by a first computing device, a first value for a capability in a first message that is used in a process to automatically exchange capability values with a second computing device. The first value for the capability indicates the first computing device requires a default route to reach the second computing device as a next hop for sending a packet to a destination. The first computing device sends the first message to the second computing device and receives a second value for the capability in a second message from the second computing device. The second value indicates that the second computing device will send the default route to reach the second computing device. When the default route is received from the second computing device, the first computing device stores the default route from the second computing device in a route table.
    Type: Application
    Filed: September 1, 2020
    Publication date: December 30, 2021
    Inventors: SANTOSH PALLAGATTI KOTRABASAPPA, SAMI BOUTROS, JEROME CATROUILLET, GEORGE MATHEW
  • Publication number: 20210392016
    Abstract: Example methods and systems for uplink-aware logical overlay tunnel monitoring are described. In one example, a first computer system may establish a logical overlay tunnel with a second computer system. The first computer system may generate and send, over the logical overlay tunnel via the first uplink, a first encapsulated monitoring packet identifying the first uplink. Based on a first reply, first performance metric information associated with the first uplink may be determined. The first computer system may generate and send, over the logical overlay tunnel via the second uplink, a second encapsulated monitoring packet identifying the second uplink. Based on a second reply, second performance metric information associated with the second uplink may be determined. Based on the first performance metric information and the second performance metric information, the first uplink or the second uplink may be selected to send encapsulated data packet(s) over the logical overlay tunnel.
    Type: Application
    Filed: July 31, 2020
    Publication date: December 16, 2021
    Inventors: SAMI BOUTROS, JEROME CATROUILLET, SANTOSH PALLAGATTI KOTRABASAPPA, JIA YU
  • Publication number: 20210392034
    Abstract: A switching circuit includes circuitry configured to manage a plurality of Equal Cost Multiple Paths (ECMPs) through a plurality of shared protection group objects, wherein each of the plurality of shared protection group objects is connected to two paths in the ECMPs, and wherein a number of shared protection group objects equals a number of next-hops, cause distribution of packets based on a setting of the shared protection group object for each next-hop, and responsive to a failure of a next-hop, change the setting of the shared protection group object for the failed next-hop.
    Type: Application
    Filed: June 16, 2020
    Publication date: December 16, 2021
    Inventors: Sami Boutros, Kambiz Frounchi, Tao Wang
  • Patent number: 11184276
    Abstract: A node in a Segment Routing network includes a plurality of ports and a switching fabric between the plurality of ports, wherein, for an Ethernet Virtual Private Network (EVPN)-Virtual Private Local Area Network Service (VPLS), a port is configured to transmit a packet with a plurality of Segment Identifiers (SID) including a destination SID that identifies a destination node of the packet, a service SID that identifies an EVPN Instance (EVI), and a source SID that identifies one of the node and an Ethernet Segment (ES) that includes the node. The port can be further configured to receive a second packet with a second plurality of SIDs, and learn a Media Access Control (MAC) address based on a second service SID and a second source SID, of the second packet.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: November 23, 2021
    Assignee: Ciena Corporation
    Inventors: Sami Boutros, Himanshu Shah
  • Publication number: 20210352011
    Abstract: A node in a Segment Routing network includes a plurality of ports and a switching fabric between the plurality of ports, wherein, for an Ethernet Tree (E-tree) service, a port is configured to transmit a packet with a plurality of Segment Identifiers (SID) including a first SID, a second SID, and a third SID, wherein the first SID identifies one of multicast, ingress replication for broadcast, and a destination node including any of a node SID and an anycast SID, wherein the second SID identifies a service including the E-tree service, and wherein the third SID identifies a source of the packet. A second port of the node is connected to a customer edge, and wherein the third SID is based on whether the customer edge is a leaf node or a root node in the E-tree service.
    Type: Application
    Filed: August 31, 2020
    Publication date: November 11, 2021
    Inventors: Sami Boutros, Siva Sivabalan, Himanshu Shah, Peng He
  • Publication number: 20210352007
    Abstract: A node in a Segment Routing network includes a plurality of ports and a switching fabric between the plurality of ports, wherein, for an Ethernet Virtual Private Network (EVPN)-Virtual Private Local Area Network Service (VPLS), a port is configured to transmit a packet with a plurality of Segment Identifiers (SID) including a destination SID that identifies a destination node of the packet, a service SID that identifies an EVPN Instance (EVI), and a source SID that identifies one of the node and an Ethernet Segment (ES) that includes the node. The port can be further configured to receive a second packet with a second plurality of SIDs, and learn a Media Access Control (MAC) address based on a second service SID and a second source SID, of the second packet.
    Type: Application
    Filed: May 8, 2020
    Publication date: November 11, 2021
    Inventors: Sami Boutros, Himanshu Shah
  • Patent number: 11153122
    Abstract: For a set of gateway devices at the edge of a logical network, some embodiments provide a method for ensuring that data messages from an external network requiring a stateful service are received at an active gateway device. The method advertises the availability of a set of internet protocol (IP) addresses from standby gateway devices with a higher cost than the cost advertised by an active gateway device. In some embodiments, the advertisement is made using a border gateway protocol. Data messages may be unexpectedly received on a standby node despite the higher advertised cost. This could happen due to asymmetric network failures. The method determines if a stateful service is needed for the data messages received on standby node. Based on the determination, the method forwards the received data message to the active gateway device for the active gateway device to provide the stateful service.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: October 19, 2021
    Assignee: NICIRA, INC.
    Inventors: Ankur Dubey, Sami Boutros, Vijayalaxmi Basavaraj, Yashika Narang, Sharath Bhat
  • Publication number: 20210320865
    Abstract: A method for a hypervisor to implement flow-based local egress in a multisite datacenter is disclosed. The method comprises: determining whether a first data packet of a first data flow has been received. If the first data packet has been received, then the hypervisor determines a MAC address of a first local gateway in a first site of a multisite datacenter that communicated the first data packet, and stores the MAC address of the first local gateway and a 5-tuple for the first data flow. Upon determining that a response for the first data flow has been received, the hypervisor determines whether the response includes the MAC address of the first local gateway. If the response includes a MAC address of another local gateway, then the hypervisor replaces, in the response, the MAC address of another local gateway with the MAC address of the first local gateway.
    Type: Application
    Filed: January 22, 2021
    Publication date: October 14, 2021
    Inventors: Jayant JAIN, Anirban SENGUPTA, Minjal AGARWAL, Sami BOUTROS
  • Publication number: 20210314256
    Abstract: Some embodiments provide a method for a first edge device in a first datacenter that implements a centralized routing component of a logical router that spans multiple datacenters and handles data traffic between a logical network implemented across the multiple datacenters and external networks. From a second edge device in a second datacenter, the method receives via routing protocol a route having a particular routing protocol tag. When the first datacenter is a primary datacenter for the logical router such that all data traffic between the logical network and the external networks is handled by one or more centralized routing components implemented at the first datacenter, the method uses the routing protocol tag to determine whether to advertise the received route to the external networks.
    Type: Application
    Filed: June 19, 2020
    Publication date: October 7, 2021
    Inventors: Ganesan Chandrashekhar, Abhishek Goliya, Ankur Dubey, Sami Boutros, Yashika Narang
  • Publication number: 20210314251
    Abstract: Some embodiments provide a method for configuring an edge computing device to implement a logical router belonging to a logical network. The method configures a datapath executing on the edge computing device to use a first routing table associated with the logical router for processing data messages routed to the logical router. The method configures a routing protocol application executing on the edge computing device to (i) use the first routing table for exchanging routes with a network external to the logical network and (ii) use a second routing table for exchanging routes with other edge computing devices that implement the logical router.
    Type: Application
    Filed: June 19, 2020
    Publication date: October 7, 2021
    Inventors: Ankur Dubey, Sami Boutros, Yashika Narang, Vinay Kumar Ganeshmal Jain, Meenakshi Selvaraj
  • Publication number: 20210314182
    Abstract: The technology disclosed herein enables multicast network traffic to pass an RPF check in a logical router having separated packet handlers. In a particular embodiment, a method includes, in a north/south packet handler of a first logical router, receiving first network traffic from an east/west packet handler of the logical router. The first network traffic is multicast network traffic and the logical router is a first hop router for the first network traffic from a source of the first network traffic. The method further includes identifying an entry for the source in unicast routing information for unicast network traffic. Identifying the entry indicates that the first network traffic passes a reverse path forwarding (RPF) check. In response to the first network traffic passing the RPF check, the method includes transferring the first network traffic from the north/south packet handler to a next hop for the first network traffic indicated by first multicast routing information.
    Type: Application
    Filed: April 7, 2020
    Publication date: October 7, 2021
    Inventors: Vijayalaxmi Basavaraj, Ankur Dubey, Sami Boutros
  • Publication number: 20210314263
    Abstract: The disclosure provides an approach for reducing congestion within a network, the network comprising a plurality of subnets, the plurality of subnets comprising a plurality of host machines and a plurality of virtual computing instances (VCIs) running on the plurality of host machines. Embodiments include receiving, by an edge services gateway (ESG) of a first subnet of the plurality of subnets, membership information for a group identifying a subset of the plurality of host machines. Embodiments include receiving a multicast packet directed to the group and selecting from the plurality of host machines, a replicator host machine for the multicast packet. Embodiments include sending, to the replicator host machine, the multicast packet along with metadata indicating that the replicator host machine is to replicate the multicast packet to remaining host machines of the subset of the plurality of host machines identified in the membership information for the group.
    Type: Application
    Filed: June 21, 2021
    Publication date: October 7, 2021
    Inventors: Subin Cyriac MATHEW, Sami BOUTROS, Stephen TAN, Senthilkumar KARUNAKARAN, Chidambareswaran RAMAN