Abstract: In various example embodiments, a system, a method, and a machine readable medium to manage multicast traffic are disclosed. The system includes a controller server for receiving first multicast group member information and for providing centralized control of a network. The first multicast group member information is received from a first end-host computer and received at the controller server responsive to a first packet forwarding system identifying the first end-host computer is joining a first multicast group on a first virtual network. The controller server generates a first multicast tree and communicates a first network configuration message to at least one packet forwarding system of the first plurality of packet forwarding systems. The first network configuration message includes a packet flow table entry enabling configuration of a flow table to enable communication of multicast traffic for the first multicast group over a portion of the first multicast tree.

Abstract: Methods, systems, and computer programs are presented for distributing network address translation (NAT) operations to a plurality of network devices on a network. One method includes an operation for identifying, by a controller that controls a network fabric, a plurality of switches in the network fabric, each switch having a module for NAT and being configured to forward packets received at the switch. The controller identifies hosts having at least one internal Internet Protocol (IP) address, and for each of the hosts, the controller selects one of the switches from the plurality of switches for performing the NAT for the host. Further, the controller configures the network fabric to cause the selected switch to perform the NAT for the host to enable the host to communicate with an external network. In case of switch failure, the system reallocates NAT loads to other switches for high availability.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.

Abstract: In various example embodiments, a system, a method, and a machine readable medium to manage multicast traffic are disclosed. The system includes a controller server for receiving first multicast group member information and for providing centralized control of a network. The first multicast group member information is received from a first end-host computer and received at the controller server responsive to a first packet forwarding system identifying the first end-host computer is joining a first multicast group on a first virtual network. The controller server generates a first multicast tree and communicates a first network configuration message to at least one packet forwarding system of the first plurality of packet forwarding systems. The first network configuration message includes a packet flow table entry enabling configuration of a flow table to enable communication of multicast traffic for the first multicast group over a portion of the first multicast tree.

Abstract: A network of switches having ports coupled to other switches or end hosts may be controlled by a controller. The controller may identify whether any switch ports have failed. In response to identifying that a port has failed at a first switch, the controller may modify link aggregation group mappings of the other switches to handle failover. The controller may modify the link aggregation group mapping of each other switch to include a first mapping that includes ports coupled to the first switch and a second mapping that does not include any ports coupled to the first switch. The controller may configure forwarding tables at the switches to forward network packets using the first or second mappings based on network topology information maintained by the controller.

Abstract: In various example embodiments, a system and method for optimizing management of a multicast tree are disclosed. The system receives first multicast group member information, from over a network and via a first packet forwarding system, at a controller server that provides for control of a network comprised of a first virtual local area network including a first packet forwarding system, the first multicast group member information being received by the first packet forwarding system and describing a first end-host computer as joining a first multicast group on the first virtual local area network. The system generates a multicast tree, at the controller server, and communicates a network configuration message to at least one packet forwarding system of a first plurality of packet forwarding systems to enable communication of the multicast traffic for the first multicast group over a portion of the multicast tree.

Abstract: A controller implemented on computing equipment may be used to control switches in a network. End hosts may be coupled to the switches. The controller may generate a virtual network topology of virtual switches, virtual routers, and virtual system routers that are distributed over underlying switches in the network. The controller may form virtual switches from respective groups of end hosts, virtual routers from groups of virtual switches that include virtual interfaces that are coupled to virtual switches, and a virtual system router from groups of virtual routers that includes virtual system router interfaces that are coupled to the virtual routers. The controller may control the virtual network topology by generating respective flow table entries based on identified network policies for each of the virtual routers, virtual system routers, and virtual switches. The controller may control the virtual system routers to route packets between the virtual routers.

Abstract: In various example embodiments, a system and method for optimizing management of a multicast tree are disclosed. The system receives first multicast group member information, from over a network and via a first packet forwarding system, at a controller server that provides for control of a network comprised of a first virtual local area network including a first packet forwarding system, the first multicast group member information being received by the first packet forwarding system and describing a first end-host computer as joining a first multicast group on the first virtual local area network. The system generates a multicast tree, at the controller server, and communicates a network configuration message to at least one packet forwarding system of a first plurality of packet forwarding systems to enable communication of the multicast traffic for the first multicast group over a portion of the multicast tree.

Abstract: Methods, systems, and computer programs are presented for distributing network address translation (NAT) operations to a plurality of network devices on a network. One method includes an operation for identifying, by a controller that controls a network fabric, a plurality of switches in the network fabric, each switch having a module for NAT and being configured to forward packets received at the switch. The controller identifies hosts having at least one internal Internet Protocol (IP) address, and for each of the hosts, the controller selects one of the switches from the plurality of switches for performing the NAT for the host. Further, the controller configures the network fabric to cause the selected switch to perform the NAT for the host to enable the host to communicate with an external network. In case of switch failure, the system reallocates NAT loads to other switches for high availability.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts that are coupled to the forwarding network. An analysis network may be connected to the forwarding network. A controller may control the switches in the forwarding network to implement desired forwarding paths. The controller may configure the switches to form switch port groups. The controller may identify a port group that is connected to the analysis network. The controller may select a subset of the forwarded packets and may control selected switches to copy the subset to the identified port group. The controller may establish network tunnels between the switches and the port group. In this way, the controller may control the switches to perform efficient traffic monitoring regardless of the location on the forwarding network at which the traffic monitoring network is connected and without interfering with normal packet forwarding operations through the forwarding network.

Abstract: A controller implemented on computing equipment may control switches in a network. The controller may provide flow tables that implement network policies to the switches to control packet forwarding through the network. The controller may provide debug table entries to the switches for use in a debug table that is separate from the flow table. The debug table entries may match incoming network packets and increment corresponding counters on the switches. The controller may retrieve count information from the counters for performing debugging operations on the network. For example, the controller may identify conflicts between fields of a selected flow table entry, determine whether elephant packet flows are present between switches, determine whether desired load balancing is being performed, determine whether a network path has changed, determine whether packet loss has occurred, and/or determine whether network packets are taking undesired paths based on the retrieved count information.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery cable, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: First and second controllers implemented on computing equipment may be used to control switches in a network. The switches may forward network packets between end hosts. The second controller may identify first and second redundant partitions of switches in the network that are each coupled to all of the end hosts. The first controller may instruct the first partition to install software while the second partition forwards network traffic and may instruct the second partition to install software while the first partition forwards network traffic. The first controller may install the software while the second controller is active and the second controller may install the software while the first controller is active. In this way, the switches and controllers may be provided with an uninterrupted software upgrade and packets may be forwarded between end hosts during the software upgrade without introducing packet loss or other noticeable reductions in network performance.

Abstract: A controller implemented on computing equipment may be used to control switches in a network. End hosts and service devices may be coupled to the switches in the network. The controller may generate a virtual network topology of virtual switches and virtual routers. The controller may control the virtual routers and/or virtual switches to perform service insertion. The controller may perform service insertion by controlling the virtual routers and/or virtual switches to redirect network traffic through one or more selected service devices. The controller may determine which network traffic is to be redirected to which service devices based on a service insertion policy that identifies network traffic and services to be performed on the network traffic.

Abstract: A controller may be used to control client switches in a network that includes non-client, switches. The controller may form client domains from groups of client switches that are separated by intervening non-client domains formed from non-client switches. The controller may determine a network domain topology from the client domains and non-client domains. The controller may determine a spanning tree that interconnects the nodes of the network domain topology. The controller may control client switches of the client domains to allow only network traffic between the client domains and the non-client domains along the spanning tree. The controller may use the network domain topology to generate inter-domain forwarding maps. The inter-domain forwarding maps may be used to determine network forwarding paths between end hosts in the network.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts that are coupled to the forwarding network. An analysis network may be connected to the forwarding network. A controller may control the switches in the forwarding network to implement desired forwarding paths. The controller may configure the switches to form switch port groups. The controller may identify a port group that is connected to the analysis network. The controller may select a subset of the forwarded packets and may control selected switches to copy the subset to the identified port group. The controller may establish network tunnels between the switches and the port group. In this way, the controller may control the switches to perform efficient traffic monitoring regardless of the location on the forwarding network at which the traffic monitoring network is connected and without interfering with normal packet forwarding operations through the forwarding network.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery table, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery table, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: A controller may control switches in a network that forwards network packets between end hosts. The controller may generate a directed acyclic graph based on maintained network topology information. The directed acyclic graph may include multiple network paths between any given pair of switches. For a given network packet received from an end host, the controller may generate an identifier or otherwise classify the network packet based on network attributes of the network packet. The network attributes may include packet header information retrieved from the network packet, information maintained by the controller such as which virtual switch is associated with the network packet, and/or other network attributes. The controller may use the network packet identifier to select a network forwarding path for the network packet from the directed acyclic graph.