Patents Assigned to Nicira, Inc.
  • Patent number: 11368431
    Abstract: Some embodiments provide a method for applying a security policy defined for a logical network to an MHFE that integrates physical workloads (e.g., physical machines connected to the MHFE) with the logical network. The method applies the security policy to the MHFE by generating a set of ACL rules based on the security policy's definition and configuring the MHFE to apply the ACL rules on the network traffic that is forwarded to and/or from the physical machines. In order to configure an MHFE to implement the different LFEs of a logical network, some embodiments propagate an open source database stored on the MHFE, using an open source protocol. Some embodiments propagate a particular table of the database such that each record of the table creates an association between a port of an LFE stored in a logical forwarding table and one or more ACL rules stored in an ACL table.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: June 21, 2022
    Assignee: NICIRA, INC.
    Inventor: Benjamin Basler
  • Patent number: 11349722
    Abstract: In one aspect, a computerized method useful for connecting to a multipath hub in a cluster includes the step of, with a gateway in a same network as the cluster, receiving, from a branch edge, a request to connect to a logical identifier (ID) of the multipath hub. The gateway recognizes a logical ID representing a cluster. The gateway determines a least-loaded edge in the cluster to be the multipath hub. The gateway returns connectivity information for the multipath hub. The branch edge configures a tunnel to the multipath hub.
    Type: Grant
    Filed: August 1, 2020
    Date of Patent: May 31, 2022
    Assignee: NICIRA, INC.
    Inventors: Ajit Ramachandra Mayya, Parag Pritam Thakore, Stephen Craig Connors, Steven Michael Woo, Sunil Mukundan, Nitin Kumar Ananda
  • Patent number: 11347537
    Abstract: Some embodiments provide a local network controller that manages a first managed forwarding element (MFE) operating to forward traffic on a host machine for several logical networks and configures the first MFE to forward traffic for a set of containers operating within a container virtual machine (VM) that connects to the first MFE. The local network controller receives, from a centralized network controller, logical network configuration information for a logical network to which the set of containers logically connect. The local network controller receives, from the container VM, a mapping of a tag value used by a second MFE operating on the container VM to a logical forwarding element of the logical network to which the set of containers connect. The local network controller configures the first MFE to apply the logical network configuration information to data messages received from the container VM that are tagged with the tag value.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: May 31, 2022
    Assignee: NICIRA, INC.
    Inventors: Somik Behera, Donghai Han, Jianjun Shen, Justin Pettit
  • Patent number: 11349724
    Abstract: An approach for a software defined networking manager to perform a predictive analysis of proposed modifications to a software defined network (SDN) is presented. A method comprises receiving entity logical associations that are captured in a set of rules implemented in a SDN. Once a proposed modification to the entity logical associations is received, without implementing the proposed modification and without modifying the set of rules, impacted entity associations, from the entity logical associations, are identified. Upon receiving input indicating that the proposed modification is to be accepted, an updated set of rules for the SDN is generated by updating the set of rules based on the proposed modification, and the updated set of rules is implemented in the SDN.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: May 31, 2022
    Assignee: NICIRA, INC.
    Inventors: Ujwala Kawalay, Prashant Ambardekar, Prayas Gaurav, Rajiv Krishnamurthy, Gurprit Johal
  • Patent number: 11343204
    Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result of previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have an applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages and records a set of data from each stage of the pipeline and synthesizes those data into a cache entry for subsequent packets.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: May 24, 2022
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Xinhua Hong
  • Patent number: 11343183
    Abstract: Example methods are provided to perform traffic forwarding between geographically dispersed first site and second site and to support traffic forwarding via a trunk interface. In one example, the method may include receiving, by a first edge device at the first site, network traffic having a plurality of packets via a trunk interface of the first edge device from a virtual tunnel endpoint, the virtual tunnel endpoint having decapsulated the packets prior to communicating the packets through the trunk interface. The method may further include reading an overlay network identifier from each of the packets to identify a source overlay network of the received network traffic from the multiple overlay networks; modifying each of the packets to include a virtual local area network (VLAN) identifier; and forwarding modified network traffic to a second edge device at the second site to identify the destination network based on the VLAN identifier.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: May 24, 2022
    Assignee: NICIRA INC.
    Inventors: Qin Li, Shailesh Urhekar, Amit Chopra, Ayyappan Veeraiyan, Uday Masurekar
  • Patent number: 11336733
    Abstract: Described herein are systems, methods, and software to enhance packet . In one implementation, a host computing element identifies a packet from a process executing on the host computing element. In response to identifying the packet, the host computing element determines whether the packet originates from a container namespace corresponding to a container on the host computing element or a host namespace corresponding to the host computing element. If the packet originates from a container namespace, the host computing element may determine supplemental information for the container associated with the container namespace, and process the packet based on the supplemental information.
    Type: Grant
    Filed: September 10, 2018
    Date of Patent: May 17, 2022
    Assignee: Nicira, Inc.
    Inventors: Nilesh Awate, Vivek Parikh, Amit Vasant Patil, Vaibhav Rekhate
  • Patent number: 11336572
    Abstract: The technology disclosed herein enables a dynamic chain of virtual service functions for processing network traffic in a virtual computing environment. In a particular embodiment, a method includes providing a service chain policy to a virtual routing element connecting the respective service functions and determining an initial classification of a network packet entering the dynamic service chain. The initial classification indicates at least a first service function in a sequence of the service functions for processing the network packet. The method further includes providing a service chain policy to a virtual routing element connecting the respective service functions.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: May 17, 2022
    Assignee: Nicira, Inc.
    Inventors: Sami Boutros, Mani Kancherla, Dharmaraja Rajan, Philip Kippen, Yashika Narang, Chidambareswaran Raman
  • Patent number: 11336590
    Abstract: Some embodiments provide a method that receives a request for information regarding a path between endpoints of a logical network. The method provides, for display, a visualization of the path including (i) a set of logical network components between the endpoints and (ii) a set of physical network components that implement the logical network components. The physical network components and the logical network components are aligned in the display. In some embodiments, the method receives data regarding a packet tracing operation between the endpoints. The method generates a display including (i) a visualization of the path between the endpoints of the logical network and (ii) a representation of the received data regarding the packet tracing operation, with the packet tracing operation data visually linked to the components of the path.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: May 17, 2022
    Assignee: NICIRA, INC.
    Inventors: Alexander Nhu, Brighton Vino Jegarajan, Jian Shen Sik, Venkata Ranganath Babu Golla, Shivraj Shahajirao Sonawane
  • Patent number: 11336486
    Abstract: Some embodiments provide a method for a set of central controllers that manages forwarding elements operating in a plurality of datacenters. The method receives a configuration for a bridge between (i) a logical L2 network that spans at least two datacenters and (ii) a physical L2 network. The configuration specifies a particular one of the datacenters for implementation of the bridge. The method identifies multiple managed forwarding elements that implement the logical L2 network and are operating in the particular datacenter. The method selects one of the identified managed forwarding elements to implement the bridge. The method distributes bridge configuration data to the selected managed forwarding element.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: May 17, 2022
    Assignee: NICIRA, INC.
    Inventors: Ankur Kumar Sharma, Xiaohu Wang, Hongwei Zhu, Ganesan Chandrashekhar, Vivek Agarwal, Nithin B. Raju
  • Patent number: 11327784
    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: May 10, 2022
    Assignee: NICIRA, INC.
    Inventors: Laxmikant Vithal Gunda, Sachin Mohan Vaidya
  • Patent number: 11323307
    Abstract: In one aspect, a computer-networking method useful for implementing dynamic high-availability (HA) mode based on current wide area network (WAN) connectivity, comprising the steps of: providing a first edge device of a local area network (LAN) with the WAN; providing a second edge device of the LAN with the WAN; and synchronizing a state of a plurality of links with the WAN that are connected to the first edge device and the second edge device.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: May 3, 2022
    Assignee: NICIRA, INC.
    Inventors: Ajit Ramachandra Mayya, Parag Pritam Thakore, Stephen Craig Connors, Steven Michael Woo, Sunil Mukundan, Nitin Kumar Ananda
  • Patent number: 11316837
    Abstract: Certain embodiments described herein are generally directed to enabling a group of host machines within a network to securely communicate an unknown unicast packet. In some embodiments, a key policy is defined exclusively for the secure communication of unknown unicast packets. The key policy is transmitted by a central controller to the group of host machines for negotiating session keys among each other when communicating unknown unicast packets.
    Type: Grant
    Filed: October 23, 2019
    Date of Patent: April 26, 2022
    Assignee: Nicira, Inc.
    Inventors: Sanal Pillai, Calvin Qian, Gang Xu, Bin Zan, Ganesan Chandrashekhar
  • Patent number: 11310150
    Abstract: A novel method for fully utilizing the multicast or broadcast capability of a physical network is provided. The method identifies segments of the network within which broadcast traffic, multicast traffic, or traffic to unknown recipients (BUM traffic) is allowed or enabled. The identified segment encompasses parts of the network that the BUM traffic is able to reach while excluding parts of the network nodes that the BUM traffic is unable to reach. Each identified segment includes network nodes that are interconnected by physical network hardware that supports BUM traffic. The method identifies multiple BUM traffic segments in a given network that each supports its own BUM traffic. The different BUM traffic segments are interconnected by physical network hardware that does not support BUM network traffic. Each identified segment is assigned an identifier that uniquely distinguishes the identified segment from other identified segments.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: April 19, 2022
    Assignee: NICIRA, INC.
    Inventors: Alexander Tessmer, Ram Dular Singh, Ganesan Chandrashekhar
  • Patent number: 11303701
    Abstract: Example methods are provided for a first routing component to handle failure at a logical router in a first network. One method may comprise learning first path information associated with a first path provided by an active second routing component, and second path information associated with a second path provided by a standby second routing component. The method may also comprise in response to detecting a first egress packet destined for a second network, sending the first egress packet to the active second routing component based on the first path information. The method may further comprise in response to detecting a failure at the active second routing component and detecting a second egress packet destined for the second network, sending the second egress packet to a new active second routing component based on the second path information.
    Type: Grant
    Filed: December 11, 2016
    Date of Patent: April 12, 2022
    Assignee: NICIRA INC.
    Inventors: Liwen Wu, Jia Yu, Xinhua Hong, Ronghua Zhang, David Leroy
  • Patent number: 11303577
    Abstract: Described herein are systems, methods, and software to enhance network traffic management. In one implementation, a method of operating a network interface system on a host computing system includes receiving a plurality of network packets and, for each packet in the plurality of network packets, identifying whether the packet comprises a control packet for fault detection in a software defined network (SDN). The method further includes prioritizing, for processing by a main processing system of the computing system, each packet in the plurality of network packets based on whether the packet comprises a control packet for fault detection in a SDN.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: April 12, 2022
    Assignee: Nicira, Inc.
    Inventors: Yong Wang, Ronghua Zhang
  • Patent number: 11296978
    Abstract: The technology disclosed herein enables multi-path routing in virtual edge systems of a virtual network environment. In a particular embodiment, a method provides establishing a connection for a communication with a client outside of the virtual network environment through a first virtual edge system of a plurality of virtual edge systems. The method further provides generating state information about the connection that indicates properties of the connection with respect to the first virtual edge system and updating a state information base of the first virtual edge system with the state information. Also, the method provides transferring the state information to one or more other virtual edge systems of the plurality of virtual edge systems and updating respective state information bases of the one or more other virtual edge systems with the state information.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: April 5, 2022
    Assignee: Nicira, Inc.
    Inventor: Sudheendra Bangalore Krishnamurthy
  • Patent number: 11297004
    Abstract: A novel method for dynamic network service allocation that maps generic services into specific configurations of service resources in a network is provided. An application that is assigned to be performed by computing resources in the network is associated with a set of generic services, and the method maps the set of generic services to the service resources based on the assignment of the application to the computing resources. The mapping of generic services is further based on a level of service that is chosen for the application, where the set of generic services are mapped to different sets of network resources according to different levels of services.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: April 5, 2022
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Raju Koganty, Anirban Sengupta
  • Patent number: 11296960
    Abstract: Some embodiments provide a method for monitoring a distributed application. The method receives a request to perform data collection for the distributed application. The method identifies data compute nodes (DCNs) that implement the distributed application. The method sends commands to host machines on which the identified DCNs operate to detect events related to the DCNs and provide data regarding the detected events. The method uses the data regarding the detected events to generate a user interface (UI) display of the topology of the distributed application.
    Type: Grant
    Filed: March 8, 2018
    Date of Patent: April 5, 2022
    Assignee: NICIRA, INC.
    Inventors: Bin Wang, Margaret Petrus, Farzad Ghannadian, Rajiv Krishnamurthy
  • Patent number: 11296930
    Abstract: Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes' datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-node clusters for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: April 5, 2022
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Rick Lund, Raju Koganty, Xinhua Hong, Mohan Parthasarathy