Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: For a virtual distributed network environment employing physical forwarding elements that includes both software forwarding elements and third party devices serving as hardware forwarding elements, a scalable method for synchronizing configuration data of logical forwarding elements that are distributed across the various physical forwarding elements is provided. The method generates and updates the configuration data at a set of central controllers and then distributes the configuration data to the physical forwarding elements. The method delivers the updated configuration data to some of the physical forwarding elements by (i) determining a delta/differential between the updated configuration data held at the central controller and the obsolete configuration data held at those physical forwarding elements and (ii) delivering the determined differential configuration data to the physical forwarding elements.

Abstract: Some embodiments provide, for a first controller application, a method for configuring a managed hardware forwarding element (MHFE) to implement one or more logical networks. The method of some embodiments receives logical network data that defines at least one logical forwarding element of a logical network to be implemented by the MHFE. The method then identifies a set of tables of a database instance that is instantiated on the MHFE in order to distribute the logical network data to the MHFE. In some embodiments, the method monitors the identified set of tables in order to determine whether a second controller application updates any one of the set of tables. The method distributes the logical network data to the MHFE so long as none of the tables in the set of tables is updated by the second controller application.

Abstract: Some embodiments provide an ARP-offload service node for several managed hardware forwarding elements (MHFEs) in a datacenter in order to offload ARP query processing by the MHFEs. The MHFEs are managed elements because one or more network controllers (e.g., one or more management servers) send configuration data to the MHFEs to configure their operations. In some of these embodiments, the network controllers configure the MHFEs to create logical forwarding elements (e.g., logical switches, logical routers, etc.) each of which can span two or more managed forwarding elements.

Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnels endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Some embodiments provide a novel method for a network control system (or controllers of the network control system) to manage a set of hardware Virtual Tunnel End Points (VTEPs) used to implement a logical network. Many network devices or entities (such as interfaces or transport nodes) have a functionality to mark the device or entity as “administratively down”. In that mode, such a device does not participate in any further forwarding in the dataplane, until it is marked as administratively up. This feature is often used to troubleshoot networks, and/or to remove misbehaving or faulty devices.

Abstract: Certain embodiments described herein are generally directed to a hypervisor-wide data structure that holds service rule address information for multiple VIFs in a compact way, which can later be processed per-VIF, in order to perform VIF-specific address group updates. For example, certain embodiments described herein provide a network controller that maintains a global hash table for multiple VIFs that maps network addresses to groups of one or more service rules. In certain embodiments, a network address to service rules table for each VIF may be derived based on the global hash table by using set intersections.

Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: Some embodiments provide a method for configuring a hardware switch to implement a security policy associated with a logical router of a logical network. The method receives a logical router definition. The logical router logically connects a physical machine, connected to a physical port of the hardware switch, to several VMs that execute on a set of host machines. The method defines a set of routing components for the logical router, each of which, has several interfaces. The method receives a security policy that includes a set of security rules for the physical machine and populates an ACL table with ACL rules data generated based on the received set of security rules. The method then for at least one interface of one of the routing components, generates linking data that links a set of one or more ACL rules in the ACL table to the interface of the routing component.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn uses the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.

Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnels endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.

Abstract: Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.

Abstract: For a network with host machines that are hosting virtual machines, a method for facilitating BUM (broadcast, unknown unicast, and multicast) traffic between a hardware switch (e.g., ToR switch) and the host machines is provided. The network has a set of host machines configured as a cluster of replicators for replicating BUM traffic from the hardware switch to the host machines. A set of network controllers establishes failure-detection tunnels for links between the hardware switch and the replicator cluster. The replicator cluster informs the set of controllers of a change in the membership of the replicator cluster to initiate an update to the active failure-detection sessions. The set of network controllers communicates with the replicator cluster and a ToR switch to establish bidirectional forwarding detection (BFD) sessions between one or more replicator nodes in the replicator cluster and the ToR switch.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: A method for configuring a managed forwarding element (MFE) to perform logical routing operations in a logical network on behalf of a hardware switch is described. The method of some embodiments receives data that defines a logical router that logically connects several different end machines operating on several different host machines to different physical machines that are connected to the hardware switch. The method, based on the received data, defines a number of routing components for the logical router. In some embodiments, the method then configures the MFE to implement the routing components in order to enable the MFE to perform logical routing operations on behalf of the hardware switch.

Abstract: Some embodiments provide novel methods for controllers to communicate with managed hardware forwarding elements (MHFEs) in a transactional manner. The transactional communication methods of some embodiments ensure that an MHFE receives the entirety of a control plane update that a controller supplies to it, before the MHFE starts to modify its data plane forwarding data and operations. The transactional communication methods of some embodiments provide one or more transactional boundary controls to the controllers to define complete control plane data set updates. In some embodiments, the transactional controls ensure that an MHFE receives all of a control plane update before it starts to modify its data plane forwarding data. Controllers use one transactional control in some embodiments when they define logical forwarding elements (e.g., logical switches or routers) on the MHFEs.

Abstract: Certain embodiments described herein are generally directed to media access control (MAC) address learning for packets sent between end points (EPs) in a network (e.g., overlay network). For example, in some embodiments, VTEPs may be used to provide packet forwarding services, load balancing services, gateway services, etc., to EPs in the network. In certain embodiments, the VTEPs may be assigned unique labels, which are used by the VTEPs to map MAC addresses of packets to destination addresses for the packets.