Abstract: A method for configuring a managed forwarding element (MFE) to perform logical routing operations in a logical network on behalf of a hardware switch is described. The method of some embodiments receives data that defines a logical router that logically connects several different end machines operating on several different host machines to different physical machines that are connected to the hardware switch. The method, based on the received data, defines a number of routing components for the logical router. In some embodiments, the method then configures the MFE to implement the routing components in order to enable the MFE to perform logical routing operations on behalf of the hardware switch.

Abstract: For a virtual distributed network environment employing physical forwarding elements that includes both software forwarding elements and third party devices serving as hardware forwarding elements, a scalable method for synchronizing configuration data of logical forwarding elements that are distributed across the various physical forwarding elements is provided. The method generates and updates the configuration data at a set of central controllers and then distributes the configuration data to the physical forwarding elements. The method delivers the updated configuration data to some of the physical forwarding elements by (i) determining a delta/differential between the updated configuration data held at the central controller and the obsolete configuration data held at those physical forwarding elements and (ii) delivering the determined differential configuration data to the physical forwarding elements.

Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn uses the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.

Abstract: Embodiments provide a network address translation (NAT) service for network devices. A network connection from at least one private network device to the NAT service is received and a network connection from at least one remote device to the NAT service is received. The private network device is positioned within a private network and the remote device is positioned within a public network. A network availability of the remote device is determined. If the remote device is unavailable or a network configuration setting associated with the remote device changes, the private network device is notified and a connection reset message is transmitted to the private network device.

Abstract: A method for configuring an edge MHFE for a logical network to communicate with other networks is described. The method receives data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines. The method, based on the received logical network data, identifies a physical port of the MHFE to bind a logical uplink port of the logical router to the identified physical port. The uplink port is for connecting the logical router to the external network. The method then binds the logical uplink port to the identified physical port by defining an uplink logical switch with a logical port that is associated with the identified physical port and assigning network and data link addresses of the logical uplink port to the logical port of the uplink logical switch.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: A method for configuring a managed hardware forwarding element (MHFE) to perform packet forwarding operations for a logical network is described. The method receives data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The method defines multiple routing components for the logical router, where each routing component includes a separate set of logical ports. The method then configures a forwarding table on the MHFE by populating the forwarding table with tunnel endpoint data for each logical port of each routing component of the logical router that is associated with a logical port of a logical switch. The tunnel endpoint data populated for logical ports of one routing component indicate that no tunnel should be established for any of the logical ports.

Abstract: Some embodiments provide a managed hardware forwarding element (MHFE) controller that serves as an intermediary between one or more central controllers in a central control plane (CCP) cluster and one or more third-party hardware devices (e.g., physical switches and routers, applicances such as firewalls, load balancers, etc.). The MHFE controller of some embodiments uses (i) a first protocol to communicate with the CCP cluster and (ii) a second protocol to communicate with the one or more third-party devices managed by the MHFE controller, thereby enabling the CCP cluster to distribute logical network configuration information to the physical workloads (e.g., third-party servers connected to a third-party Top of Rack (TOR) switch).

Abstract: Some embodiments provide a novel method for managing hardware forwarding elements (MHFEs) that facilitate the creation of multiple logical networks on a set of shared physical forwarding elements. The method uses a set of logical controllers that generate data that defines a set of logical networks, and a set physical controllers to distribute the generated data to the hardware forwarding elements. In some embodiments, each MHFE can serve as either a master WIFE or a slave MHFE for one set of computing end nodes (e.g., VMs, containers, etc.) in a logical network. To ensure proper routing of data packets to the computing end nodes, each MHFE sends to its physical controller an inventory (e.g., a table, a list, etc.) of the set of computing end nodes for which it serves as the master MHFE or the slave MHFE. Each physical controller forwards the inventory for each logical network to the logical controller for the logical network.

Abstract: A method of suppressing ARP packets in a logical network comprising a set of data compute nodes (DCNs). The DCNs are hosted on a set of physical hosts. Each DCN has a protocol address and is connected to a forwarding elements (FE) on the corresponding host. Each FE has a set of flows that specifies a set of conditions to match a set of fields of each received packet and a set of actions to take on a packet that matches the set of conditions. An FE on a physical host receives a packet sent by a first DCN on the physical host and determines that the received packet is an ARP request packet by matching a set of fields in the packet with a set of conditions of a particular flow. The ARP request packet identifies a protocol address of a second DCN on the logical network.

Abstract: Some embodiments provide a network control system with techniques for handling failover of network controllers with minimal churn in the network state distributed to the forwarding elements of the network. Specifically, in some embodiments, the local controller designates a waiting period before computing output network state data entries based on the new version of the input network state data entries. Alternatively, or conjunctively, the local controller of some embodiments calculates the changes between the new version of input state data entries and its stored existing version of the input state data entries, and only generates new output network state data entries based on the calculated changes, in order to minimize unnecessary recalculations of the output network state data entries. The new output network state data entries may then be used by the local controller to provision its managed forwarding element.

Abstract: Some embodiments provide a network control system with techniques for handling failover of network controllers with minimal churn in the network state distributed to the forwarding elements of the network. Specifically, in some embodiments, the local controller designates a waiting period before computing output network state data entries based on the new version of the input network state data entries. Alternatively, or conjunctively, the local controller of some embodiments calculates the changes between the new version of input state data entries and its stored existing version of the input state data entries, and only generates new output network state data entries based on the calculated changes, in order to minimize unnecessary recalculations of the output network state data entries. The new output network state data entries may then be used by the local controller to provision its managed forwarding element.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: The network control system of some embodiments implements logical port classifications to implement different features of logical networks onto a physical network. The network control system of some embodiments modifies flow entries at forwarding elements of the physical network to implement the logical network. The network control system classifies logical source and destination ports into disjoint equivalence classes for logical network flows in a virtualized network, and encodes this information in the tunneled traffic carrying the logical flow. The network control system of some such embodiments provides logical port classifications to minimize the necessary flow entries at each forwarding element of the physical network.

Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn uses the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.

Abstract: A method for providing a “just-in-time” distributed capability for classification encoding is described. When a source transport node processes a new flow (a flow for the first time), the source transport node in some embodiments sends a metadata packet “just-in-time” to the destination transport node to propagate the classification encoding to use for the given flow.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.