Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Some embodiments provide a non-transitory machine readable medium of a first middlebox element of several middlebox elements to implement a middlebox instance in a distributed manner in several hosts. The non-transitory machine readable medium stores a set of instructions for receiving (1) configuration data for configuring the middlebox instance to implement a middlebox in a logical network and (2) a particular identifier associated with the middlebox in the logical network. The non-transitory machine readable medium stores a set of instructions for generating (1) a set of rules to process packets for the middlebox in the logical network and (2) an internal identifier associated with the set of rules. The non-transitory machine readable medium stores a set of instructions for associating the particular identifier with the internal identifier for later processing of packets having the particular identifier.

Abstract: Some embodiments provide a method for a first network controller located at a first physical domain that manages a logical network spanning several physical domains including the first domain. The method stores a set of context identifiers for assignment to logical entities. The context identifiers are for use in packets sent between managed forwarding elements in order to store logical network information in the packets. While connected to a master controller for the logical network at a second physical domain of the several physical domains, the method forwards state input requiring assignment of context identifiers to the master controller. While connectivity is lost with the master controller, the method assigns context identifiers from the stored set of context identifiers to logical entities.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: Some embodiments provide a method for configuring a hardware switch to implement a security policy associated with a logical router of a logical network. The method receives a logical router definition. The logical router logically connects a physical machine, connected to a physical port of the hardware switch, to several VMs that execute on a set of host machines. The method defines a set of routing components for the logical router, each of which, has several interfaces. The method receives a security policy that includes a set of security rules for the physical machine and populates an ACL table with ACL rules data generated based on the received set of security rules. The method then for at least one interface of one of the routing components, generates linking data that links a set of one or more ACL rules in the ACL table to the interface of the routing component.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: A method for configuring a managed hardware forwarding element (MHFE) to perform packet forwarding operations for a logical network is described. The method receives data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The method defines multiple routing components for the logical router, where each routing component includes a separate set of logical ports. The method then configures a forwarding table on the MHFE by populating the forwarding table with tunnel endpoint data for each logical port of each routing component of the logical router that is associated with a logical port of a logical switch. The tunnel endpoint data populated for logical ports of one routing component indicate that no tunnel should be established for any of the logical ports.

Abstract: Some embodiments provide a forwarding element that inspects the size of each of several packets in a data flow to determine whether the data flow is an elephant flow. The forwarding element inspects the size because, in order for the packet to be of a certain size, the data flow had to already have gone through a slow start in which smaller packets are transferred and by definition be an elephant flow. When the forwarding element receives a packet in a data flow, the forwarding element identifies the size of the packet. The forwarding element then determines if the size of the packet is greater than a threshold size. If the size is greater, the forwarding element specifies that the packet's data flow is an elephant flow.

Abstract: A method for configuring an edge MHFE for a logical network to communicate with other networks is described. The method receives data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines. The method, based on the received logical network data, identifies a physical port of the MHFE to bind a logical uplink port of the logical router to the identified physical port. The uplink port is for connecting the logical router to the external network. The method then binds the logical uplink port to the identified physical port by defining an uplink logical switch with a logical port that is associated with the identified physical port and assigning network and data link addresses of the logical uplink port to the logical port of the uplink logical switch.

Abstract: Some embodiments provide a method for a first network controller located at a first physical domain that manages a logical network spanning several physical domains including the first domain. The method stores a set of context identifiers for assignment to logical entities. The context identifiers are for use in packets sent between managed forwarding elements in order to store logical network information in the packets. While connected to a master controller for the logical network at a second physical domain of the several physical domains, the method forwards state input requiring assignment of context identifiers to the master controller. While connectivity is lost with the master controller, the method assigns context identifiers from the stored set of context identifiers to logical entities.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Some embodiments provide a method for a first network controller located at a first physical domain that manages a logical network spanning several physical domains including the first domain. The method stores a set of context identifiers for assignment to logical entities. The context identifiers are for use in packets sent between managed forwarding elements in order to store logical network information in the packets. While connected to a master controller for the logical network at a second physical domain of the several physical domains, the method forwards state input requiring assignment of context identifiers to the master controller. While connectivity is lost with the master controller, the method assigns context identifiers from the stored set of context identifiers to logical entities.

Abstract: Some embodiments provide a forwarding element that inspects the size of each of several packets in a data flow to determine whether the data flow is an elephant flow. The forwarding element inspects the size because, in order for the packet to be of a certain size, the data flow had to already have gone through a slow start in which smaller packets are transferred and by definition be an elephant flow. When the forwarding element receives a packet in a data flow, the forwarding element identifies the size of the packet. The forwarding element then determines if the size of the packet is greater than a threshold size. If the size is greater, the forwarding element specifies that the packet's data flow is an elephant flow.

Abstract: Some embodiments provide a network controller for managing a logical network that spans several physical domains. The network controller is located at a particular one of the several physical domains. The network controller includes a first storage for storing network state information that is local to the particular physical domain. The network controller includes a second storage for storing a first type of global network state information for the logical network. The network controller includes a third storage for storing a second type of global network state information for the logical network. The network controller includes an interface for communicating with other network controllers located at the other physical domains in the several physical domains spanned by the logical network. The interface is for sharing the first and second types of global network state information.

Abstract: Some embodiments provide a method for a first network controller located at a first domain that manages a logical network spanning several physical domains including the first domain. Upon reconnection to a second network controller located at a second physical domain of the several physical domains after a period of disconnect, the method receives a first set of updates indicating modifications to logical network state from the second network controller. The method reconciles any conflicts between (i) the logical network state stored at the first controller, (ii) the first set of updates received from the second network controller, and (iii) updates received from other network controllers located at different physical domains of the several physical domains. The method transmits a second set of updates to the second controller indicating modifications to the logical network state based on the reconciliation of conflicts.

Abstract: A method for configuring an edge MHFE for a logical network to communicate with other networks is described. The method receives data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines. The method, based on the received logical network data, identifies a physical port of the MHFE to bind a logical uplink port of the logical router to the identified physical port. The uplink port is for connecting the logical router to the external network. The method then binds the logical uplink port to the identified physical port by defining an uplink logical switch with a logical port that is associated with the identified physical port and assigning network and data link addresses of the logical uplink port to the logical port of the uplink logical switch.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: A method for configuring a managed hardware forwarding element (MHFE) to perform packet forwarding operations for a logical network is described. The method receives data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The method defines multiple routing components for the logical router, where each routing component includes a separate set of logical ports. The method then configures a forwarding table on the MHFE by populating the forwarding table with tunnel endpoint data for each logical port of each routing component of the logical router that is associated with a logical port of a logical switch. The tunnel endpoint data populated for logical ports of one routing component indicate that no tunnel should be established for any of the logical ports.

Abstract: Some embodiments provide a method for a first network controller located at a first physical domain that manages a logical network spanning several physical domains including the first domain. The method detects that connectivity is lost between the first network controller and a second network controller located in a second one of the physical domains. The method identifies a set of forwarding elements managed by the first network controller that implement the logical network. The method instructs the set of forwarding elements to drop packets for the logical network received from forwarding elements in the second physical domain.