Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.

Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: In some embodiments, a method determines when a packet is fragmented into multiple fragmented packets in a flow between a first workload and a second workload. The method switches from generating an outer source port in the outer header using layer 4 information from the inner header to using layer 3 information from the inner header. A fragmented packet is encapsulated with the outer header that includes an outer source port value that is generated using the layer 3 information. The method initiates a process to determine when to switch back to using layer 4 information from the inner header to generate the outer source port. When it is determined to switch back to using layer 4 information, the method switches back to using layer 4 information from the inner header to generate the source port in the outer header of a packet from the first workload.

Abstract: In some embodiments, a method receives, by a first network device, a packet from a first workload that is located in first site. The first site includes stretched networks across a second site and a third site. The packet includes a destination IP address for a device in the second site. The method determines that the destination IP address does not match an eligible route in a routing table. The first workload was migrated from the second site to the first site and is located on a stretched network between the first site and the second site. A site identifier associated with the first workload is determined where the site identifier identifies the second site. The method selects a site policy based on the site identifier and uses the site policy to send the packet through a layer 2 channel to the second network device in the second site.

Abstract: In some embodiments, a method determines when a packet is fragmented into multiple fragmented packets in a flow between a first workload and a second workload. The method switches from generating an outer source port in the outer header using layer 4 information from the inner header to using layer 3 information from the inner header. A fragmented packet is encapsulated with the outer header that includes an outer source port value that is generated using the layer 3 information. The method initiates a process to determine when to switch back to using layer 4 information from the inner header to generate the outer source port. When it is determined to switch back to using layer 4 information, the method switches back to using layer 4 information from the inner header to generate the source port in the outer header of a packet from the first workload.

Abstract: Techniques for transferring connection data for a migrated virtual computing instance are described. The connection data transfer process includes the steps of, responsive to determining the virtual computing instance is to be migrated, transmitting the connection data, from a first memory buffer shared between a first instance of a service virtual computing instance and a first hardware abstraction layer executing in a source host, to a second memory buffer shared between a second instance of the service virtual computing instance and a second hardware abstraction layer executing in a destination host; responsive to determining the virtual computing instance is stopped in the source host, packing connection data changes including changes made to the connection data at the source host during a time period beginning when the connection data is copied and ending when the virtual computing instance is stopped; and transmitting the connection data changes to the destination host.

Abstract: Described herein are systems and methods to manage Internet Protocol (IP) address discovery in a software defined networking (SDN) environment. In one example, a manager may generate an IP address discovery configuration and pass the IP address discovery configuration to a controller. Once received, the controller may obtain a discovered list from a hypervisor of one or more IP addresses associated with one or more logical ports and update a realized list for the one or more logical ports based on the discovered list and the IP address discovery configuration.

Abstract: In an embodiment, a computer-implemented method provides mechanisms for identifying a source location in a service chaining topology. In an embodiment, a method comprises: determining, at an egress interface of a host that hosts a virtual machine (“VM”), whether a service plane MAC address (“spmac”) in a packet header of a packet, provided to the egress interface, is the same as an inner destination MAC address in the packet; in response to determining that the spmac in the packet header of the packet, provided to the egress interface, is the same as the inner destination MAC address in the packet: encapsulating the packet with a destination virtual tunnel endpoint (“VTEP”) address retrieved from a mapping of VTEP-labels onto VTEP addresses; and causing providing the packet from the egress interface of the host that hosts the VM to a source host that hosts a source guest virtual machine (“GVM”).

Abstract: Some embodiments provide a method for deploying edge forwarding elements in a public or private software defined datacenter (SDDC). For an entity, the method deploys a default first edge forwarding element to process data message flows between machines of the entity in a first network of the SDDC and machines external to the first network of the SDDC. The method subsequently receives a request to allocate more bandwidth to a first set of the data message flows entering or exiting the first network of the SDDC. In response, the method deploys a second edge forwarding element to process the first set of data message flows of the entity in order to allocate more bandwidth to the first set of the data message flows, while continuing to process a second set of data message flows of the entity through the default first edge node.

Abstract: Some embodiments provide a method for proxying ARP requests. At an MFE that executes on a host computer operating at a first site to implement a distributed router along with at least one additional MFE at the first site, the method receives, from a router at a remote second site, an ARP request for an IP address associated with a logical switch that spans the first site and the remote second site, and to which both the distributed router and the router at the remote second site connect. The method determines whether a table that includes IP addresses for a set of DCNs that use the distributed router as a default gateway includes the IP address. When the IP address is in the table, the method proxies the request at the host computer. When the particular IP address is not in the table, the MFE does not proxy the request.

Abstract: In some embodiments, a method receives, by a first network device, a packet from a first workload that is located in first site. The first site includes stretched networks across a second site and a third site. The packet includes a destination IP address for a device in the second site. The method determines that the destination IP address does not match an eligible route in a routing table. The first workload was migrated from the second site to the first site and is located on a stretched network between the first site and the second site. A site identifier associated with the first workload is determined where the site identifier identifies the second site. The method selects a site policy based on the site identifier and uses the site policy to send the packet through a layer 2 channel to the second network device in the second site.

Abstract: The disclosure provides an approach for reducing congestion within a network, the network comprising a plurality of subnets, the plurality of subnets comprising a plurality of host machines and a plurality of virtual computing instances (VCIs) running on the plurality of host machines. Embodiments include receiving, by an edge services gateway (ESG) of a first subnet of the plurality of subnets, membership information for a group identifying a subset of the plurality of host machines. Embodiments include receiving a multicast packet directed to the group and selecting from the plurality of host machines, a replicator host machine for the multicast packet. Embodiments include sending, to the replicator host machine, the multicast packet along with metadata indicating that the replicator host machine is to replicate the multicast packet to remaining host machines of the subset of the plurality of host machines identified in the membership information for the group.

Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: Described herein are systems and methods to manage Internet Protocol (IP) address discovery in a software defined networking (SDN) environment. In one example, a manager may generate an IP address discovery configuration and pass the IP address discovery configuration to a controller. Once received, the controller may obtain a discovered list from a hypervisor of one or more IP addresses associated with one or more logical ports and update a realized list for the one or more logical ports based on the discovered list and the IP address discovery configuration.

Abstract: Certain embodiments described herein are generally directed to a method for managing packets at a virtual forwarding element of a hypervisor. In one example, the method includes receiving a first plurality of packets at a virtual port of the virtual forwarding element. The method further includes detecting the first plurality of packets correspond to a signature configured at the virtual port. The method also includes dropping at least one packet of the first plurality of packets at the virtual port based on detecting the first plurality corresponds to the signature. The method further includes receiving a second plurality of packets at the virtual port of the virtual forwarding element, wherein the second plurality of packets do not correspond to the signature. The method also includes forwarding the second plurality of packets to one or more destinations by the virtual forwarding element.

Abstract: The disclosure provides an approach for workload migration. Embodiments include receiving logical network resource capacity information and logical network resource utilization information relating to a plurality of host computers and to one or more logical network resources. Embodiments include determining that a virtual computing instance (VCI) is to be run on one of the plurality of host computers and determining for each respective host computer of the plurality of host computers, a respective realization cost of the VCI for the respective host computer, wherein the respective realization cost relates to the one or more logical network resources. Embodiments include selecting, based on the logical network resource capacity information, the logical network resource utilization information, and the realization cost, a target host computer for the VCI from the plurality of host computers and loading the VCI on the target host computer.

Abstract: The disclosure provides an approach for workload migration. Embodiments include receiving logical network resource capacity information and logical network resource utilization information relating to a plurality of host computers and to one or more logical network resources. Embodiments include determining that a virtual computing instance (VCI) is to be run on one of the plurality of host computers and determining for each respective host computer of the plurality of host computers, a respective realization cost of the VCI for the respective host computer, wherein the respective realization cost relates to the one or more logical network resources. Embodiments include selecting, based on the logical network resource capacity information, the logical network resource utilization information, and the realization cost, a target host computer for the VCI from the plurality of host computers and loading the VCI on the target host computer.

Abstract: The disclosure provides an approach for reducing congestion within a network, the network comprising a plurality of subnets, the plurality of subnets comprising a plurality of host machines and a plurality of virtual computing instances (VCIs) running on the plurality of host machines. Embodiments include receiving, by an edge services gateway (ESG) of a first subnet of the plurality of subnets, membership information for a group identifying a subset of the plurality of host machines. Embodiments include receiving a multicast packet directed to the group and selecting from the plurality of host machines, a replicator host machine for the multicast packet. Embodiments include sending, to the replicator host machine, the multicast packet along with metadata indicating that the replicator host machine is to replicate the multicast packet to remaining host machines of the subset of the plurality of host machines identified in the membership information for the group.

Abstract: In an embodiment, a computer-implemented method provides mechanisms for identifying a source location in a service chaining topology. In an embodiment, a method comprises: determining, at an egress interface of a host that hosts a virtual machine (“VM”), whether a service plane MAC address (“spmac”) in a packet header of a packet, provided to the egress interface, is the same as an inner destination MAC address in the packet; in response to determining that the spmac in the packet header of the packet, provided to the egress interface, is the same as the inner destination MAC address in the packet: encapsulating the packet with a destination virtual tunnel endpoint (“VTEP”) address retrieved from a mapping of VTEP-labels onto VTEP addresses; and causing providing the packet from the egress interface of the host that hosts the VM to a source host that hosts a source guest virtual machine (“GVM”).

Abstract: A method for monitoring several data compute nodes (DCNs) on a group of managed host machines is provided. The method receives service usage data from a group of managed hosts. The service usage data identifies service usage for each of a plurality of entities associated with each managed host. The method aggregates the received service usage data. The method displays the aggregated service usage data.