Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: In some embodiments, a method receives a control message from a second host. The control message includes a first address to use as a next hop to reach an active workload that has migrated to the second host from another host. The method reprograms a local route table to include a policy to send packets to check a liveness of the active workload with the next hop of the first address. A packet is sent from a standby workload to the active workload using the next hop of the first address to check the liveness of the active workload. The packet is encapsulated and sent between the first host and the second host using an overlay channel between a first endpoint of the overlay channel on the first host and a second endpoint of the channel on the second host.

Abstract: In some embodiments, a method determines when a packet is fragmented into multiple fragmented packets in a flow between a first workload and a second workload. The method switches from generating an outer source port in the outer header using layer 4 information from the inner header to using layer 3 information from the inner header. A fragmented packet is encapsulated with the outer header that includes an outer source port value that is generated using the layer 3 information. The method initiates a process to determine when to switch back to using layer 4 information from the inner header to generate the outer source port. When it is determined to switch back to using layer 4 information, the method switches back to using layer 4 information from the inner header to generate the source port in the outer header of a packet from the first workload.

Abstract: In some embodiments, a method receives, by a first network device, a packet from a first workload that is located in first site. The first site includes stretched networks across a second site and a third site. The packet includes a destination IP address for a device in the second site. The method determines that the destination IP address does not match an eligible route in a routing table. The first workload was migrated from the second site to the first site and is located on a stretched network between the first site and the second site. A site identifier associated with the first workload is determined where the site identifier identifies the second site. The method selects a site policy based on the site identifier and uses the site policy to send the packet through a layer 2 channel to the second network device in the second site.

Abstract: In some embodiments, a method determines when a packet is fragmented into multiple fragmented packets in a flow between a first workload and a second workload. The method switches from generating an outer source port in the outer header using layer 4 information from the inner header to using layer 3 information from the inner header. A fragmented packet is encapsulated with the outer header that includes an outer source port value that is generated using the layer 3 information. The method initiates a process to determine when to switch back to using layer 4 information from the inner header to generate the outer source port. When it is determined to switch back to using layer 4 information, the method switches back to using layer 4 information from the inner header to generate the source port in the outer header of a packet from the first workload.

Abstract: In some embodiments, a method receives a control message from a second host. The control message includes a first address to use as a next hop to reach an active workload that has migrated to the second host from another host. The method reprograms a local route table to include a policy to send packets to check a liveness of the active workload with the next hop of the first address. A packet is sent from a standby workload to the active workload using the next hop of the first address to check the liveness of the active workload. The packet is encapsulated and sent between the first host and the second host using an overlay channel between a first endpoint of the overlay channel on the first host and a second endpoint of the channel on the second host.

Abstract: Some embodiments provide a method for deploying edge forwarding elements in a public or private software defined datacenter (SDDC). For an entity, the method deploys a default first edge forwarding element to process data message flows between machines of the entity in a first network of the SDDC and machines external to the first network of the SDDC. The method subsequently receives a request to allocate more bandwidth to a first set of the data message flows entering or exiting the first network of the SDDC. In response, the method deploys a second edge forwarding element to process the first set of data message flows of the entity in order to allocate more bandwidth to the first set of the data message flows, while continuing to process a second set of data message flows of the entity through the default first edge node.

Abstract: Some embodiments provide a method for proxying ARP requests. At an MFE that executes on a host computer operating at a first site to implement a distributed router along with at least one additional MFE at the first site, the method receives, from a router at a remote second site, an ARP request for an IP address associated with a logical switch that spans the first site and the remote second site, and to which both the distributed router and the router at the remote second site connect. The method determines whether a table that includes IP addresses for a set of DCNs that use the distributed router as a default gateway includes the IP address. When the IP address is in the table, the method proxies the request at the host computer. When the particular IP address is not in the table, the MFE does not proxy the request.

Abstract: In some embodiments, a method receives, by a first network device, a packet from a first workload that is located in first site. The first site includes stretched networks across a second site and a third site. The packet includes a destination IP address for a device in the second site. The method determines that the destination IP address does not match an eligible route in a routing table. The first workload was migrated from the second site to the first site and is located on a stretched network between the first site and the second site. A site identifier associated with the first workload is determined where the site identifier identifies the second site. The method selects a site policy based on the site identifier and uses the site policy to send the packet through a layer 2 channel to the second network device in the second site.

Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: The disclosure provides an approach for overcoming the limitations of a cloud provider network when a data center with software-defined network and multiple hosts, each with multiple virtual machines, operates on the cloud provider network. Single-host aware routers and a multiple-host aware distributed router are combined into a hybrid router in each host. The hybrid router receives a route table from the control plane of the data center and updates the received table based on the locations of VMs, such as edge VMs and management VAs on each of the hosts. An agent in each host also updates a router in the cloud provider network based on the locations of the virtual machines on the hosts. Thus, the hybrid routers maintain local routing information and global routing information for the virtual machines on the hosts in the data center.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: The disclosure provides an approach for overcoming the limitations of a cloud provider network when a data center with software-defined network and multiple hosts, each with multiple virtual machines, operates on the cloud provider network. Single-host aware routers and a multiple-host aware distributed router are combined into a hybrid router in each host. The hybrid router receives a route table from the control plane of the data center and updates the received table based on the locations of VMs, such as edge VMs and management VAs on each of the hosts. An agent in each host also updates a router in the cloud provider network based on the locations of the virtual machines on the hosts. Thus, the hybrid routers maintain local routing information and global routing information for the virtual machines on the hosts in the data center.

Abstract: Techniques are disclosed herein for providing an agent for implementing layer 2 (L2) communication on a layer 3 (L3) underlay network. In one embodiment, an agent in virtualization software determines a newly available network address of a VM, configures a network interface of the L3 network to be associated with the network address such that network traffic for the network address is directed to the network interface, adds a route to a virtual router in the virtualization software indicating the VM is local, and adds a router to an address resolution table to associate the network address with a MAC address. This permits a packet sent from one VM to another VM to be processed by the virtual router based on routes therein and forwarded to the other VM either internally or using the L3 underlay network.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: Techniques are disclosed herein for providing an agent for implementing layer 2 (L2) communication on a layer 3 (L3) underlay network. In one embodiment, an agent in virtualization software determines a newly available network address of a VM, configures a network interface of the L3 network to be associated with the network address such that network traffic for the network address is directed to the network interface, adds a route to a virtual router in the virtualization software indicating the VM is local, and adds a router to an address resolution table to associate the network address with a MAC address. This permits a packet sent from one VM to another VM to be processed by the virtual router based on routes therein and forwarded to the other VM either internally or using the L3 underlay network.

Abstract: Methods, apparatus, and other mechanisms are disclosed for merging lookup results, such as from one or more associative memory banks and/or memory devices. In one exemplary implementation, multiple associative memories or associative memory banks are configured to substantially simultaneously generate a plurality of lookup results based on a lookup value. Multiple memories are each configured to generate a corresponding result based on the lookup result generated by its corresponding associative memory or associative memory bank. A combiner is configured to receive and merge these corresponding results generated substantially simultaneously in order to identify the merged lookup result.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.

Abstract: Methods and apparatus are disclosed for performing lookup operations using associative memories, including, but not limited to modifying search keys within an associative memory based on modification mappings, forcing a no-hit condition in response to a highest-priority matching entry including a force no-hit indication, selecting among various sets or banks of associative memory entries in determining a lookup result, and detecting and propagating error conditions. In one implementation, each block retrieves a modification mapping from a local memory and modifies a received search key based on the mapping and received modification data. In one implementation, each of the associative memory entries includes a field for indicating that a successful match on the entry should or should not force a no-hit result. In one implementation, an indication of which associative memory blocks or sets of entries to use in a particular lookup operation is retrieved from a memory.

Abstract: A data center topology routes traffic between internal sub-nets and between a sub-net and an outside network through a common chain of services. The data center topology employs transparent layer 7 and layer 4 services on a common chassis or platform to provide routing, load balancing and firewall services while reducing the number of devices necessary to implement the data center and simplifying configuration.