Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: Some embodiments provide a method for proxying ARP requests. At an MFE that executes on a host computer operating at a first site to implement a distributed router along with at least one additional MFE at the first site, the method receives, from a router at a remote second site, an ARP request for an IP address associated with a logical switch that spans the first site and the remote second site, and to which both the distributed router and the router at the remote second site connect. The method determines whether a table that includes IP addresses for a set of DCNs that use the distributed router as a default gateway includes the IP address. When the IP address is in the table, the method proxies the request at the host computer. When the particular IP address is not in the table, the MFE does not proxy the request.

Abstract: In some embodiments, a method receives, by a first network device, a packet from a first workload that is located in first site. The first site includes stretched networks across a second site and a third site. The packet includes a destination IP address for a device in the second site. The method determines that the destination IP address does not match an eligible route in a routing table. The first workload was migrated from the second site to the first site and is located on a stretched network between the first site and the second site. A site identifier associated with the first workload is determined where the site identifier identifies the second site. The method selects a site policy based on the site identifier and uses the site policy to send the packet through a layer 2 channel to the second network device in the second site.

Abstract: The disclosure provides an approach for overcoming the limitations of a cloud provider network when a data center with software-defined network and multiple hosts, each with multiple virtual machines, operates on the cloud provider network. Single-host aware routers and a multiple-host aware distributed router are combined into a hybrid router in each host. The hybrid router receives a route table from the control plane of the data center and updates the received table based on the locations of VMs, such as edge VMs and management VAs on each of the hosts. An agent in each host also updates a router in the cloud provider network based on the locations of the virtual machines on the hosts. Thus, the hybrid routers maintain local routing information and global routing information for the virtual machines on the hosts in the data center.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: The disclosure provides an approach for overcoming the limitations of a cloud provider network when a data center with software-defined network and multiple hosts, each with multiple virtual machines, operates on the cloud provider network. Single-host aware routers and a multiple-host aware distributed router are combined into a hybrid router in each host. The hybrid router receives a route table from the control plane of the data center and updates the received table based on the locations of VMs, such as edge VMs and management VAs on each of the hosts. An agent in each host also updates a router in the cloud provider network based on the locations of the virtual machines on the hosts. Thus, the hybrid routers maintain local routing information and global routing information for the virtual machines on the hosts in the data center.

Abstract: Techniques are disclosed herein for providing an agent for implementing layer 2 (L2) communication on a layer 3 (L3) underlay network. In one embodiment, an agent in virtualization software determines a newly available network address of a VM, configures a network interface of the L3 network to be associated with the network address such that network traffic for the network address is directed to the network interface, adds a route to a virtual router in the virtualization software indicating the VM is local, and adds a router to an address resolution table to associate the network address with a MAC address. This permits a packet sent from one VM to another VM to be processed by the virtual router based on routes therein and forwarded to the other VM either internally or using the L3 underlay network.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: Techniques are disclosed herein for providing an agent for implementing layer 2 (L2) communication on a layer 3 (L3) underlay network. In one embodiment, an agent in virtualization software determines a newly available network address of a VM, configures a network interface of the L3 network to be associated with the network address such that network traffic for the network address is directed to the network interface, adds a route to a virtual router in the virtualization software indicating the VM is local, and adds a router to an address resolution table to associate the network address with a MAC address. This permits a packet sent from one VM to another VM to be processed by the virtual router based on routes therein and forwarded to the other VM either internally or using the L3 underlay network.

Abstract: Methods, apparatus, and other mechanisms are disclosed for merging lookup results, such as from one or more associative memory banks and/or memory devices. In one exemplary implementation, multiple associative memories or associative memory banks are configured to substantially simultaneously generate a plurality of lookup results based on a lookup value. Multiple memories are each configured to generate a corresponding result based on the lookup result generated by its corresponding associative memory or associative memory bank. A combiner is configured to receive and merge these corresponding results generated substantially simultaneously in order to identify the merged lookup result.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.

Abstract: Methods and apparatus are disclosed for performing lookup operations using associative memories, including, but not limited to modifying search keys within an associative memory based on modification mappings, forcing a no-hit condition in response to a highest-priority matching entry including a force no-hit indication, selecting among various sets or banks of associative memory entries in determining a lookup result, and detecting and propagating error conditions. In one implementation, each block retrieves a modification mapping from a local memory and modifies a received search key based on the mapping and received modification data. In one implementation, each of the associative memory entries includes a field for indicating that a successful match on the entry should or should not force a no-hit result. In one implementation, an indication of which associative memory blocks or sets of entries to use in a particular lookup operation is retrieved from a memory.

Abstract: A data center topology routes traffic between internal sub-nets and between a sub-net and an outside network through a common chain of services. The data center topology employs transparent layer 7 and layer 4 services on a common chassis or platform to provide routing, load balancing and firewall services while reducing the number of devices necessary to implement the data center and simplifying configuration.