Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: Some embodiments provide a method for a network controller that manages multiple managed forwarding elements (MFEs) that implement multiple logical networks. The method stores (i) a first data structure including an entry for each logical entity in a desired state of the multiple logical networks and (ii) a second data structure including an entry for each logical entity referred to by an update for at least one MFE. Upon receiving updates specifying modifications to the logical entities, the method adds separate updates to separate queues for the MFEs that require the update. The separate updates reference the logical entity entries in the second data structure. When the second data structure reaches a threshold size in comparison to the first data structure, the method compacts the updates in at least one of the queues so that each queue has no more than one update referencing a particular logical entity entry.

Abstract: A novel method for distributing firewall configuration of a software defined data center is provided. The network manager of the data center receives update requests from tenants of the data center and correspondingly generates update fragments and delivers the generated update fragment to local control planes controlling the enforcing devices. Each local control plane in turn integrates the update fragments it receives into its firewall rules table. For each rule and/or section thusly integrated, the local control plane uses the rule or the section's assigned priority number to establish ordering in the firewall rules table of the local control plane.

Abstract: Some embodiments provide a method for a network controller that manages a flow-based managed forwarding element (MFE). The method receives multiple service rules for implementation by the MFE. Each service rule matches over a set of network addresses. At least one network address is in the set of network addresses for at least two service rules. The method groups the network addresses into non-overlapping groups of network addresses, each of which addresses that are all matched by only a same set of service rules. The method generates flow entries that match over the groups of network addresses for the MFE to use to implement the service rules.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: Some embodiments provide a method for identifying a realization status of one or more logical entities of a logical network. In some embodiments the method is implemented by a controller that controls network data communications in a logical network. The method receives a request for realization status of a set of logical entities at a particular point of time that is associated with a particular value of a realization number. The method determines whether configuration data up to the particular point of time for each logical entity in the set has been processed and distributed to a set of local controllers that operates on a set of host machines. The method returns a realization reply that includes a successful realization message when the configuration data up to the particular point in time for each logical entity in the set has been processed and distributed to the set of local controllers.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. The information published with a publication is useful for resolving conflicts in the network control system when multiple publisher controllers provide conflicting inputs to a subscriber controller.

Abstract: Some embodiments provide a method for a network controller. The method receives configuration data, for a logical router managed by the network controller, that specifies at least one logical port for the logical router. The method automatically generates connected routes for the logical router based on network address ranges specified for the logical ports of the logical router. The method receives a manually input static route for the logical router. The method generates data tuples, for distribution to several managed network elements, based on the connected and static routes for the logical router in order for the several managed network elements to implement the logical router.

Abstract: A network control system that achieves high availability for forwarding state computation within a controller cluster by replicating different levels of table state between controllers of the controller cluster. To build a highly available controller cluster, the tables for storing the forwarding state are replicated across the controllers. In order to take responsibility for a slice, the slave controller of some embodiments performs merging of replicated state on a slice-by-slice basis. The merging is performed in a manner to prevent disruptions to the network state while the slave controller is updated.

Abstract: Some embodiments provide a method for a network controller. The method receives configuration data, for a logical router managed by the network controller, that specifies at least one logical port for the logical router. The method automatically generates connected routes for the logical router based on network address ranges specified for the logical ports of the logical router. The method receives a manually input static route for the logical router. The method generates data tuples, for distribution to several managed network elements, based on the connected and static routes for the logical router in order for the several managed network elements to implement the logical router.

Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: Some embodiments provide a method for a managed forwarding element that operates on a host machine to process packets for at least one logical network. The method receives a packet that includes a particular piece of data to maintain with the packet. The particular piece of data is not stored in a payload of the packet and is not protocol-specific data. The method stores the particular piece of data in a register while processing the packet. The method identifies a next destination of the packet that operates on the host machine. The method generates an object to represent the packet for the identified destination. The particular piece of data is stored in a field of the generated object.

Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.

Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: Some embodiments provide a network controller for managing a logical network implemented across several managed network elements. The logical network includes at least one logical router. The network controller includes an input interface for receiving configuration state for the logical router. The network controller includes a table mapping engine for generating data tuples for distribution to the managed network elements in order for the managed network elements to implement the logical router. The network controller includes a route processing engine for receiving a set of input routes from the table mapping engine based on the configuration state for the logical router, performing a recursive route traversal process to generate a set of output routes, and returning the set of output routes to the table mapping engine. The table mapping engine uses the set of output routes to generate the data tuples for distribution to the plurality of managed network elements.

Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.

Abstract: Some embodiments provide a method for a network controller that manages a plurality of managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source such that the managed forwarding element processes the packet as though the packet was received from the particular source. The method receives, from a set of managed forwarding elements, a set of messages regarding logical processing operations and physical forwarding operations that each managed forwarding element in the set of managed forwarding elements performs on the packet.

Abstract: Some embodiments provide a novel network control system that uses secondary input queues to receive and store inputs from multiple input sources prior to moving the inputs to a primary input queue for processing. The secondary input queues provide a separate storage for each input source so that the inputs from the different sources do not get mixed with each other to ensure that fixed points and barriers sent to the controller maintain their integrity.

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. Buffered subscribers buffer the inputs received from a publisher in case the publisher becomes unavailable. Rather than deleting all of the output state that is based on the published inputs, the buffered subscriber allows the subscriber to maintain the network state until an explicit change to the state is received at the subscriber from a publisher (e.g., a restarted publisher, a backup publisher, etc.).