Abstract: Some embodiments provide a system that includes a set of network controllers for receiving definitions of first and second logical switching elements. The system includes several managed switching elements. The set of network controllers configure the several managed switching elements to implement the defined first and second logical switching elements. The system includes several network hosts that are each (1) communicatively coupled to one of the several managed switching elements and (2) associated with one of the first and second logical switching elements. Network data communicated between network hosts associated with the first logical switching element are isolated from network data communicated between network hosts associated with the second logical switching element.

Abstract: A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method that processes network data through a network. The method receives a packet destined for a network host associated with a logical datapath set implemented by a set of managed edge switching elements and a set of managed non-edge switching elements in the network. The method determines whether the packet is a known packet. When the packet is a known packet, the method forwards the packet to a managed switching element in the set of managed edge switching elements for forwarding to the network host. When the packet is not a known packet, the method forwards the packet to a managed switching element in the set of managed non-edge switching elements for further processing.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments of the invention provide a a method of processing packets associated with a logical switching element implemented by multiple physical switching elements executing on multiple host computers on which multiple machines execute. At a first physical switching element of a first host computer, the method receives a packet from a first machine associated with the logical switching element. For the packet, the method identifies a logical ingress port of the logical switch that is associated with the packet. For the packet, the method also uses the logical ingress port to identify a logical egress port of the logical switch that is associated with the packet. For the packet, the method also uses the logical egress port to identify a physical egress port of the first host computer to use to send the packet along to a second machine associated with the logical egress port.

Abstract: A network control system for managing a plurality of switching elements that implement a plurality of logical datapath sets. The network control system includes first and second controllers for generating requests for modifications to first and second logical datapath sets. The first controller is further for determining whether to make modifications to the first logical datapath set. The second controller is further for determining whether to make modifications to the second logical datapath set. Each controller is further for receiving logical control plane data that specifies logical datapath sets and for converting the logical control plane data to physical control plane data for propagating to the switching elements.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Systems and methods for managing a network are described. A view of current state of the network is maintained where the current state of the network characterizes network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby are automatically configured. Routing may be performed using ACL and packets can be intercepted to permit host to continue in sleep mode. The methods are applicable to virtual environments.

Abstract: Some embodiments provide a method that processes network data through a network. The method receives a packet destined for a network host associated with a logical datapath set implemented by a set of managed edge switching elements and a set of managed non-edge switching elements in the network. The method determines whether the packet is a known packet. When the packet is a known packet, the method forwards the packet to a managed switching element in the set of managed edge switching elements for forwarding to the network host. When the packet is not a known packet, the method forwards the packet to a managed switching element in the set of managed non-edge switching elements for further processing.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: A method of implementing a logical switching element. The method generates data for programming a set of two or more physical forwarding elements to implement the logical switching element. The method uses a first controller to distribute at least a first portion of the generated data to a first plurality of physical forwarding elements in the set of physical forwarding elements. The first controller serves as the master controller for the first plurality of physical forwarding elements. The method uses a second controller to distribute at least a second portion of the generated data to a second plurality of physical forwarding elements in the set of physical forwarding elements. The second controller serves as the master controller for the second plurality of physical forwarding elements.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: A network control system that includes several controllers for managing several switching elements. In some embodiments, each switching element implements at least one logical switching element and has a master controller. In some embodiments, at least one controller is a master of at least two switching elements. The network control system accepts definitions of the logical switching elements and, in some embodiments, each logical switching element has a master controller. In some embodiments, at least one controller is a master for at least two logical switching elements.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed related to policy declarations for cloud management system. An example apparatus includes memory, instructions, and processor circuitry to execute the instructions. The processor circuitry is to convert first network state data in a first format to a first data tuple in a unified format, the first network state data from a first cloud management application that manages a first aspect of a network and convert second network state data in a second format to a second data tuple in the unified format, the second network state data from a second cloud management application that manages a second aspect of the network, the first format different than the second format.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.