Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: Some embodiments provide a method for a network controller in a network control system that manages a plurality of logical networks. The method receives a specification of a logical network that comprises a logical router with a logical port that connects to an external network. The method selects several host machines to host a L3 gateway that implements the connection to the external network for the logical router from a set of host machines designated for hosting logical routers. The method generates data tuples for provisioning a set of managed forwarding elements that implement the logical network to send data packets that require processing by the L3 gateway to the selected host machines. The data tuples specify for the managed forwarding elements to distribute the data packets across the selected host machines.

Abstract: Some embodiments provide a method for a network controller in a network control system that manages a plurality of logical networks. The method receives a specification of a logical network that includes a logical router. The method selects at least two host machines to implement a routing table for the logical router from several host machines designated for hosting logical routers. The selected host machines include a designated master host machine for the routing table. The method generates data tuples for provisioning a set of managed forwarding elements that implement the logical network to send data packets that require processing by the routing table to the selected host machines. The data tuples specify an order for the selected host machines with the designated master host machine as the first host machine in the specified order.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Some embodiments provide a novel method for forwarding a packet at a managed switching element in a first domain. The method receives a packet from a local machine. The method encapsulates the packet with a first context identifier that identifies a first logical port of a first logical switching element that couples to machines in both the first domain and a second domain. The first logical port maps to a destination address of the packet. Based on a mapping of the first logical port to a second logical port of a second logical switching element that couples to machines in only the first domain, the method encapsulates the packet with a second context identifier that identifies the second logical port. The method transmits the twice-encapsulated packet out of a port of the managed switching element based on the second context identifier.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: For a network that includes several managed edge switching elements and several managed non-edge switching elements that are for implementing a logical switching element, some embodiments provide a method of distributing packet processing across the several managed non-edge switching elements. The method receives a packet for processing through the logical switching element. Based on a determination that the packet needs to be processed by a managed non-edge switching element, the method determines a particular managed non-edge switching element of the several managed non-edge switching elements to forward the packet. The method forwards the packet to the particular managed non-edge switching element for the particular managed non-edge switching element to process the packet.

Abstract: Some embodiments provide a method for a network controller that manages several logical networks. The method receives a specification of a logical network that includes at least one logical forwarding element attached to a logical service (e.g., DHCP). The method selects at least one host machine to host the specified logical service from several host machines designated for hosting logical services. The method generates logical service configuration information for distribution to the selected host machine. In some embodiments, the method selects a master host machine and a backup host machine for hosting logical service. In some embodiments, a particular one of the designated host machines hosts at least two DHCP services for two different logical networks as separate processes operating on the particular host machine.

Abstract: Some embodiments provide a method for an application operating on a host machine. The method receives a configuration of a Dynamic Host Configuration Protocol (DHCP) service for implementation within a virtualized container on the host machine. The configuration includes several database table entries. The method converts the several database table entries into a configuration file for use by a process that operates in the virtualized container. the method initializes the process in the virtualized container. The process in the virtualized container reads the configuration file in order to perform DHCP services for machines connected to at least one logical forwarding element of a logical network.

Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and existing the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.

Abstract: A novel method for logically routing a packet between a source machine that is in a first logical domain and a destination machine that is in a second logical domain is described. The method configures a managed switching element as a second-level managed switching element. The method configures a router in a host that includes the second-level managed switching element. The method communicatively couples the second-level managed switching element with the router. The method causes the router to route a packet when the router receives a packet from the first logical domain that is addressed to the second logical domain.

Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: Some embodiments provide a method for a network controller that manages a plurality of managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source such that the managed forwarding element processes the packet as though the packet was received from the particular source. The method receives, from a set of managed forwarding elements, a set of messages regarding logical processing operations and physical forwarding operations that each managed forwarding element in the set of managed forwarding elements performs on the packet.

Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.

Abstract: In a hierarchical switching architecture that includes at least one lower level managed switching element that connects to several higher level managed switching elements, some embodiments provide a method of identifying a higher level managed switching element to which the lower level managed switching element forwards a packet for further processing. The method computes a value based on a set of attributes of the packet. The method identifies a record from a hierarchy traversal table based on the computed value. The record specifies (1) a first higher level managed switching element as a primary higher level managed switching element and (2) a second higher level managed switching element as a secondary higher level managed switching element. The primary and secondary higher level managed switching elements are for forwarding the packet for further processing. The method forwards the packet to one of the higher level managed switching elements.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: A particular network controller receives a first set of inputs from the first controller and a second set of inputs from the second controller. The particular controller then starts to compute a set of outputs using the first set of inputs. After a failure of the first controller, the particular controller receives a third set of inputs from the second controller. The third set of inputs and the first or second set of inputs makes up a group of inputs for being processed together and separately from another group of inputs. The particular controller then receives an indicator from the second controller, which indicates that all inputs of the group of inputs have arrived at the particular controller. After receiving the indicator and after computing the set of outputs completely, the particular controller sends the set of outputs to a fourth controller or to a managed forwarding element.

Abstract: Available buffers in the memory space of a guest operating system of a virtual machine are provided to a network interface controller (NIC) for use during direct memory access (DMA) and the guest operating system is notified accordingly when data is written into such available buffers. These capabilities obviate the requirement of using hypervisor memory as a staging area to determine which virtual machine to forward incoming data.

Abstract: Available buffers in the memory space of a guest operating system of a virtual machine are provided to a network interface controller (NIC) for use during direct memory access (DMA) and the guest operating system is notified accordingly when data is written into such available buffers. These capabilities obviate the requirement of using hypervisor memory as a staging area to determine which virtual machine to forward incoming data.