Abstract: Example methods are provided for flow-based forwarding element configuration in a network environment. An example method may comprise obtaining a set of security policies associated with the group of workloads; and based on the set of security policies, identifying an allowed forwarding path between a destination and a first workload. The method may also comprise configuring a whitelist set of flow entries and sending configuration information to the flow-based forwarding element to cause the flow-based forwarding element to apply the whitelist set. The whitelist set may include a first flow entry specifying match fields and a first action to allow communication over the allowed forwarding path, but excludes a second flow entry specifying a second action to block communication over a forbidden forwarding path between the destination and the second workload. The match fields may include transport layer information and network layer information.

Abstract: The technology disclosed herein enables segregation of network traffic on an application basis. In a particular embodiment, a method is performed in a virtual network interface for a first guest Operating System (OS) executing on a host and includes receiving guest data packets from the first guest OS. The method further includes associating the guest data packets with respective ones of a plurality of applications executing within the first guest OS and separating the guest data packets into respective ones of a plurality of application port interfaces each corresponding to at least one of the plurality of applications. The method also includes passing the guest data packets to a host network interface using the plurality of application port interfaces.

Abstract: The technology disclosed herein enables segregation of network traffic on an application basis. In a particular embodiment, a method is performed in a virtual network interface for a first guest Operating System (OS) executing on a host and includes receiving guest data packets from the first guest OS. The method further includes associating the guest data packets with respective ones of a plurality of applications executing within the first guest OS and separating the guest data packets into respective ones of a plurality of application port interfaces each corresponding to at least one of the plurality of applications. The method also includes passing the guest data packets to a host network interface using the plurality of application port interfaces.

Abstract: The technology disclosed herein enables the automatic discovery of MTU size across a software defined network (SDN). In a particular embodiment, a method provides, in a management plane of the SDN, receiving a first MTU request from a first endpoint of the SDN that indicates a second endpoint of the SDN to which the first endpoint will transfer first data. The method further provides tracing a first path through the SDN for the first data between the first endpoint and the second endpoint, determining the smallest MTU along the first path, and setting a first MTU to a value less than or equal to the smallest MTU along the first path. The method also includes providing the first MTU to the first endpoint.

Abstract: Example methods are provided for flow-based forwarding element configuration in a network environment. An example method may comprise obtaining a set of security policies associated with the group of workloads; and based on the set of security policies, identifying an allowed forwarding path between a destination and a first workload. The method may also comprise configuring a whitelist set of flow entries and sending configuration information to the flow-based forwarding element to cause the flow-based forwarding element to apply the whitelist set. The whitelist set may include a first flow entry specifying match fields and a first action to allow communication over the allowed forwarding path, but excludes a second flow entry specifying a second action to block communication over a forbidden forwarding path between the destination and the second workload. The match fields may include transport layer information and network layer information.

Abstract: The technology disclosed herein enables the automatic discovery of MTU size across a software defined network (SDN). In a particular embodiment, a method provides, in a management plane of the SDN, receiving a first MTU request from a first endpoint of the SDN that indicates a second endpoint of the SDN to which the first endpoint will transfer first data. The method further provides tracing a first path through the SDN for the first data between the first endpoint and the second endpoint, determining the smallest MTU along the first path, and setting a first MTU to a value less than or equal to the smallest MTU along the first path. The method also includes providing the first MTU to the first endpoint.

Abstract: An example method is provided for a first edge device to perform traffic forwarding in a network with geographically dispersed first site and second site. The method may comprise reconfiguring, for a workload migrated from the second site to the first site, the first edge device located at the first site as a default gateway of the workload from the second edge device located at the second site by causing the workload to learn an association between a default gateway Internet Protocol (IP) address associated with the second edge device to a Media Access Control (MAC) address associated with the first edge device. The method may further comprise receiving, from the workload, traffic for forwarding to a destination, and in response to determination that the destination is not within the second site, forwarding the received traffic to the destination without using the second edge device.

Abstract: An example method is provided for a first edge device to perform traffic forwarding in a network with geographically dispersed first site and second site. The method may comprise reconfiguring, for a workload migrated from the second site to the first site, the first edge device located at the first site as a default gateway of the workload from the second edge device located at the second site by causing the workload to learn an association between a default gateway Internet Protocol (IP) address associated with the second edge device to a Media Access Control (MAC) address associated with the first edge device. The method may further comprise receiving, from the workload, traffic for forwarding to a destination, and in response to determination that the destination is not within the second site, forwarding the received traffic to the destination without using the second edge device.