Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: Exemplary methods, apparatuses, and systems include a first host device determining that a first packet from a first virtual machine (VM) within the first host device is to be transmitted to a second VM on a second host device and that the first host device and the second host device each transmit or receive packets via ports within a first link aggregation group (LAG). In response to determining that the first host device and the second host device each transmit or receive packets via ports within the first LAG, the first host device transmits the first packet from a first synchronization port of the first host device to a second synchronization port of the second host device. The first and second synchronization ports are excluded from sharing a common LAG with any ports of another host device.

Abstract: Exemplary methods, apparatuses, and systems configure a first set of ports of a first host device and a second set of ports to be included within a first link aggregation group (LAG). The first and second host devices further configure, respectively, a first synchronization port that does not share a common LAG with the second host device and a second synchronization port that does not share a common LAG with the first host device. The first host device receives a first packet destined for a virtual machine running on the second host device, the first packet including source and destination information. The first host device determines from the source or destination information that the first packet is destined for a virtual machine running on another host device. In response, the first host device forwards the packet via the first synchronization port to the second host device.

Abstract: Exemplary methods, apparatuses, and systems configure a first set of ports of a host device to be included within a link aggregation group (LAG) with a switch coupled to the first set of one or more ports. A second set of one or more ports of a second host device is also included within the LAG. The configuration of the LAG includes the switch performing load balancing between ports within the LAG. The first host device receives, via the LAG, a packet to be processed by a service implemented by each of one or more virtual machines running on the first host device. The first host device receives the packet as a result of the switch selecting a port within the first and second sets of ports based upon the load balancing between uplinks to the ports within the LAG.

Abstract: The disclosure herein describes a system, which provides uniform access to a gateway in an extended virtualized layer-2 network. During operation, the system identifies a media access control (MAC) address, which is associated with a respective gateway in the extended virtualized layer-2 network, in a layer-2 header of a data frame. This MAC address is specific to the extended virtualized layer-2 network (e.g., for a different extended virtualized layer-2 network, a different MAC address is associated with a respective gateway). The system modifies the layer-2 header by swapping the MAC address with another MAC address, which uniquely identifies a gateway in the extended virtualized layer-2 network, in the layer-2 header and forwards the frame with the modified header to the gateway.

Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.