Abstract: A network control system for managing several switching elements. The network control system includes first and second controllers for generating data for managing first and second sets of switching elements. The first controller is further for serving as a master controller of the first set of switching elements. The second controller is further for serving as a master controller of the second set of switching elements. The master controller for a particular set of switching elements is the only controller that is allowed to propagate data to the particular set of switching elements data for managing the particular set of switching elements.

Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

Abstract: For a logical switching element implemented across several managed switching elements, some embodiments provide a method that receives a packet for processing through the logical switching element. The method performs a set of logical forwarding operations for determining a particular destination at the logical switching element to forward the packet. Based on the particular destination at the logical switching element, the method performs a set of physical forwarding operations for determining a destination at a managed switching element of the several managed switching elements that corresponds to the particular destination at the logical switching element. The method forwards the packet to the destination at the managed switching element.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: A non-transitory machine readable medium storing a program that configures a managed forwarding element to perform logical L2 switching and L3 routing is described. The program generates a first set of flow entries for configuring the first managed forwarding element to perform (1) a first logical L2 processing for a first logical L2 domain, (2) a logical L3 processing, (3) a load balancing processing to select a second managed forwarding element from a plurality of managed forwarding elements to which to forward packets and (4) a logical ingress L2 processing for a second logical L2 domain on the packets. The program generates a second set of flow entries for configuring the second managed forwarding element to perform a second logical L2 processing for a second logical L2 domain on the packets.

Abstract: Some embodiments provide a forwarding element that inspects the size of each of several packets in a data flow to determine whether the data flow is an elephant flow. The forwarding element inspects the size because, in order for the packet to be of a certain size, the data flow had to already have gone through a slow start in which smaller packets are transferred and by definition be an elephant flow. When the forwarding element receives a packet in a data flow, the forwarding element identifies the size of the packet. The forwarding element then determines if the size of the packet is greater than a threshold size. If the size is greater, the forwarding element specifies that the packet's data flow is an elephant flow.

Abstract: Some embodiments provide a system that detects whether a flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiment detect elephants based on one or more of the following: statistics associated with a flow, packet segment size, and invoked system calls. Also, some embodiments use one or more various methods to handle elephant flows. Examples of such methods include marking each packet belonging to an elephant with a particular marking, breaking the elephants into mice, reporting the elephant to a network controller, and selectively choosing a route for each packet belonging to the elephant.

Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.

Abstract: Some embodiments provide a method of processing a packet through a logical switching element implemented by several managed switching elements. The method receives a packet for processing through a processing pipeline of the logical switching element. The method processes the packet through the processing pipeline. The method stores state information in the packet for indicating that the packet has been processed through the processing pipeline in order to prevent other managed switching elements from processing the packet through the processing pipeline. The method forwards the processed packet to a managed switching element of the several managed switching elements.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Some embodiments provide a method for a first managed forwarding element that implements logical forwarding elements of a logical network. The method receives a first packet from a second managed forwarding element. The first packet includes context information that indicates a logical network destination that maps to a physical destination connected to the first managed forwarding element. At the first managed forwarding element, the method dynamically generates a flow entry for processing subsequent packets received by the first managed forwarding element from the physical destination and sent to a source of the first packet. The method processes a second packet received by the first managed forwarding element from the physical destination with the dynamically generated flow entry. The dynamically generated flow entry specifies to send the second packet to the second managed forwarding element before logically forwarding the second packet through the logical network.

Abstract: Some embodiments provide a method for a first managed forwarding element that implements a logical network. The method receives a packet from a second managed forwarding element. The first packet has an initial set of characteristics defining a first connection between a source machine connected to the second managed forwarding element and a destination machine connected to the first managed forwarding element. The method determines whether a second connection exists with the initial set of characteristics between a different machine connected to a third managed forwarding element and the destination machine. When a second connection exists with the initial set of characteristics, the method modifies at least one characteristic of the packet such that the modified packet does not have the same set of characteristics. The method delivers the modified packet to the destination machine.

Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

Abstract: A control system that includes several controllers for managing several switching elements. A first controller receives a request to modify a data tuple stored in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller determines whether the received request to modify should be processed by the first controller. When the received request should be modified by the first controller, the first controller modifies the set of data in the NIB storage. The first controller updates a request list that is propagated between the controllers to disseminate requests to modify different data tuples that are stored in the NIB storages of the different controllers.

Abstract: Some embodiments provide a network system that includes several non-edge switching elements that are each for forwarding network data to other non-edge switching elements. The network system includes several edge switching elements that are each for (1) coupling to a set of network hosts and (2) forwarding network data to the non-edge switching elements and to the set of network hosts. Each of the non-edge switching elements of the several non-edge switching elements is further for forwarding network data to the several edge switching elements. The network system includes a set of network controllers for (1) receiving a definition of a logical switching element that couples to the sets of network hosts and (2) managing the several edge switching elements by configuring the several edge switching elements to forward network data between the sets of network hosts based on the definition of the logical switching element.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: Some embodiments provide a method for a forwarding element that forwards packets. The method receives a packet. The method consults a tree structure to generate a wildcard mask. The consulting includes traversing the tree structure by tracing a set of bits from the packet header and un-wildcarding the corresponding set of bits from the wildcard mask. The method identifies a matching rule for the packet. The method generates a flow based on the matching rule and the wildcard mask. The flow is used to process each other packet that matches each un-wildcarded bit of the flow.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: Some embodiments provide a method for a forwarding element that forwards packets. The method receives a packet and performs a hash lookup operation on one or more hash tables to find a matching rule for a packet. The method consults a common match data set to generate a wildcard mask. The method generates a flow based on the matching rule and the wildcard mask. The flow is used to process other packets that match each bit which is un-wildcarded.