Abstract: A network controller for managing several managed switching elements that forward data in a network that includes the managed switching elements. The network controller is further for creating a logical switching element to be implemented in a set of managed switching elements. The network controller includes a set of modules for receiving input data specifying a logical switching element and for creating, based on the received input data, a set of logical switch constructs for the logical switching element by performing a set of database join operations. At least one of the logical switch constructs is for facilitating non-forwarding behavior of the logical switching element.

Abstract: A network control system that achieves high availability for forwarding state computation within a controller cluster by replicating different levels of table state between controllers of the controller cluster. To build a highly available controller cluster, the tables for storing the forwarding state are replicated across the controllers. In order to reduce network traffic between the controllers, fewer tables are replicated to slave controllers, which then recompute the forwarding state of the master controller in order to have a replicate copy of the master controller's forwarding state for possible failover. In other embodiments, more tables are replicated to minimize the recomputations and processor load on the slave controller. The network control system of some embodiments performs continuous snapshotting to minimize downtime associated with reaching a fixed point and replicating the state.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.

Abstract: For a network control system that receives, from a user, logical datapath sets that logically express desired forwarding behaviors that are to be implemented by a set of managed switching elements, a controller for managing several managed switching elements that forward data in a network that includes the managed switching elements is described. The controller includes a set of modules for detecting a change in one or more managed switching elements and for updating logical datapath set based on the detected change. The logical datapath set is for subsequent translation into a set of physical forwarding behaviors of the managed switching elements.

Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. In some embodiments, the datapath daemon dispatches packets to other processes or processing threads outside of the daemon. In some embodiments, the datapath daemon dispatches packets to a kernel network stack in order to support packet traffic monitoring.

Abstract: Some embodiments provide a method that uses headerspace analysis. The method receives several flow entries for distribution to a set of forwarding elements that implement a logical network. The method models each of the flow entries as a function that operates on a representation of a packet header. The method uses the modeled functions to identify a set of paths from a packet source to a packet destination. For each particular path of the identified paths, the method uses inverses of the modeled functions to determine a set of packet headers. Packets sent from the packet source with any packet header in the set of packet headers follow the particular path through the flow entries.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller configures, in a first host, a first middlebox instance to receive a notification from a migration module before a virtual machine (VM) running in the first host migrates to a second host and to send middlebox state related to the VM to the migration module.

Abstract: A network control system that achieves high availability for forwarding state computation within a controller cluster by replicating different levels of table state between controllers of the controller cluster. To build a highly available controller cluster, the tables for storing the forwarding state are replicated across the controllers. In order to reduce network traffic between the controllers, fewer tables are replicated to slave controllers, which then recompute the forwarding state of the master controller in order to have a replicate copy of the master controller's forwarding state for possible failover. In other embodiments, more tables are replicated to minimize the recomputations and processor load on the slave controller. The network control system of some embodiments performs continuous snapshotting to minimize downtime associated with reaching a fixed point and replicating the state.

Abstract: Some embodiments provide a method that processes network data through a network. The method receives a packet destined for a network host associated with a logical datapath set implemented by a set of managed edge switching elements and a set of managed non-edge switching elements in the network. The method determines whether the packet is a known packet. When the packet is a known packet, the method forwards the packet to a managed switching element in the set of managed edge switching elements for forwarding to the network host. When the packet is not a known packet, the method forwards the packet to a managed switching element in the set of managed non-edge switching elements for further processing.

Abstract: Some embodiments provide a non-transitory machine readable medium of a first middlebox element of several middlebox elements to implement a middlebox instance in a distributed manner in several hosts. The non-transitory machine readable medium stores a set of instructions for receiving (1) configuration data for configuring the middlebox instance to implement a middlebox in a logical network and (2) a particular identifier associated with the middlebox in the logical network. The non-transitory machine readable medium stores a set of instructions for generating (1) a set of rules to process packets for the middlebox in the logical network and (2) an internal identifier associated with the set of rules. The non-transitory machine readable medium stores a set of instructions for associating the particular identifier with the internal identifier for later processing of packets having the particular identifier.

Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon. At least one of these other processes is a control plane process that consumes the packet.

Abstract: For a network controller for managing hosts in a network, a method for configuring a host to resolve network addresses is described. The method configures an address resolution module in a host to resolve a network address. The method configures a managed forwarding element in the host to (1) avoid sending a request to resolve the network address to another host by using the address resolution module to resolve the network address and (2) forward packets using the resolved network address.