US Pat. No. 9,264,330

TRACING HOST-ORIGINATED LOGICAL NETWORK PACKETS

NICIRA, INC., Palo Alto,...

1. For a first host machine that hosts a virtual machine connected to a particular logical network, a method comprising:
receiving a command to test connectivity between the first host machine and a set of at least one additional host machine
that also hosts virtual machines on the particular logical network;

at the first host machine, generating a packet for sending to the set of additional host machines in order to test the connectivity;
appending to the generated packet (i) information that identifies the particular logical network and (ii) a flag indicating
that the packet is for connectivity testing;

encapsulating the generated packet with tunnel endpoint addresses, including a tunnel endpoint located at the first host machine;
and

sending the encapsulated packet from the first host machine to the set of additional host machines according to the tunnel
encapsulation,

wherein when connectivity is up between the first host machine and a particular host machine in the set of additional host
machines, an initial encapsulated packet sent to the particular host machine in response to the command reaches a tunnel endpoint
of the particular host machine irrespective of a number of intervening network elements.

US Pat. No. 9,049,153

LOGICAL PACKET PROCESSING PIPELINE THAT RETAINS STATE INFORMATION TO EFFECTUATE EFFICIENT PROCESSING OF PACKETS

NICIRA, INC., Palo Alto,...

1. A method of processing a packet at a first managed switching element that implements a logical switching element, along
with a plurality of additional managed switching elements, the method comprising:
receiving, at an ingress port of the first managed switching element, a packet for processing through the logical switching
element's processing pipeline comprising a physical to logical mapping, logical processing, a logical to physical mapping,
and physical processing;

processing the packet through a portion of the logical processing of the processing pipeline of the logical switching element
at the first managed switching element, wherein the logical processing comprises processing the packet against a logical Layer
2 (L2) or Layer 3 (L3) forwarding table;

storing context information in the packet that indicates the portion of the processing pipeline through which the packet has
been processed in order to prevent the additional managed switching elements from processing the packet through the same portion
of the processing pipeline; and

forwarding the packet with the stored context information to a second managed switching element of the plurality of additional
managed switching elements.

US Pat. No. 9,178,833

CHASSIS CONTROLLER

NICIRA, INC., Palo Alto,...

1. A network control system for generating physical control plane data for managing a set of managed forwarding elements that
implements forwarding operations associated with a logical datapath set, the system comprising:
a first controller instance operating on a controller computer having one or more processing units for executing the first
controller instance and a memory for storing the first controller instance, the first controller instance for (i) receiving
input data defining the logical datapath set and performing a first conversion of data for the logical datapath set to generate
intermediate data tuples for the logical datapath set, and (ii) distributing the intermediate data tuples to a set of hosts
on which the set of managed forwarding elements operates; and

a second controller instance operating on a particular one of the hosts for (i) receiving the intermediate data tuples for
the logical datapath set and (ii) converting the intermediate data tuples into physical control plane data for use by a managed
forwarding element operating on the particular host.

US Pat. No. 9,137,107

PHYSICAL CONTROLLERS FOR CONVERTING UNIVERSAL FLOWS

NICIRA, INC., Palo Alto,...

1. A network control system for generating physical control plane data for managing a set of managed forwarding elements that
implement forwarding operations associated with a first logical datapath set, the system comprising:
a first controller computer comprising a first network information base (NIB) storage, the first controller computer for (i)
receiving logical control plane data that define the logical datapath set, (ii) converting the logical control plane data
to universal physical control plane (UPCP) data that define a first set of forwarding behaviors that is common between every
managed forwarding element in the set of managed forwarding elements, and (iii) storing the UPCP data in the first NIB storage;
and

a second controller computer comprising a second NIB storage, the second controller computer for (i) receiving the UPCP data
from the first NIB storage, (ii) converting the UPCP data to customized physical control plane (CPCP) data that define a second
set of forwarding behaviors for a particular managed forwarding element in the set of managed forwarding elements, and (iii)
storing the CPCP data in the second NIB storage.

US Pat. No. 9,407,566

DISTRIBUTED NETWORK CONTROL SYSTEM

NICIRA, INC., Palo Alto,...

1. For a first controller computer of a distributed network control system comprising a plurality of controllers for managing
a plurality of forwarding elements that forward data in a network, a method for managing a set of forwarding elements, the
method comprising:
changing a set of data tuples stored in a relational database of the first controller computer that stores data tuples containing
data for managing the set of forwarding elements in order to implement a set of logical forwarding elements of a logical network;
and

sending the changed data tuples to at least a second controller computer of the network control system, wherein the second
controller computer processes the received changed data tuples to customize the changed data tuples for at least one of the
managed forwarding elements in the set and sends the processed data tuples to the managed forwarding element in order for
the managed forwarding element to implement the set of logical forwarding elements and forward the logical network data.

US Pat. No. 9,215,214

PROVISIONING FIREWALL RULES ON A FIREWALL ENFORCING DEVICE

NICIRA, INC., Palo Alto,...

1. A machine implemented method of creating a firewall rule data store for a firewall enforcing device, the method comprising:
from a controller, receiving a plurality of firewall rules that includes a first set of firewall rules for enforcing on packets
of a first set of data end nodes connected to the firewall enforcing device and a second set of firewall rules for enforcing
on packets of a second set of data end nodes not connected to the firewall enforcing device;

for the first set of data end nodes, using the first set of firewall rules to create at least a first firewall data store;
upon connection of a data end node from the second set of data end nodes, using the second set of firewall rules to create
a second firewall data store for the newly connected data end node; and

enforcing firewall rules for the connected data end nodes by using the rules in their respective firewall data stores to determine
whether packets for data end nodes should be forwarded.

US Pat. No. 9,172,603

WAN OPTIMIZER FOR LOGICAL NETWORKS

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium of a controller of a network control system, the non-transitory machine readable
medium storing sets of instructions for:
receiving network configuration data that specifies a logical network comprising (i) a plurality of logical forwarding elements
(LFEs) that logically connect a plurality of end machines to each other, the plurality of end machines residing on a plurality
of host machines, wherein each of the host machines hosts a subset of the end machines and (ii) a logical wide area network
(WAN) optimizer for optimizing network data transmitted out of the logical network, the network configuration data comprising
a configuration for the logical WAN optimizer;

generating data for implementing the LFEs, the generated data for distribution to a plurality of additional network controllers
in the network control system, each additional network controller for managing at least one managed forwarding element (MFE)
that implements the LFEs to which the end machines residing on the same host machine as the MFE logically connect; and

distributing the configuration for the logical WAN optimizer to a particular network controller in the network control system
that manages a WAN optimizer machine, wherein the WAN optimizer machine, based on the configuration for the logical WAN optimizer
received from the particular network controller, instantiates a WAN optimizer instance to implement the logical WAN optimizer
as one of a plurality of logical WAN optimizers implemented as WAN optimizer instances on the WAN optimizer machine, wherein
each logical WAN optimizer instantiated on the WAN optimizer machine couples to a different logical network.

US Pat. No. 9,106,587

DISTRIBUTED NETWORK CONTROL SYSTEM WITH ONE MASTER CONTROLLER PER MANAGED SWITCHING ELEMENT

NICIRA, INC., Palo Alto,...

1. A network control system for managing a plurality of switching elements, each switching element for forwarding data packets
in the network, the network control system comprising:
first and second controllers for receiving logical datapath sets and for generating data that, once propagated to the switching
elements, enables the switching elements to implement the logical datapath sets by managing forwarding behaviors of the switching
elements,

the first controller further for serving as a master controller for a first logical datapath set and for a first set of switching
elements,

the second controller further for serving as a master controller for a second logical datapath set and for a second set of
switching elements, wherein the first controller is further for sending data to the second controller that the first controller
generates for managing the second set of switching elements to implement the first logical datapath set,

wherein the master controller for a particular set of switching elements is the only controller that is allowed to propagate
data to the particular set of switching elements for managing the forwarding behaviors of the particular set of switching
elements, wherein the master controller for a particular logical datapath set is the only controller that generates data for
propagating to a group of switching elements that implement the particular logical datapath set.

US Pat. No. 9,137,052

FEDERATING INTERCONNECTION SWITCHING ELEMENT NETWORK TO TWO OR MORE LEVELS

NICIRA, INC., Palo Alto,...

1. A network control system for interconnecting a plurality of separate networks arranged in a plurality of domains at at
least two different levels, wherein a first domain at a first level contains at least two domains at a second level, the system
comprising:
a plurality of interconnection switching elements, each interconnection switching element in the plurality for connecting
one of the separate networks to a common interconnecting network; and

a first set of network controllers for managing a first set of the interconnection switching elements at a first set of the
separate networks that form a first domain at the second level by defining a first logical datapath set, the first logical
datapath set having logical ports to which networks within the first set of separate networks couple and to which at least
a second logical datapath set couples, the first logical datapath set for implementation by the first set of interconnection
switching elements in order for machines at the first set of separate networks to communicate with each other, wherein at
least one of the network controllers in the first set of network controllers is for managing a plurality of the interconnection
switching elements of the first set of interconnection switching elements;

a second set of network controllers for managing a second set of the interconnection switching elements at a second set of
the separate networks that form a second domain at the second level by defining the second logical datapath set, the second
logical datapath set having logical ports to which networks within the second set of separate networks couple and to which
at least the first logical datapath set couples, the second logical datapath set for implementation by the second set of interconnection
switching elements in order for machines at the second set of separate networks to communicate with each other, wherein at
least one of the network controllers in the second set of network controllers is for managing a plurality of the interconnection
switching elements of the second set of interconnection switching elements; and

a third set of network controllers for managing the first and second sets of network controllers by defining a third logical
datapath set having logical ports to which the networks in the first and second sets of separate networks couple, the third
logical datapath set for implementation by the first and second sets of interconnection switching elements in order for machines
at the first set of separate networks to communicate with machines at the second set of separate networks, wherein the first
and second sets of separate networks belong to the first domain at the first level, which contains the first and second domains
at the second level,

wherein each network controller in the first, second, and third sets of network controllers is for execution by at least one
processing unit of a server.

US Pat. No. 9,432,204

DISTRIBUTED MULTICAST BY ENDPOINTS

NICIRA, INC., Palo Alto,...

1. A method of performing multicast in a network, the method comprising:
receiving a message at a particular endpoint of a network, the message specifying a particular multicast group;
replicating the message to a first set of endpoints belonging to the particular multicast group, wherein the first set of
endpoints are located in a local segment of the network that includes the particular endpoint; and

replicating the message to a second set of endpoints belonging to the particular multicast group by replicating the message
to a set of proxies that are selected for the particular multicast group, each proxy for forwarding the message to a set of
endpoints belonging to the particular multicast group in a remote segment of the network,

wherein each multicast group in a plurality of multicast groups has a designated proxy in the remote segment, at least two
of the multicast groups having different designated proxies in the remote segment.

US Pat. No. 9,225,597

MANAGED GATEWAYS PEERING WITH EXTERNAL ROUTER TO ATTRACT INGRESS PACKETS

NICIRA, INC., Palo Alto,...

1. A network system comprising:
a first plurality of host machines hosting virtual machines that connect to each other through a logical network; and
a second plurality of host machines hosting virtualized containers that operate as gateways to process packets entering the
logical network from external sources, wherein each of the virtualized containers advertises itself to an external router
as a next hop for packets entering the logical network such that the external router uses equal-cost multi-path forwarding
to distribute the packets across the virtualized containers on the second plurality of host machines.

US Pat. No. 9,489,519

METHOD AND APPARATUS FOR ENCRYPTING DATA MESSAGES AFTER DETECTING INFECTED VM

NICIRA, INC., Palo Alto,...

1. For a host machine on which a set of virtual machines (VMs) execute, an encryption method comprising:
detecting that a first VM in the set of VMs executing on the host machine is infected with malware by analyzing introspection
data gathered from an agent installed on the first VM; and based on the detected malware infection, encrypting data messages
transmitted by at least a second VM in the set of VMs executing on the host machine.

US Pat. No. 9,203,701

NETWORK VIRTUALIZATION APPARATUS AND METHOD WITH SCHEDULING CAPABILITIES

NICIRA, INC., Palo Alto,...

1. A controller computer for managing a network comprising a plurality of managed forwarding elements that implement different
logical networks, the controller computer comprising:
an interface for receiving input logical control plane data in terms of input events, said input logical control plane data
comprising updates to logical control planes of logical networks, wherein each logical network is implemented by a set of
managed forwarding elements;

an input scheduler for (i) categorizing the input events into different groups related to different logical networks and (ii)
defining a schedule for supplying each group of the input events related to a different logical network to a converter so
that the converter processes each group of input events related to a different logical network together;

the converter for converting the input logical control plane data for each logical network to output logical forwarding plane
data for the logical network; and

a network information base (NIB) data structure for (i) storing, for each logical network, the output logical forwarding plane
data for subsequent translation into physical control plane data for the set of managed forwarding elements that implements
the logical network, and (ii) transmitting the physical control plane data to one or more other controllers that manage the
set of managed forwarding elements.

US Pat. No. 9,185,069

HANDLING REVERSE NAT IN LOGICAL L3 ROUTING

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures
a plurality of managed forwarding elements (MFEs) to implement a logical topology that comprises a logical L3 router and at
least one logical L2 switch that logically couples to a plurality of machines, the program comprising sets of instructions
for:
for a first MFE that implements the logical topology and couples directly to a particular one of the plurality of machines,
generating a first set of data records for configuring the first MFE to install a first set of flow entries that (i) implement
the logical L2 switch and logical L3 router, (ii) perform source network address translation (NAT) processing on a first packet
received from the particular machine and addressed to a particular destination, (iii) send, to a second MFE, the first packet
with information indicating that the NAT processing has been performed on the first packet, and (iv) perform reverse source
NAT processing on a second packet sent by the particular destination in response to the first packet;

for a second MFE that implements the logical topology, generating a second set of data records for configuring the second
MFE to install a second set of flow entries that (i) implement the logical L2 switch and logical L3 router for a subset of
packets for which the second MFE is the initial MFE to process the packets and (ii) send the second packet, received from
the particular destination in response to the first packet and for which the second MFE is the initial MFE to process the
packet, to the first MFE without performing processing for the logical L3 router and the logical L2 switch on the second packet
based on the information indicating that NAT processing was performed on the first packet.

US Pat. No. 9,154,433

PHYSICAL CONTROLLER

NICIRA, INC., Palo Alto,...

1. A network control system for generating physical control plane data for managing a set of managed forwarding elements that
implement forwarding operations associated with a logical datapath set, the system comprising:
a first controller computer having one or more processing units for executing a program for (i) receiving logical control
plane data that define the logical datapath set, and (ii) converting the logical control plane data to universal physical
control plane (UPCP) data that define forwarding behaviors of the set of managed forwarding elements in terms of generic expressions
of forwarding attributes of every managed forwarding element in the set of managed forwarding elements; and

a second controller computer having one or more processing units for executing a program for (i) receiving the UPCP data from
the first controller computer, and (ii) converting the UPCP data to customized physical control plane (CPCP) data for defining
a forwarding behavior of a particular managed forwarding element in terms of expressions of forwarding attributes that are
specific to the particular managed forwarding element and not to the remaining managed forwarding elements in the set.

US Pat. No. 9,432,252

UNIFIED REPLICATION MECHANISM FOR FAULT-TOLERANCE OF STATE

NICIRA, INC., Palo Alto,...

1. For a first controller instance that manages a first set of forwarding elements implementing logical datapath sets of a
network control system, a machine-readable medium storing a program executable by at least one processing unit of the first
controller instance, the program comprising sets of instructions for:
maintaining a first set of forwarding state data that represents a forwarding state of the first set of forwarding elements;
receiving a second set of forwarding state data that represents a forwarding state of a second set of forwarding elements
from a second controller instance;

propagating the first set of forwarding state data to the first set of forwarding elements;
upon detecting a failure of the second controller instance, merging the second set of forwarding state data into the first
set of forwarding state data to produce a third set of forwarding state data; and

propagating the third set of forwarding state data to the first and second sets of forwarding elements.

US Pat. No. 9,231,891

DEPLOYMENT OF HIERARCHICAL MANAGED SWITCHING ELEMENTS

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a network comprising a plurality of lower level switching elements for forwarding
packets among a plurality of network hosts coupled to the lower level switching elements and a plurality of higher level switching
elements for facilitating the lower level switching elements to forward packets among the network hosts, a method comprising:
establishing a set of tunnels among the lower level switching elements and the higher level switching elements in a mesh configuration
that, for each lower level switching element, has a tunnel established between the lower level switching element and at least
one higher level switching element;

populating each higher level switching element in the plurality of higher level switching elements with a set of data for
configuring the higher level switching element to process packets for a set of lower level switching elements connected to
the higher level switching element through the established set of tunnels; and

populating each lower level switching element in the plurality of lower level switching elements with a set of data for configuring
the lower level switching element to forward packets to other lower level switching elements, to a set of higher level switching
elements through the established set of tunnels, and to the network hosts coupled to the lower level switching element.

US Pat. No. 9,215,210

MIGRATING FIREWALL CONNECTION STATE FOR A FIREWALL SERVICE VIRTUAL MACHINE

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program for migrating firewall connection state data as a guest virtual
machine (GVM) migrates from a first host computing device to a second host computing device, the program comprising sets of
instructions for:
receiving a configuration data set from a firewall service virtual machine (SVM) regarding how to migrate connection state
data that relates to firewall rule processing of the SVM for a migrating GVM;

receiving indication that the GVM is migrating from the first host to the second host;
when the configuration data set is a first configuration data set, performing a first set of operations to gather the connection
state data relating to the firewall SVM's firewall rule processing for the GVM;

when the configuration data set is a second configuration data set, performing a second set of operations to gather the connection
state data relating to the firewall SVM's firewall rule processing for the GVM; and

transferring the gathered connection state data to the second host.

US Pat. No. 9,215,213

METHOD AND APPARATUS FOR DISTRIBUTING FIREWALL RULES

NICIRA, INC., Palo Alto,...

1. A method of distributing firewall rules, the method comprising:
specifying a firewall rule and an enforcement node identifier that identifies a set of enforcement nodes at which the firewall
rule should be enforced by a set of enforcement devices;

distributing the specified firewall rule to each enforcing device in the set of enforcement devices, wherein at least a first
enforcement device in the set enforces the firewall rule for at least a group of two enforcement nodes;

modifying the set of enforcement devices by adding a particular enforcement node to the group of enforcement nodes; and
in response to the modification, communicating with the first enforcement device to add the particular enforcement node to
the group of enforcement nodes.

US Pat. No. 9,203,703

PACKET CONFLICT RESOLUTION

NICIRA, INC., Palo Alto,...

1. For a first managed forwarding element that implements a logical network, a method comprising:
receiving a first packet from a second managed forwarding element, the first packet having an initial set of characteristics
defining a first connection between a source machine connected to the second managed forwarding element and a destination
machine connected to the first managed forwarding element;

determining whether a second connection exists with the initial set of characteristics between a different machine connected
to a third managed forwarding element and the destination machine;

when a second connection exists with the initial set of characteristics, modifying at least one characteristic of the packet
such that the modified packet does not have the initial set of characteristics; and

delivering the modified packet to the destination machine.

US Pat. No. 9,197,529

TRACING NETWORK PACKETS THROUGH LOGICAL AND PHYSICAL NETWORKS

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a set of managed forwarding elements in order to implement a set of logical forwarding
elements across the set of managed forwarding elements, a method comprising:
generating a first set of flow entries for causing a particular managed forwarding element to perform a set of logical processing
operations on a packet sent through a particular logical forwarding element;

generating a second set of flow entries for causing the particular managed forwarding element to send, to the network controller,
a set of observation messages regarding the set of logical processing operations when the packet is marked for a trace operation;
and

distributing the first and second sets of flow entries to the particular managed forwarding element, wherein each flow entry
specifies (i) a set of matching conditions and (ii) an action that the managed forwarding element is to perform based on the
packet when the specified set of matching conditions is met.

US Pat. No. 9,331,937

EXCHANGE OF NETWORK STATE INFORMATION BETWEEN FORWARDING ELEMENTS

NICIRA, INC., Palo Alto,...

1. A computer configured as a first host in a network managed by at least one network controller, the computer comprising:
a set of processing units;
a non-volatile storage storing:
a first managed forwarding element for execution by at least one processing unit in the set of processing units, the first
managed forwarding element for forwarding data packets to and from virtual machines operating on the first host based on forwarding
state records, wherein at least a plurality of the forwarding state records are provided by a network controller; and

a daemon for execution by at least one processing unit in the set of processing units, the daemon for (i) providing, to the
first managed forwarding element, a set of forwarding state records required by the first managed forwarding element in order
to forward a particular data packet and (ii) requesting forwarding state from a second managed forwarding element operating
in a different second host to obtain the required set of forwarding state records from the second forwarding element to forward
the particular data packet when the daemon does not have the set of forwarding state records locally available, the second
managed forwarding element for forwarding data packets for a second set of virtual machines that operate on the second host.

US Pat. No. 9,059,999

LOAD BALANCING IN A LOGICAL PIPELINE

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures
a plurality of managed forwarding elements (MFEs) to implement a logical L3 router and a plurality of logical L2 switches
that each logically couple to a plurality of machines, the program comprising sets of instructions for:
for each MFE of a set of MFEs that implement a particular logical L2 switch, generating a first set of data records for configuring
the MFE to install a first set of flow entries that implement the particular logical L2 switch and the logical L3 router for
processing packets sent to a network address that logically couples to the particular logical L2 switch; and

for each MFE of the set of MFEs, generating a second set of data records for configuring the MFE to install a second set of
flow entries that implement load balancing processing on a subset of packets sent to the network address that logically couples
to the particular logical L2 switch, the second set of flow entries specifying to balance the subset of packets across a plurality
of machines that logically couple to the particular logical L2 switch and are physically coupled to a plurality of different
MFEs.

US Pat. No. 9,407,580

MAINTAINING DATA STORED WITH A PACKET

NICIRA, INC., Palo Alto,...

1. For a managed forwarding element that operates on a host machine to process packets for at least one logical network, a
method comprising:
at the managed forwarding element operating on the host machine, receiving a packet comprising a particular piece of data
to maintain with the packet, wherein the particular piece of data is not stored in a payload of the packet and is not protocol-specific
data;

storing the particular piece of data in a register while processing the packet at the managed forwarding element;
identifying a next destination for the packet, wherein the next destination also operates on the host machine; and
generating an object to represent the packet for the identified destination, wherein the particular piece of data is stored
in a field of the generated object.

US Pat. No. 9,331,938

EXTENSION OF LOGICAL NETWORKS ACROSS LAYER 3 VIRTUAL PRIVATE NETWORKS

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit manages
a set of managed forwarding elements that forward data between machines, the program comprising sets of instructions for:
configuring, by a network controller, first, second, and third managed forwarding elements to operate in first, second, and
third networks, respectively, the first network using first and second address spaces that at least partially overlap with
each other, the second network using the first address space and the third network using the second address space,

the first managed forwarding element implementing first and second logical forwarding elements, the first logical forwarding
element having a first logical port that is mapped to the second managed forwarding element and the second logical forwarding
element having a second logical port that is mapped to the third managed forwarding element,

said configuring comprising directing the first managed forwarding element to forward a first set of data to the second managed
forwarding element and a second set of data to the third managed forwarding element without exposing an address of the network
controller.

US Pat. No. 9,300,603

USE OF RICH CONTEXT TAGS IN LOGICAL DATA PROCESSING

NICIRA, INC., Palo Alto,...

1. For a first managed switching element that implements a logical switching element along with a plurality of additional
managed switching elements, a method comprising:
receiving, from a source machine at an ingress port of the first managed switching element, a packet for processing through
a processing pipeline comprising a physical to logical mapping, logical processing for processing the packet through the logical
switching element to a destination machine, a logical to physical mapping, and physical processing;

performing the logical processing of the processing pipeline on the packet;
storing, in the packet, a set of context tag values for results of the logical processing performed on the packet, the set
of context tag values comprising at least a logical output port of the logical switching element for the packet; and

forwarding the packet to a second managed switching element of the plurality of additional managed switching elements for
the second managed switching element to provide the packet to the destination machine based on the logical output port in
the set of context tag values stored in the packet.

US Pat. No. 9,485,185

ADJUSTING CONNECTION VALIDATING CONTROL SIGNALS IN RESPONSE TO CHANGES IN NETWORK TRAFFIC

Nicira, Inc., Palo Alto,...

1. A method for regulating transmission of control signals in a network, the network comprising a link connecting first and
second network entities, the method comprising:
transmitting bidirectional forwarding detection (BFD) control signals from the first network entity to the second network
entity on the link at an initial BFD control signal rate;

monitoring a rate of data transmission on the link; and
when the monitored rate of data transmission is below a threshold for a period of time, reducing the BFD control signal rate
and transmitting the BFD control signals at a reduced BFD control signal rate.

US Pat. No. 9,432,215

HIERARCHICAL NETWORK MANAGERS

NICIRA, INC., Palo Alto,...

1. A network system comprising:
a plurality of host machines, each comprising a non-transitory machine readable medium, for hosting virtual machines, the
host machines divided into a plurality of different domains;

a plurality of local domain management servers for the plurality of domains, wherein each local domain management server of
each domain is for (i) initiating creation of at least one set of distributed virtual switch ports associated with at least
one particular logical network identifier on a set of host machines within its domain and (ii) attaching a set of virtual
machines on the set of host machines to a created port associated with the particular logical network identifier in order
for the virtual machines to send traffic through their respective logical networks; and

a second level management server for (i) receiving a specification for a logical network, the specification comprising a plurality
of virtual machines to connect to the logical network and a set of at least first and second domains in which the virtual
machines are located and (ii) coordinating the use of logical network identifiers between multiple different local domain
management servers by selecting a logical network identifier for the logical network and providing the selected logical network
identifier to at least first and second local domain management servers with data indicating on which host machines in the
respective domains to initiate creation of distributed virtual switch ports in order to allow the logical network to span
across at least the first and second local domains so that a first virtual machine in the first local domain communicates
via the logical network with a second virtual machine in the second domain.

US Pat. No. 9,461,960

LOGICAL L3 DAEMON

NICIRA, INC., Palo Alto,...

1. For a managed forwarding element (MFE) that operates in a host machine to implement a plurality of logical networks for
a plurality of machines operating on the host machine, a method comprising:
at the MFE, receiving a packet from a particular machine operating on the host machine;
at the MFE, performing logical L2 switching for a first logical L2 domain to which the particular machine belongs to logically
send the packet to a logical port that couples to a logical router;

while performing logical L3 routing for the logical router at the MFE, determining that a destination network address of the
packet requires address resolution;

using an address resolution module operating on the host machine to resolve the network address; and
forwarding the packet using the resolved network address.

US Pat. No. 9,419,897

METHODS AND SYSTEMS FOR PROVIDING MULTI-TENANCY SUPPORT FOR SINGLE ROOT I/O VIRTUALIZATION

NICIRA, INC., Palo Alto,...

1. A method for providing support for multi-tenancy in a single root input/output virtualization (SR-IOV) enabled physical
network interface controller (NIC) associated with a host, the SR-IOV providing a physical function (PF) and a set of virtual
functions (VFs) for the NIC, the method comprising:
at a VF of the physical NIC, receiving a mapping table of an overlay network, the mapping table associating an identification
of each of a set of virtual machines (VMs) of a tenant on the host to an identification of a tunnel end point on the overlay
network;

at the VF, receiving a transmit packet from a VM connected to the VF;
at the VF, performing a lookup in the mapping table to identify source and destination tunnel end points associated with source
and destination VMs in the packet; and

at the VF, encapsulating the packet, for transmission through the tunnel end point associated with the source VM.

US Pat. No. 9,391,928

METHOD AND APPARATUS FOR INTERACTING WITH A NETWORK INFORMATION BASE IN A DISTRIBUTED NETWORK CONTROL SYSTEM WITH MULTIPLE CONTROLLER INSTANCES

NICIRA, INC., Palo Alto,...

11. A method of managing a set of managed forwarding elements of a plurality of managed forwarding elements managed by a plurality
of controllers in a network control system, the method comprising:
at a first controller, changing the set of data stored in a local network information base (NIB) storage of the first controller,
wherein the local NIB storage stores data for managing the set of managed forwarding elements; and

from the first controller, sending a notification to a secondary storage of a second controller of the change to the set of
data in the local NIB storage of the first controller after recording the change in a secondary storage of the first controller,
wherein the second controller updates a local NIB storage of the second controller after detecting the change in the secondary
storage of the second controller and propagates a corresponding change to a particular managed forwarding element of the set
of managed forwarding elements to modify forwarding behaviors of the particular managed forwarding element based on the corresponding
change, wherein the first and second controllers execute on separate physical machines from the managed forwarding elements
managed by the controllers.

US Pat. No. 9,356,906

LOGICAL L3 ROUTING WITH DHCP

NICIRA, INC., Palo Alto,...

1. For a network controller for managing a set of hosts, a method for configuring a physical machine to provide Dynamic Host
Configuration Protocol (DHCP) service, the method comprising:
configuring a DHCP module in a first physical machine to provide DHCP service for a plurality of logical networks by providing
network addresses to machines belonging to the plurality of logical networks, wherein each logical network comprises a logical
router having logical ports to which the network addresses provided for the machines of the logical network map, each logical
network logically connecting a set of machines operating on a plurality of host machines, wherein the set of machines of a
first logical network are isolated from the sets of machines of the other logical networks;

configuring a first managed forwarding element (MFE) operating in the first physical machine to (i) forward to the DHCP module
requests to obtain network addresses, received from a plurality of other MFEs, for machines of the plurality of logical networks,
and (ii) forward data packets for the plurality of logical networks; and

configuring a second MFE operating in a second physical machine to (i) forward to the first MFE requests to obtain network
addresses received by the second MFE from a set of machines for which the second MFE is a first-hop MFE and (ii) forward data
packets received from the machines of the set of machines for which the second MFE is the first-hop MFE according to the respective
logical networks of the machines from which the packets are received, wherein the set of machines for which the second MFE
is the first-hop MFE comprises machines from at least two of the logical networks.

US Pat. No. 9,350,696

HANDLING NAT IN LOGICAL L3 ROUTING

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures
a plurality of managed forwarding elements (MFEs) to implement a logical network that comprises a logical L3 router and at
least one logical L2 switch that logically couples to a plurality of machines, the program comprising sets of instructions
for:
for each MFE of the plurality of MFEs that implement the logical network and couple directly to at least one of the machines,
generating a first set of data records for configuring the MFE to install a first set of flow entries that implement the logical
L2 switch and logical L3 router for packets sent by the at least one machine that couples directly to the MFE, wherein each
MFE of the plurality of MFEs operates on a separate physical machine to implement the logical L2 switch and logical L3 router
on the separate physical machine; and

for each MFE of the plurality of MFEs, generating a second set of data records for configuring the MFE to install a second
set of flow entries that implement network address translation (NAT) processing on a subset of packets sent by the at least
one machine that couples directly to the MFE, the subset of packets comprising packets sent to a destination that does not
logically couple to a same logical L2 switch as the machine that sent the packet to the MFE.

US Pat. No. 9,253,109

COMMUNICATION CHANNEL FOR DISTRIBUTED NETWORK CONTROL SYSTEM

NICIRA, INC., Palo Alto,...

1. For a particular controller that computes forwarding state for managing managed forwarding elements that forward data in
a network, a method for computing the forwarding state using a set of inputs from a first controller and a second controller
that is a back up controller for the first controller, the method comprising:
receiving a first subset of the set of inputs from the first controller at the particular controller, wherein the particular
controller is a master of a set of the managed forwarding elements;

after failure of the first controller, receiving a second subset of the set of inputs from the second controller at the particular
controller, at least one input of the second subset of the set of inputs being duplicative of an input in the first subset;

computing forwarding state using the first and second subsets of the set of inputs but without using the duplicative input;
and

distributing the computed forwarding state from the particular controller to the set of managed forwarding elements.

US Pat. No. 9,894,188

PACKET DATA RESTORATION FOR FLOW-BASED FORWARDING ELEMENT

NICIRA, INC., Palo Alto,...

1. A method for preserving temporary storage values of a packet processed by a managed forwarding element (MFE), the method
comprising:
while processing a packet at the MFE, determining that the packet does not match any cache entries of the MFE;
sending the packet to a processing module of the MFE for processing the packet through a plurality of stages of tables;
at the processing module, identifying that the packet is to be recirculated as a new packet for the MFE, wherein a set of
packet field values used for processing the packet by the MFE are associated with the packet;

storing the set of packet field values with an identifier value;
recirculating the packet with the identifier value attached to the packet; and
upon receiving the recirculated packet, using the identifier value to restore the set of packet field values for the recirculated
packet.

US Pat. No. 9,444,651

FLOW GENERATION FROM SECOND LEVEL CONTROLLER TO FIRST LEVEL CONTROLLER TO MANAGED SWITCHING ELEMENT

NICIRA, INC., Palo Alto,...

1. For a first set of network controllers, a method for managing a network, the method comprising:
receiving a definition of a logical switching element that couples to both a first set of network hosts in a first domain
and a second set of network hosts in a second domain;

using a rules engine to generate a first set of lookups at a higher-level logical forwarding plane for implementing the logical
switching element by converting a first set of input tables to a first set of output tables;

using the rules engine to generate a second set of lookups at a lower-level logical forwarding plane based on the first set
of lookups by converting a second set of input tables to a second set of output tables;

distributing a first portion of the second set of lookups to a second set of network controllers that manage the first domain;
and

distributing a second portion of the second set of lookups to a third set of network controllers that manage the second domain.

US Pat. No. 9,300,593

SCHEDULING DISTRIBUTION OF LOGICAL FORWARDING PLANE DATA

NICIRA, INC., Palo Alto,...

1. A controller computer for managing a plurality of managed forwarding elements that implement different logical networks,
the controller computer comprising:
an interface that receives input logical control plane data in terms of input events, said input logical control plane data
comprising updates to logical control planes of logical networks, wherein each logical network is implemented by a set of
managed forwarding elements;

a converter that converts the input logical control plane data for each logical network to output logical forwarding plane
data for the logical network by processing the input events, said logical forwarding plane data for subsequent translation
into physical control plane data for the set of managed forwarding elements that implements the logical network; and

an input scheduler that (i) categorizes the input events into different groups related to different logical networks, and
(ii) defines a schedule for supplying each group of the input events for each logical network to the converter in a manner
that ensures that each group of input events related to each logical network is processed together by the converter.

US Pat. No. 9,294,524

MAPPING VIRTUAL MACHINES FROM A PRIVATE NETWORK TO A MULTI-TENANT PUBLIC DATACENTER

NICIRA, INC., Palo Alto,...

1. A method for creating a plurality of virtual machines (“VMs”) on a public datacenter, the method comprising:
from a first network controller of a private network, directing a second network controller of the public datacenter to create
the VMs;

from the first network controller of the private network, communicating with the second network controller of the public datacenter
to determine a type of the second network controller;

when the type of the second network controller is one of a pre-defined set of network controller types:
using application programming interfaces (APIs) of the second network controller to set up a primary virtual local area network
(VLAN) between the plurality of VMs; and

using the APIs of the second network controller to set up a plurality of secondary VLANs, wherein each secondary VLAN is between
a subset of the plurality of VMs that restricts communication within the primary VLAN between VMs on the secondary VLAN to
communication with other VMs on the secondary VLAN, wherein a set of host machines implement each secondary VLAN to send signals
between the secondary VLAN's subset of the plurality of VMs on the public datacenter without passing the signals through the
private network; and

when the type of the second network controller is not one of the pre-defined set of network controller types, setting up a
system of communication in which all communication between the VMs created on the public datacenter pass through the private
network.

US Pat. No. 9,276,904

SPECIFYING POINT OF ENFORCEMENT IN A FIREWALL RULE

NICIRA, INC., Palo Alto,...

1. A method of specifying firewall rules, the method comprising:
specifying a plurality of high-level firewall rules that each includes a high-level construct tuple that identifies a set
of high-level constructs in a network where the high-level firewall rule has to be enforced;

translating each high-level firewall rule to a set of lower-level firewall rules, each lower-level firewall rule comprising
a lower-level enforcement-node tuple that identifies a first set of lower-level enforcement nodes associated with the high-level
construct of the high-level firewall rule; and

distributing at least two different subsets of the lower-level firewall rules to at least two enforcement devices, each enforcement
device comprising a second set of lower-level enforcement nodes for which the distributed subset of lower-level firewall rules
are enforced according to a precedence hierarchy that defines a precedence order for the lower-level firewall rules.

US Pat. No. 9,246,833

PULL-BASED STATE DISSEMINATION BETWEEN MANAGED FORWARDING ELEMENTS

NICIRA, INC., Palo Alto,...

1. For a controller that manages managed forwarding elements that forward data in a network, a method for configuring the
managed forwarding elements, the method comprising:
computing forwarding state and sending the computed forwarding state to the managed forwarding elements, the forwarding state
defining forwarding behaviors of the managed forwarding elements; and

configuring the managed forwarding elements to exchange forwarding state with each other, the configuring comprising:
configuring a first managed forwarding element to send a forwarding state information request to a second managed forwarding
element;

configuring the second managed forwarding element (i) to respond to the forwarding state information request by performing
a lookup in a forwarding state information repository and (ii) to update the forwarding state information repository with
forwarding state information received from a third managed forwarding element; and

configuring the third managed forwarding element to send a removal request to the second managed forwarding element to remove
certain forwarding state information from the forwarding state information repository when the third managed forwarding element
determines that the certain forwarding state information is no longer valid.

US Pat. No. 9,419,889

METHOD AND SYSTEM FOR DISCOVERING A PATH OF NETWORK TRAFFIC

Nicira, Inc., Palo Alto,...

1. A method for discovering a path of network traffic that travels from a source host to a destination host, the method comprising:
at the source host, generating probe packets that have:
a five-tuple of header fields that is identical to a corresponding five-tuple of header fields of packets that are generated
by an application for transmission from the source host to the destination host; and

a path discovery signature comprised of bits from at least one of a network layer header and a transport layer header of the
probe packets; and

transmitting the probe packets from the source host to the destination host;
at the source host:
recognizing a path discovery signature in reply packets that are received at the source host in response to the transmitted
probe packets; and

directing the reply packets to a path discovery controller instead of to a network layer and transport layer protocol stack
of the source host.

US Pat. No. 9,407,599

HANDLING NAT MIGRATION IN LOGICAL L3 ROUTING

NICIRA, INC., Palo Alto,...

1. For a network controller for managing first and second managed forwarding elements that respectively execute on first and
second hosts, a method for configuring the first host to facilitate migration of a virtual machine (VM) to the second host,
the method comprising:
for the VM, configuring the first managed forwarding element of the first host to perform (i) route processing for a logical
forwarding element to route VM packets between a first logical network domain and a second network domain, and (ii) network
address translation (NAT) processing to translate between a first set of internet protocol (IP) addresses in the first logical
network domain and a second set of IP addresses in the second network domain, wherein the VM belongs to a logical network
that includes a logical forwarding element that is implemented by the first and second managed forwarding elements of the
first and second hosts;

configuring the first host to transmit NAT information to the second host when the VM migrates to the second host; and
configuring the second managed forwarding element of the second host to perform the NAT processing for the migrated VM to
translate between the first set of IP addresses in the first logical network domain and the second set of IP addresses using
the transmitted information.

US Pat. No. 9,397,920

MULTI-PATH NETWORK BANDWIDTH ESTIMATION

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program that when executed by at least one processing unit measures
an estimated bandwidth between two endpoints of a network, the program comprising sets of instructions for:
identifying a plurality of different routing paths between the two endpoints, wherein each routing path comprises a set of
intermediate nodes and a set of links each of which connects a pair of intermediate nodes in the set of intermediate nodes;

calculating an estimated bandwidth for each identified routing path in the plurality of routing paths by (i) identifying a
flow signature for the routing path and (ii) generating a set of probing packets with the identified flow signature to calculate
an estimated bandwidth for each link on the identified routing path;

aggregating the calculated bandwidths of the plurality of routing paths; and
using the aggregated bandwidth to calculate an estimated bandwidth between the two endpoints.

US Pat. No. 9,350,657

ENCAPSULATING DATA PACKETS USING AN ADAPTIVE TUNNELLING PROTOCOL

NICIRA, INC., Palo Alto,...

1. For a first forwarding element, a method for processing packets using an adaptive tunnel protocol, the method comprising:
using a particular tunnel protocol to encapsulate a first packet with a first logical context tag header;
using the particular tunnel protocol to encapsulate a second packet with a second logical context tag header, the first logical
context tag header having a different length than the second logical context tag header; and

forwarding the first packet to a second forwarding element and the second packet to a third forwarding element.

US Pat. No. 9,344,349

TRACING NETWORK PACKETS BY A CLUSTER OF NETWORK CONTROLLERS

NICIRA, INC., Palo Alto,...

1. For a first network controller that manages a set of logical forwarding elements implemented in a plurality of managed
forwarding elements, a method comprising:
receiving, at the first network controller, a request to trace a specified packet having a particular source on a logical
forwarding element;

generating the specified packet according to the request, the generated packet comprising an indicator that the packet is
for a trace operation;

sending the generated packet to a second network controller that manages a managed forwarding element associated with the
particular source; and

receiving, from a set of network controllers, a first set of messages regarding operations performed on the packet, wherein
the set of network controllers receives a second set of messages regarding operations performed on the packet from a set of
managed forwarding elements that process the packet.

US Pat. No. 9,083,609

NETWORK OPERATING SYSTEM FOR MANAGING AND SECURING NETWORKS

NICIRA, INC., Palo Alto,...

1. For a network operating system that executes on a network controller computing device and manages a network comprising
a plurality of network elements that forward data flows in the network, a method comprising:
configuring forwarding behaviors of the plurality of network elements according to network policies declared by a set of management
applications that operate on top of the network operating system, wherein the forwarding behavior of each of the plurality
of network elements is specified by a set of flow entries stored on the respective network element;

receiving a packet from a particular network element of the plurality of network elements for a particular data flow when
the particular network element is unable to match the packet to a flow entry of the set of flow entries stored on the particular
network element;

analyzing the packet according to the declared network policies and a current view of the network comprising a current topology
of the plurality of network elements to determine whether to modify a forwarding behavior of the particular network element;
and

when the forwarding behavior of the particular network element is to be modified, configuring the particular network element
to forward additional packets for the particular data flow.

US Pat. No. 9,319,338

TUNNEL CREATION

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures
managed forwarding elements to establish tunnels between the managed forwarding elements, the program comprising sets of instructions
for:
from a first managed forwarding element, receiving information regarding coupling of a network element to the first managed
forwarding element;

upon receiving the information, generating a set of universal flow entries for configuring a second managed forwarding element
to establish a tunnel to the first managed forwarding element and for configuring a third managed forwarding element to establish
a tunnel to the first managed forwarding element; and

sending the generated set of universal flow entries to the second managed forwarding element and the third managed forwarding
element, wherein the set of universal flow entries are subsequently converted into two different sets of customized flow entries
for the second and third managed forwarding elements.

US Pat. No. 9,397,857

METHODS AND APPARATUS FOR STATELESS TRANSPORT LAYER TUNNELING

NICIRA, INC., Palo Alto,...

1. At a first device comprising a network interface controller (NIC), a method of processing data packets for tunneling to
a second device, the method comprising:
receiving a data packet that comprises a first header having a first format;
identifying a plurality of packet processing operations to perform in order to transmit the data packet to the second device
through a tunnel that is established between the first and second devices;

determining that the NIC performs a subset of the plurality of packet processing operations on data packets that have headers
in a second format that is different from the first format; and

encapsulating the data packet with a second header of the second format in order to offload the subset of packet processing
operations to the NIC.

US Pat. No. 9,385,954

HASHING TECHNIQUES FOR USE IN A NETWORK ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program that, when executed by at least one processing unit, generates
a hash to process a packet, the program comprising sets of instructions for:
dividing at least a portion of a packet's header into a plurality of chunks, including a set of chunks that are of equal size;
hashing the set of chunks to generate a set of hashes;
for each remaining chunk, hashing the remaining chunk into one of the generated hashes in the set of hashes;
merging the set of hashes with one another to produce a final hash for the portion of the header; and
processing the packet based on the final hash.

US Pat. No. 9,338,091

PROCEDURES FOR EFFICIENT CLOUD SERVICE ACCESS IN A SYSTEM WITH MULTIPLE TENANT LOGICAL NETWORKS

NICIRA, INC., Palo Alto,...

1. A method of providing efficient access to cloud services in a network comprising a plurality of tenant logical networks
and a set of service logical networks, the method comprising:
receiving a first packet from a particular virtual machine (VM) of a tenant logical network, the first packet specifying a
destination address associated with a service VM of a service logical network;

based on the destination address of the first packet, replacing a source network address and a source port number of the first
packet with one of a set of network address and port number pairs allocated for accessing service VMs;

receiving a second packet from the particular VM, the second packet specifying a destination address outside the tenant logical
network but not associated with any service VM; and

without modifying a source address and port number of the second packet, forwarding the second packet to a default gateway
of the tenant logical network.

US Pat. No. 9,313,129

LOGICAL ROUTER PROCESSING BY NETWORK CONTROLLER

NICIRA, INC., Palo Alto,...

1. A network controller for managing a logical network that is implemented across a plurality of managed network elements,
the logical network comprising at least one logical router, the network controller comprising:
an input interface for receiving configuration state for the logical router;
a table mapping engine for generating data tuples for distribution to the plurality of managed network elements in order for
the managed network elements to implement the logical router; and

a route processing engine for (i) receiving a set of input routes from the table mapping engine based on the configuration
state for the logical router, (ii) performing a recursive route traversal process to generate a set of output routes, and
(iii) returning the set of output routes to the table mapping engine,

wherein the table mapping engine uses the set of output routes to generate the data tuples for distribution to the plurality
of managed network elements.

US Pat. No. 9,282,019

TRACING LOGICAL NETWORK PACKETS THROUGH PHYSICAL NETWORK

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a plurality of managed forwarding elements, a method comprising:
receiving a request to trace a specified packet having a particular source on a logical switching element;
generating the packet at the network controller according to the packet specification, the generated packet comprising an
indicator that the packet is for a trace operation;

sending the packet to a managed forwarding element associated with the particular source; and
receiving a set of messages from a set of managed forwarding elements that process the packet regarding operations performed
on the packet,

wherein each managed forwarding element in the set generates a message based on a set of flow entries in its forwarding table,
each flow entry of the forwarding table specifying (i) a matching condition and (ii) a corresponding set of actions that the
managed forwarding element is to perform when the specified matching condition is met.

US Pat. No. 9,692,698

METHODS AND SYSTEMS TO OFFLOAD OVERLAY NETWORK PACKET ENCAPSULATION TO HARDWARE

NICIRA, INC., Palo Alto,...

1. A method for offloading packet encapsulation for an overlay network, the method comprising:
sending a mapping table of the overlay network from a host machine to a physical network interface controller (NIC) of the
host machine, the mapping table associating each VM of a set of VMs of a tenant with an associated tunnel endpoint on the
overlay network;

determining whether the overlay network encapsulation of a packet received at the host from a VM of the tenant is to be offloaded
to the physical NIC;

when the encapsulation of the packet is to be offloaded to the physical NIC, tagging the received packet at the host for encapsulation
by the physical NIC and sending the packet to the physical NIC without encapsulation, wherein when the packet is tagged, the
physical NIC encapsulates the packet for the overlay network by using the mapping table to identify the tunnel endpoint based
on an identifier of the VM; and

when the encapsulation of the packet is not to be offloaded to the physical NIC, encapsulating the received packet at the
host by using the mapping table to identify the tunnel endpoint associated with the VM based on the identifier of the VM and
sending the encapsulated packet without a tag to the physical NIC.

US Pat. No. 9,582,308

AUTO DETECTING LEGITIMATE IP ADDRESSES USING SPOOFGUARD AGENTS

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which, when implemented by at least one processing unit, blocks
spoofed packets, the program comprising sets of instructions for:
receiving a first packet with a first source address from a virtual machine;
storing the first source address of the first packet;
receiving, from the virtual machine, a second packet with a second source address;
comparing the first source address to the second source address;
when the second source address is the same as the first source address, allowing the second packet to be forwarded; and
when the second source address is not the same as the first source address, blocking the second packet.

US Pat. No. 9,319,336

SCHEDULING DISTRIBUTION OF LOGICAL CONTROL PLANE DATA

NICIRA, INC., Palo Alto,...

1. A computer for distributing logical control plane data to controllers, the computer comprising:
a set of processing units for processing instructions;
a non-transitory machine readable medium storing sets of instructions for:
receiving user inputs to define logical datapath sets;
translating the user inputs to output logical control plane data, said logical control plane data for subsequent translation
into logical forwarding plane data by a plurality of controllers;

storing output logical control plane data for each controller that is a master controller of at least one logical datapath
set; and

sending in batch each controller's stored output logical control plane data to the controller.

US Pat. No. 9,276,897

DISTRIBUTED LOGICAL L3 ROUTING

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit implements
a first managed forwarding element for implementing a plurality of logical networks for a plurality of machines that connect
to the first managed forwarding element, the program comprising sets of instructions for:
receiving a packet from a particular machine that connects to the first managed forwarding element;
performing logical L2 processing for a first logical L2 domain, to which the particular machine logically couples, to logically
forward the packet to a logical router, said performing logical L2 processing for the first domain comprising identifying
the logical router by identifying a logical egress port of the first logical L2 domain that is associated with a media access
control (MAC) address of the logical router;

performing logical L3 processing for the logical router to logically forward the packet to a second logical L2 domain to which
a machine associated with a destination address of the packet belongs;

performing logical L2 processing for the second logical L2 domain; and
based on the logical L2 processing for the second logical L2 domain, forwarding the packet to a second managed forwarding
element with context information stored in the packet indicating that the logical L2 processing for the second logical L2
domain was performed by the first managed forwarding element,

said logical L2 and L3 processing performed by analyzing logical L2 and L3 attributes of the first and second logical L2 domains,
said L2 logical attributes comprising said logical egress port.

US Pat. No. 9,306,843

USING TRANSACTIONS TO COMPUTE AND PROPAGATE NETWORK FORWARDING STATE

NICIRA, INC., Palo Alto,...

1. For a controller for managing a network comprising a plurality of managed forwarding elements that forward data in the
network, a method for configuring the managed forwarding elements, the method comprising:
generating a first set of configuration data for configuring a managed forwarding element as a first-hop forwarding element
for (i) receiving a packet directly from an end machine that is a source of the packet and (ii) forwarding the packet towards
an end machine that is a destination of the packet;

generating a second set of configuration data for configuring a set of managed forwarding elements as non-first-hop forwarding
elements for (i) receiving the packet not directly from the source end machine and (ii) forwarding the packet towards the
destination end machine; and

sending the second set of configuration data to the set of managed forwarding elements prior to sending the first set of configuration
data to the managed forwarding element.

US Pat. No. 9,306,909

CONNECTION IDENTIFIER ASSIGNMENT AND SOURCE NETWORK ADDRESS TRANSLATION

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium of a controller of a network control system for configuring a logical middlebox
in a plurality of hosts, the network control system comprising a plurality of controllers, the non-transitory machine readable
medium storing sets of instructions for:
receiving configuration data for configuring, in each host of the plurality of hosts, a middlebox instance to provide a source
network address translation (SNAT) service to a virtual machine operating in the host;

identifying a set of additional controllers of the network control system that manage the plurality of middlebox instances
for implementing the configuration data; and

sending the configuration data to the identified set of additional controllers for the additional controllers to subsequently
distribute the configuration data to the plurality of middlebox instances.

US Pat. No. 9,288,104

CHASSIS CONTROLLERS FOR CONVERTING UNIVERSAL FLOWS

NICIRA, INC., Palo Alto,...

1. A network control system for generating physical control plane data for managing a set of managed forwarding elements that
implements forwarding operations associated with a logical datapath set, the system comprising:
a plurality of host computers, each of the plurality of host computers executing a managed forwarding element;
a first controller computer comprising (i) one or more processing units, (ii) a memory for storing a first controller instance
executable by the one or more processing units of the first controller computer, and (iii) a network information base (NIB)
storage, the first controller instance comprising sets of instructions for:

receiving input data defining the logical datapath set and performing a first conversion of data for the logical datapath
set to generate intermediate data tuples for the logical datapath set;

storing the intermediate data tuples in the NIB storage; and
distributing the intermediate data tuples from the NIB storage to a set of the plurality of host computers that executes the
set of managed forwarding elements; and

a second controller instance executing on a particular one of the plurality of host computers, the second controller instance
comprising sets of instructions for:

receiving the intermediate data tuples for the logical datapath set from the NIB storage; and
converting the intermediate data tuples into physical control plane data for use by a managed forwarding element executing
on the particular one of the plurality of host computers.

US Pat. No. 9,195,491

MIGRATING MIDDLEBOX STATE FOR DISTRIBUTED MIDDLEBOXES

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium of a controller of a network control system for configuring a plurality of middlebox
instances to implement a middlebox in a distributed manner in a plurality of hosts, the non-transitory machine readable medium
storing sets of instructions for:
configuring, in a first host, a first middlebox instance to:
receive a notification from a migration module before a virtual machine (VM) running in the first host migrates to a second
host; and

send middlebox state related to the VM to the migration module,
wherein the migration module migrates the middlebox state to the second host.

US Pat. No. 9,306,875

MANAGED SWITCH ARCHITECTURES FOR IMPLEMENTING LOGICAL DATAPATH SETS

NICIRA, INC., Palo Alto,...

1. A system comprising:
a plurality of network controller instances for identifying definitions of a first logical datapath set (LDPS) and a second
LDPS;

a plurality of managed edge (ME) switching elements comprising a set of hardware switching elements and a set of software
switching elements;

a plurality of machines that are each (1) communicatively coupled to one of the plurality of ME switching elements and (2)
associated with at least one of the first LDPS and the second LDPS; and

a set of managed non-edge (MNE) switching elements for facilitating communication between the ME switching elements,
wherein the plurality of network controller instances are further for managing the ME and MNE switching elements by providing
the ME and MNE switching elements with configuration data for specifying flow entries for forwarding network data between
machines of the plurality of machines based on the identified definitions of the first LDPS and the second LDPS.

US Pat. No. 9,413,644

INGRESS ECMP IN VIRTUAL DISTRIBUTED ROUTING ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A method of operating a logical network over a network virtualization infrastructure that comprises a plurality of host
machines, the method comprising:
defining a logical routing element (LRE) for routing data packets between different segments of the logical network, wherein
each host machine operates a set of virtual machines (VMs) and a local instance of the LRE as a managed physical routing element
(MPRE) for routing packets from the set of VMs locally at the host machine, the LRE comprising a plurality of logical interfaces
(LIFs), each LIF for interfacing with a different segment of the logical network, wherein a particular LIF is addressable
by a plurality of different LIF addresses;

assigning each LIF address of the particular LIF to a different host machine in the plurality of host machines; and
advertising the plurality of LIF addresses of the particular LIF as a plurality of next-hops to an external router for sending
packets to be routed by the LRE.

US Pat. No. 9,288,081

CONNECTING UNMANAGED SEGMENTED NETWORKS BY MANAGING INTERCONNECTION SWITCHING ELEMENTS

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program which when executed by at least one processing unit implements
a network controller for managing a plurality of interconnection switching elements in a network, the program comprising sets
of instructions for:
receiving a definition of a logical switching element that connects a set of network segments located at different segmented
networks, the definition binding each logical port of the logical switching element to a different network segment, wherein
each different network segment comprises a separate plurality of machines having unique destination addresses; and

configuring a set of interconnection switching elements located at each of the different segmented networks to implement the
logical switching element by distributing forwarding instructions to the interconnection switching elements, each of the interconnection
switching elements connecting a different one of the network segments to a same interconnecting network to which each of the
interconnection switching elements connects, wherein the forwarding instructions specify to forward packets having any of
the destination addresses of the machines for a particular network segment through the interconnecting network to the interconnection
switching element that connects the particular network segment to the interconnecting network.

US Pat. No. 9,860,151

TRACING NETWORK PACKETS THROUGH LOGICAL AND PHYSICAL NETWORKS

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a network comprising a set of managed forwarding elements (MFEs), a method comprising:
receiving a request to trace a packet having a particular source corresponding to a particular logical port of a logical forwarding
element;

at the network controller, defining packet data for the requested packet, the packet data comprising an indicator that the
packet is for a trace operation;

inserting the defined packet data into a particular MFE associated with the particular logical port in order for the MFE to
process the packet data as though receiving a packet from the particular source; and

from a set of MFEs that includes the particular MFE, receiving a set of messages regarding both logical processing operations
and physical forwarding operations that each MFE in the set of MFEs performs on the packet data.

US Pat. No. 9,419,855

STATIC ROUTES FOR LOGICAL ROUTERS

NICIRA, INC., Palo Alto,...

1. For a network controller, a method comprising:
receiving configuration data, for a logical router managed by the network controller, that specifies at least one logical
port for the logical router;

automatically generating connected routes at the network controller for the logical router based on network address ranges
specified for the logical ports of the logical router;

at the network controller, receiving a manually input static route for the logical router;
generating data tuples based on the connected and static routes for the logical router; and
distributing the generated data tuples from the network controller to a plurality of managed network elements in order for
the managed network elements to implement the logical router by processing packets according to the connected and static routes.

US Pat. No. 9,419,874

PACKET TRACING IN A SOFTWARE-DEFINED NETWORKING ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A method for a Software-Defined Networking (SDN) controller device to perform packet tracing in an SDN environment comprising
the SDN controller device and a plurality of forwarding devices configurable by the SDN controller device, the method comprising:
configuring the plurality of forwarding devices to generate trace information of packets associated with a communication flow
in the SDN environment;

receiving, from the plurality of forwarding devices, trace information of packets associated with the communication flow,
wherein the trace information includes first header information and first payload information from a first forwarding device
and second header information and second payload information from a second forwarding device; and

based on the trace information, generating aggregated trace information by
identifying a particular packet processed by the first forwarding device based on the first header information and first payload
information; and

identifying that the particular packet is processed by the second forwarding device by comparing the first header information
and first payload information with the second header information and second payload information.

US Pat. No. 9,306,864

SCHEDULING DISTRIBUTION OF PHYSICAL CONTROL PLANE DATA

NICIRA, INC., Palo Alto,...

1. A controller computer for managing a plurality of managed forwarding elements that implement different logical networks,
the controller computer comprising:
an interface that receives input logical forwarding plane data in terms of input events, said input logical forwarding plane
data comprising updates to logical forwarding planes of logical networks, wherein each logical network comprises a set of
logical forwarding elements that is implemented by a set of managed forwarding elements;

a converter that converts the input logical forwarding plane data for each logical network to output physical control plane
data for the logical network by processing the input events, said physical control plane data for subsequent translation into
customized physical control plane data for each managed forwarding element; and

an input scheduler that (i) categorizes the input events into different groups related to different logical networks, and
(ii) defines a schedule for supplying each group of the input events for each logical network to the converter in a manner
such that each group of input events related to each logical network is processed together by the converter.

US Pat. No. 9,231,882

MAINTAINING QUALITY OF SERVICE IN SHARED FORWARDING ELEMENTS MANAGED BY A NETWORK CONTROL SYSTEM

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium of a controller computer storing a program which when executed by at least one
processing unit of the controller computer manages a plurality of managed forwarding elements that forward data through a
network, the program comprising sets of instructions for:
receiving inputs that define forwarding performance constraints of a set of managed forwarding elements;
based on the inputs, generating a set of universal flow entries for configuring the set of managed forwarding elements to
apply the forwarding performance constraints to data traffic forwarded by the managed forwarding elements; and

from the controller computer, sending the generated set of universal flow entries to a controller that manages a managed forwarding
element wherein the controller (1) directs the managed forwarding element to create a set of network constructs for applying
the forwarding performance constraints based on the set of universal flow entries and (2) converts the set of universal flow
entries into a set of customized flow entries for the managed forwarding element based on information about the created set
of network constructs received from the managed forwarding element.

US Pat. No. 9,112,811

MANAGED SWITCHING ELEMENTS USED AS EXTENDERS

NICIRA, INC., Palo Alto,...

1. A network system for connecting a plurality of machines that logically connect through a logical switching element, the
system comprising:
a first network comprising a plurality of unmanaged switching elements, at least one of which connects to a first machine
that communicates with other machines of the plurality of machines through the logical switching element;

a second network comprising a plurality of managed switching elements that collectively implement the logical switching element
and communicate with each other via tunnels provided by tunneling protocols, wherein a first managed switching element that
implements the logical switching element connects to a second machine that communicates through the logical switching element,
and a second managed switching element connects to a third machine that also communicates through the logical switching element;
and

a network extending managed switching element located at an edge of the first network for facilitating implementation of the
logical switching element that logically connects the first, second, and third machines between the first network and the
second network, wherein the network extending managed switching element adds logical context tags to packets sent by the first
machine and received from the at least one unmanaged switching element before forwarding said packets to the second network
and removes logical context tags from packets received from the second network before forwarding said packets to the at least
one unmanaged switching element and the first machine.

US Pat. No. 9,369,478

OWL-BASED INTELLIGENT SECURITY AUDIT

NICIRA, INC., Palo Alto,...

1. A computer-implemented method for facilitating intelligent auditing of security log data and validation of firewall configuration,
the method comprising:
receiving a set of rules translated from a security policy, wherein a respective rule from the set of rules is translated
to be represented as a Semantic Web Rule Language (SWRL) statement;

correlating log data with the translated set of rules, the correlating comprising:
converting the log data into Web Ontology Language (OWL)-based format by converting original relational database (RDB)-formatted
log data into a Resource Description Framework (RDF) format; and

applying the translated set of rules to the OWL-format log data; and
identifying, by a processor, one or more records of the log data which indicate potential violation of the security policy
based on results of applying the translated set of rules.

US Pat. No. 9,319,375

FLOW TEMPLATING IN LOGICAL L3 ROUTING

NICIRA, INC., Palo Alto,...

1. For a managed forwarding element that processes packets in a host machine according to a set of flow entries stored in
a set of forwarding tables, a method comprising:
receiving a packet from an end machine that operates on the host machine;
when the packet matches a template flow entry with a set of data fields unpopulated, sending the template flow entry to a
flow entry generating module that operates on the host machine;

receiving a new flow entry with the set of data fields populated from the flow entry generating module; and
storing the new flow entry received from the flow entry generating module in a forwarding table, wherein the new flow entry
has a higher priority than the template flow entry such that subsequent packets are processed according to the new flow entry
rather than the template flow entry without sending the template flow entry to the flow entry generating module.

US Pat. No. 10,075,363

AUTHORIZATION FOR ADVERTISED ROUTES AMONG LOGICAL ROUTERS

NICIRA, INC., Palo Alto,...

1. A method for configuring a set of logical routers in a logical network, the method comprising:
receiving (i) a configuration for a first logical router comprising an advertised route and (ii) a configuration for a second logical router comprising a set of allowable routes for the second logical router to include in its routing table, wherein the first logical router connects to the second logical router;
determining whether the set of allowable routes for the second logical router includes the advertised route as an allowed route from the first logical router;
only when the advertised route is an allowed route from the first logical router, adding the advertised route to a routing table for at least one component of the second logical router; and
distributing data regarding the routing table to a plurality of physical machines that implement the second logical router.

US Pat. No. 9,654,424

MANAGED FORWARDING ELEMENT WITH CONJUNCTIVE MATCH FLOW ENTRIES

NICIRA, INC., Palo Alto,...

1. For a managed forwarding element (MFE) that processes packets by comparing packet header field values of the packets to
flow entries arranged in a plurality of tables, a method comprising:
for a particular packet, identifying a flow entry matched by the particular packet in a first table of the plurality of tables;
when the matched flow entry in the first table belongs to one of a plurality of dimensions of a conjunctive set of flow entries,
searching at least a second additional table for a flow entry matched by the particular packet that belongs to another of
the plurality of dimensions of the conjunctive set of flow entries; and

when flow entries from each of the plurality of dimensions are matched by the particular packet, performing an action specified
by a particular additional flow entry referenced by the matched flow entries from the plurality of dimensions of the conjunctive
set of flow entries.

US Pat. No. 9,602,305

METHOD AND SYSTEM FOR VIRTUAL AND PHYSICAL NETWORK INTEGRATION

NICIRA, INC., Palo Alto,...

1. For a physical device separate from sources and destinations of packets in a network, a method for implementing a first
virtual extensible local area network gateway at a first datacenter, the method comprising:
receiving, from a physical host separate from the physical device implementing the first gateway, an Ethernet packet destined
for a machine residing in a remote layer-2 network broadcast domain at a second, geographically remote datacenter that is
different from a local layer-2 network broadcast domain in which the physical host resides at the first datacenter;

determining a virtual extensible local area network identifier for the received Ethernet packet;
encapsulating the Ethernet packet with the determined virtual extensible local area network identifier and an Internet Protocol
(IP) header; and

forwarding the encapsulated packet to an IP network to which the physical device implementing the first gateway connects,
thereby allowing the packet to be transported to a second virtual extensible local area network gateway at the second datacenter
via the IP network and allowing the remote layer-2 network broadcast domain at the second datacenter and the local layer-2
network broadcast domain at the first datacenter to be part of a common layer-2 broadcast domain.

US Pat. No. 9,948,611

PACKET TAGGING FOR IMPROVED GUEST SYSTEM SECURITY

NICIRA, INC., Palo Alto,...

1. A method for monitoring network requests from a particular machine executing on a host with a plurality of other machines, the method comprising:
when a packet related to a network request reaches a first layer of a network protocol stack associated with the particular machine:
tagging the packet with a tag value;
mapping the tag value to a first set of tuples of the packet; and
sending a first set of data related to the packet to a security engine, the first set of data comprising the first set of tuples;
when the packet reaches a second layer of the network protocol stack:
determining that the packet has been modified since exiting the first layer of the network protocol stack to reflect a second set of tuples different from the first set of tuples; and
sending a second set of data to the security engine, the second set of data comprising the second set of tuples of the modified packet.

US Pat. No. 9,553,807

BATCH PROCESSING OF PACKETS

NICIRA, INC., Palo Alto,...

1. For a managed forwarding element that receives and processes a set of packets, a method comprising:
for each of a plurality of packets in the set, using entries in a cache to associate the packet with one of several groups
of other packets in the set, each group of packets sharing a set of characteristics, and each entry in the cache comprising
a set of packet header values and a reference to a flow entry,

said using the entries for a packet comprising:
comparing a set of header values of the packet against one or more sets of header values of one or more entries in the cache
to determine whether the packet matches any entry in the cache;

when the packet matches an entry in the cache, associating the packet with a group according to the referenced flow entry;
and

when the packet does not match any entry in the cache, associating the packet with a group of unmatched packets;
for each group of packets, identifying a set of actions to perform from the referenced flow entry; and
for each group of packets, executing the specified set of actions on all of the packets in the group together.

US Pat. No. 10,091,120

SECONDARY INPUT QUEUES FOR MAINTAINING A CONSISTENT NETWORK STATE

NICIRA, INC., Palo Alto,...

1. A host computer for executing a network controller for computing forwarding rules in a distributed network control system, the host computer comprising:
at least one processing unit for executing instructions;
a non-transitory machine readable medium storing sets of instructions for implementing the network controller, the sets of instructions for:
defining a primary input queue and a plurality of secondary input queues for storing inputs received at the network controller;
storing inputs regarding configurations of logical forwarding elements implemented by a plurality of physical forwarding elements, said stored inputs received from a plurality of input sources in the plurality of secondary input queues, each secondary input queue for storing inputs from one of the plurality of input sources;
inserting barriers between the stored inputs in each secondary input queue of the plurality of secondary input queues, each of the barriers indicating an end to a set of the inputs to be processed together, the barriers for preventing partial changes to the forwarding rules propagating to the physical forwarding elements;
detecting the barriers on the secondary input queues and moving each of the sets of inputs as a group to the primary input queue; and
sending a set of forwarding rules to a set of the physical forwarding elements in the distributed network control system, the forwarding rules computed by processing together each set of inputs in the primary input queue.

US Pat. No. 10,050,874

MEDIA ACCESS CONTROL ADDRESS LEARNING FOR PACKETS

NICIRA, INC., Palo Alto,...

1. A method for performing media access control learning, the method comprising:
receiving, at a destination VTEP (tunnel endpoint), an encapsulated packet, the encapsulated packet comprising a source address associated with an intermediate VTEP, a destination address associated with the destination VTEP, and a first label associated with a source VTEP, the encapsulated packet further comprising an inner packet, the inner packet comprising a source media access control address of a source endpoint;
receiving, at the destination VTEP, information indicative of a plurality of labels and associated addresses of VTEPs;
determining, by the destination VTEP, a first address associated with the source VTEP based on the first label and the information indicative of the plurality of labels and associated addresses of VTEPs; and
mapping the first address of the source VTEP to the source media access control address of the source endpoint.

US Pat. No. 9,363,210

DISTRIBUTED NETWORK CONTROL SYSTEM WITH ONE MASTER CONTROLLER PER LOGICAL DATAPATH SET

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program, which when executed by at least one processing unit provides
a first network controller instance that is part of a network control system comprising a plurality of network controller
instances, the program comprising sets of instructions for:
generating, based on logical forwarding plane data that specifies a particular logical data path set in terms of logical forwarding
behaviors of the particular logical data path set, output physical control plane data that specifies rules for at least a
first managed switching element and a second managed switching element, respectively, to follow in order to implement the
particular logical data path set, wherein the first network controller instance is a master controller instance for the particular
logical data path set and the first managed switching element; and

sending (i) the output physical control plane data that specifies rules for the first managed switching element to the first
managed switching element and (ii) the output physical control plane data that specifies rules for the second managed switching
element to a second network controller instance that manages the second managed switching element.

US Pat. No. 10,110,431

LOGICAL ROUTER PROCESSING BY NETWORK CONTROLLER

NICIRA, INC., Palo Alto,...

1. For a first module of a network controller that generates a set of output configuration data for at least one managed forwarding element, a method comprising:
for a logical router, receiving a set of input configuration data comprising a first set of routes for the logical router;
offloading a route traversal process to a separate second module of the network controller by providing the first set of routes to the second module, wherein the route traversal process returns a second set of routes based on the first set of routes; and
generating the set of output configuration data for configuring the at least one managed forwarding element to implement the logical router based on the second set of routes.

US Pat. No. 10,033,579

USING TRANSACTIONS TO COMPUTE AND PROPAGATE NETWORK FORWARDING STATE

NICIRA, INC., Palo Alto,...

1. A method for a network controller that distributes configuration data to a managed forwarding element in order to configure the managed forwarding element to forward data in a network, the method comprising:
receiving a set of input configuration data of a transaction comprising a plurality of sets of input configuration data;
determining whether the set of input configuration data has external dependencies that require additional data specific to the managed forwarding element;
when the set of input configuration data has external dependencies:
computing a first set of incomplete output configuration data based on the set of input configuration data;
distributing the first set of output configuration data to the managed forwarding element as a request for the additional data specific to the managed forwarding element; and
computing a second set of output configuration data based on the set of input configuration data and a response to the request for the additional data from the managed forwarding element; and
upon determining that output configuration data for all of the plurality of sets of input configuration data of the transaction has been computed, distributing the second set of output configuration data to the managed forwarding element.

US Pat. No. 9,923,811

LOGICAL ROUTERS AND SWITCHES IN A MULTI-DATACENTER ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A system comprising:
a first datacenter comprising a first set of computing devices; and
a second datacenter comprising a second set of computing devices,
wherein the first set of computing devices implement a first local logical switch for performing L2 switching among a first
set of network nodes in the first datacenter,

wherein the second set of computing devices implement a second local logical switch for performing L2 switching among a second
set of network nodes in the second datacenter,

wherein the first set of computing devices and the second set of computing devices jointly implement (i) a first global logical
switch for performing L2 switching among a third set of network nodes in the first and second datacenters, (ii) a second global
logical switch for performing L2 switching among a fourth set of network nodes in the first and second datacenters, and (iii)
a global logical router for performing L3 routing between the third set of network nodes and the fourth set of network nodes.

US Pat. No. 9,319,337

UNIVERSAL PHYSICAL CONTROL PLANE

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program of a controller computer which when executed by at least one
processing unit of the controller computer configures a set of managed forwarding elements that forward data in a network,
the program comprising sets of instructions for:
receiving logical forwarding plane (LFP) data for a logical network; and
converting the LFP data into universal physical control plane (UPCP) data for the set of managed forwarding elements,
wherein the UPCP data is subsequently converted into customized physical control plane (CPCP) data for each one of the managed
forwarding elements, the managed forwarding element's CPCP data for defining the managed forwarding element's forwarding of
data for the logical network.

US Pat. No. 9,172,663

METHOD AND APPARATUS FOR REPLICATING NETWORK INFORMATION BASE IN A DISTRIBUTED NETWORK CONTROL SYSTEM WITH MULTIPLE CONTROLLER INSTANCES

NICIRA, INC., Palo Alto,...

10. A network control system comprising:
a plurality of controller instances for managing a plurality of switching elements, each controller instance comprising:
a network information base (NIB) storage that comprises a first set of modules for communicating with secondary storages of
other controller instances in the plurality of controller instances and that stores a plurality of data records regarding
the switching elements in a NIB storage structure in a volatile memory; and

a secondary storage that comprises a second set of modules for communicating with the NIB storages of other controller instances
in the plurality of controller instances and that stores a copy of a set of the plurality of data records stored in the NIB
storage structures of other controller instances of the plurality of controller instances in a transactional database in a
non-volatile memory, wherein the secondary storage of a particular controller instance is a master secondary storage of a
particular data record of the set of data records, wherein the master secondary storage directs the NIB storages of a set
of controller instances to replicate the particular data record upon receiving notification of a change in the particular
data record.

US Pat. No. 10,075,470

FRAMEWORK FOR COORDINATION BETWEEN ENDPOINT SECURITY AND NETWORK SECURITY SERVICES

NICIRA, INC., Palo Alto,...

1. A computer-implemented method comprising:
through a user interface, receiving data to create a security container and to associate a security service and a tag-based rule with the security container;
assigning a virtual machine (VM) to the security container by:
detecting a user membership group in response to a login event of the VM;
selecting the security container based on the user membership group; and
assigning the VM associated with the VM login event to the selected security container;
through the VM's association with the service container, operating the security service on the VM to identify a security threat associated with the VM and to assign a tag with the VM;
using the tag-based rule to process the tag, and in response, to re-assign the VM to a quarantine container until the security threat is resolved, wherein VMs assigned to the quarantine container have restricted network connectivity; and
after resolution of the security threat, removing the tag from the VM and transferring the VM back to the security container.

US Pat. No. 10,051,002

DISTRIBUTED VPN GATEWAY FOR PROCESSING REMOTE DEVICE MANAGEMENT ATTRIBUTE BASED RULES

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing sets of instructions for processing remote-device data messages entering a network, the sets of instructions for:
receiving, at a virtual private network (VPN) gateway executing on a computer, a data message sent by a remote device through a tunnel that connects the remote device to the network; and
intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to the message's destination within the network; and
identifying a set of remote device management (RDM) attributes associated with the received data message by retrieving the RDM attribute set from a data storage on the computer that stores different RDM attribute sets for different data message flows; and
based on the RDM attribute set, performing a service operation on the data message;
the sets of instructions for execution by a set of processing units of the computer.

US Pat. No. 9,860,279

DEFINING NETWORK RULES BASED ON REMOTE DEVICE MANAGEMENT ATTRIBUTES

NICIRA, INC., Palo Alto,...

1. A method of defining policies for network elements in a datacenter to enforce, the method comprising:
receiving a plurality of remote device management (RDM) attributes from a set of one or more RDM servers; and
generating a policy configuration pane for display, said pane comprising a plurality of user interface (UI) controls for specifying
policies based on layer 2 to layer 4 data-message header attributes and based on received RDM attributes,

wherein the network elements perform at least one service on data messages received from remote devices when the remote devices
access resources of the network.

US Pat. No. 9,742,881

NETWORK VIRTUALIZATION USING JUST-IN-TIME DISTRIBUTED CAPABILITY FOR CLASSIFICATION ENCODING

NICIRA, INC., Palo Alto,...

1. For a forwarding element executed by at least one processing unit of a physical host machine, a method comprising:
at a first hop forwarding element that receives a packet from a source machine, classifying the packet based on a flow to
which the packet belongs;

storing an intermediate result of the packet classification as a context for the flow, wherein the packet classification is
performed by a logical pipeline that spans the first hop forwarding element and a destination forwarding element and the intermediate
result is produced by the logical pipeline at the first hop forwarding element;

generating a metadata packet for carrying the context of the flow;
transmitting the metadata packet to the destination forwarding element; and
transmitting the packet to the destination forwarding element after the transmission of the metadata packet.

US Pat. No. 9,692,727

CONTEXT-AWARE DISTRIBUTED FIREWALL

NICIRA, INC., Palo Alto,...

1. A computing device serving as a host machine operating a plurality of data compute nodes (DCNs), the computing device comprising:
a set of processing units; and
a non-transitory machine readable medium storing a program for execution by at least one processing unit, the program comprising
sets of instructions for:

receiving a set of firewall rules for protecting a plurality of DCNs in a datacenter, wherein the datacenter comprises the
computing device;

inserting a set of nodes that correspond to the received set of firewall rules into a search tree structure, the search tree
structure for identifying rules that are relevant to DCNs operating on the computing device;

identifying a set of firewall rules that are relevant to a particular DCN in the plurality of DCNs by using the search tree
structure, the set of relevant rules comprising rules that specify either a source or destination address that matches an
address of the particular DCN;

storing the identified relevant rules in a data structure separate from the search tree structure; and
performing firewall operations on packets to or from the particular DCN by examining the separate data structure storing the
identified relevant rules.

US Pat. No. 9,686,185

GENERATING FLOWS USING COMMON MATCH TECHNIQUES

NICIRA, INC., Palo Alto,...

18. For a forwarding element that forwards packets, a method comprising:
receiving a packet;
examining a first set of rules to find a common match which includes a set of one or more bits that the rules have in common
with one another, each bit of the common match corresponding to a bit in a header of the packet;

defining a wildcard mask comprising a plurality of bits, each bit in the wildcard mask (i) corresponding to a bit in the header
of the packet and (ii) initially set as a wildcard bit;

identifying a position of a differing bit from a first set of bits of the packet header that is different from a corresponding
bit in the common match;

from the wildcard mask, unmasking a bit that is at a same bit position as the position of the differing bit;
comparing a second set of bits in the packet header with a second set of rules to find a matching rule for the packet; and
generating a flow entry comprising a set of un-wildcarded bits based on the matching rule and said unmasked bit of the wildcard
mask, wherein the flow entry is used to process other packets that match each un-wildcarded bit of the flow entry.

US Pat. No. 9,602,312

STORING NETWORK STATE AT A NETWORK CONTROLLER

NICIRA, INC., Palo Alto,...

1. For a first network controller located at a first physical domain that manages a logical network spanning a plurality of
physical domains including the first physical domain, a method comprising:
storing state information for the logical network in at least two storages;
determining that communication is no longer available with a second network controller at a second of the physical domains
spanned by the logical network;

in response to the determination, modifying a first one of the storages to be read-only while leaving a second one of the
storages as writeable while communication with the second network controller is not available;

while communication with the second network controller is not available:
receiving input to modify the network state information in the second storage;
modifying the network state information in the second storage based on the input; and
storing the modification to the network state in a local queue of network state updates;
determining that communication with the second network controller has been restored; and
based on the determination that communication has been restored, transmitting the network state updates stored in the local
queue to the second network controller.

US Pat. No. 9,590,901

ROUTE ADVERTISEMENT BY MANAGED GATEWAYS

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a plurality of logical networks, a method comprising:
receiving a specification of a logical network that comprises a logical forwarding element with at least two logical ports
that each connect the logical network to an external network and that each peer with a physical router of the external network
in order to advertise network address reachability information for at least two subnets of the logical network to the external
network, wherein a first logical port peers with a first physical router on a first subnet of the external network and a second
logical port peers with a second physical router on a second subnet of the external network, wherein the first and second
subnets are different from each other and from the at least two subnets of the logical network;

selecting host machines from a plurality of host machines to host gateways for implementing each of the ports that connect
the logical network to the external network; and

generating, for distribution to each of the gateways, data tuples defining (i) a routing table for implementing the connection
between the logical network and the external network for the port implemented by the gateway and (ii) a configuration for
a routing protocol application that enables the gateway to peer with the physical router of the external network with which
the port implemented by the gateway peers.

US Pat. No. 9,575,794

METHODS AND SYSTEMS FOR CONTROLLER-BASED DATACENTER NETWORK SHARING

NICIRA, INC., Palo Alto,...

1. A method of allocating network bandwidth in a network comprising a plurality of host machines and a plurality of virtual
machines (VMs) executing on the host machines, said VMs comprising a first VM executing on a first host machine, the first
VM sending packets to a first plurality of VMs comprising a second VM executing on a second host machine, the second VM receiving
packets from a second plurality of VMs comprising the first VM, the method comprising:
at a virtualization software of the first host machine, calculating a first bandwidth reservation for a flow from the first
VM to the second VM by multiplying a bandwidth reservation for the first VM by a bandwidth reservation for the second VM and
dividing by a sum of bandwidth reservations for the VMs in the first plurality of VMs, wherein the bandwidth reservation for
a flow is a minimum bandwidth guaranteed for the flow;

at the virtualization software of the first host machine, receiving a second bandwidth reservation for the flow calculated
by a virtualization software of the second host machine by multiplying the bandwidth reservation for the second VM by the
bandwidth reservation for the first VM and dividing by a sum of bandwidth reservations for the VMs in the second plurality
of VMs; and

setting the bandwidth reservation for the flow as a minimum of the first and second bandwidth reservations.

US Pat. No. 9,209,998

PACKET PROCESSING IN MANAGED INTERCONNECTION SWITCHING ELEMENTS

NICIRA, INC., Palo Alto,...

1. A method for forwarding a packet at a first managed interconnection switching element in a managed network of interconnection
switching elements, the method comprising:
receiving a packet from a source machine on a first network segment in a first physical segmented network having a first plurality
of network segments, the packet having a destination address that identifies a machine located on a second network segment
in a second, different physical segmented network having a second plurality of network segments, wherein the first and second
network segments are logically coupled to logical ports of a logical switching element that comprises a plurality of logical
ports to which a plurality of network segments logically connect, the plurality of network segments located at physically
disparate physical segmented networks, the logical switching element implemented by the interconnection switching elements
that operate at the edge of the physically disparate physical segmented networks and connect the physically disparate physical
segmented networks to an interconnecting network;

removing a context tag that identifies the first network segment;
using the identification of the first network segment to determine a logical switching element that connects at least the
first and second network segments;

using the destination address of the packet to logically forward the packet to a particular logical port of the logical switching
element, the particular logical port corresponding to the second network segment, wherein the destination address is one of
a plurality of addresses that map to the particular logical port;

encapsulating the packet with a logical context identifier that identifies the particular logical port; and
transmitting the encapsulated packet towards a second managed interconnection switching element at the second physical segmented
network.

US Pat. No. 9,906,560

DISTRIBUTING REMOTE DEVICE MANAGEMENT ATTRIBUTES TO SERVICE NODES FOR SERVICE RULE PROCESSING

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program for processing remote-device data messages entering a network,
the program comprising sets of instructions for:
receiving, at a virtual private network (VPN) gateway, a data message sent by the remote device through a first tunnel that
connects the remote device to the network;

identifying a set of remote device management (RDM) attributes associated with the received data message; and
based on the RDM attribute set, forwarding the data message to a particular network element within the network via a second
tunnel and inserting the identified RDM attribute set in a header of the second tunnel;

said inserted RDM attribute set in the second tunnel header for identifying a service operation to perform on the data message;
wherein the particular network element and the VPN gateway operate on two different physical devices.

US Pat. No. 9,602,421

NESTING TRANSACTION UPDATES TO MINIMIZE COMMUNICATION

NICIRA, INC., Palo Alto,...

1. For a controller for managing a network comprising managed forwarding elements that forward data in the network, a method
for configuring a set of managed forwarding elements, the method comprising:
generating a first set of flow entries for configuring the set of managed forwarding elements to forward packets as non-first-hop
forwarding elements for a logical datapath set, each logical datapath in the logical datapath set defined by a logical ingress
port and a logical egress port;

generating a second set of flow entries for configuring the set of managed forwarding elements to forward packets as first-hop
forwarding elements for the logical datapath set, wherein a first-hop managed forwarding element for a particular logical
datapath has a physical port to which the logical ingress port of the logical datapath is mapped; and

sending the first set of flow entries to the set of managed forwarding elements prior to sending the second set of flow entries
to the set of managed forwarding elements.

US Pat. No. 9,577,845

MULTIPLE ACTIVE L3 GATEWAYS FOR LOGICAL NETWORKS

NICIRA, INC., Palo Alto,...

1. For a network controller in a network control system that manages a plurality of logical networks, a method comprising:
receiving a specification of a logical network that comprises a logical router, the logical network comprising a plurality
of end machines that operate on a first plurality of host machines;

selecting a second plurality of host machines to host an L3 gateway that implements a connection to an external network for
the logical router, the second plurality of host machines selected from a set of host machines designated for hosting logical
routers; and

generating data tuples for provisioning a set of managed forwarding elements operating on the first plurality of host machines
that implement the logical network to send data packets, originating at the end machines of the logical network and which
require processing by the L3 gateway, to the second plurality of selected host machines in order for the L3 gateway implemented
at the selected host machines to process the packets and send the packets to the external network, wherein the data tuples
specify for the managed forwarding elements to distribute the data packets across the plurality of selected host machines
in a load balanced manner.

US Pat. No. 9,525,647

NETWORK CONTROL APPARATUS AND METHOD FOR CREATING AND MODIFYING LOGICAL SWITCHING ELEMENTS

NICIRA, INC., Palo Alto,...

1. A controller comprising:
a set of processing units;
a non-transitory machine readable medium storing a program which when executed by the set of processing units manages a plurality
of managed forwarding elements that forward data between devices in a network, the program comprising sets of instructions
for:

receiving input data specifying a set of logical switch constructs for a logical switching element, the set of logical switch
constructs comprising a logical queue;

defining, based on the received input data, the logical switching element having the set of logical switch constructs; and
creating corresponding physical switch constructs to which the logical switch constructs map at the plurality of managed forwarding
elements, wherein the physical switch constructs comprise a physical queue created in at least one of the managed forwarding
elements in the plurality of managed forwarding elements, wherein the logical queue maps to the physical queue.

US Pat. No. 9,124,538

DYNAMIC GENERATION OF FLOW ENTRIES FOR LAST-HOP PROCESSING

NICIRA, INC., Palo Alto,...

1. For a first managed forwarding element that implements logical forwarding elements of a logical network, the logical network
comprising at least one middlebox, a method comprising:
receiving a first packet from a second managed forwarding element, the first packet comprising context information indicating
a logical network destination that maps to a physical destination connected to the first managed forwarding element;

at the first managed forwarding element, dynamically generating a flow entry for processing subsequent packets received by
the first managed forwarding element from the physical destination and sent to a source of the first packet; and

processing a second packet received by the first managed forwarding element from the physical destination with the dynamically
generated flow entry, wherein the dynamically generated flow entry specifies to send the second packet to the second managed
forwarding element before logically forwarding the second packet through the logical network.

US Pat. No. 9,858,100

METHOD AND SYSTEM OF PROVISIONING LOGICAL NETWORKS ON A HOST MACHINE

NICIRA, INC., Palo Alto,...

1. A physical computing device comprising:
a set of processing units; and
a set of machine readable media storing for execution by the set of processing units:
a plurality of data compute nodes (DCNs) deployed by a compute manager of a datacenter; and
a network manager agent configured to:
receive, from a network manager of the datacenter, read-only configuration information for each of a set of logical networks
configured and managed by the network manager, wherein the configuration information for each logical network comprises configuration
information for a logical forwarding element (LFE) of the logical network, the LFE configured and managed by the network manager
to perform open systems interconnection (OSI) model layer 3 (L3) packet forwarding between DCNs on one or more hosts, the
LFE comprising a plurality of logical ports configured and managed by the network manager, each logical port for connecting
the LFE to a DCN;

provision the LFE of each logical network of the set of logical networks on the physical computing device for use by the compute
manager; and

provide a copy of the received read-only configuration information to the compute manager to allow the compute manager to
connect one or more DCNs to each logical network through one or more logical ports of the logical network's LFE, wherein
the compute manager cannot modify the logical network or the LFE.

US Pat. No. 9,697,033

ARCHITECTURE OF NETWORKS WITH MIDDLEBOXES

NICIRA, INC., Palo Alto,...

1. A system for implementing a logical network that comprises a set of end machines, a first logical middlebox, and a second
logical middlebox, the end machines and the first and second logical middleboxes connected in the logical network by a set
of logical forwarding elements, the system comprising:
a set of physical nodes, wherein each of the nodes executes:
an end machine of the logical network;
a managed forwarding element that implements the set of logical forwarding elements of the logical network; and
a middlebox element that implements the first logical middlebox of the logical network,
wherein a first middlebox element executing on a first node in the set of nodes and a second middlebox element executing on
a second node in the set of nodes implement a same configuration for the first logical middlebox;

a physical middlebox appliance that implements the second logical middlebox;
a set of network controllers for providing configuration data to the managed forwarding elements, middlebox elements, and
physical middlebox appliance, wherein the set of network controllers receive configuration data for the logical network, identify
the set of nodes to which to distribute the logical network configuration data, and distribute configuration data for the
first logical middlebox to the middlebox elements of the identified set of nodes.

US Pat. No. 9,602,385

CONNECTIVITY SEGMENT SELECTION

NICIRA, INC., Palo Alto,...

10. A controller comprising:
a set of processing units; and
a non-transitory machine readable medium storing a program for execution by the set of processing units, the program comprising
sets of instructions for:

defining a plurality of connectivity segments, each of which comprises a plurality of hosts, wherein each connectivity segment
supports multicast traffic between said plurality of hosts; and

defining, for each particular connectivity segment, a particular host as a proxy for receiving, from a host of another connectivity
segment, a request to generate multicast traffic to the plurality of hosts within the particular connectivity segment.

US Pat. No. 9,602,398

DYNAMICALLY GENERATING FLOWS WITH WILDCARD FIELDS

NICIRA, INC., Palo Alto,...

1. For a managed forwarding element that forwards packets according to flow entries, a method comprising:
receiving a packet that does not match any flow entry in a flow cache;
for a new flow entry to be stored in the flow cache for processing the packet, initializing a plurality of match fields of
the new flow entry as wildcard fields;

dynamically generating the new flow entry by un-wildcarding each match field of the new flow entry that corresponds to a match
field that is consulted in matching the packet against a set of flow entries in a set of flow tables, wherein the new flow
entry has at least one wildcard field remaining;

performing a set of actions on the packet according to the new flow entry; and
storing the new flow entry in the flow cache to process any subsequent packet that matches each non-wildcard field of the
new flow entry.

US Pat. No. 9,602,404

LAST-HOP PROCESSING FOR REVERSE DIRECTION PACKETS

NICIRA, INC., Palo Alto,...

1. For a first managed forwarding element, a method comprising:
receiving a first packet from a second managed forwarding element via a tunnel between the first and second managed forwarding
elements, the first packet comprising context information that identifies (i) that first-hop logical processing was performed
by the second managed forwarding element to process the first packet through a set of logical forwarding elements of a logical
network implemented by the first and second managed forwarding elements and (ii) that a first machine connected to the first
managed forwarding element is a destination for the first packet;

based on the context information in the first packet, generating forwarding data for processing subsequent packets received
from the first machine and having a particular destination address that corresponds to a source address of the first packet;
and

using the generated forwarding data to forward a second packet, received from the first machine and having the particular
destination address, to the second managed forwarding element via the tunnel without performing first-hop logical processing
to process the second packet through the set of logical forwarding elements of the logical network, wherein the second managed
forwarding element performs said logical processing upon receiving the second packet via the tunnel.

US Pat. No. 9,575,782

ARP FOR LOGICAL ROUTER

NICIRA, INC., Palo Alto,...

1. A computing device serving as a host machine in a logical network, the computing device comprising:
a set of processing units; and
a non-transitory machine readable medium storing a program for execution by at least one processing unit, the program comprising
sets of instructions for:

executing a plurality of virtual machines that are in a plurality of different segments of the logical network;
operating a managed physical routing element (MPRE) for routing data packets between different segments of the logical network,
the MPRE comprising a plurality of logical interfaces, each logical interface for receiving data packets from a different
segment of the logical network, wherein each of the logical interfaces is addressable by a network layer address;

intercepting an Address Resolution Protocol (ARP) broadcast message when a network layer destination address of the message
matches the network layer address of one of the logical interfaces of the MPRE; and

formulating and delivering an ARP reply based on a MAC (Media Access Control) address of the matching logical interface to
the ARP broadcast message.

US Pat. No. 9,503,321

DYNAMIC ROUTING FOR LOGICAL ROUTERS

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a first logical router of a logical network that is implemented across a plurality
of managed network elements, a method comprising:
receiving input data specifying a first route for a second logical router;
based on a connection between the first logical router and the second logical router in the logical network, dynamically generating
a second route for the first logical router based on the first route; and

distributing configuration data to implement the first logical router, including the second route, to a set of the managed
network elements.

US Pat. No. 9,503,371

HIGH AVAILABILITY L3 GATEWAYS FOR LOGICAL NETWORKS

Nicira, Inc., Palo Alto,...

1. For a network controller in a network control system that manages a plurality of logical networks, a method comprising:
receiving a specification of a logical network that comprises a logical router;
selecting at least two host machines to implement a routing table for the logical router from a plurality of host machines
designated for hosting logical routers, the selected host machines comprising a designated master host machine for the routing
table; and

generating data tuples for provisioning a set of managed forwarding elements that implement the logical network to send data
packets that require processing by the routing table to the selected host machines, wherein the data tuples specify an ordered
list of tunnel encapsulations for use by the managed forwarding elements that implement the logical network in order for the
managed forwarding elements to send packets to the routing table implemented at the selected host machines with a tunnel encapsulation
for a tunnel to the designated master host machine as the first host machine in the specified ordered list.

US Pat. No. 9,455,901

MANAGING SOFTWARE AND HARDWARE FORWARDING ELEMENTS TO DEFINE VIRTUAL NETWORKS

NICIRA, INC., Palo Alto,...

1. A system for controlling forwarding elements, the system comprising:
a network controller to generate and send forwarding instructions to a plurality of forwarding elements including software
and hardware forwarding elements, said forwarding elements implementing at least one virtual network; and

a service node (i) to receive an unknown unicast packet for a particular virtual network sent from a software or hardware
forwarding element in the plurality of forwarding elements based on the forwarding instructions, (ii) to replicate the unknown
unicast packet, and (iii) to send the unknown unicast packet to each hardware forwarding element in a first set of forwarding
elements comprising at least two hardware forwarding elements from which the service node did not receive the unknown unicast
packet,

wherein a hardware forwarding element in the first set of forwarding elements outputs the unknown unicast packet to a port
of the hardware forwarding element when the hardware forwarding element identifies the port as being connected to a machine
with an address that is the same as a destination address of the unknown unicast packet.

US Pat. No. 10,095,535

STATIC ROUTE TYPES FOR LOGICAL ROUTERS

NICIRA, INC., Palo Alto,...

1. A method for implementing a first logical router of a logical network, the method comprising:
receiving a configuration for the first logical router, the configuration comprising a static route for the first logical router;
defining a plurality of logical routing components with separate routing tables for the first logical router, the plurality of logical routing components comprising a distributed routing component and at least one centralized routing component, wherein the distributed routing component is implemented by a plurality of managed forwarding elements;
adding a static first route for the static route to the routing tables of at least a first subset of the routing components of the first logical router, the static first added route having a first static route type; and
based on a connection of a second logical router to the first logical router:
defining a logical switch that connects to the distributed routing component of the first logical router and a logical routing component of the second logical router, the logical switch having an assigned subnet;
adding a connected second route for the assigned subnet to the routing table of the distributed routing component; and
adding a static third route for the assigned subnet to the routing tables of the centralized routing components of the first logical router, the static third added route having a second static route type different from the first static route type; and
distributing the routing tables of the plurality of logical routing components to the plurality of managed forwarding elements, wherein the managed forwarding elements use routes in the distributed routing tables to process network traffic.

US Pat. No. 9,794,184

REDUCING NETWORK CONGESTION BY PREFERENTIALLY DROPPING PACKETS SENT BY HIGH-BANDWIDTH SOURCES

NICIRA, INC., Palo Alto,...

1. A method for reducing congestion in a network stack comprising a series of layers, the method comprising:
at a first layer of the network stack, receiving a data packet from a second layer of the network stack;
identifying a usage indicator value for a flow to which the data packet belongs;
when a congestion notification has been received from a third layer of the network stack:
determining whether to send the data packet based on a comparison of the usage indicator value to a threshold usage value
that is specific to the data packet; and

sending the data packet to a next layer of the network stack only when the usage indicator value is less than the threshold
usage value.

US Pat. No. 9,794,186

DISTRIBUTED NETWORK ADDRESS TRANSLATION FOR EFFICIENT CLOUD SERVICE ACCESS

NICIRA, INC., Palo Alto,...

1. A method for coordinating distributed network address translation (NAT) in a network within which a plurality of logical
networks are implemented, the logical networks comprising a plurality of tenant logical networks and a set of logical networks,
each logical network in the set comprising a set of service virtual machines (VMs) for access by VMs of the tenant logical
networks, the method comprising:
defining, by a controller server within said network, a plurality of replacement network address and port number pairs, each
pair for uniquely identifying a VM across the plurality of the tenant logical networks; and

sending, to at least one host that is hosting a VM of a tenant first logical network for which access is requested to the
service VMs of a second logical network in the set of logical networks, (i) a set of replacement network address and port
number pairs from the plurality of replacement network address and port number pairs, and (ii) a set of rules identifying
the VM of the tenant first logical network as a VM that requires a replacement of source network address and source port number
for accessing the service VMs of the second logical network,

wherein a replacement network address and port number pair sent to a host is for the host to replace, based on said set of
rules, a source network address and a source port number with the replacement network address and port number pair in a packet
that is destined from the VM of the tenant first logical network to a service VM of the second logical network.

US Pat. No. 9,794,222

STATEFUL PROCESSING FOR STATELESS FORWARDING ELEMENT

NICIRA, INC., Palo Alto,...

1. A method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE) implementing a
software switch on a host machine, the method comprising:
receiving a packet at the MFE without stateful connection status information, a header of the packet comprising Internet Protocol
(IP) layer and transport layer addresses;

sending the packet from the MFE to a module within the host machine and separate from the MFE, the module storing stateful
connection information for a plurality of connections, the stateful connection status information identifying whether the
packet belongs to a new connection or an existing connection;

receiving, from the module within the host machine, the packet with stateful connection status information appended to the
packet; and

performing an action on the packet based on the appended stateful connection status information.

US Pat. No. 9,747,249

METHODS AND SYSTEMS TO ACHIEVE MULTI-TENANCY IN RDMA OVER CONVERGED ETHERNET

NICIRA, INC., Palo Alto,...

1. A method for providing multi-tenancy support for remote direct memory access (RDMA) in a system comprising a plurality
of physical hosts, each physical host hosting a set of data compute nodes (DCNs), the method comprising:
at an RDMA protocol stack of a first physical host, receiving a packet comprising a request from a first DCN hosted on the
first host for RDMA data transfer from a second DCN hosted on a second physical host;

sending a set of parameters of an overlay network associated with the first DCN to a physical RDMA network interface controller
(NIC) of the first host;

receiving RDMA data from the second DCN at the physical RDMA NIC; and
inserting the RDMA data from the physical RDMA NIC into a memory buffer of the first DCN to bypass an operating system of
the first host and a virtualization software of the first host,

wherein the set of parameters are for the physical RDMA NIC to encapsulate the packet with (i) an RDMA data transfer header
and (ii) an overlay network header using the set of parameters of the overlay network for transferring the encapsulated packet
to the second physical host using the overlay network.

US Pat. No. 9,692,655

PACKET PROCESSING IN A NETWORK WITH HIERARCHICAL MANAGED SWITCHING ELEMENTS

NICIRA, INC., Palo Alto,...

1. For a managed non-edge switching element (MNESE), a method of processing packets sent by a plurality of managed edge switching
elements (MESEs) that implement a plurality of logical networks, each logical network for connecting a set of devices, the
MNESEs and MESEs managed by a set of network controllers, the method comprising:
at the MNESE, receiving a multi-recipient packet from a source MESE in the plurality of MESEs;
performing a logical context lookup on a lookup table based on information contained in a set of header fields of the received
multi-recipient packet to identify a particular logical network to which the multi-recipient packet belongs;

identifying a plurality of devices of the particular logical network as recipient devices for the multi-recipient packet based
on the particular logical network;

at the MNESE, identifying a set of MESEs, from the plurality of MESEs, that are directly coupled to one or more identified
recipient devices; and

forwarding at least one copy of the multi-recipient packet to each MESE in the identified set of MESEs, wherein each MESE
in the identified set of MESEs provides the multi-recipient packet to the recipient devices that are directly coupled to the
MESE.

US Pat. No. 9,602,392

CONNECTIVITY SEGMENT COLORING

NICIRA, INC., Palo Alto,...

1. A network comprising:
a group of network nodes, each network node in the group having connectivity under a particular protocol with other network
nodes in the group, each network node having a unique node identifier, wherein the network nodes in the group query each other
for a group identifier for identifying said group, wherein each network node in the group that fails to receive a response
before a time-out condition for its query generates a candidate group identifier, wherein the generated candidate group identifier
of a particular network node is adopted as the group identifier when the particular network node responds to queries from
other network nodes in the group, wherein said query and response are conducted by using the connectivity under the particular
protocol; and

a set of network connections for allowing communication between nodes in the group with nodes not in the group, wherein the
set of network connections does not support the connectivity under the particular protocol.

US Pat. No. 9,503,427

METHOD AND APPARATUS FOR INTEGRATING A SERVICE VIRTUAL MACHINE

Nicira, Inc., Palo Alto,...

1. An apparatus for incorporating a service on a host, the apparatus comprising:
a plurality of guest virtual machines (GVMs) executing on the host;
a physical forwarding element (PFE) executing on the host, the PFE connecting to the GVMs to connect the GVMs to each other
and to other devices outside of the host;

a service virtual machine (SVM) that is a virtual machine that also executes on the host but not connected to the PFE, the
SVM for providing the service to at least a subset of the GVMs; and

an SVM interface (SVMI) through which the SVM receives data regarding GVM packets in order to perform the service for the
subset of the GVMs.

US Pat. No. 9,379,956

IDENTIFYING A NETWORK TOPOLOGY BETWEEN TWO ENDPOINTS

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program that when executed by at least one processing unit identifies
a network topology between two endpoints of a network, the program comprising sets of instructions for:
forwarding a plurality of probing packets through a plurality of routing paths that are between the two endpoints;
identifying a plurality of intermediate nodes between the two endpoints using the forwarded packets, each intermediate node
identified by a set of receiving interfaces and a set of forwarding interfaces associated with the intermediate node, wherein
a forwarding interface associated with a particular intermediate node is detected by receiving back a packet that was forwarded
to the particular intermediate node with an internet control message protocol (ICMP) error message; and

identifying the network topology by specifying links between different pairs of intermediate nodes using the sets of receiving
and forwarding interfaces associated with each intermediate node.

US Pat. No. 10,057,168

RECEIVE SIDE SCALING FOR OVERLAY FLOW DISPATCHING

NICIRA, INC., Palo Alto,...

1. A packet forwarding element comprising:
a multi-core processor comprising a plurality of processing cores; and
a hardware dispatch unit configured to:
receive packets from a physical network and a plurality of logical networks, the physical network different than the logical networks, each packet comprising a first header with a plurality of header fields, wherein packets received from the logical networks are encapsulated with an overlay network header, and wherein packets received from the physical network are not encapsulated with an overlay network header;
select, for each packet that is not encapsulated with an overlay network header, a set of header fields from the packet's first header to identify a packet flow from the packet header;
select, for each packet that is encapsulated with an overlay network header, a set of header fields from the packet's first header to identify the packet flow; and
dispatch each packet to a core of the multi-core processor based on a hash value calculated from the set of header fields selected for the packet.

US Pat. No. 9,590,919

METHOD AND APPARATUS FOR IMPLEMENTING AND MANAGING VIRTUAL SWITCHES

NICIRA, INC., Palo Alto,...

1. A method for implementing a logical forwarding element, that connects a plurality of machines, on a physical forwarding
element that also implements other logical forwarding elements for connecting other pluralities of machines, the method comprising:
mapping an incoming packet, from a machine in the plurality of machines connected by the logical forwarding element, to a
logical context that identifies the logical forwarding element;

making a logical forwarding decision on the packet, in order to identify a logical egress port of the logical forwarding element;
mapping the logical egress port to a physical next hop address; and
forwarding the packet out of a physical egress port based on the physical next hop address.

US Pat. No. 9,369,426

DISTRIBUTED LOGICAL L3 ROUTING

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium for storing a program for configuring a plurality of managed forwarding elements
(MFEs) to perform logical L2 switching and L3 routing, the program comprising sets of instructions for:
generating a first set of data records for configuring a first MFE to install a first set of flow entries implementing a first
logical switching element, a logical routing element, and a second logical switching element, the first set of flow entries
applied by the first MFE to implement (i) logical L2 processing for the first logical switching element, logical L3 routing for the logical routing element, and logical L2 ingress processing for the second logical switching element on packets sent by a first machine that operates on a same first
physical host machine as the first MFE and (ii) logical L2 egress processing for the first logical switching element on packets sent to the first machine; and

generating a second set of data records for configuring a second MFE to install a second set of flow entries implementing
the first logical switching element, the logical routing element, and the second logical switching element, the second set
of flow entries applied by the second MFE to implement (i) logical L2 processing for the second logical switching element, logical L3 routing for the logical routing element, and logical L2 ingress processing for the first logical switching element on packets sent by a second machine that operates on a same second
physical host machine as the second MFE and (ii) logical L2 egress processing for the second logical switching element on packets sent to the second machine.

US Pat. No. 10,089,127

CONTROL PLANE INTERFACE FOR LOGICAL MIDDLEBOX SERVICES

NICIRA, INC., Palo Alto,...

3. A non-transitory machine readable medium of a host machine of a hosting system on which a middlebox executes, the middlebox comprising sets of instructions for:
receiving configuration data for configuring the middlebox to implement, along with a set of other middleboxes executing on a set of other host machines, a logical middlebox in a logical network that logically connects a plurality of end machines residing on the set of host machines, each middlebox executing on one of the host machines on which one or more end machines of the plurality of end machines execute,
wherein a subset of the plurality of end machines that reside on the host machine receives middlebox services from the middlebox executing on the host machine,
wherein the subset of end machines is logically connected to the logical network through a set of logical forwarding elements implemented by a managed forwarding element that executes on the host machine, wherein the managed forwarding element and the middlebox exchange the packets that have the particular identifier through a software port negotiated between the managed forwarding element and the middlebox;
receiving a particular identifier associated with the logical middlebox implementation on the host machine;
generating (1) based on the received configuration data, a set of rules for the middlebox to process packets for the logical network and (2) based on the received particular identifier, an internal identifier associated with the generated set of rules; and
associating the particular identifier with the internal identifier for processing packets that have the particular identifier based on the generated set of rules.

US Pat. No. 10,033,693

DISTRIBUTED IDENTITY-BASED FIREWALLS

NICIRA, INC., Palo Alto,...

1. A computer-implemented method comprising:
receiving, at a driver executing in a guest operating system of a virtual machine (VM) operating on a physical host machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising:
obtaining identity information for the user from the guest operating system of the VM, wherein the driver prevents transmission of any packets for the network connection until the identity information is obtained; and
providing the identity information and data identifying the network connection to an identity module external to the driver and operating within virtualization software of the physical host machine; and
at a firewall for the VM that operates within the virtualization software of the physical host machine:
receiving, from the identity module, data associating source information for an outgoing packet from the VM with an identifier associated with one or more firewall rules, the identifier based on the identity information provided to the identity module by the driver;
determining that the outgoing packet matches the associating data received from the identity module, based on a comparison between source information for the outgoing packet and source information in the associating data received from the identity module; and
based at least in part on the identifier in the associating data received from the identity module, evaluating one or more firewall rules to identify a firewall rule that is applicable to the outgoing packet, said evaluating comprising comparing a set of header values of the outgoing packet with a set of packet-matching values of an evaluated firewall rule.

US Pat. No. 9,923,760

REDUCTION OF CHURN IN A NETWORK CONTROL SYSTEM

NICIRA, INC., Palo Alto,...

1. A method for maintaining a consistent network state for a set of managed forwarding elements in a first network controller,
the method comprising:
determining that a second network controller has disconnected, wherein a first network state at the first network controller
is based on a first input state received from the second network controller;

receiving a second input state from a third network controller that takes over providing input state to the first controller
after the second network controller has disconnected, the second input state for generating a second network state;

maintaining the first network state for a predetermined amount of time after receiving the second input state to incorporate
a set of updates to the second input state received from the third network controller; and

after the predetermined amount of time, generating the second network state based on the second input state and any updates
received during the predetermined amount of time.

US Pat. No. 9,876,672

NETWORK OPERATING SYSTEM FOR MANAGING AND SECURING NETWORKS

NICIRA, INC., Palo Alto,...

1. A network controller computer comprising a memory and at least one processing unit for executing:
a network operating system for managing a plurality of network elements that forward data flows in the network, the network
operating system comprising:

a programmatic interface for allowing communication with management applications that are defined to run on top of the network
operating system; and

a set of modules for:
maintaining a network state based on information received from the plurality of network elements, wherein the network state
comprises a topology of the network elements and locations in the topology of machines connected to the network;

providing the network state to at least one management application; and
generating events based on detecting changes in the network state; and
a set of one or more management applications that run on top of the network operating system as a set of separate applications
from the network operating system, each management application in the set configured to, through the programmatic interface
of the network operating system, access the network state, receive notification of the events generated by the network operating
system based on changes in the network state, and define forwarding behaviors of the plurality of network elements,

wherein the network operating system manages the network elements to enforce the forwarding behaviors defined by the one or
more management applications.

US Pat. No. 9,774,537

DYNAMICALLY ADJUSTING LOAD BALANCING

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing sets of instructions for performing load balancing operations on a particular
host computer on which at least one particular source compute node (SCN) executes, the sets of instructions comprising instructions
for:
based on a set of load balancing criteria, distributing data messages sent by the particular SCN among the destination compute
nodes (DCNs) of a DCN group,

sending, to a set of controllers, message traffic statistics relating to data messages that are distributed among the DCNs
of the DCN group;

receiving, from the set of controllers, data that identifies at least one DCN that has been removed from the DCN group;
receiving, from the set of controllers, a set of adjusted load balancing criteria that the set of controllers calculates by
(1) collecting message traffic statistics from a plurality of host computers performing load balancing operations for data
messages sent by SCNs executing on the host computers, (2) aggregating the collected message traffic statistics, and (3) computing
the adjusted load balancing criteria from the aggregated collected message traffic statistics;

based on the received set of adjusted load balancing criteria, adjusting the distribution of the data message flows from the
particular SCN among the DCNs of the DCN group; and

directing, after receiving the updated membership data, all new data message flows to a subset of DCNs in the DCN group that
does not include the removed DCN.

US Pat. No. 9,699,070

DATABASE PROTOCOL FOR EXCHANGING FORWARDING STATE WITH HARDWARE SWITCHES

NICIRA, INC., Palo Alto,...

1. For a network controller that manages software and hardware forwarding elements that implement a logical network, a method
comprising:
sending management data to the hardware switching element using a database protocol as a single communication channel to add
the hardware switching element to the logical network managed by the network controller, wherein the logical network includes
at least one software switching element;

to manage traffic between the hardware switching element and the software switching element, exchanging state data with the
hardware switching element through the single communication channel using the database protocol's asynchronous notification,
said asynchronous exchange comprising:

sending forwarding state of the software switching element from the network controller to a database table of the hardware
switching element when the software switching element's forwarding state has changed; and

receiving forwarding state of the hardware switching element at the network controller from the hardware switching element
when the hardware switching element's forwarding state has changed,

wherein the hardware switching element uses the management data and the state data to define flow entries for a set of forwarding
tables of the hardware switching element that implement the logical network, and

said database protocol serves as the only communication channel through which the hardware switching element receives data
from the controller to define flow entries.

US Pat. No. 9,697,030

CONNECTION IDENTIFIER ASSIGNMENT AND SOURCE NETWORK ADDRESS TRANSLATION

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium of a controller of a network control system for configuring a logical middlebox
in a plurality of hosts, wherein the controller comprises sets of instructions for:
maintaining a set of connection identifiers to be assigned to a plurality of middlebox instances that implement the logical
middlebox in the plurality of hosts;

receiving a request for a plurality of connection identifiers from a first middlebox instance of the plurality of middlebox
instances, the first middlebox instance operating in a first host of the plurality of hosts;

based on the request, identifying a plurality of connection identifiers from the set of connection identifiers that are available
to be assigned to the middlebox instances; and

assigning the identified connection identifiers to the first middlebox instance,
wherein the first middlebox instance is configured to associate one of the connection identifiers assigned to the first middlebox
instance with a first packet originating from a virtual machine (VM) operating in the first host in order for a second host
that receives the first packet to distinguish the VM operating in the first host from other VMs operating in other hosts of
the plurality of hosts from which the second host also receives packets.

US Pat. No. 9,613,218

ENCRYPTION SYSTEM IN A VIRTUALIZED ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. An encryption system comprising:
a plurality of computing devices;
a set of computers for (i) providing to the computing devices encryption configuration data that specifies how data messages
from the computing devices have to be encrypted, (ii) collecting key-usage statistics from a set of the computing devices,
(iii) determining whether the set of computing devices needs to use at least one new key based on the collected key-usage
statistics from the set of computing devices, and (iv) directing the computing devices to use new keys based on the determination
that the set of computing devices needs to use at least one new key; and

a set of key managers for the computing devices to access to retrieve encryption keys for encrypting data messages sent by
the computing devices;

wherein the set of computers does not store any encryption key used by the computing devices to encrypt data messages sent
by the computing devices.

US Pat. No. 9,602,375

TRACING HOST-ORIGINATED LOGICAL NETWORK PACKETS

NICIRA, INC., Palo Alto,...

1. For a first forwarding element to which a first machine connects, the first machine belonging to a particular logical network,
a method comprising:
receiving a command to test connectivity between the first forwarding element and a plurality of additional forwarding elements
to which a plurality of additional machines that belong to the particular logical network connect, wherein at least two of
the additional forwarding elements are located in a different multicast segment of a physical network than the first forwarding
element;

instructing a packet generator connected to the first forwarding element to generate a test packet to send to the plurality
of additional forwarding elements;

encapsulating a plurality of copies of the generated test packet with tunnel endpoint addresses, each copy of the generated
test packet encapsulated with a tunnel endpoint address for the first forwarding element and a tunnel endpoint address of
another forwarding element of the plurality of additional forwarding elements, wherein only a single generated test packet
is encapsulated with a particular tunnel endpoint address for the at least two forwarding elements located in the different
multicast segment; and

sending the encapsulated packets through a physical network, wherein the single generated test packet is received at a particular
managed forwarding element corresponding to the particular tunnel endpoint address and distributed by the particular forwarding
element to the other forwarding elements of the at least two forwarding elements located in the different multicast segment.

US Pat. No. 9,558,029

LOGICAL PROCESSING FOR CONTAINERS

NICIRA, INC., Palo Alto,...

1. For a first managed forwarding element (MFE), a method comprising:
receiving a data message comprising a logical context tag that identifies a logical port of a particular logical forwarding
element;

based on the logical context tag, adding a local tag to the data message, the local tag associated with the particular logical
forwarding element, wherein the particular logical forwarding element is one of a plurality of logical forwarding elements
to which one or more containers operating on a container virtual machine (VM) belong, wherein the container VM connects to
the first MFE; and

delivering the data message to the container VM without any logical context, wherein a second MFE operating on the container
VM uses the local tag to forward the data message to a correct container of a plurality of containers operating on the container
VM.

US Pat. No. 9,559,870

MANAGING FORWARDING OF LOGICAL NETWORK TRAFFIC BETWEEN PHYSICAL DOMAINS

NICIRA, INC., Palo Alto,...

1. For a first network controller located at a first physical domain that manages a logical network spanning a plurality of
physical domains including the first domain, a method comprising:
after a period of time in which the first network controller was unable to communicate with a second network controller located
at a second physical domain, determining a current network state for the logical network based on data received from the second
network controller and data stored at the first network controller;

distributing current network state data regarding receiving packets to (i) managed forwarding elements located at the first
domain and (ii) the second network controller for subsequent distribution by the second network controller to managed forwarding
elements located at the second domain;

after distribution of the current network state data regarding receiving packets, subsequently distributing current network
state data regarding sending packets to (i) managed forwarding elements located at the first domain and (ii) the second network
controller for subsequent distribution by the second network controller to managed forwarding elements located at the second
domain.

US Pat. No. 9,529,619

METHOD OF DISTRIBUTING NETWORK POLICIES OF VIRTUAL MACHINES IN A DATACENTER

NICIRA, INC., Palo Alto,...

1. A physical computing device operating in a network comprising a plurality of tenant virtual machines (VMs), each VM hosted
on a host machine comprising a virtualization software and at least one physical forwarding element that implements at least
one logical forwarding element with a set of physical forwarding elements executed on a set of other hosts, the physical computing
device configured to:
receive a network bandwidth allocation policy for each VM in a set of VMs, the network bandwidth allocation policy of each
VM comprising a minimum guaranteed bandwidth and a share of additional bandwidth over the minimum guaranteed bandwidth for
the VM;

for each VM in the set of VMs, identify a group of peer VMs that connect to a same logical forwarding element as the VM and
thereby are potential communication peers of the VM; and

send the network bandwidth allocation policy of each VM to the virtualization software of the host machines of each potential
communication peer of the VM, wherein the virtualization software of each host machine stores the network bandwidth allocation
policies and allocates bandwidth to each particular VM hosted on the host machine utilizing the minimum guaranteed bandwidth
and the share of additional bandwidth of (i) the particular VM and (ii) each VM in a set of potential peers of the particular
VM that is actively communicating with the particular VM.

US Pat. No. 9,531,676

PROXY METHODS FOR SUPPRESSING BROADCAST TRAFFIC IN A NETWORK

NICIRA, INC., Palo Alto,...

1. For a network with a plurality of host devices executing a plurality of virtual machines (VMs), each host comprising at
least one physical forwarding element (PFE) that implements a plurality of logical forwarding elements (LFEs) with the PFEs
of other hosts, a method of suppressing broadcast messages on a particular host device, the method comprising:
at an agent operating on the particular host device, receiving data tuples needed to resolve broadcast messages from VMs executing
on the particular host device, said data tuples received from at least one controller and through a control channel communication
between the particular host device and the controller;

storing the data tuples in a storage of the particular host device;
receiving a request from a proxy operating on the particular host device, the request for a set of data tuples necessary to
formulate a reply to a broadcast message from a particular VM executing on the particular host device that is intercepted
by the proxy;

retrieving from the storage the set of data tuples necessary to formulate the reply to the broadcast message to be supplied
to the particular VM; and

sending the set of data tuples to the proxy, wherein the proxy formulates the reply to the broadcast message based on the
retrieved set of data tuples and supplies the formulated reply to the particular VM.

US Pat. No. 10,142,287

DISTRIBUTED NETWORK SECURITY CONTROLLER CLUSTER FOR PERFORMING SECURITY OPERATIONS

NICIRA, INC., Palo Alto,...

1. For a first security controller that operates on a first controller machine to perform security operations on packets transmitted within a network, a method comprising:
receiving a packet from a forwarding element in the network based on a decision by a security agent that operates on a same host machine as the forwarding element;
when the first security controller stores a security rule for the packet, processing the packet according to the stored security rule; and
when the first security controller does not store a security rule for the packet:
determining a second security controller, operating on a second controller machine, that stores a security rule for the packet based on a set of header values of the packet; and
sending the packet to the second security controller for security processing according to the security rule for the packet stored on the second security controller.

US Pat. No. 9,998,369

PERIODICAL GENERATION OF NETWORK MEASUREMENT DATA

NICIRA, INC., Palo Alto,...

1. A method for measuring an estimated bandwidth between two endpoints of a network, the method comprising:
identifying a plurality of routing paths between the two endpoints, wherein the routing paths comprise a set of intermediate nodes and a set of links that each connect a pair of intermediate nodes, wherein the set of links comprises (i) a plurality of direct links that each directly connects a pair of intermediate nodes and (ii) at least one multi-path link that is a link between a pair of intermediate nodes for which at least two divergent sets of direct links exist in the plurality of routing paths;
calculating an estimated bandwidth for each direct link in the identified routing paths;
normalizing the estimated bandwidths for each multi-path link by, for a particular multi-path link between a particular pair of intermediate nodes, (i) identifying a minimum bandwidth for each divergent set of direct links of the particular multi-path link and (ii) calculating a sum of the identified minimum bandwidths as an estimated bandwidth between the particular pair of intermediate nodes; and
calculating the estimated bandwidth between the two endpoints of the network by identifying a minimum bandwidth among (i) the normalized bandwidths for the multi-path links and (ii) the estimated bandwidth calculated for each direct link that is not part of a multi-path link, wherein the estimated bandwidth between the two endpoints of the network is used to determine a routing path for data traffic between the endpoints of the network.

US Pat. No. 9,838,276

DETECTING AN ELEPHANT FLOW BASED ON THE SIZE OF A PACKET

NICIRA, INC., Palo Alto,...

1. A method for detecting elephant flows at a forwarding element, the method comprising:
prior to receiving any data packets above a threshold size belonging to a particular data flow, processing the data packets
belonging to the particular data flow in a datapath of the forwarding element;

upon receiving a first data packet above the threshold size belonging to the particular data flow, sending the first data
packet to a module of the forwarding element outside the datapath that processes the particular data flow as an elephant flow;
and

processing subsequent data packets belonging to the particular data flow in the datapath of the forwarding element as elephant
flow packets irrespective of the size of the subsequent data packets.

US Pat. No. 9,832,112

USING DIFFERENT TCP/IP STACKS FOR DIFFERENT HYPERVISOR SERVICES

NICIRA, INC., Palo Alto,...

1. A method of generating IP packets for a first hypervisor process running on a first electronic computing device that implements
a generic TCP/IP stack processor and at least one dedicated TCP/IP stack processor, wherein the first hypervisor process operates
outside of any virtual machine on the first electronic computing device, the method comprising:
retrieving configuration data for the dedicated TCP/IP stack processor, wherein the configuration data comprises a designation
of a first default gateway for the dedicated TCP/IP stack processor that is different from a second default gateway for the
generic TCP/IP stack processor, wherein the generic and dedicated TCP/IP stack processors are not implemented by virtual machines;

implementing the dedicated TCP/IP stack processor with the first default gateway;
processing data using the dedicated TCP/IP stack processor to generate an IP packet with an IP address not in a routing table
of the dedicated TCP/IP stack processor; and

sending the IP packet to the IP address of the first default gateway, wherein sending the IP packet is part of a communication
between the first hypervisor process and a second peer hypervisor process running on a second electronic computing device
through the first default gateway.

US Pat. No. 9,825,913

USE OF STATELESS MARKING TO SPEED UP STATEFUL FIREWALL RULE PROCESSING

NICIRA, INC., Palo Alto,...

1. A method for performing stateful firewall operations on network packets, the method comprising:
receiving, at a computing device, a first network packet and a second, subsequent network packet;
receiving a first set of lookup results and a second set of lookup results from a hardware switch, wherein the hardware switch
generates the first set of lookup results based on a first set of connection identifying parameters of the first network packet
and generates the second set of lookup results based on a second set of connection identifying parameters of the second network
packet, wherein the first set of lookup results comprises a first connection identifier and the second set of lookup results
comprises a second connection identifier, the first set of lookup results not comprising a rule identifier;

identifying a first firewall rule for performing stateful firewall operations on the first packet by querying a rules database
based on the first set of lookup results;

using the first firewall rule to perform a stateful firewall operation on the first packet;
associating the first connection identifier with the identified first firewall rule;
when the second connection identifier of the second packet is identical to the first connection identifier of the first packet,
using the identified first firewall rule to perform a stateful firewall operation on the second packet without querying the
rules database; and

when the second connection identifier of the second packet is different than the first connection identifier of the first
packet, identifying a second firewall rule for performing stateful firewall operations on the second packet by querying the
rules database based on the second set of lookup results.

US Pat. No. 9,785,455

LOGICAL ROUTER

NICIRA, INC., Palo Alto,...

1. A system comprising:
a plurality of host machines for hosting a plurality of virtual machines, each host machine comprising:
a managed physical switching element (MPSE) comprising a plurality of ports for performing link layer forwarding of packets
to and from a set of virtual machines running on the host machine, each port associated with a unique media access control
(MAC) address; and

a managed physical routing element (MPRE) for receiving a data packet from a port of the MPSE and performing network layer
routing in order to forward the received data packet from a first virtual machine of a first network segment to a second virtual
machine of a second network segment, wherein the MPRE comprises a plurality of logical interfaces, each logical interface
for receiving data packets from a different segment of the logical network; and

a physical network for interconnecting the plurality of host machines,
wherein each of the logical interfaces on the MPREs of the plurality of host machines is addressable by an identical link
layer address, and

wherein, for each MPRE of each host machine, each logical interface for receiving data packets from the first network segment
of the logical network has a same network layer address that is different from a network layer address used by each logical
interface for receiving data packets from the second network segment of the logical network.

US Pat. No. 9,729,679

USING DIFFERENT TCP/IP STACKS FOR DIFFERENT TENANTS ON A MULTI-TENANT HOST

NICIRA, INC., Palo Alto,...

1. A method of separating tenant data on an electronic computing device that implements a plurality of virtual machines (VMs)
for a plurality of tenants, the method comprising:
implementing a plurality of TCP/IP stack processors, on the electronic computing device, outside of any VMs;
for a first set of non-tenant VM processes implemented for a first tenant, sending data from the first set of processes through
a first TCP/IP stack processor; and

for a second set of non-tenant VM processes implemented for a second tenant, sending data from the second set of processes
through a second TCP/IP stack processor,

wherein the first and second sets of processes execute outside of any tenant VM.

US Pat. No. 9,722,948

PROVIDING QUALITY OF SERVICE FOR CONTAINERS IN A VIRTUALIZED COMPUTING ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A method for a computing device to provide quality of service (QoS) for a container in a virtualized computing environment,
the method comprising:
receiving a traffic flow of packets from a virtual machine;
identifying a container from which the traffic flow originates based on content of the received traffic flow of packets, wherein
the container is supported by the virtual machine;

retrieving a QoS policy configured for the identified container, wherein the QoS policy specifies a network bandwidth allocation
for the container; and

forwarding the received traffic flow of packets according to the QoS policy.

US Pat. No. 9,667,560

FLOW SEQUENCING

NICIRA, INC., Palo Alto,...

1. A method for sequencing packets of a data flow between two endpoints of a network, the method comprising:
at a source data compute node (DCN), receiving a first packet and a second packet to transmit to a destination endpoint;
determining that the first packet is an initial packet of a first data flow received from a first application executing on
the DCN and the second packet is an initial packet of a second data flow received from a second application executing on the
DCN;

inserting a first initial value into a particular header location of the first packet before transmitting the first packet
towards the destination endpoint;

inserting a second initial value into the particular header location of the second packet before transmitting the second packet
towards the destination endpoint; and

for each subsequent packet in each data flow:
incrementing a value inserted into the particular header location of a previously-transmitted packet of the data flow; and
inserting the incremented value into the particular header location of the subsequent packet.

US Pat. No. 9,596,126

CONTROLLER SIDE METHOD OF GENERATING AND UPDATING A CONTROLLER ASSIGNMENT LIST

NICIRA, INC., Palo Alto,...

1. For a network control system that includes a plurality of host computers that execute a plurality of physical forwarding
elements (PFEs) that collectively implement a plurality of logical forwarding elements (LFEs), a method of managing the LFEs
comprising:
defining a range of index values for different types of LFEs;
identifying a plurality of controllers to manage the LFEs;
generating a controller assignment list that associates each controller with at least one index value sub-range that contains
at least one index value derivable from the identifier of at least one LFE;

distributing the controller assignment list to host computers, wherein the host computers use the list to identify which controllers
to request data necessary for effectuating a subset of the operations of the LFEs, wherein when first and second index values
derived from first and second identifiers of first and second LFEs fall within a particular sub-range of index values, a controller
associated with the particular index value sub-range manages both the first and second LFEs.

US Pat. No. 9,553,803

PERIODICAL GENERATION OF NETWORK MEASUREMENT DATA

NICIRA, INC., Palo Alto,...

1. A network comprising:
a first network host executing a first forwarding element and a first set of machines, the first forwarding element for communicating
with a second forwarding element executing on a second network host that hosts a second set of machines, wherein the first
forwarding element implements a probing agent that when enabled:

periodically probes a plurality of routing paths between the first and second forwarding elements;
generates a set of network measurements data comprising an estimated bandwidth for each routing path, said estimated bandwidth
calculated by identifying a flow signature for the routing path and generating a set of probing packets with the identified
flow signature to calculate an estimated bandwidth for each link on the routing path; and

a network manager for receiving the set of network measurements data and controlling flow of data between a machine executing
on the first network host and a second machine executing on the second network host based on the set of measurements data.

US Pat. No. 9,544,238

REDUCING NETWORK CONGESTION BY PREFERENTIALLY DROPPING PACKETS SENT BY HIGH BANDWIDTH SOURCES

NICIRA, INC., Palo Alto,...

1. A method for reducing congestion in a network stack comprising a series of components that send data packets through the
network stack to a network, the method comprising:
at a first component of the network stack, receiving a data packet from a second component of the network stack;
identifying a usage indicator value for a flow to which the data packet belongs, the usage indicator value based on a comparison
of a size of the flow to a size of a queue for a third component of the network stack;

determining whether to send the data packet based on a comparison of the usage indicator value to a threshold usage value;
and

sending the data packet to a next component of the network stack only when the usage indicator value is less than the threshold
usage value.

US Pat. No. 9,935,827

METHOD AND APPARATUS FOR DISTRIBUTING LOAD AMONG A PLURALITY OF SERVICE NODES

NICIRA, INC., Palo Alto,...

1. For a service node (SN) group comprising a plurality of service nodes for performing a service on received data message flows, wherein one service node is a primary service node (PSN) and each other service node is a secondary service node (SSN), a non-transitory machine readable medium storing a PSN program comprising sets of instructions for:
analyzing data message load on each service node;
based on the analysis, identifying several ranges of hash values that are derivable from header values of potential data message flows and associating each range with a service node; and
providing a first set of load balancing parameters (LBPs) to a load balancer (LB) set that distributes the received data message flows to the service nodes of the SN group, wherein the first LBP set comprises the hash value ranges and associated service nodes;
after providing the first LBP set to the LB set, continuing to analyze the data message load on the service nodes, and based on the continued analysis, providing a second LBP set to the LB set that has at least one hash range that is not in the first LBP set.

US Pat. No. 9,875,127

ENABLING UNIFORM SWITCH MANAGEMENT IN VIRTUAL INFRASTRUCTURE

NICIRA, INC., Palo Alto,...

1. For a datacenter comprising (i) a plurality of physical host computing devices, (ii) a compute manager, and (iii) a network
manager, a method of configuring a logical network, the method comprising:
configuring, by the compute manager, one or more data compute nodes (DCNs) to execute on the plurality of physical hosts,
with at least two or more DCNs executing on each of a set of physical hosts;

defining the logical network at the network manager;
providing, from the network manager, read-only configuration information for the logical network to virtualization software
of the set of physical hosts;

obtaining, at the compute manager, the read-only configuration information for the logical network from the virtualization
software of the set of physical hosts; and

configuring, by the compute manager, the DCNs to connect to the logical network using the read-only configuration information
for the logical network, without modifying the logical network, wherein said compute manager manages the DCNs while the network
manager does not manage the DCNs.

US Pat. No. 9,866,473

STATEFUL SERVICES ON STATELESS CLUSTERED EDGE

NICIRA, INC., Palo Alto,...

1. A method of performing stateful services on a first flow and a second flow different from the first flow but related to
the first flow, the method comprising:
performing a stateful service for the first flow at a first node in a plurality of nodes that each performs the stateful service,
wherein state information of the first flow is maintained by the first node;

receiving, at the first node, packets belonging to the second flow from a second node in the plurality of nodes, wherein a
consistent hash function is used to initially assign particular flows to particular nodes in the plurality of nodes to perform
the stateful service, wherein the consistent hash function assigns the first flow to the first node and the second flow to
the second node, wherein the second node receives the packets belonging to the second flow based on the initial assignment
of the consistent hash and forwards the second flow's packets to the first node because the second flow is related to the
first flow; and

performing the stateful service on the received packets of the second flow at the first node by using the state information
of the first flow, wherein the stateful service for the second flow requires the state information of the first flow.

US Pat. No. 9,847,938

CONFIGURING LOGICAL ROUTERS ON HARDWARE SWITCHES

NICIRA, INC., Palo Alto,...

1. A method for configuring a managed hardware forwarding element (MHFE) to perform packet forwarding operations for a logical
network, the method comprising:
receiving data for the logical network that defines a logical router and a set of logical switches for logically connecting
a plurality of end machines operating on a plurality of host machines to a plurality of physical machines that are connected
to the MHFE;

defining a plurality of routing components for the logical router based on the received logical network data, each routing
component comprising a separate set of logical ports with an additional logical switch logically connecting the routing components;
and

providing to the MHFE a set of entries for a forwarding table on the MHFE, the entries comprising, for each logical port of
each of the logical switches of the set of logical switches and the additional logical switch, tunnel endpoint data that identifies
a tunnel endpoint address, wherein for each of a first set of the logical ports the tunnel endpoint address specifies a destination
to which to send packets for the logical port and for each of a second set of the logical ports that logically connect to
a particular routing component in the plurality of routing components the tunnel endpoint address specifies additional processing
by the MHFE rather than a destination to which to send packets for the logical port.

US Pat. No. 9,843,476

USING TRANSACTIONS TO MINIMIZE CHURN IN A DISTRIBUTED NETWORK CONTROL SYSTEM

NICIRA, INC., Palo Alto,...

1. For a particular controller for managing a network by generating configuration data for a plurality of managed forwarding
elements that forward data to each other in the network, a method for computing sets of managed forwarding element configuration
outputs using corresponding sets of configuration inputs from first and second controllers, the method comprising:
receiving a first set of inputs that are part of a particular transaction relating to a logical forwarding element that is
implemented by the plurality of managed forwarding elements from the first controller and a second set of inputs that are
redundant of the first set of inputs and are part of the particular transaction relating to the logical forwarding element
from the second controller, wherein the inputs of the particular transaction are (i) for processing together to compute a
set of managed forwarding element configuration output changes and (ii) for processing separately from other, separate transactions
processed by the particular controller that relate to other logical forwarding elements;

storing the second set of inputs while computing a first portion of the set of managed forwarding element configuration output
changes using the first set of inputs;

after a failure of the first controller, receiving a third set of inputs from the second controller, the third set of inputs
comprising inputs that are part of the particular transaction relating to the logical forwarding element and are not in the
second set of inputs;

while maintaining the first portion of the set of managed forwarding element configuration output changes, computing a second
portion of the set of managed forwarding element configuration output changes using the second and third sets of inputs; and

after computing the complete set of managed forwarding element configuration output changes, outputting the set of managed
forwarding element configuration output changes for distribution to a set of managed forwarding elements.

US Pat. No. 9,806,948

PROVIDING FIREWALL RULES FOR WORKLOAD SPREAD ACROSS MULTIPLE DATA CENTERS

NICIRA, INC., Palo Alto,...

1. A method of replicating firewall rules for a tenant having a plurality of data compute nodes (DCNs) across a plurality
of data centers, each data center comprising a set of hosts and a network manager, each host configured to host one or more
DCNs, the method comprising:
receiving a first set of firewall rules referencing first and second sets of objects, each of the first set of objects comprising
an identifier identifiable by a first network manager in a first data center, each of the second set of objects comprising
an identifier not identifiable by the first network manager;

translating the first set of objects by searching a local inventory of objects, the local inventory of objects mapping the
identifiers of the first set of objects into a first set of globally recognized identifiers that are identifiable by the network
managers of the plurality of data centers;

translating the second set of objects by searching a global inventory of objects, the global inventory of objects mapping
the identifiers of the second set of objects into a second set of globally recognized identifiers identifiable by the network
managers of the plurality of data centers;

translating the first set of firewall rules into a second set of global firewall rules using the first and second sets of
globally recognized identifiers; and

replicating the second set of global firewall rules to the network managers across the plurality of data centers,
wherein the first and second sets of identifiers comprise at least one of a static Internet protocol (IP) address and a media
access control (MAC) address, wherein each global firewall rule includes (i) a set of n-tuples for comparing with a set of
attributes of a packet to determine whether a firewall rule is applicable to the packet, and (ii) an action identifier that
specifies the action to perform on the packet when the firewall rule is applicable to the packet.

US Pat. No. 9,792,447

METHOD AND APPARATUS FOR DIFFERENTLY ENCRYPTING DIFFERENT FLOWS

NICIRA, INC., Palo Alto,...

1. For a computer that executes a virtual machine (VM), an encryption method comprising:
detecting starts of different data message flows from the VM;
identifying, at an introspection agent on the VM, attribute values of the detected data message flows;
based on detecting a start of a first data message flow, analyzing a set of encryption policies based on the identified attribute
values of the first data message flow to generate a first encryption rule for the first data message flow that identifies
a first encryption key, and providing the first encryption rule to an encryptor that receives data messages intercepted along
an egress datapath that the VM's data messages employ to exit the computer, in order (i) to encrypt, using the first encryption
key, messages in the first data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the
egress datapath for transmission out of the computer; and

based on detecting a start of a second data message flow, analyzing a set of encryption policies based on the identified attribute
values of the second data message flow to generate a second encryption rule for the second data message flow that identifies
a second encryption key, and providing the second encryption rule to the encryptor that receives data messages intercepted
along the VM's egress datapath in order (i) to encrypt, using the second encryption key, messages in the second data message
flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of
the computer.

US Pat. No. 9,787,641

FIREWALL RULE MANAGEMENT

NICIRA, INC., Palo Alto,...

1. A method of managing firewall rules, the method comprising:
displaying a plurality of firewall rules enforced by a plurality of firewall devices in a datacenter, wherein the firewall
devices comprise (i) firewall engines executing on host computing devices, (ii) network perimeter firewall devices, and (iii)
firewall appliances;

after receiving a set of filtering criteria, displaying a subset of the plurality of firewall rules that satisfy the set of
filtering criteria; and

after receiving a modification to a particular firewall rule in the displayed subset, modifying the particular firewall rule,
wherein at least one firewall appliance is an application firewall gateway that performs deep packet inspection.

US Pat. No. 9,762,619

MULTI-LAYER POLICY DEFINITION AND ENFORCEMENT FRAMEWORK FOR NETWORK VIRTUALIZATION

NICIRA, INC., Palo Alto,...

1. A method of monitoring and enforcing of policy for a network virtualization platform of a data center by using a multi-layer
policy enforcement framework, the method comprising:
at a top layer of the multi-layer policy enforcement framework, receiving a definition of a policy template for a set of data
center resources as a desired state of the policy;

at the top layer of the multi-layer policy enforcement framework, instantiating a set of policy instances from the policy
template as desired states of the policy at the top layer;

sending the policy instances from the top layer to a set of intermediate layers of the multi-layer policy enforcement framework
as desired states at the intermediate layers;

at each particular intermediate layer of the policy enforcement framework, (i) receiving, from a higher layer, a policy instance
as a desired state of the policy at the intermediate layer, (ii) receiving a realized state of the policy at the particular
intermediate state from a set of policy enforcement controllers, the realized state generated by the set of controllers based
on said desired state received at the intermediate layer, the realized state at the particular intermediate state comprising
a set of rules generated at the particular intermediate layer by the set of controllers, and (iii) sending at least a portion
of the generated realized state to a next lower state as a desired state; and

at a lowest layer of the multi-layer policy enforcement framework, (i) receiving, from a higher layer, a policy instance as
a desired state of the policy at the lowest layer, (ii) receiving a realized state of the policy at the lowest layer from
a set of policy enforcement agents, the realized state generated at the lowest layer by the set of agents based on the desired
state at the lowest layer, the realized state at the lowest layer comprising a set of rules used to enforce the policy, and
(iii) enforcing the set of rules of the realized state at the lowest layer.

US Pat. No. 9,686,200

FLOW CACHE HIERARCHY

NICIRA, INC., Palo Alto,...

1. An apparatus comprising:
a set of processors; and
a non-transitory machine readable medium storing a program for execution by at least one of the processors, the program implementing
a managed forwarding element comprising:

a set of at least one flow table comprising a first set of flow entries for processing packets received by the managed forwarding
element, wherein a plurality of packets processed by the managed forwarding element are processed according to a plurality
of the flow entries of the first set, wherein the first set of flow entries are received from a network controller that manages
the managed forwarding element;

an aggregate cache comprising a second set of flow entries for processing packets received by the managed forwarding element,
wherein each of the flow entries of the second set is for processing packets of multiple data flows, wherein at least a subset
of packet header fields of the packets of the multiple data flows have a same set of packet header field values, and wherein
a same set of operations is applied to the packets of the multiple data flows, wherein when a first packet is processed by
the managed forwarding element according to the first set of flow entries, the managed forwarding element generates a first
new flow entry for the second set of flow entries for processing subsequent packets of additional data flows, wherein at least
a subset of packet header fields of the packets of the additional data flows have a same set of packet header field values
as the first packet; and

an exact-match cache comprising a third set of flow entries for processing packets received by the managed forwarding element,
wherein each of the flow entries of the third set is for processing packets for a single data flow having a unique set of
packet header field values.

US Pat. No. 9,602,422

IMPLEMENTING FIXED POINTS IN NETWORK STATE UPDATES USING GENERATION NUMBERS

NICIRA, INC., Palo Alto,...

9. For a subscriber controller of a network control system that manages a plurality of forwarding elements in order to implement
a plurality of logical datapath sets, a method comprising:
receiving a first publication comprising network state data, the first publication having a first generation number from a
first publisher controller;

receiving a second publication comprising network state data, the second publication having a second generation number from
a second publisher controller;

when the first generation number is more current than the second generation number, storing the first publication;
when the second generation number is more current than the first generation number, storing the second publication; and
computing a set of outputs using the stored publication for implementing the plurality of logical datapath sets.

US Pat. No. 9,577,927

ENCODING CONTROL PLANE INFORMATION IN TRANSPORT PROTOCOL SOURCE PORT FIELD AND APPLICATIONS THEREOF IN NETWORK VIRTUALIZATION

NICIRA, INC., Palo Alto,...

1. A method for forwarding packets in an overlay logical network, each packet comprising a L4 source port field, a L4 destination
port field, a L3 source address field, and a L3 destination address field, the method comprising:
receiving a mapping table for encoding L3 IP addresses into identifiers to be stored in the L4 source port fields of the packets;
receiving, at a first tunnel endpoint, a first packet from a second tunnel endpoint in an overlay logical network, the first
packet storing an IP address of the second tunnel endpoint in the L3 source address field of the first packet and an identifier
of an original sender in the L4 source port field of the first packet, the original sender being different than the second
tunnel endpoint;

identifying the original sender of the first packet by using the received mapping table to extract the IP address of the original
sender from the identifier stored in the L4 source port field of the first packet; and

transmitting a second packet to the identified original sender of the first packet by using the decoded IP address of the
original sender.

US Pat. No. 9,569,368

INSTALLING AND MANAGING FLOWS IN A FLOW TABLE CACHE

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a program that when executed by at least one processing unit processes
packets, the program comprising sets of instructions for:
generating and installing flows in a cache, wherein each flow is generated using at least one rule, from a flow table, which
specifies performing a set of actions on incoming packets;

validating one or more of the flows that are installed in the cache by determining whether a set of actions in each flow matches
a corresponding rule in the flow table, wherein each flow is assigned to a separate execution thread to be validated; and

removing or modifying each flow that has a different set of actions than a corresponding rule in the flow table in order to
improve a performance of packet processing, wherein said generating and installing flows are executed in a first set of execution
threads and said validating, removing, and modifying are executed in a second, different set of execution threads.

US Pat. No. 9,531,590

LOAD BALANCING ACROSS A GROUP OF LOAD BALANCERS

NICIRA, INC., Palo Alto,...

1. A load balancing system for load balancing data messages sent to a group of destination compute nodes (DCNs), the system
comprising:
a load balancer (LB) group comprising a primary load balancer (PLB) and at least one secondary load balancer (SLB),
the PLB for (i) receiving new data message flows for the DCN group, (ii) using layer 2 (L2) header parameters of the data
message flows to identify at least one load balancing rule including a first set of load balancing parameters to evaluate
in a first-type load balancing operation to identify an LB in the LB group for each data message flow, and, (iii) using data
message header parameters that are for layers higher than layer 2 to identify at least one load balancing rule including a
second set of load balancing parameters evaluated in a second-type load balancing operation to identify a DCN in the DCN group
for each data message flow for which the PLB identifies the PLB as the identified load balancer, and

the SLB for distributing to the DCNs the data messages of each flow for which the PLB identifies the SLB as the identified
load balancer.

US Pat. No. 10,142,127

METHODS AND SYSTEMS TO OFFLOAD OVERLAY NETWORK PACKET ENCAPSULATION TO HARDWARE

NICIRA, INC., Palo Alto,...

1. A non-transitory machine readable medium storing a forwarding element program for offloading packet encapsulation for an overlay network, the program for execution by at least one processing unit of a host machine, the program comprising sets of instructions for:
sending a mapping table for the overlay network to a physical network interface controller (PNIC) of the host machine from the forwarding element program, the mapping table associating at least one tunnel endpoint of the overlay network with each virtual machine (VM) of a set of VMs executing on the host machine;
determining that overlay network encapsulation of a packet received from a VM on the host machine should be offloaded to the PNIC; and
associating the packet with (i) a tag to specify that the PNIC has to perform the overlay-network packet encapsulation and (ii) an overlay network identifier; and
providing the tagged packet and the overlay network identifier to the PNIC without any overlay-network encapsulation header, wherein the PNIC receives the packet from the forwarding element, encapsulates the packet with an overlay-network encapsulation header by using the mapping table to identify a set of tunnel endpoint addresses based on the overlay network identifier and including the identified set of tunnel endpoint addresses in the overlay-network encapsulation header, and transmits the packet.

US Pat. No. 10,097,465

DATA TRANSFER BETWEEN ENDPOINTS USING A MULTIPATH CONNECTION

NICIRA INC., Palo Alto, ...

1. A method for a first endpoint to perform data transfer between the first endpoint and a second endpoint using a multipath connection, the method comprising:
detecting an elephant flow of data from an application executing on the first endpoint for transfer to the second endpoint;
splitting the elephant flow to obtain first packets and second packets, wherein the first endpoint has cognizance of a first path and a second path between a first network interface of the first endpoint and a second network interface of the second endpoint;
establishing, over the first network interface, a first subflow of a multipath connection with the second endpoint to send the first packets, wherein the first subflow is identified by a first set of tuples that includes a network address of the first network interface and a first port number;
establishing, over the first network interface, a second subflow of the multipath connection to send the second packets, wherein the second subflow is identified by a second set of tuples that includes the network address and a second port number; and
sending, over the first network interface, the first packets on the first subflow and the second packets on the second subflow to the second network interface, wherein the first packets travel on the first path based on the first set of tuples and the second packets on the second path based on the second set of tuples.

US Pat. No. 10,033,640

HYBRID PACKET PROCESSING

NICIRA, INC., Palo Alto,...

1. A method of processing packets for a managed forwarding element that executes in a single computing device to forward packets in a network, the method comprising:
at the single computing device, performing a lookup operation that searches entries in a forwarding table to identify an entry that matches a packet of a data flow, the identified entry specifying a high-level action that comprises outputting the packet to a logical egress port of a logical forwarding element;
providing the logical egress port to a module that executes separately from the managed forwarding element on the same single computing device as the managed forwarding element, wherein the module performs a set of processes in order to identify a set of low-level actions for the managed forwarding element to perform on the packet without additional lookups into the forwarding table;
receiving data from the separate module that specifies the set of low-level actions, the data comprising instructions to encapsulate the packet in a particular tunnel to which the logical egress port corresponds; and
performing the set of low-level actions on the packet in order to further process the packet at the single computing device.

US Pat. No. 9,952,892

AUTOMATED NETWORK CONFIGURATION OF VIRTUAL MACHINES IN A VIRTUAL LAB ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A method comprising:
deploying a first virtual system configuration on a physical network, the first virtual system configuration including a first virtual machine (VM) assigned a first internet protocol (IP) address; and
deploying a second virtual system configuration on the physical network that includes a second VM assigned the first IP address to communicate within the second virtual system,
wherein the second VM in the second system is also assigned a second IP address for communication on the physical network with machines outside of the second virtual system.

US Pat. No. 9,921,991

SYSTEMS AND METHODS FOR FLIPPING NIC TEAMING CONFIGURATION WITHOUT INTERFERING LIVE TRAFFIC

NICIRA, INC., Palo Alto,...

1. A host to support network interface controller (NIC) configuration flipping without interfering live traffic, the host
comprising:
a processing unit configured to:
create a primary NIC teaming device on the host based on a first NIC teaming configuration, wherein the primary NIC teaming
device maps to a plurality of physical I/O devices that are coupled to a plurality of external physical NICs, wherein the
primary NIC teaming device is configured to

present the plurality of physical I/O devices as one virtual I/O device to a plurality of I/O threads of applications running
on the host;

receive, process, and transmit packets from the I/O threads via the primary NIC teaming device through a plurality of iterations;
create a shadow NIC teaming device on the host based on a second NIC teaming configuration that is different from the first
NIC teaming configuration while allowing the primary NIC teaming device to continue to handle the packets from the I/O threads;

direct future iterations of one of the I/O threads to the shadow NIC teaming device when the I/O thread is done with its current
iteration with the primary NIC teaming device, wherein the shadow NIC teaming device is configured to handle the packets of
the I/O threads in the future iterations;

delete the primary NIC teaming device and designate the shadow NIC teaming device as the new primary NIC teaming device when
all of the I/O threads are done with their current iteration with the primary NIC teaming device.

US Pat. No. 9,825,851

DISTRIBUTING ROUTING INFORMATION IN A MULTI-DATACENTER ENVIRONMENT

NICIRA, INC., Palo Alto,...

1. A method comprising:
receiving a first set of routing information from a first datacenter and a second set of routing information from a second
datacenter, wherein the first and second datacenters are located at two different physical sites, each datacenter comprising
a plurality of computing devices that execute a plurality of machines and implement a global logical network that spans the
first and second datacenters to connect a subset of the machines executing on the computing devices at the first and second
datacenters, said global logical network including a global logical router that spans the first and second datacenters, wherein
the first set of routing information is tagged by a first locale identifier that identifies the first datacenter and the second
set of routing information is tagged by a second locale identifier that identifies the second datacenter;

generating a set of routing instructions based on the first set of routing information and the second set of routing information,
wherein the set of routing instructions uses the first locale identifier to identify network resources in the first datacenter
and the second locale identifier to identify network resources in the second datacenter; and

providing the set of routing instructions to a first set of computing devices in the first datacenter and a second set of
computing devices in the second datacenter for jointly implementing the global logical router for performing L3 routing among
the subset of machines, the subset of machines comprising a first set of machines of the first datacenter and a second set
of machines of the second datacenter.

US Pat. No. 9,825,854

HOST ARCHITECTURE FOR EFFICIENT CLOUD SERVICE ACCESS

NICIRA, INC., Palo Alto,...

1. A physical computing device operating in a network within which (i) a first set of logical networks comprising a plurality
of tenant virtual machines (VMs) and (ii) a second set of logical networks comprising a set of service VMs are implemented,
the computing device comprising:
a set of processing units; and
a set of machine readable media storing, for execution by the set of processing units:
a physical forwarding element; and
a network address translation (NAT) agent for:
intercepting a packet sent by a tenant VM to one of the service VMs prior to the packet leaving the physical forwarding element,
the packet comprising a source network address and a source port number of the tenant VM;

prior to the packet leaving the physical forwarding element, replacing the source network address and source port number with
a replacement address and port number from a set of replacement network address and port number pairs allocated to the physical
forwarding element for accessing service VMs, each replacement network address and port number pair for uniquely identifying
a tenant VM across the first and second sets of logical networks; and

providing the modified packet to the physical forwarding element for forwarding the modified packet to the service VM.

US Pat. No. 9,794,079

REPLICATING BROADCAST, UNKNOWN-UNICAST, AND MULTICAST TRAFFIC IN OVERLAY LOGICAL NETWORKS BRIDGED WITH PHYSICAL NETWORKS

NICIRA, INC., Palo Alto,...

1. A system comprising:
a plurality of host machines, wherein each host machine implements a tunnel endpoint in a particular overlay logical network,
the tunnel endpoint being a member of a multicast group; and

at least one physical gateway that connects a set of physical machines coupled to the physical gateway to the particular overlay
logical network, wherein when the physical gateway receives a message from one of the physical machines that has to be forwarded
to all members of the multicast group, the physical gateway sends the received message as an encapsulated packet of the overlay
logical network to a designated host machine in the plurality of host machines, wherein the designated host machine replicates
the message to all members of the multicast group for the physical gateway.

US Pat. No. 9,774,707

EFFICIENT PACKET CLASSIFICATION FOR DYNAMIC CONTAINERS

NICIRA, INC., Palo Alto,...

1. A non-transitory computer readable medium storing a program for execution by at least one processing unit, the program
for classifying an incoming packet based on a set of rules, wherein one or more rules in the set of rules recite containers
that each contain a set of addresses, the program comprising sets of instructions for:
identifying a matching rule for the incoming packet by using a search structure, the search structure comprising a plurality
of address nodes and a plurality of container nodes, wherein each address contained by one of the containers is represented
by a corresponding address node in the plurality of address nodes and the corresponding address node has a link to the container
node that corresponds to the container that contains the address, wherein each container node corresponds to a container recited
by at least one of the rules in the set of rules and has a link to the rule that recites the container; and

using the identified matching rule to make a forwarding decision regarding the incoming packet.

US Pat. No. 9,667,556

ADJUSTING CONNECTION VALIDATING CONTROL SIGNALS IN RESPONSE TO CHANGES IN NETWORK TRAFFIC

NICIRA, INC., Palo Alto,...

1. A method for regulating transmission of control signals in a network, the network comprising a link connecting first and
second network entities, the method comprising:
at the first network entity, establishing a control signal session on the link with the second network entity, wherein the
first network entity receives control signals at an initial rate from the second network entity;

monitoring a rate of data signal transmission over the link, wherein the data signals are separate signals from the control
signals; and

when the monitored rate of data signal transmission is above a threshold for a period of time, sending a message over the
link to the second network entity that instructs the second network entity to cease transmission of control signals to the
first network entity so that the control signals do not occupy bandwidth on the link that is required for data transmission
over the link.

US Pat. No. 9,571,386

HYBRID PACKET PROCESSING

NICIRA, INC., Palo Alto,...

1. A method of processing packets for a managed forwarding element that executes in a host to forward packets in a network,
the method comprising:
performing a lookup operation that searches flow entries in a forwarding table to identify a flow entry that matches a first
incoming packet of a transport-layer connection, the flow entry specifying a high-level action to perform on the first incoming
packet;

providing packet data to a module executing separately from the managed forwarding element on the host, wherein the module
performs a set of processes in order to identify a set of low-level actions for the managed forwarding element to perform
on the first incoming packet without additional lookups into the forwarding table;

receiving data from the separate module specifying the set of low-level actions;
performing the set of low-level actions on the first incoming packet in order to further process the packet;
caching the set of low-level actions for use in processing subsequent packets in the transport-layer connection;
receiving a subsequent second packet for the transport-layer connection; and
processing the second packet using the cached set of low-level actions without providing any packet data to the separate module.

US Pat. No. 9,558,027

NETWORK CONTROL SYSTEM FOR CONFIGURING MIDDLEBOXES

NICIRA, INC., Palo Alto,...

1. A network control system for configuring a logical network, the network control system comprising:
a first controller instance, executing on a controller computer for receiving (i) configuration data for configuring a logical
middlebox and (ii) logical network data that define a logical network topology comprising the logical middlebox and a set
of logical forwarding elements; and

a second controller instance executing on a host machine of a plurality of host machines managed by the network control system,
the second controller instance for:

receiving, from the first controller instance, (i) data records defining the logical middlebox configuration and (ii) forwarding
data for the logical network;

customizing the forwarding data for a managed forwarding element that executes on the host machine; and
distributing (i) the customized forwarding data to the managed forwarding element for implementing the set of logical forwarding
elements and (ii) the configuration data to a middlebox instance operating on the host machine for implementing the logical
middlebox.

US Pat. No. 9,552,219

MIGRATING MIDDLEBOX STATE FOR DISTRIBUTED MIDDLEBOXES

NICIRA, INC., Palo Alto,...

1. For a first middlebox element executing on a first host, a method comprising:
providing a middlebox service for a logical middlebox to a virtual machine (VM) operating in the first host, wherein the first
middlebox element is one of a plurality of middlebox elements executing on a plurality of hosts that implement the logical
middlebox to provide the middlebox service to a plurality of VMs operating in the plurality of hosts, the plurality of VMs
logically connected through a logical network comprising the logical middlebox;

receiving a notification from a migration module before the VM migrates from the first host to a second host; and
supplying middlebox state information relating to the VM to the migration module, wherein the migration module subsequently
sends the middlebox state information to the second host when the VM migrates to the second host, in order for a second middlebox
element executing on the second host to continue providing the middlebox service to the VM operating in the second host.

US Pat. No. 10,009,371

METHOD AND SYSTEM FOR MANAGING NETWORK STORM

NICIRA INC., Palo Alto, ...

1. A method for managing a network storm associated with a physical port of a physical switch, the method comprising:
receiving a notification of the network storm associated with the physical port;
identifying a server host with a physical network adapter that is coupled to the physical port;
identifying a software-implemented virtual switch that is supported by the server host and communicates with the physical switch via the physical network adapter, wherein the virtual switch includes a first virtual port and a second virtual port;
identifying a virtual machine causing the network storm, wherein the identified virtual machine includes a virtual network adapter coupled to the first virtual port of the virtual switch; and
in response to identifying the virtual machine causing the network storm, isolating the identified virtual machine by placing a firewall around the identified virtual machine or by disconnecting the identified virtual machine from the first virtual port of the virtual switch, while the physical port of the physical switch coupled to the physical network adapter of the server host remains enabled, and the second virtual port of the virtual switch also remains enabled.

US Pat. No. 9,930,066

INFRASTRUCTURE LEVEL LAN SECURITY

NICIRA, INC., Palo Alto,...

1. A method for securing traffic in a multi-tenant virtualized infrastructure, comprising:
receiving from a key manager a first encryption key associated with a set of virtual network interface cards (vNICs), including a first vNIC, that are connected by a logical L2 network and a second encryption key associated with a second vNIC not connected to the logical L2 network;
intercepting first and second Layer 2 (L2) frames sent via the first and second vNICs respectively en route to a first physical network interface card (pNIC);
determining (1) that the first encryption key is to be used for encrypting payload data of the first L2 frame sent via the first vNIC based on the first vNIC's membership in the set of vNICs connected by the logical L2 network and an analysis of a first policy defined for the logical L2 network, and (2) that the second encryption key is to be used for encrypting payload data of the second L2 frame sent via the second vNIC by analyzing a second policy defined for the second vNIC;
encrypting (1) the payload data of the first L2 frame using the first encryption key and (2) the payload data of the second L2 frame using the second encryption key, wherein the encryption of the second L2 frame differs from the encryption of the first L2 frame as a different portion of the second L2 frame is encrypted than the portion encrypted for the first L2 frame; and
encapsulating the first L2 frame with a logical L2 network header for the first L2 frame to be transmitted to a destination vNIC in the set of vNICs in the logical L2 network.

US Pat. No. 9,819,581

CONFIGURING A HARDWARE SWITCH AS AN EDGE NODE FOR A LOGICAL ROUTER

NICIRA, INC., Palo Alto,...

1. A method for configuring a managed hardware forwarding element (MHFE) as an edge node of a logical network to communicate
with other networks, the method comprising:
receiving data for the logical network that defines a logical router and a set of logical switches for logically connecting
a plurality of end machines operating on a plurality of host machines, the logical router for connecting the logical network
to at least one external physical network;

based on the received logical network data, identifying a physical port of the MHFE to bind a logical uplink port of the logical
router to the identified physical port, the logical uplink port for connecting the logical router to the external physical
network; and

binding the logical uplink port to the identified physical port of the MHFE in order to configure the MHFE as the edge node
of the logical network by implementing on the MHFE an uplink logical switch with a logical port that is associated with the
identified physical port and assigning network and data link addresses of the logical uplink port to the logical port of the
uplink logical switch.