An IEEE 802.1BR-based network topology (referred to herein as an extended bridge) is a logical network entity that comprises two different types of units: controlling bridge (CB) units and port extender (PE) units. The CB (of which there may be one or multiple) serves as the controller of the extended bridge and is responsible for performing control plane functions (e.g., Layer 2 switching, Layer 3 routing, etc.) with respect to network traffic passing through the bridge. In contrast, the PEs, which connect to the CB and to devices/hosts external to the extended bridge, act as non-intelligent devices and thus generally do not perform any local switching or routing; instead, their primary function is to provide additional data port terminations for the CB (thereby extending the port capacity of the CB). For example, each PE may be a switch/router with some number X of physical data ports, which appear as virtual data ports on the CB. Upon receiving a data packet from an external device/host on an ingress data port, the PE forwards the data packet to the CB, which processes the data packet in hardware or software to determine an appropriate egress port through which the packet should be sent out. The CB then forwards the data packet to the PE housing the egress port for transmission through that port towards the next hop destination.
PEs can connect to the CB according to a tree or chain topology, with the CB being the root of the tree/chain. The leaf-level PE nodes in the topology are known as edge PEs, and the PE nodes at intermediate connection (e.g., tree branch) points are known as transit PEs. The edge PEs provide network services to various end hosts, which may include physical machines and/or virtual machines (VMs). In some embodiments, an extended bridge may include multiple CBs that connect to each other to form a linear or ring-based core stack. In these cases, the extended bridge may include multiple PE trees/chains, each rooted under a separate CB; such a configuration is sometimes referred to as a PE forest. One CB in the core stack may be designated as the master CB of the extended bridge and act as the central point of management for the entire bridge. Other CBs in the core stack may operate in a standby or member mode.
As mentioned previously, under the IEEE 802.1BR standard, the PEs in an extended bridge generally do not perform any local switching or routing; instead, they forward all data traffic to the master CB, which processes the data traffic in hardware (via packet classification rules programmed into the CB's ternary content addressable memories (TCAMs)) and/or software in order to determine how the traffic should be handled. In some implementations that go beyond the 802.1BR standard, the master CB may distribute packet classification rules to the PEs in the extended bridge for local programming and enforcement of those rules via the TCAMs of the PEs (rather than the TCAMs of the master CB). This scheme (disclosed in U.S. patent application Ser. No. 15/331,067, filed Oct. 21, 2016, now U.S. Pat. No. 10,193,706, issued Jan. 29, 2019, entitled “DISTRIBUTED RULE PROVISIONING IN AN EXTENDED BRIDGE”) allows the CB to effectively offload the handling of certain network services (e.g., security, QoS, etc.) from the CB level to the PE level.
However, one significant challenge with the distributed rule provisioning described above is ensuring that the packet classification rules at the PEs (and other non-master units, such as standby CBs) are quickly and seamlessly maintained/updated in scenarios where the status of the extended bridge topology changes (e.g., a PE is rebooted or removed, a new PE is added, a new master CB is elected, a standby CB becomes the new master CB due to a failure of the old master CB, etc.). If the rules are not properly maintained/updated in these scenarios, the clients connected to the extended bridge may experience service downtime or security gaps due to inconsistent or incomplete rule programming at the PE devices.
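The following is an added illustrative model, not code from the patent or from any vendor implementation, of the forwarding path and the distributed rule provisioning described above, together with the consistency gap that arises when a PE reboots. It assumes, for simplicity, that classification rules match on destination MAC only, that the CB pushes its complete rule set to every PE, and that a hypothetical `stale_pes()` audit compares each PE's local rule store against the CB's authoritative set; all MAC addresses and rule names are constructed sample values.

```python
"""Toy model of an 802.1BR-style extended bridge with rules offloaded to PE TCAMs.

Constructed illustration (not the patent's or a vendor's code). It shows that when
enforcement has been offloaded to the PEs, a PE reboot empties its TCAM and a deny
rule stops being enforced until the master CB re-provisions that PE.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Classification rule: match on destination MAC, action is 'permit' or 'deny' (assumed model)."""
    name: str
    dst_mac: str
    action: str


class PortExtender:
    """A PE: a set of physical ports plus a local rule dict standing in for its TCAM."""

    def __init__(self, pe_id: str, ports: List[int]) -> None:
        self.pe_id = pe_id
        self.ports = set(ports)
        self.tcam: Dict[str, Rule] = {}

    def program(self, rules: Dict[str, Rule]) -> None:
        """Install the CB-distributed rule set, replacing whatever was there (copy, not alias)."""
        self.tcam = dict(rules)

    def reboot(self) -> None:
        """A reboot loses hardware TCAM state; nothing comes back until the CB re-provisions."""
        self.tcam.clear()

    def classify(self, dst_mac: str) -> Optional[str]:
        """Action of the first matching local rule, or None when no local rule matches."""
        for rule in self.tcam.values():
            if rule.dst_mac == dst_mac:
                return rule.action
        return None


class ControllingBridge:
    """Master CB: authoritative rule set, learned MAC table, and the PE -> CB -> PE path."""

    def __init__(self) -> None:
        self.pes: Dict[str, PortExtender] = {}
        self.rules: Dict[str, Rule] = {}
        self.mac_table: Dict[str, Tuple[str, int]] = {}  # dst MAC -> (egress PE, port)

    def attach_pe(self, pe: PortExtender) -> None:
        self.pes[pe.pe_id] = pe
        pe.program(self.rules)  # a newly joined PE receives the current rules

    def add_rule(self, rule: Rule) -> None:
        self.rules[rule.name] = rule
        self.distribute()

    def distribute(self) -> None:
        """Push the full rule set to every attached PE (offloaded enforcement)."""
        for pe in self.pes.values():
            pe.program(self.rules)

    def learn(self, mac: str, pe_id: str, port: int) -> None:
        self.mac_table[mac] = (pe_id, port)

    def forward(self, ingress_pe_id: str, dst_mac: str) -> str:
        """Ingress PE enforces its local rules; the CB then picks the egress PE/port."""
        if self.pes[ingress_pe_id].classify(dst_mac) == "deny":
            return "dropped_at_pe"
        egress = self.mac_table.get(dst_mac)
        if egress is None:
            return "flooded"
        egress_pe, port = egress
        return f"forwarded:{egress_pe}:{port}"

    def stale_pes(self) -> List[str]:
        """Hypothetical audit: PEs whose local TCAM no longer equals the CB's rule set."""
        return sorted(pid for pid, pe in self.pes.items() if pe.tcam != self.rules)


def demo() -> Dict[str, object]:
    """Walk through rule distribution, a PE reboot, the resulting gap, and re-provisioning."""
    cb = ControllingBridge()
    pe1, pe2 = PortExtender("pe1", [1, 2]), PortExtender("pe2", [1, 2])
    cb.attach_pe(pe1)
    cb.attach_pe(pe2)
    host2 = "aa:bb:cc:00:00:02"  # constructed sample MAC
    cb.learn(host2, "pe2", 1)
    cb.add_rule(Rule("block-host2", host2, "deny"))
    before = cb.forward("pe1", host2)          # deny enforced in pe1's TCAM
    pe1.reboot()                                # topology event: pe1 loses its rules
    stale = cb.stale_pes()                      # audit flags pe1 as inconsistent
    during = cb.forward("pe1", host2)           # gap: traffic now reaches host2
    cb.distribute()                             # CB re-provisions after the event
    after = cb.forward("pe1", host2)            # deny enforced again
    return {"before": before, "stale_after_reboot": stale, "during_gap": during,
            "after_resync": after, "stale_after_resync": cb.stale_pes()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `during_gap` result is the point of the passage: once enforcement lives in PE TCAMs, a rebooted or newly added PE silently permits what the master CB's rule set denies until the CB detects the topology change and re-provisions, so detection of the stale state (here the `stale_pes()` audit) must be tied to the topology events, not run on a leisurely schedule.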