Administration Guide


Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning to the system log.

Configuring dynamic MAC address learning

Use the following CLI commands to configure dynamic MAC address learning:

config switch physical-port
    edit <port>
        set l2-learning {enable | disable}
        set l2-sa-unknown {drop | forward}
    end

config switch interface
    edit <port>
        set learning-limit <0-128>
    end

config switch vlan
    edit <VLAN_ID>
        set learning {enable | disable}
        set learning-limit <0-128>
    end

NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.

Changing when MAC addresses are deleted

By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1,000,000 seconds. Set the value to zero to never delete learned MAC addresses.

Use the following command to change this value:

config switch global
    set mac-aging-interval 200
end

Logging dynamic MAC address events

By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events are logged:

  • When a dynamic MAC address is learned
  • When a dynamic MAC address is moved
  • When a dynamic MAC address is deleted

NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a short period of time, some events might not be logged.

To enable the logging of dynamic MAC address events:

config switch interface
    edit <interface_name>
        set log-mac-event enable
    end

To view the log entries:

execute log display

Using the learning-limit violation log

If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.

To enable or disable the learning-limit violation log, use the following commands. By default, the learning-limit violation log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.

config switch global
    set log-mac-limit-violations {enable | disable}
end

To view the content of the learning-limit violation log, use one of the following commands:

  • get switch mac-limit-violations all—to see the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.
  • get switch mac-limit-violations interface <interface_name>—to see the first MAC address that exceeded the learning limit on a specific interface
  • get switch mac-limit-violations vlan <VLAN_ID>—to see the first MAC address that exceeded the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.

To reset the learning-limit violation log, use one of the following commands:

  • execute mac-limit-violation reset all—to clear all learning-limit violation logs
  • execute mac-limit-violation reset interface <interface_name>—to clear the learning-limit violation log for a specific interface
  • execute mac-limit-violation reset vlan <VLAN_ID>—to clear the learning-limit violation log for a specific VLAN

You can also specify how often the learning-limit violation log is reset. Use the following commands:

config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer <0-1500>
end

For example:

config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer 60
end
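The learning-limit, aging and violation-log rules described in this section, modelled in Python as an added illustration (this is not FortiSwitch code and does not read the switch's own log output; the port names, MAC addresses, and the assumption that seeing an already-known address refreshes its timer are constructed for the example).

```python
"""Illustrative model (added here, not FortiSwitch code) of the semantics above:
a per-port learning-limit (0 = no limit), entries aged out after
mac_aging_interval seconds (0 = never), and a violation log that keeps only the
first offending address per port until that port's log is reset."""
from dataclasses import dataclass, field

MAX_DISPLAYED = 128  # the console shows at most the 128 most recent violations


@dataclass
class MacTable:
    mac_aging_interval: int = 300                    # default from the page
    limits: dict = field(default_factory=dict)       # port -> learning-limit
    entries: dict = field(default_factory=dict)      # (port, mac) -> last-seen time
    violations: dict = field(default_factory=dict)   # port -> first offending mac

    def _age_out(self, now):
        """Drop entries older than the aging interval (0 disables aging)."""
        if self.mac_aging_interval == 0:
            return
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.mac_aging_interval}

    def learn(self, port, mac, now):
        """Return True if mac is (still) learned on port, False if the limit blocked it."""
        self._age_out(now)
        if (port, mac) in self.entries:      # assumption: known address refreshes its timer
            self.entries[(port, mac)] = now
            return True
        limit = self.limits.get(port, 0)
        count = sum(1 for p, _ in self.entries if p == port)
        if limit and count >= limit:
            # Only the first violation per port is kept until the log is reset.
            self.violations.setdefault(port, mac)
            return False
        self.entries[(port, mac)] = now
        return True

    def reset(self, port=None):
        """Mirror 'execute mac-limit-violation reset all | interface <port>'."""
        if port is None:
            self.violations.clear()
        else:
            self.violations.pop(port, None)

    def display(self):
        """Mirror 'get switch mac-limit-violations all' (most recent 128 only)."""
        return list(self.violations.items())[-MAX_DISPLAYED:]
```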
