
Devices Managed by FortiOS

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

This section covers the following topics:

  • Limiting the number of learned MAC addresses on a FortiSwitch interface
  • Controlling how long learned MAC addresses are saved
  • Logging violations of the MAC address learning limit
  • Persistent (sticky) MAC addresses
  • Logging changes to MAC addresses

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan
    edit <integer>
        set switch-controller-learning-limit <limit>
    end
end

For example:

config switch vlan
    edit 100
        set switch-controller-learning-limit 20
    end
end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set learning-limit <limit>
            next
        end
    end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set learning-limit 50
            next
        end
    end
end

Controlling how long learned MAC addresses are saved

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1,000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global
    set mac-aging-interval <10 to 1000000>
end

For example:

config switch-controller global
    set mac-aging-interval 500
end

If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are deleted.

config switch-controller global
    set mac-retention-period <0 to 168>
end

For example:

config switch-controller global
    set mac-retention-period 36
end

Logging violations of the MAC address learning limit

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are saved:

config switch-controller global
    set mac-violation-timer <0-1500>
    set log-mac-limit-violations {enable | disable}
end

For example:

config switch-controller global
    set mac-violation-timer 1000
    set log-mac-limit-violations enable
end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
  • diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
  • diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

For example, to view the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Persistent (sticky) MAC addresses

You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.

Use the following commands to configure the persistence of MAC addresses on an interface:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set sticky-mac {enable | disable}
            next
        end
    end
end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:

execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>

execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_serial_number>

execute switch-controller switch-action delete sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>

Logging changes to MAC addresses

Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:

config switch-controller global
    set mac-event-logging enable
end
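The settings above are easy to leave at their defaults, and the default learning-limit of 0 means no cap at all. The following added example (not Fortinet's code) renders the switch-controller global and per-port settings described on this page into FortiOS CLI text, rejects values outside the ranges the page states, and lists ports still left uncapped; the `disable` value for `mac-event-logging` is assumed by analogy with the other enable/disable keys.

```python
# Added example (not Fortinet's code): render the FortiOS switch-controller
# settings this page describes into CLI text, validating each value against
# the ranges the page states, and list ports still at learning-limit 0 (the
# default, meaning no cap). 'mac-event-logging disable' is an assumption.
LEARNING_LIMIT = (1, 128)        # per port/VLAN; 0 = no limit
MAC_AGING = (10, 1_000_000)      # seconds; 0 = aging disabled
MAC_RETENTION = (0, 168)         # hours; 0 = defer to mac-aging-interval
MAC_VIOLATION_TIMER = (0, 1500)  # seconds

def check_range(name, value, rng, zero_ok=False):
    # Raise ValueError unless value is within rng (or 0 where 0 is meaningful).
    lo, hi = rng
    if not (zero_ok and value == 0) and not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")

def onoff(flag):
    return "enable" if flag else "disable"

def global_block(aging=300, retention=24, violation_timer=0,
                 log_violations=True, log_events=True):
    """'config switch-controller global'; defaults are the page's 300 s / 24 h."""
    check_range("mac-aging-interval", aging, MAC_AGING, zero_ok=True)
    check_range("mac-retention-period", retention, MAC_RETENTION)
    check_range("mac-violation-timer", violation_timer, MAC_VIOLATION_TIMER)
    return "\n".join([
        "config switch-controller global",
        f"    set mac-aging-interval {aging}",
        f"    set mac-retention-period {retention}",
        f"    set mac-violation-timer {violation_timer}",
        f"    set log-mac-limit-violations {onoff(log_violations)}",
        f"    set mac-event-logging {onoff(log_events)}",
        "end"])

def switch_block(serial, ports):
    """ports maps port name -> (learning_limit, sticky_mac) for one switch."""
    lines = ["config switch-controller managed-switch", f"    edit {serial}",
             "        config ports"]
    for name, (limit, sticky) in ports.items():
        check_range(f"{name} learning-limit", limit, LEARNING_LIMIT, zero_ok=True)
        lines += [f"            edit {name}",
                  f"                set learning-limit {limit}",
                  f"                set sticky-mac {onoff(sticky)}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)

def unlimited_ports(ports):
    """Ports left at learning-limit 0, i.e. with no cap on learned addresses."""
    return sorted(n for n, (limit, _) in ports.items() if limit == 0)
```

Feed `unlimited_ports` the same port map you pass to `switch_block` to find access ports that still have no learning limit before pushing the rendered configuration.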