Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning to the system log.

Configuring dynamic MAC address learning

Use the following CLI commands to configure dynamic MAC address learning:

config switch physical-port

edit <port>

set l2-learning (enable | disable)

set l2-unknown (drop | forward)

end

config switch interface

edit <port>

set learning-limit <0-128>

end

config switch vlan

edit <VLAN_ID>

set learning {enable | disable}

set learning-limit <0-128>

end

 

NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.

Changing when MAC addresses are deleted

By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1000,000 seconds. Set the value to zero to not delete learned MAC addresses.

Use the following command to change this value:

config switch global

set mac-aging-interval 200

end

Logging dynamic MAC address events

By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events are logged:

  • When a dynamic MAC address is learned
  • When a dynamic MAC address is moved
  • When a dynamic MAC address is deleted

NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a short period of time, some events might not be logged.

To enable the logging of dynamic MAC address events:

config switch interface

edit <interface_name>

set log-mac-event enable

end

To view the log entries:

execute log display

Using the learning-limit violation log

If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, the learning-limit violation log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Using the GUI:
  1. Go to Switch > MAC Limit.
  2. Enable or disable Enable Learning Limit Violation recording globally.
Using the CLI:

config switch global

set log-mac-limit-violations {enable | disable}

end

 

NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.

To view the content of the learning-limit violation log, use one of the following commands:

  • get switch mac-limit-violations all—to see the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.
  • get switch mac-limit-violations interface <interface_name>—to see the first MAC address that exceeded the learning limit on a specific interface
  • get switch mac-limit-violations vlan <VLAN_ID>—to see the first MAC address that exceeded the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.

To reset the learning-limit violation log, use one of the following commands:

  • execute mac-limit-violation reset all—Use this command to clear all learning-limit violation logs or to clear the shutdown state of a port caused by the set learning-limit-action shutdown command.
  • execute mac-limit-violation reset interface <interface_name>—Use this command to clear the learning-limit violation log for a specific interface or to clear the shutdown state of a port caused by the set learning-limit-action shutdown command.
  • execute mac-limit-violation reset vlan <VLAN_ID>—Use this command to clear the learning-limit violation log for a specific VLAN.

You can also specify how often the learning-limit violation log is reset. When the mac-violation-timer expires, it will also clear the shutdown state of a port caused by the set learning-limit-action shutdown command.

To specify how often the learning-limit violation log is rest:

config switch global

set log-mac-limit-violations enable

set mac-violation-timer <0-1500>

end

 

For example:

config switch global

set log-mac-limit-violations enable

set mac-violation-timer 60

end

Configuring learning-limit violation actions

Starting in FortiSwitchOS 7.0.2, when the MAC learning limit is exceeded, you can specify that the interface that it is configured on is disabled (set learning-limit action shutdown) or that no action is taken (set learning-limit action none). The learning-limit-action applies only to physical switch port interfaces, not to trunks or VLANs.

To configure the action for learning-limit violations:

config switch interface

edit <port_name>

set learning-limit <1-128>

set learning-limit-action {none | shutdown}

next

end

After shutting down the port with the set learning-limit-action shutdown command, you can bring it back up in two ways:

  • With the execute mac-limit-violation reset {interface <port_name> | all} command.
  • With the set mac-violation-timer <integer> command (under config switch global).

Starting in FortiSwitchOS 7.0.2, you can configure an SNMP trap so that you receive a message when the MAC learning limit is exceeded.

To configure the SNMP trap for learning-limit violations:

config switch global

set log-mac-limit-violations enable

end

 

config system snmp community

edit <index_number>

set events llv

next

end

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning to the system log.

Configuring dynamic MAC address learning

Use the following CLI commands to configure dynamic MAC address learning:

config switch physical-port

edit <port>

set l2-learning (enable | disable)

set l2-unknown (drop | forward)

end

config switch interface

edit <port>

set learning-limit <0-128>

end

config switch vlan

edit <VLAN_ID>

set learning {enable | disable}

set learning-limit <0-128>

end

 

NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.

Changing when MAC addresses are deleted

By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1000,000 seconds. Set the value to zero to not delete learned MAC addresses.

Use the following command to change this value:

config switch global

set mac-aging-interval 200

end

Logging dynamic MAC address events

By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events are logged:

  • When a dynamic MAC address is learned
  • When a dynamic MAC address is moved
  • When a dynamic MAC address is deleted

NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a short period of time, some events might not be logged.

To enable the logging of dynamic MAC address events:

config switch interface

edit <interface_name>

set log-mac-event enable

end

To view the log entries:

execute log display

Using the learning-limit violation log

If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, the learning-limit violation log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Using the GUI:
  1. Go to Switch > MAC Limit.
  2. Enable or disable Enable Learning Limit Violation recording globally.
Using the CLI:

config switch global

set log-mac-limit-violations {enable | disable}

end

 

NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.

To view the content of the learning-limit violation log, use one of the following commands:

  • get switch mac-limit-violations all—to see the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.
  • get switch mac-limit-violations interface <interface_name>—to see the first MAC address that exceeded the learning limit on a specific interface
  • get switch mac-limit-violations vlan <VLAN_ID>—to see the first MAC address that exceeded the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.

To reset the learning-limit violation log, use one of the following commands:

  • execute mac-limit-violation reset all—Use this command to clear all learning-limit violation logs or to clear the shutdown state of a port caused by the set learning-limit-action shutdown command.
  • execute mac-limit-violation reset interface <interface_name>—Use this command to clear the learning-limit violation log for a specific interface or to clear the shutdown state of a port caused by the set learning-limit-action shutdown command.
  • execute mac-limit-violation reset vlan <VLAN_ID>—Use this command to clear the learning-limit violation log for a specific VLAN.

You can also specify how often the learning-limit violation log is reset. When the mac-violation-timer expires, it will also clear the shutdown state of a port caused by the set learning-limit-action shutdown command.

To specify how often the learning-limit violation log is rest:

config switch global

set log-mac-limit-violations enable

set mac-violation-timer <0-1500>

end

 

For example:

config switch global

set log-mac-limit-violations enable

set mac-violation-timer 60

end

Configuring learning-limit violation actions

Starting in FortiSwitchOS 7.0.2, when the MAC learning limit is exceeded, you can specify that the interface that it is configured on is disabled (set learning-limit action shutdown) or that no action is taken (set learning-limit action none). The learning-limit-action applies only to physical switch port interfaces, not to trunks or VLANs.

To configure the action for learning-limit violations:

config switch interface

edit <port_name>

set learning-limit <1-128>

set learning-limit-action {none | shutdown}

next

end

After shutting down the port with the set learning-limit-action shutdown command, you can bring it back up in two ways:

  • With the execute mac-limit-violation reset {interface <port_name> | all} command.
  • With the set mac-violation-timer <integer> command (under config switch global).

Starting in FortiSwitchOS 7.0.2, you can configure an SNMP trap so that you receive a message when the MAC learning limit is exceeded.

To configure the SNMP trap for learning-limit violations:

config switch global

set log-mac-limit-violations enable

end

 

config system snmp community

edit <index_number>

set events llv

next

end