Dynamic MAC address learning
You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).
You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning to the system log.
Configuring dynamic MAC address learning
Use the following CLI commands to configure dynamic MAC address learning:
config switch physical-port
edit <port>
set l2-learning {enable | disable}
set l2-sa-unknown (drop | forward)
end
config switch interface
edit <port>
set learning-limit <0-128>
end
config switch vlan
edit <VLAN_ID>
set learning {enable | disable}
set learning-limit <0-128>
end
NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.
Changing when MAC addresses are deleted
By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1,000,000 seconds. Set the value to zero so that learned MAC addresses are never deleted.
Use the following command to change this value:
config switch global
set mac-aging-interval 200
end
Logging dynamic MAC address events
By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events are logged:
- When a dynamic MAC address is learned
- When a dynamic MAC address is moved
- When a dynamic MAC address is deleted
NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a short period of time, some events might not be logged.
To enable the logging of dynamic MAC address events:
config switch interface
edit <interface_name>
set log-mac-event enable
end
To view the log entries:
execute log display
Using the learning-limit violation log
If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.
By default, the learning-limit violation log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.
Using the GUI:
- Go to Switch > MAC Limit.
- Enable or disable Enable Learning Limit Violation recording globally.
Using the CLI:
config switch global
set log-mac-limit-violations {enable | disable}
end
NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.
To view the content of the learning-limit violation log, use one of the following commands:
- get switch mac-limit-violations all: see the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates that the VLAN-based learning limit was exceeded.
- get switch mac-limit-violations interface <interface_name>: see the first MAC address that exceeded the learning limit on a specific interface.
- get switch mac-limit-violations vlan <VLAN_ID>: see the first MAC address that exceeded the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.
To reset the learning-limit violation log, use one of the following commands:
- execute mac-limit-violation reset all: clear all learning-limit violation logs, or clear the shutdown state of a port caused by the set learning-limit-action shutdown command.
- execute mac-limit-violation reset interface <interface_name>: clear the learning-limit violation log for a specific interface, or clear the shutdown state of a port caused by the set learning-limit-action shutdown command.
- execute mac-limit-violation reset vlan <VLAN_ID>: clear the learning-limit violation log for a specific VLAN.
You can also specify how often the learning-limit violation log is reset. When the mac-violation-timer expires, it also clears the shutdown state of a port caused by the set learning-limit-action shutdown command.
To specify how often the learning-limit violation log is reset:
config switch global
set log-mac-limit-violations enable
set mac-violation-timer <0-1500>
end
For example:
config switch global
set log-mac-limit-violations enable
set mac-violation-timer 60
end
Configuring learning-limit violation actions
Starting in FortiSwitchOS 7.0.2, when the MAC learning limit is exceeded, you can specify that the interface on which the limit is configured is disabled (set learning-limit-action shutdown) or that no action is taken (set learning-limit-action none). The learning-limit-action setting applies only to physical switch port interfaces, not to trunks or VLANs.
To configure the action for learning-limit violations:
config switch interface
edit <port_name>
set learning-limit <1-128>
set learning-limit-action {none | shutdown}
next
end
After shutting down the port with the set learning-limit-action shutdown command, you can bring it back up in two ways:
- With the execute mac-limit-violation reset {interface <port_name> | all} command.
- With the set mac-violation-timer <integer> command (under config switch global).
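The following Python model is added here as an illustration and is not FortiSwitch code. It ties together the behaviour described in the learning-limit, MAC-aging, violation-log, reset and learning-limit-action sections above: a per-port learning limit (0 means no limit), a warning written to a system-log list when the limit is exceeded, a violation record that keeps only the first offending MAC per interface until it is reset, the optional shutdown action, the reset command for one interface or all, the periodic reset driven by mac-violation-timer, and deletion of entries older than mac-aging-interval. The Port and Switch classes, the port names, MAC addresses and timestamps are all constructed for the example; 802.1x, VLAN-level limits and the l2-sa-unknown behaviour are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Port:
    """One physical switch port and its dynamic MAC table (hypothetical model)."""
    name: str
    learning_limit: int = 0      # set learning-limit <0-128>; 0 means no limit
    action: str = "none"         # set learning-limit-action {none | shutdown}
    l2_learning: bool = True     # set l2-learning {enable | disable}
    shutdown: bool = False       # set by the shutdown action, cleared by a reset
    table: Dict[str, int] = field(default_factory=dict)  # mac -> last seen (seconds)


class Switch:
    """Constructed model of the learning-limit, violation-log and aging rules."""

    def __init__(self, mac_aging_interval: int = 300, mac_violation_timer: int = 0):
        self.aging = mac_aging_interval             # set mac-aging-interval; 0 = never delete
        self.violation_timer = mac_violation_timer  # set mac-violation-timer; 0 = no auto reset
        self.ports: Dict[str, Port] = {}
        self.violations: Dict[str, str] = {}        # port -> first MAC that exceeded the limit
        self.syslog: List[str] = []                 # warnings written to the system log
        self._last_auto_reset = 0

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def age_out(self, now: int) -> None:
        """Delete entries that were not refreshed within mac-aging-interval seconds."""
        if self.aging == 0:
            return
        for port in self.ports.values():
            stale = [mac for mac, seen in port.table.items() if now - seen >= self.aging]
            for mac in stale:
                del port.table[mac]

    def reset(self, port_name: Optional[str] = None) -> None:
        """execute mac-limit-violation reset {all | interface <port_name>}."""
        for name in ([port_name] if port_name else list(self.ports)):
            self.violations.pop(name, None)          # clear the violation record
            self.ports[name].shutdown = False        # clear the shutdown state

    def _auto_reset(self, now: int) -> None:
        """mac-violation-timer: reset the log and shutdown state every N seconds."""
        if self.violation_timer and now - self._last_auto_reset >= self.violation_timer:
            self.reset()
            self._last_auto_reset = now

    def learn(self, port_name: str, mac: str, now: int) -> bool:
        """A frame with source MAC `mac` arrives on `port_name`; True if the MAC is (re)learned."""
        self.age_out(now)
        self._auto_reset(now)
        port = self.ports[port_name]
        if port.shutdown or not port.l2_learning:
            return False
        if mac in port.table:                        # known MAC: refresh its timestamp
            port.table[mac] = now
            return True
        if port.learning_limit and len(port.table) >= port.learning_limit:
            self.syslog.append(f"warning: learning limit {port.learning_limit} "
                               f"exceeded on {port_name} by {mac}")
            self.violations.setdefault(port_name, mac)  # only the first offender is recorded
            if port.action == "shutdown":
                port.shutdown = True
            return False
        port.table[mac] = now
        return True


def demo() -> dict:
    """Walk through a violation, a reset and aging with constructed MACs and times."""
    sw = Switch(mac_aging_interval=300)
    sw.add_port(Port("port1", learning_limit=2, action="shutdown"))
    sw.add_port(Port("port2", learning_limit=2))          # default action: none
    r = {}
    sw.learn("port1", "00:11:22:33:44:01", 0)
    sw.learn("port1", "00:11:22:33:44:02", 0)
    r["third_learned"] = sw.learn("port1", "00:11:22:33:44:03", 1)   # limit exceeded
    r["port1_shutdown"] = sw.ports["port1"].shutdown                  # shutdown action fired
    r["first_violator"] = sw.violations["port1"]
    sw.reset("port1")                                                 # reset interface port1
    r["after_reset"] = ("port1" in sw.violations, sw.ports["port1"].shutdown)
    sw.learn("port2", "00:11:22:33:44:aa", 0)
    sw.learn("port2", "00:11:22:33:44:bb", 0)
    r["port2_before_aging"] = sw.learn("port2", "00:11:22:33:44:cc", 100)
    sw.learn("port2", "00:11:22:33:44:dd", 101)                       # second violation
    r["port2_first"] = sw.violations["port2"]                         # still the first MAC
    r["port2_after_aging"] = sw.learn("port2", "00:11:22:33:44:cc", 301)  # aa/bb aged out
    r["port2_table"] = sorted(sw.ports["port2"].table)
    r["syslog_count"] = len(sw.syslog)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the two operational points worth remembering from this page: once a violation has been recorded for an interface, later offenders on that interface are not recorded until a reset clears it (so the stored MAC is the first one seen, not the most recent), and a port shut down by the learning-limit action stays down until an explicit reset or the expiry of mac-violation-timer, not until the offending entries age out.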
Starting in FortiSwitchOS 7.0.2, you can configure an SNMP trap so that you receive a message when the MAC learning limit is exceeded.
To configure the SNMP trap for learning-limit violations:
config switch global
set log-mac-limit-violations enable
end
config system snmp community
edit <index_number>
set events llv
next
end