Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiLink Guide

    Home FortiSwitch 7.4.1 FortiLink Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.6
    7.2.4
    7.2.1
    7.2.0

    Dynamic MAC address learning

    Dynamic MAC address learning

    You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

    This section covers the following topics:

    Limiting the number of learned MAC addresses on a FortiSwitch interface

    You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

    NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

    Use the following CLI commands to limit MAC address learning on a VLAN:

    config switch vlan

    edit <integer>

    set switch-controller-learning-limit <limit>

    end

    end

    For example:

    config switch vlan

    edit 100

    set switch-controller-learning-limit 20

    end

    end

    Use the following CLI commands to limit MAC address learning on a port:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <port_name>

    set learning-limit <limit>

    next

    end

    end

    end

    For example:

    config switch-controller managed-switch

    edit S524DF4K15000024

    config ports

    edit port3

    set learning-limit 50

    next

    end

    end

    end

    Controlling how long learned MAC addresses are saved

    You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.

    config switch-controller global

    set mac-aging-interval <10 to 1000000>

    end

    For example:

    config switch-controller global

    set mac-aging-interval 500

    end

    If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are deleted.

    config switch-controller global

    set mac-retention-period <0 to 168>

    end

    For example:

    config switch-controller global

    set mac-retention-period 36

    end

    Logging violations of the MAC address learning limit

    If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

    By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

    Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are saved:

    config switch-controller global

    set mac-violation-timer <0-1500>

    set log-mac-limit-violations {enable | disable}

    end

    For example:

    config switch-controller global

    set mac-violation-timer 1000

    set log-mac-limit-violations enable

    end

    To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

    • diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
    • diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
    • diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

    For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

    diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

    To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

    • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
    • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
    • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

    For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

    execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

    Persistent (sticky) MAC addresses

    You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.

    Use the following commands to configure the persistence of MAC addresses on an interface:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <port_name>

    set sticky-mac {enable | disable}

    next

    end

    You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:

    execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>

    execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

    Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

    execute switch-controller switch-action sticky-mac delete-unsaved all <FortiSwitch_serial_number>

    execute switch-controller switch-action sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>

    Logging changes to MAC addresses

    Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:

    config switch-controller global

    set mac-event-logging enable

    end

    Previous
    Next

    Dynamic MAC address learning

    Dynamic MAC address learning

    You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

    This section covers the following topics:

    Limiting the number of learned MAC addresses on a FortiSwitch interface

    You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

    NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

    Use the following CLI commands to limit MAC address learning on a VLAN:

    config switch vlan

    edit <integer>

    set switch-controller-learning-limit <limit>

    end

    end

    For example:

    config switch vlan

    edit 100

    set switch-controller-learning-limit 20

    end

    end

    Use the following CLI commands to limit MAC address learning on a port:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <port_name>

    set learning-limit <limit>

    next

    end

    end

    end

    For example:

    config switch-controller managed-switch

    edit S524DF4K15000024

    config ports

    edit port3

    set learning-limit 50

    next

    end

    end

    end

    Controlling how long learned MAC addresses are saved

    You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.

    config switch-controller global

    set mac-aging-interval <10 to 1000000>

    end

    For example:

    config switch-controller global

    set mac-aging-interval 500

    end

    If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are deleted.

    config switch-controller global

    set mac-retention-period <0 to 168>

    end

    For example:

    config switch-controller global

    set mac-retention-period 36

    end

    Logging violations of the MAC address learning limit

    If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

    By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

    Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are saved:

    config switch-controller global

    set mac-violation-timer <0-1500>

    set log-mac-limit-violations {enable | disable}

    end

    For example:

    config switch-controller global

    set mac-violation-timer 1000

    set log-mac-limit-violations enable

    end

    To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

    • diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
    • diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
    • diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

    For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

    diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

    To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

    • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
    • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
    • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

    For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

    execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

    Persistent (sticky) MAC addresses

    You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.

    Use the following commands to configure the persistence of MAC addresses on an interface:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <port_name>

    set sticky-mac {enable | disable}

    next

    end

    You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:

    execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>

    execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

    Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

    execute switch-controller switch-action sticky-mac delete-unsaved all <FortiSwitch_serial_number>

    execute switch-controller switch-action sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>

    Logging changes to MAC addresses

    Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:

    config switch-controller global

    set mac-event-logging enable

    end

    Previous
    Next