Fortinet white logo
Fortinet white logo

Cookbook

Checking the bridging information in transparent mode

Checking the bridging information in transparent mode

Checking the bridging information is useful when you are experiencing connectivity problems. When FortiGate is set to transparent mode, it acts like a bridge and sends all incoming traffic out on the other interfaces. Each bridge is a link between interfaces.

When traffic is flowing between the interfaces, you can see the bridges listed in the CLI. If no bridges are listed, this is the likely cause of the connectivity issue. When investigating bridging information, check for the MAC address of the interface or device in question.

How to check the bridging information

To view the list of bridge instances in the CLI:

diagnose netlink brctl list

Sample output:

#diagnose netlink brctl list

list bridge information

1. root.b fdb: size=256 used=6 num=7 depth=2 simple=no

Total 1 bridges

How to display forwarding domain information

You can use forwarding domains, or collision domains, in routing to limit where packets are forwarded on the network. Layer 2 broadcasts are limited to the same group. By default, all interfaces are in group 0. For example, if the FortiGate has 12 interfaces, only two may be in the same forwarding domain, which limits packets that are broadcast to those two interfaces. This reduces traffic on the rest of the network.

Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset. It's important to know what interfaces are part of which forwarding domains because this determines which interfaces can communicate with each other.

To manually configure forwarding domains in transparent mode in the CLI:

config system interface

edit <interface_name>

set forward-domain <integer>

end

To display the forward domains information in the CLI:

diagnose netlink brctl domain <name> <id>

Where <name> is the name of the forwarding domain to display and <id> is the domain ID.

Sample output:

diagnose netlink brctl domain ione 101

show bridge root.b ione forward domain.

id=101 dev=trunk_1 6

To list the existing bridge MAC table in the CLI:

diagnose netlink brctl name host <name>

Sample output:

show bridge control interface root.b host.

fdb: size=256, used=6, num=7, depth=2, simple=no

Bridge root.b host table

port no

device

devname

mac addr

ttl

attributes

2

7

wan2

02:09:0f:78:69:00

0

Local Static

5

6

vlan_1

02:09:0f:78:69:01

0

Local Static

3

8

dmz

02:09:0f:78:69:01

0

Local Static

4

9

internal

02:09:0f:78:69:02

0

Local Static

3

8

dmz

00:80:c8:39:87:5a

194

4

9

internal

02:09:0f:78:67:68

8

1

3

wan1

00:09:0f:78:69:fe

0

Local Static

To list the existing bridge port list in the CLI:

diagnose netlink brctl name port <name>

Sample output:

show bridge root.b data port.

trunk_1 peer_dev=0

internal peer_dev=0

dmz peer_dev=0

wan2 peer_dev=0

wan1 peer_dev=0

Checking the bridging information in transparent mode

Checking the bridging information in transparent mode

Checking the bridging information is useful when you are experiencing connectivity problems. When FortiGate is set to transparent mode, it acts like a bridge and sends all incoming traffic out on the other interfaces. Each bridge is a link between interfaces.

When traffic is flowing between the interfaces, you can see the bridges listed in the CLI. If no bridges are listed, this is the likely cause of the connectivity issue. When investigating bridging information, check for the MAC address of the interface or device in question.

How to check the bridging information

To view the list of bridge instances in the CLI:

diagnose netlink brctl list

Sample output:

#diagnose netlink brctl list

list bridge information

1. root.b fdb: size=256 used=6 num=7 depth=2 simple=no

Total 1 bridges

How to display forwarding domain information

You can use forwarding domains, or collision domains, in routing to limit where packets are forwarded on the network. Layer 2 broadcasts are limited to the same group. By default, all interfaces are in group 0. For example, if the FortiGate has 12 interfaces, only two may be in the same forwarding domain, which limits packets that are broadcast to those two interfaces. This reduces traffic on the rest of the network.

Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset. It's important to know what interfaces are part of which forwarding domains because this determines which interfaces can communicate with each other.

To manually configure forwarding domains in transparent mode in the CLI:

config system interface

edit <interface_name>

set forward-domain <integer>

end

To display the forward domains information in the CLI:

diagnose netlink brctl domain <name> <id>

Where <name> is the name of the forwarding domain to display and <id> is the domain ID.

Sample output:

diagnose netlink brctl domain ione 101

show bridge root.b ione forward domain.

id=101 dev=trunk_1 6

To list the existing bridge MAC table in the CLI:

diagnose netlink brctl name host <name>

Sample output:

show bridge control interface root.b host.

fdb: size=256, used=6, num=7, depth=2, simple=no

Bridge root.b host table

port no

device

devname

mac addr

ttl

attributes

2

7

wan2

02:09:0f:78:69:00

0

Local Static

5

6

vlan_1

02:09:0f:78:69:01

0

Local Static

3

8

dmz

02:09:0f:78:69:01

0

Local Static

4

9

internal

02:09:0f:78:69:02

0

Local Static

3

8

dmz

00:80:c8:39:87:5a

194

4

9

internal

02:09:0f:78:67:68

8

1

3

wan1

00:09:0f:78:69:fe

0

Local Static

To list the existing bridge port list in the CLI:

diagnose netlink brctl name port <name>

Sample output:

show bridge root.b data port.

trunk_1 peer_dev=0

internal peer_dev=0

dmz peer_dev=0

wan2 peer_dev=0

wan1 peer_dev=0