Handbook

MAC learning and L2 forwarding table

6.0.0
When operating in transparent mode, a FortiGate behaves like an L2 switch in accordance with 802.1d principles:

  • The forwarding database (FDB) is populated with the network devices' MAC addresses during a MAC learning process, based on the source addresses seen in the Ethernet frames ingressing a FortiGate port. Static MAC entries can also be configured using the following CLI command:

    config system mac-address-table
        edit 00:01:02:03:04:05
            set interface "port3"
        next
    end

    The FDB table can be verified with the following command:

    diagnose netlink brctl name host TP.b

  • Forwarding of Ethernet IP frames is based on the known MAC addresses on each port.
  • As Spanning Tree is not running on the FortiGate, a port that comes up goes immediately into the forwarding or flooding state. The flooding state will not occur once unicast MAC addresses are present in the FDB.

If the FortiGate in transparent mode bridges traffic to a router or host using a virtual MAC for one direction and a different physical MAC for the other direction (for example, when VRRP or HSRP protocols are used), it is highly recommended to create a static MAC entry for the virtual MAC. This is to make sure that the virtual MAC address is present in the FDB.
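
The following added example (not Fortinet code) is a simplified model of source-address MAC learning that shows why frames sent to a virtual MAC keep being flooded when the router only ever replies from its physical MAC, and how a static entry stops it. The port names, host and router MACs, and VRID 10 are constructed sample values; the VRRP virtual MAC format follows RFC 5798.

```python
class Bridge:
    """Toy L2 bridge: learns from source MACs, floods unknown unicast."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}  # MAC -> (port, "static" | "learned")

    def add_static(self, mac, port):
        # Models the effect of a 'config system mac-address-table' entry.
        self.fdb[mac.lower()] = (port, "static")

    def receive(self, in_port, src, dst):
        """Learn the source address, then return the list of egress ports."""
        src, dst = src.lower(), dst.lower()
        # Only the SOURCE address populates the FDB; static entries are kept.
        if self.fdb.get(src, (None, None))[1] != "static":
            self.fdb[src] = (in_port, "learned")
        entry = self.fdb.get(dst)
        if entry is None:
            # Unknown destination: flood to every port except the ingress one.
            return [p for p in self.ports if p != in_port]
        return [] if entry[0] == in_port else [entry[0]]


def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC (RFC 5798): 00:00:5e:00:01:{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "00:00:5e:00:01:%02x" % vrid


HOST = "02:00:00:00:00:10"         # constructed host MAC behind port1
ROUTER_PHYS = "02:00:00:00:00:fe"  # constructed router physical MAC behind port3
VMAC = vrrp_virtual_mac(10)        # constructed VRID


def run(with_static):
    """Return the egress ports chosen for three host -> virtual MAC frames."""
    br = Bridge(["port1", "port2", "port3"])
    if with_static:
        br.add_static(VMAC, "port3")
    egress = []
    for _ in range(3):
        egress.append(br.receive("port1", HOST, VMAC))  # host to gateway
        br.receive("port3", ROUTER_PHYS, HOST)          # reply from physical MAC
    return egress


if __name__ == "__main__":
    print("learned only:", run(False))
    print("with static :", run(True))
```

Without the static entry every frame to the virtual MAC leaves on both port2 and port3, because that address never appears as a source; with it, each frame leaves on port3 only.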
