Dynamic MAC address learning
You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).
You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning to the system log.
Configuring dynamic MAC address learning
Use the following CLI commands to configure dynamic MAC address learning:
config switch physical-port
edit <port>
set l2-learning {enable | disable}
set l2-sa-unknown {drop | forward}
end
config switch interface
edit <port>
set learning-limit <0-128>
end
config switch vlan
edit <VLAN_ID>
set learning {enable | disable}
set learning-limit <0-128>
end
NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.
Changing when MAC addresses are deleted
By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1,000,000 seconds. Set the value to zero to never delete learned MAC addresses.
Use the following command to change this value:
config switch global
set mac-aging-interval 200
end
Logging dynamic MAC address events
By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events are logged:
- When a dynamic MAC address is learned
- When a dynamic MAC address is moved
- When a dynamic MAC address is deleted
NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a short period of time, some events might not be logged.
To enable the logging of dynamic MAC address events:
config switch interface
edit <interface_name>
set log-mac-event enable
end
To view the log entries:
execute log display
Using the learning-limit violation log
If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.
To enable or disable the learning-limit violation log, use the following commands. By default, the learning-limit violation log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.
NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.
config switch global
set log-mac-limit-violations {enable | disable}
end
To view the content of the learning-limit violation log, use one of the following commands:
- get switch mac-limit-violations all: to see the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates that the VLAN-based learning limit was exceeded.
- get switch mac-limit-violations interface <interface_name>: to see the first MAC address that exceeded the learning limit on a specific interface.
- get switch mac-limit-violations vlan <VLAN_ID>: to see the first MAC address that exceeded the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.
To reset the learning-limit violation log, use one of the following commands:
- execute mac-limit-violation reset all: to clear all learning-limit violation logs.
- execute mac-limit-violation reset interface <interface_name>: to clear the learning-limit violation log for a specific interface.
- execute mac-limit-violation reset vlan <VLAN_ID>: to clear the learning-limit violation log for a specific VLAN.
You can also specify how often the learning-limit violation log is reset. Use the following commands:
config switch global
set log-mac-limit-violations enable
set mac-violation-timer <0-1500>
end
For example:
config switch global
set log-mac-limit-violations enable
set mac-violation-timer 60
end
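As an added illustration (not code from the FortiSwitch documentation or firmware), the following Python model of one switch's dynamic MAC table applies the rules described on this page: a learning limit of 0 means no limit, a mac-aging-interval of 0 means entries are never deleted, a port with l2-learning disabled drops or forwards an unknown source address according to l2-sa-unknown, and only the first violating address per interface is kept until the violation log is reset. Port names and MAC addresses are constructed, and how a known address seen on a non-learning port is treated is a simplifying assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Port:
    l2_learning: bool = True      # set l2-learning {enable | disable}
    sa_unknown_drop: bool = False # set l2-sa-unknown {drop | forward}
    learning_limit: int = 0       # set learning-limit <0-128>; 0 = no limit

@dataclass
class MacTable:
    aging_interval: int = 300     # set mac-aging-interval; 0 = never delete
    ports: Dict[str, Port] = field(default_factory=dict)
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # mac -> (port, last seen)
    violations: Dict[str, str] = field(default_factory=dict)          # port -> first violating mac

    def age(self, now: int) -> None:
        """Delete entries not refreshed within the aging interval (0 disables aging)."""
        if self.aging_interval:
            self.entries = {m: (p, t) for m, (p, t) in self.entries.items()
                            if now - t < self.aging_interval}

    def frame(self, port_name: str, src_mac: str, now: int) -> str:
        """Process a frame's source MAC on a port; returns what the switch did with it."""
        self.age(now)
        port = self.ports[port_name]
        known = self.entries.get(src_mac)
        if known and known[0] == port_name:
            self.entries[src_mac] = (port_name, now)
            return "refreshed"
        if not port.l2_learning:
            # Learning off: table never updated from this port; known SA forwarded (assumption)
            return "forward" if known or not port.sa_unknown_drop else "drop"
        if known:                                  # address moved between ports
            self.entries[src_mac] = (port_name, now)
            return "moved"
        learned_here = sum(1 for p, _ in self.entries.values() if p == port_name)
        if port.learning_limit and learned_here >= port.learning_limit:
            # Limit exceeded: only the first violator per interface is kept until reset
            self.violations.setdefault(port_name, src_mac)
            return "limit"
        self.entries[src_mac] = (port_name, now)
        return "learned"

    def reset_violations(self, port_name: Optional[str] = None) -> None:
        """Clear the violation log for one interface, or for all when no name is given."""
        (self.violations.clear() if port_name is None
         else self.violations.pop(port_name, None))
```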