gmonte
Staff
May 15, 2026

Technical Tip: MAC address ageing setting and behavior on FortiGate


Description

This article describes how the MAC addresses of devices connected to a FortiSwitch are shown on the FortiGate when the command diagnose switch-controller mac-cache show is run, and how the ageing settings affect that output.

Scope

FortiGate.

Solution

When the command diagnose switch-controller mac-cache show is run on FortiOS 7.4.11, all of the MAC addresses connected up to 24 hours prior will be displayed.


This is because the default aging time in this FortiOS version is 24 hours.


To avoid this behavior and have the FortiGate's MAC address database age entries in step with the mac-aging on the switch, it is enough to set mac-retention-period to 0:

config switch-controller global
    set mac-aging-interval 300
    set mac-retention-period 0
end


In the following examples, a device with MAC address 00:00:00:00:00:ff has been connected to the FortiSwitch on port10; after about 1 minute it has been unplugged and another device with MAC address 00:00:00:00:00:a6 has been plugged in to port10.


Output on FortiOS 7.4.11 and FortiSwitchOS 7.4.9 with the default value (24 hours):

Two MAC addresses are shown as connected on port1 in the FortiGate output.


FortiSwitch # diagnose switch mac-address list | grep port1
MAC: 00:00:00:00:00:a6  VLAN: 1 Port: port1(port-id 1)
FortiSwitch # diagnose switch mac-address list | grep port1
FortiSwitch # diagnose switch mac-address list | grep port1
FortiSwitch # diagnose switch mac-address list | grep port1
MAC: 00:00:00:00:00:ff  VLAN: 1 Port: port1(port-id 1)

FortiGate # diagnose switch-controller mac-cache show
managed-switch: S124EF5XXXXXXXXX vfid: 0
running-clients:
VLANID PORTID MAC LAST SEEN(secs ago) INTF-NAME
1 1 00:00:00:00:00:a6 5 port1
1 1 00:00:00:00:00:ff 112 port1


Output on FortiOS 7.4.11 and FortiSwitchOS 7.4.9 with the adjusted value (0):

Only one MAC address is shown as connected on port1 in the FortiGate output.

FortiSwitch # diagnose switch mac-address list | grep port1
MAC: 00:00:00:00:00:a6  VLAN: 1 Port: port1(port-id 1)
FortiSwitch # diagnose switch mac-address list | grep port1
FortiSwitch # diagnose switch mac-address list | grep port1
FortiSwitch # diagnose switch mac-address list | grep port1
MAC: 00:00:00:00:00:ff  VLAN: 1 Port: port1(port-id 1)

FortiGate # diagnose switch-controller mac-cache show
managed-switch: S124EF5XXXXXXXXX vfid: 0
running-clients:
VLANID PORTID MAC LAST SEEN(secs ago) INTF-NAME
1 1 00:00:00:00:00:a6 5 port1

FortiGate # diagnose switch-controller mac-cache show
managed-switch: S124EF5XXXXXXXXX vfid: 0
running-clients:
VLANID PORTID MAC LAST SEEN(secs ago) INTF-NAME
1 1 00:00:00:00:00:ff  5 port1
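When the retention period is left at its default, the mac-cache output mixes current entries with ones the switch has long since aged out, which can mislead troubleshooting or an asset inventory built from this output. The following script, an added example that is not part of the original article or of FortiOS, parses text in the format of diagnose switch-controller mac-cache show and separates entries still within the switch mac-aging-interval (300 seconds in the configuration above) from those that survive only because of the FortiGate-side retention period. The sample output, the third entry on port3 and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the `diagnose switch-controller mac-cache show`
# output format shown in the article; the port3 entry is invented for the example.
SAMPLE_OUTPUT = """\
managed-switch: S124EF5XXXXXXXXX vfid: 0
running-clients:
VLANID PORTID MAC LAST SEEN(secs ago) INTF-NAME
1 1 00:00:00:00:00:a6 5 port1
1 1 00:00:00:00:00:ff  112 port1
1 3 00:00:00:00:00:b2 7200 port3
"""

# Matches `set mac-aging-interval 300` in the article's configuration.
MAC_AGING_INTERVAL = 300


@dataclass
class CacheEntry:
    switch: str
    vlan: int
    port_id: int
    mac: str
    last_seen: int   # seconds since the FortiGate last saw this MAC
    intf: str


# One data row: VLANID PORTID MAC LAST-SEEN INTF-NAME, separated by whitespace.
ENTRY_RE = re.compile(
    r"^(?P<vlan>\d+)\s+(?P<port>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<seen>\d+)\s+(?P<intf>\S+)$",
    re.IGNORECASE,
)


def parse_mac_cache(text: str) -> List[CacheEntry]:
    """Parse mac-cache output into entries, tagging each with its managed switch."""
    entries: List[CacheEntry] = []
    switch = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("managed-switch:"):
            switch = line.split()[1]      # serial number follows the label
            continue
        m = ENTRY_RE.match(line)
        if m and switch is not None:
            entries.append(CacheEntry(
                switch, int(m["vlan"]), int(m["port"]),
                m["mac"].lower(), int(m["seen"]), m["intf"],
            ))
    return entries


def stale_entries(entries: List[CacheEntry],
                  aging_interval: int = MAC_AGING_INTERVAL) -> List[CacheEntry]:
    """Entries older than the switch ageing time: kept only by mac-retention-period."""
    return [e for e in entries if e.last_seen > aging_interval]


def live_view(entries: List[CacheEntry],
              aging_interval: int = MAC_AGING_INTERVAL) -> Dict[str, List[str]]:
    """MACs per interface that are still within the switch ageing window.

    This approximates what the FortiGate shows once mac-retention-period is 0.
    """
    view: Dict[str, List[str]] = {}
    for e in entries:
        if e.last_seen <= aging_interval:
            view.setdefault(e.intf, []).append(e.mac)
    return view


if __name__ == "__main__":
    parsed = parse_mac_cache(SAMPLE_OUTPUT)
    for e in stale_entries(parsed):
        print(f"stale: {e.mac} on {e.intf} ({e.switch}), last seen {e.last_seen}s ago")
    for intf, macs in live_view(parsed).items():
        print(f"{intf}: {', '.join(macs)}")
```

Run it against output saved from the FortiGate CLI; any interface listed with more than one live MAC, or any stale entry, is worth a second look before the output is used as evidence of what is currently plugged in.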
