FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mle2802
Staff
Article Id 357598
Description: This article describes how to troubleshoot an issue where entries are automatically added to the IP/MAC binding table.
Scope: FortiGate.
Solution: When checking the IP/MAC binding table configuration, only one entry is configured:

FGT_1 # config firewall ipmacbinding table
FGT_1 (table) # show
config firewall ipmacbinding table
    edit 1
        set ip 192.168.6.10
        set mac 00:0c:29:ba:6f:c6
        set status enable
    next
end

However, there are extra entries when listing the firewall IP/MAC address pairs:

FGT_1 # diagnose firewall ipmac list
List firewall IP/MAC address pairs:
ip=192.168.6.2 mac=00:0c:29:db:0a:bc act=01 flag=00
ip=192.168.6.10 mac=00:0c:29:ba:6f:c6 act=01 flag=00

This is the expected behavior when 'set ipmac enable' is configured on an interface that also has the DHCP server enabled: every DHCP lease handed out on that interface is added to the IP/MAC database automatically. To avoid this, 'IP Address Assignment Rules' can be used to block the DHCP request and assign an IP only to the trusted host.

'IP Address Assignment Rules' can be found under System -> Interfaces: double-click on the interface to edit and expand the advanced option under DHCP settings.

[Screenshot: ip assignment.png]

Verify the DHCP lease and the IP/MAC table again:

[Screenshot: ip verify.png]
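To audit which IP/MAC pairs were learned from DHCP leases rather than configured by hand, the following added script (not from this article or from Fortinet) parses the two CLI outputs shown above and reports pairs that are present in the active list but absent from the explicit 'config firewall ipmacbinding table'. It assumes the outputs were captured as-is from the CLI; the embedded samples are constructed from the values in this article.

```python
# Constructed sample output of 'show' inside 'config firewall ipmacbinding table'.
SAMPLE_CONFIG = """\
config firewall ipmacbinding table
    edit 1
        set ip 192.168.6.10
        set mac 00:0c:29:ba:6f:c6
        set status enable
    next
end
"""

# Constructed sample output of 'diagnose firewall ipmac list'.
SAMPLE_LIST = """\
List firewall IP/MAC address pairs:
ip=192.168.6.2 mac=00:0c:29:db:0a:bc act=01 flag=00
ip=192.168.6.10 mac=00:0c:29:ba:6f:c6 act=01 flag=00
"""

def parse_configured(show_output):
    """Return {ip: mac} for each entry in the ipmacbinding table config."""
    pairs, ip, mac = {}, None, None
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            ip, mac = None, None          # start of a new table entry
        elif line.startswith("set ip "):
            ip = line.split()[2]
        elif line.startswith("set mac "):
            mac = line.split()[2].lower()
        elif line == "next" and ip and mac:
            pairs[ip] = mac               # entry complete
    return pairs

def parse_active(list_output):
    """Return {ip: mac} for each 'ip=... mac=...' line of the kernel list."""
    pairs = {}
    for line in list_output.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "ip" in fields and "mac" in fields:
            pairs[fields["ip"]] = fields["mac"].lower()
    return pairs

def find_unconfigured(show_output, list_output):
    """Active pairs absent from the explicit config: with 'set ipmac enable' on a
    DHCP-server interface these are the leases FortiOS added automatically."""
    configured = parse_configured(show_output)
    return sorted((ip, mac) for ip, mac in parse_active(list_output).items()
                  if configured.get(ip) != mac)
```

Running find_unconfigured on the two samples reports only 192.168.6.2, the DHCP-learned pair from the article.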