FortiSwitch
magarwal
Staff
Article Id 399706
Description This article discusses MAC learning-limit violation behavior on FortiSwitch.
Scope FortiSwitch (Managed).
Solution

This article explains the behavior of MAC limit violations when the same MAC address appears on different switch ports within the same and different VLANs. 

Port 1:

config switch interface
    edit "port1"
        set description ''
        set native-vlan 111
        set learning-limit 1
        set learning-limit-action shutdown
        set sticky-mac enable
    next
end

Port 2:

config switch interface
    edit "port2"
        set description ''
        set native-vlan 111
        set learning-limit 1
        set learning-limit-action shutdown
        set sticky-mac enable
    next
end


Case 1: Violation Occurs (Same Port):

  • Connect PC1 (MAC1) to port1.
  • MAC1 is learned and becomes sticky.
  • Remove PC1.
  • Connect PC2 (MAC2) to port1 → MAC violation is triggered as expected.

S448ENTF2400xxxx # diagnose switch mac-address list | grep port1
MAC: c4:c6:e6:96:80:dd VLAN: 111 Port: port1(port-id 1)

S448ENTF2400xxxx # get switch mac-limit-violations all
      Port VLAN ID MAC Address Timestamp Action
---------------------------------------------------------------------------------------------------------
     port1* 111 a4:bb:6d:db:d2:ae 2025-06-20 11:11:40 disable

 

Note:

Since MAC-2 is the second address on port 1, a MAC violation is triggered, and MAC-2 will not be learned on port 1. This is the expected behavior.

 

Case 2: Violation Not Triggered (When MAC 1 is already learned on port 1):

If PC2 is connected to port 2, MAC2 is learned on that port. If PC1 is then connected to port 2, no new violation is visible:

S448ENTF2400xxxx # diagnose switch mac-address list | grep port2
MAC: a4:bb:6d:db:d2:ae VLAN: 111 Port: port2(port-id 2)

S448ENTF2400xxxx # get switch mac-limit-violations all
      Port VLAN ID MAC Address Timestamp Action
---------------------------------------------------------------------------------------------------------
     port1* 111 a4:bb:6d:db:d2:ae 2025-06-20 11:11:40 disable

 

Note:

Since MAC-1 is a static (sticky) MAC on port 1, port 2 will not add MAC-1 when PC1 is connected to port 2, so no violation occurs. This is expected.


Case 3: Violation Occurs (Different VLAN):

If the same steps are repeated but with the PCs in different VLANs, violations are seen as expected.

S448ENTF24000xxx # get switch mac-limit-violations all
      Port VLAN ID MAC Address Timestamp Action
---------------------------------------------------------------------------------------------------------
     port1* 111 a4:bb:6d:db:d2:ae 2025-06-20 10:59:52 disable
     port2* 1 c4:c6:e6:96:80:dd 2025-06-20 11:02:39 disable

 

Note:

The same MAC can exist in different VLANs, so the MAC count will exceed 2 and a violation will occur. This is expected.
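
The three cases above can be reproduced with a small model. This is an added example, not FortiSwitchOS code or part of the original article. It assumes the MAC table is keyed by (VLAN, MAC) and that every learned entry is sticky; the names Switch, frame and run are hypothetical.

```python
# Simplified model of the behaviour described in this article (added example).
# Assumption: entries are keyed by (VLAN, MAC) and are sticky once learned.
MAC1 = "c4:c6:e6:96:80:dd"   # PC1, taken from the article's output
MAC2 = "a4:bb:6d:db:d2:ae"   # PC2, taken from the article's output


class Switch:
    def __init__(self, native_vlans, limit=1):
        self.native = dict(native_vlans)  # port -> native-vlan
        self.limit = limit                # learning-limit per port
        self.table = {}                   # (vlan, mac) -> port owning the sticky entry
        self.down = set()                 # ports shut by learning-limit-action shutdown
        self.violations = []              # (port, vlan, mac) rows, like the CLI table

    def frame(self, port, mac):
        """Handle an untagged frame from `mac` arriving on `port`."""
        if port in self.down:
            return "port-down"
        key = (self.native[port], mac)
        owner = self.table.get(key)
        if owner == port:
            return "known"
        if owner is not None:
            # Sticky on another port in the same VLAN: not added here, so it is
            # never counted against this port's limit and no violation is logged.
            return "not-learned"
        if sum(1 for p in self.table.values() if p == port) >= self.limit:
            self.violations.append((port, *key))
            self.down.add(port)
            return "violation"
        self.table[key] = port
        return "learned"


def run(port2_vlan):
    """Replay the article's steps; port2_vlan=111 gives Cases 1-2, 1 gives Case 3."""
    sw = Switch({"port1": 111, "port2": port2_vlan})
    steps = [("port1", MAC1), ("port1", MAC2), ("port2", MAC2), ("port2", MAC1)]
    return [sw.frame(p, m) for p, m in steps], sw.violations


if __name__ == "__main__":
    for vlan in (111, 1):
        print(f"port2 native-vlan {vlan}:", *run(vlan), sep="\n  ")
```

With port2 in VLAN 111 the last step is silently not learned, so the violation table alone will not show that a sticky MAC appeared on a second port.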
