Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎04-04-2024 09:52 AM

FortiGate sees the same MAC through two ports

Hello FG admins

Could there be any kind of problem if FortiGate in NAT mode sees the same MAC addresses through two independent interfaces?

This is not common at all but can happen when you have for some reason one host with one NIC connected to a L2 switch connected to 2 different interfaces on FG.

AEK
AEK
Labels:
1446
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to AEK

Created on ‎04-05-2024 01:34 PM

If those two ports are independent, they can not have the same subnet. If the IP of the device/MAC matches on p1 side, the p2 side would ignore L2 frames with the MAC arrived at the port. Because it's bound to p1 on the ARP table.

 

Toshi

View solution in original post

1303
11 REPLIES 11
adambomb1219
SuperUser
SuperUser

Created on ‎04-04-2024 11:10 AM

Not with a properly designed access network.  Layer2 technologies such as spanning-tree should prevent this. 

1203
AEK
SuperUser
SuperUser
In response to adambomb1219

Created on ‎04-04-2024 12:17 PM

Thanks for your feedback Adam.

Actually as explained above there is one single switch and firewall is in NAT mode so there is not STP concern.

So with omitting the fact that it is a good or bad design, the question is: could there be any kind of problem from FortiGate side it it sees the same MAC through two distinct and independent interfaces?

AEK
AEK
1189
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AEK

Created on ‎04-04-2024 02:53 PM Edited on ‎04-04-2024 03:05 PM

Probably before anything happens at the FGT, one of L2 switchs inbetween would detect that and start spewing error messages like below:

Apr 26 12:27:55 <> %SW_MATM-4-MACFLAP_NOTIF: Host mac address in vlan X is flapping between port PoX and port Po

Then one of ports might end up with a port shutdown.

The FGT would be just filling up log when traffic happens from/to that MAC address. Just my guess though.

 

Toshi

1168
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎04-05-2024 01:03 PM

But the host is connected to only one port, so the switch will see the MAC address only once from portX only. It is the FG that will see the MAC address from 2 ports (suppose the switch is unmanageable), simply like shown on the below schema.

So the question is still: could there be any kind of problem from FortiGate side it it sees the same MAC through two distinct and independent interfaces?

 

diag1.png

 

AEK
AEK
1109
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AEK

Created on ‎04-05-2024 01:16 PM

If those two ports from the FGT connect to the same switch, the spanning-tree protocol would shut down one of them on the switch side. Otherwise an L2 loop is formed if they are on the same broadcast domain.

 

Toshi

1102
0 Kudos
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎04-05-2024 01:21 PM

Even if the two FG ports don't form a HW/SW switch? If so then I think I really need to review my old basic network knowledge.

AEK
AEK
1100
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AEK

Created on ‎04-05-2024 01:34 PM

If those two ports are independent, they can not have the same subnet. If the IP of the device/MAC matches on p1 side, the p2 side would ignore L2 frames with the MAC arrived at the port. Because it's bound to p1 on the ARP table.

 

Toshi

1304
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎04-05-2024 01:58 PM

I confirm they don't have the same subnet.

Thanks for the info, it reassures me.

AEK
AEK
1091
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AEK

Created on ‎04-05-2024 02:07 PM

Also, the switch side wouldn't send to the frames to port2 as long as the IP/FGT's MAC belong to port1.

 

Toshi

1063
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.