Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
District_IT
New Contributor

FortiNAC and FortiFone

We are currently in the process of testing / deploying wired enforcement at our organization.  One issue we are running into is receiving MAC Traps from FortiFones when a device is plugged into the passthrough port of the phone.

 

MAC-Trap notifications have been configured on all switch ports throughout our deployment. The parameters of those MAC-Traps are set to send notifications directly to the FortiNAC servers when a MAC address changes on a switch port (device is plugged in / unplugged). This functionality works as intended when plugging and unplugging directly from the switch port. This is to notify the FortiNAC of the device change on the port so that the FortiNAC can reset the port to a default configured VLAN and/or evaluate the new device against network policy.

This functionality works fine when a device is first plugged into the phones passthrough port - the FortiNAC recognizes that the MAC address on the switch port changes and evaluates the host behind the phone and makes the necessary port changes bases on device type (rogue - registration, registered device - proper VLAN, etc). The problem exists when that device is removed from the passthrough port on the phone. The MAC Address table on the switch does not update - when viewing the table even after the device is removed, the switch CLI is still reporting that there are TWO devices on the port where the phone is plugged in - the FortiFone and the passthrough device.

 

We are running ArubaOS switches, but as far as I can tell, this is an issue with the phone not sending a trap when the device disconnects.  Thoughts?  Thanks in advance.

1 REPLY 1
gfleming
Staff
Staff

This is expected behviour. The issue is the switchport does not go down when the device behind the phone is unplugged. Therefore you are waiting for the MAC address to age out of the switch's table. This is outlined in the Congiuring MAC Traps documentation: https://docs.fortinet.com/document/fortinac/9.4.0/configuring-traps-for-mac-notification

 

Are there issues with having the devices in the database even after they are physically disconnected?

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors