Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
laf
New Contributor II

show mac address table on Fortigate

Hi guys,

 

I have configured a virtual-switch aka hardware-switch and binded 4 interfaces that belong to a VDOM.

 

config system interface edit "SW_Firewall" set vdom "Firewall" set ip 8x.4y.8z.254 255.255.255.0 set allowaccess ping https ssh set type hard-switch set snmp-index 18 set secondary-IP enable config secondaryip edit 1 set ip 10.22.33.1 255.255.255.0 set allowaccess ping next end next end

 

How can I find out learnt MAC addresses aka "show mac address table" on each physical interface?

 

Thanks!

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
7 REPLIES 7
neonbit
Valued Contributor

The command is 'get sys arp'. It will show you all learnt arps on the FortiGate with the interface that learnt them.

 

If you'd like to quickly filter the results by portX then you can pipe a grep after the command (ie: get sys arp | grep portX)

laf
New Contributor II

A hardware/virtual switch doesn't care about any ARP entries. I want to know the L2 mac addresses that were/are learnt per switch port.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
saneeshpv_FTNT

Hi,

 

Hardware Switch will give you an option to bind multiple Hardware Interfaces to form a Single Logical Interface. This Logical Interface is a Layer 3 interface with an IP assigned to it. It doesn't have a CAM/MAC table. You can view the ARP table to see the MAC address of the devices connected to these individual interfaces which are part of the Hardware Switch using command # get system arp.

 

Hope this will answer your question.

 

Regards,

San

DerekWSmall

Lets say hypothetically that you create a software or hardware switch on the Fortigate.  Then it DEFINITELY HAS a mac address table.  If you don't understand the difference between a MAC table and an ARP table, then you probably aren't going to be able to help.  Why is it so hard to basic information like this out of a FortiGate?  Is it a "get...." command, is it a "show...." command, is it a "diag....." command.  THEY ALL DO THE SAME THING!  Quit making it harder than it needs to be.  Showing the MAC table doesn't need to be any harder than "show system mac"  or "show switch mac".....

Derek Small
Derek Small
DPS_IT

FR...... Give me the mac address table!

ahwang
Staff
Staff

In TP mode, we can check L2 forwarding table on FGT. 

The forwarding database (FDB) is populated with the network devices MAC addresses during a MAC learning process, based on the source addresses seen in the Ethernet frames ingressing a FortiGate port.


FGT # diagnose netlink brctl list  -> List Bridge information
list bridge information
1. root.b fdb: size=256 used=6 num=7 depth=2 simple=no
2. mgmt.b fdb: size=256 used=5 num=4 depth=2 simple=no
Total 2 bridges
Here above we can see two bridge instances for 2 VDOMs in Transparent mode: root and mgmt.

 

This command will dump the L2 forwarding table for each VDOM bridge instance:
diagnose netlink brctl name host <VDOM_name>.b

 

Example for the root VDOM:
FGT# diag netlink brctl name host root.b

show bridge control interface root.b host.
fdb: size=256, used=6, num=7, depth=2, simple=no
Bridge root.b host table
port no device devname mac addr ttl atributes
2 7 wan2 02:09:0f:78:69:00 0 Local Static
5 6 trunk_1 02:09:0f:78:69:01 0 Local Static
3 8 dmz 02:09:0f:78:69:01 0 Local Static
4 9 internal 02:09:0f:78:69:02 0 Local Static
3 8 dmz 00:80:c8:39:87:5a 194
4 9 internal 02:09:0f:78:67:68 8
1 3 wan1 00:09:0f:78:69:fe 0 Local Static

delgrundy
New Contributor

While the above may work for some, I couldn't get any useful information from it on an 8-port Fortiswitch. The bigger issue for me is that this seems to be treated like a fringe topic rather than a mainstream thing. Checking the mac table in a Cisco switch is a routine thing to do when you have a cause where a connected device that should be pulling dhcp will not. 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors