FortiGate sees the same MAC through two ports

AEK · ‎04-04-2024

Hello FG admins

Could there be any kind of problem if FortiGate in NAT mode sees the same MAC addresses through two independent interfaces?

This is not common at all but can happen when you have for some reason one host with one NIC connected to a L2 switch connected to 2 different interfaces on FG.

AEK

Toshi_Esumi · ‎04-05-2024

If those two ports are independent, they can not have the same subnet. If the IP of the device/MAC matches on p1 side, the p2 side would ignore L2 frames with the MAC arrived at the port. Because it's bound to p1 on the ARP table.

Toshi

View solution in original post

adambomb1219 · ‎04-04-2024

Not with a properly designed access network. Layer2 technologies such as spanning-tree should prevent this.

AEK · ‎04-04-2024

Thanks for your feedback Adam.

Actually as explained above there is one single switch and firewall is in NAT mode so there is not STP concern.

So with omitting the fact that it is a good or bad design, the question is: could there be any kind of problem from FortiGate side it it sees the same MAC through two distinct and independent interfaces?

AEK

Toshi_Esumi · ‎04-04-2024

Probably before anything happens at the FGT, one of L2 switchs inbetween would detect that and start spewing error messages like below:

Apr 26 12:27:55 <> %SW_MATM-4-MACFLAP_NOTIF: Host mac address in vlan X is flapping between port PoX and port Po

Then one of ports might end up with a port shutdown.

The FGT would be just filling up log when traffic happens from/to that MAC address. Just my guess though.

Toshi

AEK · ‎04-05-2024

But the host is connected to only one port, so the switch will see the MAC address only once from portX only. It is the FG that will see the MAC address from 2 ports (suppose the switch is unmanageable), simply like shown on the below schema.

So the question is still: could there be any kind of problem from FortiGate side it it sees the same MAC through two distinct and independent interfaces?

AEK

Toshi_Esumi · ‎04-05-2024

If those two ports from the FGT connect to the same switch, the spanning-tree protocol would shut down one of them on the switch side. Otherwise an L2 loop is formed if they are on the same broadcast domain.

Toshi

AEK · ‎04-05-2024

Even if the two FG ports don't form a HW/SW switch? If so then I think I really need to review my old basic network knowledge.

AEK

Toshi_Esumi · ‎04-05-2024

If those two ports are independent, they can not have the same subnet. If the IP of the device/MAC matches on p1 side, the p2 side would ignore L2 frames with the MAC arrived at the port. Because it's bound to p1 on the ARP table.

Toshi

AEK · ‎04-05-2024

I confirm they don't have the same subnet.

Thanks for the info, it reassures me.

AEK

Toshi_Esumi · ‎04-05-2024

Also, the switch side wouldn't send to the frames to port2 as long as the IP/FGT's MAC belong to port1.

Toshi