How to find Ethernet loops (storm) source

Hi all! Last night we had some broadcast storm at the office network, which was caused by the loop or broadcast storm. Loopdetect is configured on almost any switch and two of them were blocked many times through the night, but I can’t find the source of that loop. I think it was done by connecting one cable into two ports that are connected to the different switches maybe. Also, it may be some laptop or PC with broken Ethernet flooding the network with wrong packets. Maybe someone can help me to understand how to use LibreNMS and the data collected to find the port(s) that caused this loop. Thanks!

Not sure how to do that with an NMS. But you really should have STP configured on your network switches.

It’s true, but sometimes even STP can’t help to block loops. And now I have the data, but can’t figure out how to find who did that loop to prevent it next time.

Try configuring syslog on LibreNMS and your switches.

An NMS is really not the tool to troubleshoot a storm. You may get an idea of the source of it by looking at the graphs of interfaces (if a loop was made, you will likely have a lot of traffic on an interface that should not have much … ). Any high traffic on a port that is not supposed to connect 2 switches will be suspect.
But that’s probably the maximum you’ll get…
Speaking about STP, when correctly configured, it will protect you from that kind of issue. That’s the whole concept of STP :slight_smile: If you can still have a loop, then your STP is probably not configured correctly, or your topology is probably not optimal (like links between switches not carrying all VLANs …).

Maybe enabling storm control on the access ports and then listening for the traps when they get tripped?

Send syslog to LibreNMS for detection/alerts, and make alerts based on the syslog message.
Prevention, even mitigation, is done by configuring STP and bpdu-protection / loop-protection.
We run many looped networks, looped by design, for redundancy and because, in some cases, I have not-so-modern equipment where I would have other options.

That’s exactly where an NMS will help: easiness of finding the non-unicast traffic. STP by itself will not help you… bpdu-protection and loop-guard with action, yes.

Does the STP log not tell you what port is triggering? If you know the port, you can track down the device based on the MAC address.
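
An added example, not written by any poster in this thread: a sketch of the graph-based approach discussed above, which ranks access ports by inbound non-unicast packet rate computed from two polls of the IF-MIB counters ifHCInBroadcastPkts and ifHCInMulticastPkts. The switch and port names, uplink flags, counter values, poll interval and the 1000 pps threshold are all constructed assumptions.

```python
# Constructed sample data: two polls of IF-MIB Counter64 values per port.
# Names, uplink flags, interval and threshold are assumptions for illustration.
POLL_INTERVAL_S = 300
COUNTER64_MAX = 2**64

SAMPLES = [
    # (switch, port, is_uplink, (bcast_t0, mcast_t0), (bcast_t1, mcast_t1))
    ("sw-floor1", "Gi0/1", True, (1_000_000, 500_000), (46_000_000, 800_000)),
    ("sw-floor1", "Gi0/7", False, (20_000, 5_000), (44_720_000, 305_000)),
    ("sw-floor1", "Gi0/12", False, (10_000, 2_000), (13_000, 2_600)),
    # Counter wrapped between the two polls on this port.
    ("sw-floor2", "Gi0/3", False, (2**64 - 1_000_000, 0), (29_000_000, 0)),
]


def delta(old, new):
    """Counter64 difference between two polls, tolerating a single wrap."""
    return new - old if new >= old else COUNTER64_MAX - old + new


def non_unicast_pps(t0, t1, interval=POLL_INTERVAL_S):
    """Inbound broadcast + multicast packets per second over the interval."""
    return (delta(t0[0], t1[0]) + delta(t0[1], t1[1])) / interval


def suspect_ports(samples, threshold_pps=1000.0):
    """Access (non-uplink) ports above the threshold, highest rate first.

    Uplinks are skipped because they legitimately carry the flood from
    every switch behind them; the access port is where it enters.
    """
    hits = []
    for switch, port, is_uplink, t0, t1 in samples:
        pps = non_unicast_pps(t0, t1)
        if not is_uplink and pps > threshold_pps:
            hits.append((switch, port, round(pps, 1)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for switch, port, pps in suspect_ports(SAMPLES):
        print(f"{switch} {port}: {pps} non-unicast pps inbound")
```

The MAC address table on a flagged port then identifies the attached device, as the last reply suggests.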