Cisco Meraki Documentation

How to Detect Loops and MAC Flaps on Meraki MS Switches


Overview

This article explains how loop detection and MAC flap detection features work and how you can use them for monitoring and troubleshooting purposes. 

Redundancy reduces downtime when a link or network device fails, but it can also lead to complex network designs. This makes maintaining a network harder as it grows to accommodate more users and applications. 

One challenge with redundancy is that it can introduce loops, which can cause a broadcast storm. Enabling STP protects against Layer 2 loops, and most of the time it works well. However, if BPDU loss occurs, a Layer 2 loop becomes inevitable. BPDU loss can happen due to: 

  • Duplex mismatch 

  • Packet corruption: a high rate of packet corruption may cause BPDU loss 

  • Resource error: high CPU utilization may cause inadequate BPDU transmission 

  • Shorted wire and STP misconfiguration 

To detect these issues, loop and MAC flap detection is available on Meraki switches.

Prerequisites

  • Loop detection and MAC flap detection are available on MS12.8 and higher for supported models. 

  • Supported models: MS130 / MS120 / MS210 / 225 / 250 / 350 / 355 / 390 / 410 / 420 / 425 / 450

  • MAC flap detection is supported on MS390 switches starting with MS15.14+

Step-by-step instructions

Loop detection and MAC flap detection are enabled by default on Meraki switches, so no configuration is required to turn them on. Use the steps below to understand how each feature operates and how to confirm its status. 

How loop detection works

  1. Loop detection is enabled by default on Meraki switches. It sends loop-detection control packets and monitors for those packets to detect loops, then generates an event log/SNMP trap on the Meraki dashboard. 

  2. All switches in the topology periodically generate broadcast probe packets, which are sent out on every active logical port. This period defaults to 10 seconds. 

  3. These probe packets are uniquely identified by a broadcast address (ff:ff:ff:ff:ff:ff), the Cisco SNAP Organization Code (00:00:0c), and the SNAP PID 0x013c, as shown in the 60-second packet capture below:
     Broadcast probe packets - packet capture

  4. If a switch receives this packet and sees its own MAC address, it reports a loop to the dashboard and generates an event log.
     Event log - "loop detected" event type

An event log is generated right away the first time a loop is detected. After that, logs are generated every 30 seconds to avoid populating event logs with the same information.

How MAC flap detection works 

  1. MAC flap detection monitors the MAC forwarding table. If a MAC address is learned 3 times or more on 2 or more different ports within 10 seconds, MAC flap detection reports it to the dashboard.
  2. In the example shown in the image below, a MAC flap event can occur when a client appears on port 31, then port 32, then back to port 31. This indicates either a loop in the topology or a misbehaving wireless client roaming back and forth between access points. 

    Event log - "MAC address flapping" event type
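The flap rule described above (3 or more learns on 2 or more ports within 10 seconds) can be applied offline to MAC learn events collected from any source. The following is an added example, not Meraki's implementation: the `(timestamp, mac, port)` event shape, the inclusive window boundary, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # article: "within 10 seconds"
MIN_LEARNS = 3        # article: "learned 3 times or more"
MIN_PORTS = 2         # article: "on 2 or more different ports"

def detect_mac_flaps(learn_events):
    """Return a list of (timestamp, mac, sorted_ports), one per detected flap.

    learn_events: iterable of (timestamp_seconds, mac, port), one entry for
    each time the forwarding table learns the MAC on a port (assumed shape).
    """
    recent = defaultdict(deque)          # mac -> deque of (timestamp, port)
    flaps = []
    for ts, mac, port in sorted(learn_events, key=lambda e: e[0]):
        mac = mac.lower()                # normalise so case does not split a MAC
        window = recent[mac]
        window.append((ts, port))
        # Drop learns older than the 10-second window (boundary kept inclusive).
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        ports = {p for _, p in window}
        if len(window) >= MIN_LEARNS and len(ports) >= MIN_PORTS:
            flaps.append((ts, mac, sorted(ports)))
            window.clear()               # one report per burst, not per learn
    return flaps

# Constructed sample events: (seconds, MAC, switch port).
SAMPLE_EVENTS = [
    # Client bouncing 31 -> 32 -> 31 inside 10 s: matches the article's example.
    (0.0, "AA:BB:CC:00:00:01", 31),
    (2.5, "aa:bb:cc:00:00:01", 32),
    (4.0, "aa:bb:cc:00:00:01", 31),
    # Slow roaming between two ports: never 3 learns inside one window.
    (0.0, "aa:bb:cc:00:00:02", 5),
    (12.0, "aa:bb:cc:00:00:02", 6),
    (25.0, "aa:bb:cc:00:00:02", 5),
    # Repeated learns on a single port: enough learns, but only one port.
    (1.0, "aa:bb:cc:00:00:03", 7),
    (2.0, "aa:bb:cc:00:00:03", 7),
    (3.0, "aa:bb:cc:00:00:03", 7),
]

if __name__ == "__main__":
    for ts, mac, ports in detect_mac_flaps(SAMPLE_EVENTS):
        print(f"t={ts:>5.1f}s  MAC flap  {mac}  ports={ports}")
```

Only the first MAC is reported; the slow roamer and the single-port relearns stay below the thresholds, which is why a flap event alone does not distinguish a loop from fast roaming.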

Troubleshooting

  • Loop detection does not log ports blocked by STP. 

  • These features are for detection purposes only. They do not protect the network from broadcast storms. 

  • Event log reporting depends on the available CPU cycles of the switch. If the broadcast storm is severe, event logs will not be reported to the dashboard until more CPU cycles become available. 

  • If access points are in bridge mode, a MAC flap event log may appear when a wireless client roams between access points faster than the switch MAC address table expiration.