Network loops and loop avoidance
Priyanka Shyam
CCDE (Written) | CWNA | Cisco SCOR | CISCO SD-WAN | Technical Writer | Influencer | Multitasker | Considerate | Empathic | Excellent Communicator | Helpful
Do you know what a network loop is? Have you ever had a network loop in your LAN? So what happens when there is a loop in your network?
First, let’s look at what a network loop means.
A network loop occurs when a network has more than one active path carrying information from the same source to the same destination. The information loops and amplifies itself using the additional path instead of stopping when it reaches its destination. Network loops might cause a slow, irregular Internet connection or network failure.
OR
A network loop is a network configuration where there is more than one path between two computers or devices, which causes packets to be constantly repeated. This is because a hub blindly retransmits everything it receives to all of its other connections; other devices, such as switches and routers, may be able to reduce or eliminate this problem.
When working with medium to large scale networks, IT departments often have to deal with network loops and broadcast storms caused by user error, faulty network devices or incorrect configuration of network equipment. Network loops and broadcast storms are capable of causing major network disruptions and therefore must be dealt with very quickly.
There are two kinds of network loops: routing loops and physical loops.
A routing loop is a situation where a packet keeps getting routed between two or more routers because of problems in the routing table. In the case of distance vector protocols, the fact that these protocols route by rumor and have a slow convergence time can cause routing loops. A routing loop is a common problem with various types of networks, particularly computer networks. They are formed when an error occurs in the operation of the routing algorithm, and as a result, within a group of nodes, the path to a particular destination forms a loop.
A physical loop is caused by a looped link between devices. A common example is two switches with two active Ethernet links between them. Broadcast packets exiting the links on one switch are replicated and sent back from the other switch. This is also known as a broadcast storm. A switching loop or bridge loop occurs in computer networks when there is more than one Layer 2 (OSI model) path between two endpoints (e.g. multiple connections between two network switches, or two ports on the same switch connected to each other).
Both types of loop are capable of causing major network outages, wasting valuable bandwidth and disrupting network communications.
In this article we will discuss switching loop/L2 loop in depth.
In practical Local Area Networking, it is common for switches to be interconnected for redundancy (we can see the same in the diagram above, where the switches are interconnected for redundancy). When switches are interconnected, the network will not fail completely even if one of the connected links fails.
When switches are interconnected for redundancy as shown in the diagram above, another serious network problem can occur, which is known as a Layer 2 switching loop.
Layer 2 traffic can be classified as unicast (one to one), multicast (one to many) and broadcast (one to all). Unicast, multicast and broadcast are different types of network communication and all are required for the normal operation of the network. The MAC addresses used for broadcast and multicast are given below.
- Broadcast destination MAC address: FF:FF:FF:FF:FF:FF
- Multicast destination MAC address (IPv4 multicast): 01:00:5E:00:00:00 to 01:00:5E:7F:FF:FF
For a broadcast or multicast, the switch needs to forward the Ethernet frame out all of its ports except the one it arrived on.
For an unknown destination MAC address the switch also forwards the frame out all ports except the source port (known as flooding), to make sure that the Ethernet frame reaches its destination.
In the figure above, the loop creates a broadcast storm: because broadcasts and multicasts are forwarded by switches out every port, the switch or switches repeatedly rebroadcast the same message and flood the network. Since the Layer 2 header has no time to live (TTL) field, a frame sent into a looped topology can loop forever.
The server in the figure sends a unicast frame to Router C. Since it is a unicast frame, Switch A forwards it, and Switch B provides the same service and forwards it too. This is bad because Router C receives that unicast frame twice, causing additional overhead on the network. A further problem: the MAC address filter table becomes confused about the device’s location, because the switch can receive the frame from more than one link.
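As an added illustration (not code from the original article), the following small simulation models the two-switch, two-link situation described above: a learning switch floods broadcasts out every other port, and because Layer 2 has no TTL the frame keeps circulating until a frame cap stops the simulation, while the MAC table flips between ports. Switch names, port numbers and the host MAC are constructed.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Minimal learning switch: learns source MAC -> ingress port, floods broadcasts
    and unknown destinations out every other port. Nothing at Layer 2 ages the frame."""
    def __init__(self, name, ports):
        self.name, self.ports, self.mac_table, self.flaps = name, ports, {}, 0

    def receive(self, in_port, src, dst):
        """Learn src on in_port and return the egress ports for this frame."""
        if src in self.mac_table and self.mac_table[src] != in_port:
            self.flaps += 1          # same MAC now seen on another port: "MAC flapping"
        self.mac_table[src] = in_port
        if dst != BROADCAST and dst in self.mac_table:
            return [self.mac_table[dst]]
        return [p for p in self.ports if p != in_port]   # flood

def run(links, max_frames=1000):
    """Inject one broadcast from the host on SW_A port 3 and count the frame copies
    the switches process before the queue drains or max_frames is reached."""
    switches = {"SW_A": Switch("SW_A", [1, 2, 3]), "SW_B": Switch("SW_B", [1, 2, 3])}
    queue, copies = deque([("SW_A", 3)]), 0
    while queue and copies < max_frames:
        name, in_port = queue.popleft()
        copies += 1
        for out_port in switches[name].receive(in_port, "00:00:00:00:00:01", BROADCAST):
            if (name, out_port) in links:            # port 3 on each switch is a host port
                queue.append(links[(name, out_port)])
    return copies, sum(sw.flaps for sw in switches.values())

# Constructed topology: SW_A and SW_B joined by two parallel links (ports 1 and 2).
LOOPED = {("SW_A", 1): ("SW_B", 1), ("SW_B", 1): ("SW_A", 1),
          ("SW_A", 2): ("SW_B", 2), ("SW_B", 2): ("SW_A", 2)}
# The same topology after one of the two links has been blocked (what STP would do).
BLOCKED = {("SW_A", 1): ("SW_B", 1), ("SW_B", 1): ("SW_A", 1)}

if __name__ == "__main__":
    print("looped :", run(LOOPED))    # hits the 1000-frame cap, MAC table keeps flapping
    print("blocked:", run(BLOCKED))   # (2, 0): one copy per switch, no flapping
```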
Some common network loop examples are illustrated below, including resolutions.
Network switch connected to itself with an Ethernet cable
Problem: Both ends of an Ethernet cable are plugged into the same network switch.
Solution: Unplug the Ethernet cable.
Router connected to itself with an Ethernet cable
Problem: Both ends of an Ethernet cable are plugged into the same router.
Solution: Unplug the Ethernet cable.
Wireless device connected to a range extender using both WiFi and Ethernet
Problem: A wireless device is connected to a wireless extender using an Ethernet cable, but the device’s WiFi is not turned off. The wireless device could be an IP camera, a computer, a printer, a smart home hub, or any other device that supports both wired and wireless connections.
Solution: Disconnect the Ethernet cable from your device or turn off your device’s WiFi.
What Is the Effect of a Switching Loop on Network Performance?
When there is a switching loop on your network, the destination will be unreachable until the loop disappears, because to reach the next network hop you have to pass through the previous one.
This can take several minutes depending on the routing protocol that is used (e.g., OSPF, RIPv2).
Switching loops also generate broadcast storms: since broadcast packets are forwarded to every port on the switch, the switch repeatedly rebroadcasts the broadcast messages and floods the network. When a network loop overwhelms the network with broadcast traffic and degrades performance, it is called a “broadcast storm”. When a broadcast arrives, the switch does not know that it has already seen it, so it forwards it out all other ports. This repeats thousands of times per second, producing a huge volume of traffic from a single broadcast Ethernet frame.
When this happens on your network, everyone loses the ability to communicate, and the activity lights on your switches will be solid (on) rather than blinking (on and off). If you break the loop, your network will return to normal in a few minutes. Switches use Spanning Tree Protocol (STP) to identify and remove network loops and prevent broadcast storms.
All recent network devices provide loop detection and remove loops automatically to avoid creating issues on your network. However, that does not mean your users are not impacted; it just means the impact is not visible to you.
LOOP AVOIDANCE
Redundant links between switches are a good idea because they help prevent a complete network failure if one link stops working. However, they often cause more problems, because frames can be flooded down all redundant links simultaneously, which creates network loops.
A looped topology is often desired to provide redundancy, but looped traffic is undesirable. The Spanning-Tree protocol was originally designed for bridges. Today, it is also applied to LAN switches and routers operating as a bridge. Spanning-Tree protocol ensures that all bridged segments are reachable but any points where loops occur will be blocked.
Redundancy in a network is extremely important because redundancy allows networks to be fault tolerant. Redundant topologies based on switches and bridges are subject to broadcast storms, multiple frame transmissions, and MAC address database instability. Therefore, network redundancy requires careful planning and monitoring to function properly. The Spanning-Tree Protocol is used in switched networks to create a loop free network.
Some of the terms used in Spanning-Tree Protocol (we will discuss Spanning Tree Protocol in more depth in the next article):
- BPDU (Bridge Protocol Data Unit): the messages all switches exchange to carry the information used in selecting the root switch.
- Bridge ID: how STP keeps track of all the switches in the network. It is determined by a combination of the bridge priority (32,768 by default on all Cisco switches) and the base MAC address.
- Root bridge: the bridge with the lowest bridge ID becomes the root bridge in the network.
- Nonroot bridge: all bridges that are not the root bridge.
- Root port: the port on the link directly connected to the root bridge, or on the shortest path to the root bridge. If more than one link leads to the root bridge, the port cost is determined by checking the bandwidth of each link.
- Designated port: the port that has been determined to have the best (lowest) cost. A designated port is marked as a forwarding port.
- Nondesignated port: a port with a higher cost than the designated port. Nondesignated ports are put in blocking mode.
- Forwarding port: a port that forwards frames.
- Blocked port: a port that will not forward frames, in order to prevent loops.
Method for detecting loops
Assume you have a topology like:
For some reason there is a bridging loop: STP is disabled, or someone applied a filter in the wrong place, or something similar.
PC A wants to communicate with PC B. It first ARPs for the MAC of PC B; the destination is a broadcast with MAC ffff.ffff.ffff. So the frame goes to both SW1 and SW3, with the source MAC of PC A. SW1 then floods the frame towards SW3, and SW3 floods the frame coming from SW2 to SW1.
SW1 and SW3 learned the MAC of PC A when the first frame came in. When the second copy comes in from the opposite direction they have to relearn it. Because these events occur so fast and so repeatedly, you will see log messages complaining about MAC flapping, something like "MAC FLAP 0000.0000.0001 is flapping between Gi0/24 and Gi0/23". This is a good sign that you have a loop.
What you can do then is try to trace this MAC. Look in the ARP cache of a device in the same subnet to see what IP address this device has. With the MAC you can trace it with sh mac-address-table, or with the IP, if you have a list of all IPs and where they are connected.
If the host gets an IP address from a DHCP server, you can also look there to find where the host is coming from. If you have DHCP option 82 (relay agent information) enabled, that is a great help.
Other signs are that the CLI will be very sluggish and CPU load will be very high. Switches do almost everything in ASICs, so if a switch has a CPU load over 50% it is probably not good. You should implement SNMP monitoring and watch for high CPU load. Also look for the MAC flap messages. If the switches have a loop, the LEDs will probably be blinking like crazy.
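An added example, not part of the original article: a parser for MAC-flap syslog notices like the one quoted above, which separates a single host re-plugged between two ports from a loop that makes many different MACs flap between the same pair of ports. The log lines are constructed and modelled on a Cisco-style notice; the message format and the two-MAC threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not a real capture), modelled on the notice quoted above.
SAMPLE_LOG = """\
Jan 10 09:12:01 SW1 %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0001 in vlan 10 is flapping between port Gi0/24 and port Gi0/23
Jan 10 09:12:01 SW1 %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0001 in vlan 10 is flapping between port Gi0/23 and port Gi0/24
Jan 10 09:12:02 SW1 %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0002 in vlan 10 is flapping between port Gi0/24 and port Gi0/23
Jan 10 09:12:02 SW1 %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0001 in vlan 10 is flapping between port Gi0/24 and port Gi0/23
Jan 10 09:12:03 SW1 %LINK-3-UPDOWN: Interface Gi0/5, changed state to down
Jan 10 09:12:03 SW1 %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0003 in vlan 20 is flapping between port Gi0/7 and port Gi0/8
"""

FLAP_RE = re.compile(
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

def parse_flaps(log_text):
    """Return one (vlan, port_pair, mac) tuple per MAC-flap notice.
    The two ports are sorted so that 'Gi0/24 and Gi0/23' equals 'Gi0/23 and Gi0/24'."""
    events = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))
            events.append((int(m["vlan"]), pair, m["mac"]))
    return events

def suspected_loops(log_text, min_macs=2):
    """Group notices by (vlan, port pair). One host moving between ports (a laptop
    re-plugged) flaps alone; a loop drags many MACs back and forth between the same
    two ports, so only pairs with at least min_macs distinct MACs are reported."""
    macs_per_pair = defaultdict(set)
    for vlan, pair, mac in parse_flaps(log_text):
        macs_per_pair[(vlan, pair)].add(mac)
    return {key: sorted(macs) for key, macs in macs_per_pair.items() if len(macs) >= min_macs}

if __name__ == "__main__":
    for (vlan, (a, b)), macs in suspected_loops(SAMPLE_LOG).items():
        print(f"VLAN {vlan}: {len(macs)} MACs flapping between {a} and {b} -> suspected loop")
```

The single MAC flapping in VLAN 20 is deliberately left out of the result, since one host changing ports is not evidence of a loop.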
Things you could do to protect against loops:
- Enable STP
- SNMP monitoring of CPU load
- Enable SNMP traps for certain events like STP topology changes
- Enable storm control on the ports to limit broadcast
- Don't span your VLANs too much in your L2 topology
- Enable port security and limit number of MAC addresses per port
- Enable DHCP option 82 if you run DHCP
Physically, you can look at the switch LEDs; they will typically be flashing at the same time. On the CLI you will likely see higher than normal CPU utilization.
The same MAC addresses showing up on different switch ports is also an indicator. More than one MAC address per access port is another clue.
A packet sniffer such as Wireshark can also help you identify the loop. Look for duplicate packets: in the case of a routing loop they carry the same IP identification field, with a TTL that decreases on each pass.
For a physical/L2 loop the method of analysis is almost identical, but the TTL values of all the looped packets remain the same instead of decreasing as discussed above. Because the packet is trapped in the local network it never traverses a router, so the TTL does not change. Instead, check for the same source MAC address on all the copies, sending the same request again and again.
Look in several places around the network. If possible, get a 10/100 Mbps hub, put it in line with the network, and connect the PC running Wireshark to the hub (only three connections to the hub); this lets you see the traffic easily, with no configuration changes to the network. There is no ‘magic bullet’ to fix a loop. It needs some investigation and a good knowledge of the network topology.
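An added example (not from the article) that applies the two sniffer checks described above to constructed packet-list records: copies of one IP ID whose TTL stays constant and whose source MAC never changes point to an L2 loop, while copies whose TTL drops by one per hop and whose MACs alternate between two routers point to a routing loop. The record layout, MACs and IP IDs are constructed.

```python
from collections import defaultdict

# Constructed records in the style of a Wireshark packet list (not a real trace).
# Each record: (time_s, src_mac, dst_mac, ip_id, ttl)
CAPTURE = [
    # one frame circling two switches: same src MAC every time, TTL never changes
    (0.000, "00:00:00:00:00:01", "00:00:00:00:00:02", 0x1a2b, 64),
    (0.001, "00:00:00:00:00:01", "00:00:00:00:00:02", 0x1a2b, 64),
    (0.002, "00:00:00:00:00:01", "00:00:00:00:00:02", 0x1a2b, 64),
    (0.003, "00:00:00:00:00:01", "00:00:00:00:00:02", 0x1a2b, 64),
    # one packet bouncing between two routers: MACs alternate, TTL drops by one per hop
    (0.100, "00:aa:00:00:00:01", "00:bb:00:00:00:02", 0x7c3d, 60),
    (0.110, "00:bb:00:00:00:02", "00:aa:00:00:00:01", 0x7c3d, 59),
    (0.120, "00:aa:00:00:00:01", "00:bb:00:00:00:02", 0x7c3d, 58),
    # ordinary traffic: a unique IP ID seen once
    (0.200, "00:00:00:00:00:09", "00:aa:00:00:00:01", 0x0042, 64),
]

def classify_duplicates(records, min_copies=3):
    """Return {ip_id: verdict} for every IP ID seen at least min_copies times.
    Constant TTL and a single source MAC: the frame never crossed a router, so it is
    circling at Layer 2. TTL falling by one per copy: the packet is being re-routed
    between routers. Anything else is reported but left for manual inspection."""
    by_id = defaultdict(list)
    for _time, src, _dst, ip_id, ttl in sorted(records):   # sorted by capture time
        by_id[ip_id].append((src, ttl))
    verdicts = {}
    for ip_id, copies in by_id.items():
        if len(copies) < min_copies:
            continue
        ttls = [ttl for _, ttl in copies]
        sources = {src for src, _ in copies}
        if len(set(ttls)) == 1 and len(sources) == 1:
            verdicts[ip_id] = "L2 switching loop"
        elif all(a - b == 1 for a, b in zip(ttls, ttls[1:])):
            verdicts[ip_id] = "routing loop"
        else:
            verdicts[ip_id] = "duplicates, inconclusive"
    return verdicts

if __name__ == "__main__":
    for ip_id, verdict in classify_duplicates(CAPTURE).items():
        print(f"IP ID 0x{ip_id:04x}: {verdict}")
```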
Cybersecurity Focused Cisco Certified Network Engineer
1 year
Great article! Well explained in a very clear and accurate way.
CompTIA Security+ | ITIL V4 | IT Infrastructure | ERP | Virtualization | Team Leader | Quick Learner
3 years
It's very informative & I need to check my network for loops. I am struggling to find out the slowness in my network. With this article I get an idea & I will try to troubleshoot. Thanks for the very informative, short explanation.
Technical Consulting Engineer at Cisco
3 years
God!!! This is awesome, thanks for the brief explanation.
Support Engineer II at Yubico
3 years
Good examples and resource. I've used this article as a reference for clients who have issues with network loops.
Network Administrator at MoD, Military Geographic Institute, Tirana, Albania
5 years
Well, use STP, and you are on again.