Switch loop / Spanning Tree storm
A loop has been introduced — broadcast traffic is saturating the LAN. Find and break the loop, then add prevention.
Indicators
- Switch CPU pinned at 100%
- MAC address flapping between ports in switch logs
- Broadcast traffic dominating port stats
- Network slow / unusable site-wide
- Recent cable run or device added before failure
Likely causes
- User plugged a wall cable into a desk switch / cheap switch (no STP)
- Misconfigured EtherChannel / LACP without proper config on both sides
- Faulty cable causing port flapping
- STP disabled on a port that should have it
- Looped patch cable in a cabinet
Diagnostic steps
- Console into core switch — show spanning-tree (Cisco), show stp (Aruba), Meraki dashboard topology view
- Identify the port blocking due to STP — and the port that's flapping. The flapper is the loop source
- show mac address-table | include <flapping MAC> — find where it's appearing
- Shut the suspect port to break the loop, then physically investigate
- Confirm STP convergence and CPU normalisation
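To speed up the "find the flapper" step, the following added example (not part of the original runbook) ranks ports by how many distinct MACs are flapping on them in exported switch logs. It assumes the Cisco IOS `%SW_MATM-4-MACFLAP_NOTIF` syslog format; the log lines are constructed, and `flap_summary` and its `uplinks` parameter are hypothetical names.

```python
import re
from collections import Counter

# Cisco IOS MAC-flap notification (assumed log format for this example).
MACFLAP = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)",
    re.IGNORECASE,
)

# Constructed sample log: Gi1/0/24 is the uplink, Gi1/0/7 is the looped access port.
SAMPLE_LOG = """\
Mar  3 09:14:01: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/24 and port Gi1/0/7
Mar  3 09:14:01: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd01 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/24
Mar  3 09:14:02: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd02 in vlan 20 is flapping between port Gi1/0/24 and port Gi1/0/7
Mar  3 09:14:02: %LINK-3-UPDOWN: Interface Gi1/0/12, changed state to up
Mar  3 09:14:03: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd03 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/24
Mar  3 09:14:09: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd04 in vlan 30 is flapping between port Gi1/0/3 and port Gi1/0/24
"""


def flap_summary(log_text, uplinks=()):
    """Return (flap count per port pair, suspect ports ranked by distinct MACs).

    `uplinks` lists known trunk/uplink ports to leave out of the ranking:
    during a loop the uplink shows up in nearly every flap event, so it
    would otherwise hide the access port that actually needs shutting.
    """
    pairs = Counter()  # unordered port pair -> number of flap events
    macs = {}          # port -> distinct MACs seen flapping on it
    for m in MACFLAP.finditer(log_text):
        a, b = m["a"].rstrip("."), m["b"].rstrip(".")
        pairs[frozenset((a, b))] += 1
        for port in (a, b):
            macs.setdefault(port, set()).add(m["mac"].lower())
    # Many different MACs flapping on one port points at a loop; a single
    # MAC is more often a roaming or dual-homed host.
    ranking = sorted(
        ((port, len(seen)) for port, seen in macs.items() if port not in uplinks),
        key=lambda item: (-item[1], item[0]),
    )
    return pairs, ranking


if __name__ == "__main__":
    for port, count in flap_summary(SAMPLE_LOG, uplinks={"Gi1/0/24"})[1]:
        print(f"{port}: {count} distinct flapping MACs")
```

The top-ranked port is the candidate for the shutdown step; confirm it against the spanning-tree and MAC address table output before acting.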
Resolution path
- Break the loop (disable port)
- Identify and remove the offending device / cable
- Enable BPDU guard on access ports
- Document and re-enable port
Prevention
- BPDU guard + portfast on all access ports
- Storm control thresholds on access switches
- Patch panel labelling discipline
- Lock cabinets — no unauthorised additions
Tools
- Switch CLI (Cisco IOS, Aruba/HPE, Mikrotik, Meraki dashboard)
- show spanning-tree, show interface counters errors
- Cable tester for physical layer
- Topology view in Meraki / UniFi controller
References
- Cisco — Spanning Tree Protocol portfast / BPDU guard
- IEEE 802.1D / 802.1w — STP / RSTP