Community discussions

MikroTik App
just joined
Topic Author
Posts: 13
Joined: Mon Sep 25, 2006 4:12 am

Single port network loop/storm protection

Tue Mar 25, 2008 6:43 am

Has anyone come up with a way to protect a single network port from Loops/Storms?

AP ----wireless------ Radio CPE ----cabled---- Consumer Grade Router

AP is a PPC333, XR5, ROS3.2, WDS Dynamic Bridging of connected radios to Lan
CPE is an RB133, R52, ROS2.9.51, wLan bridged to Lan
Router can be anything, Linksys etc, Running PPPOE.

If you now replace the Router with an unmanaged switch and loop two of the switches network ports to get a storm going (you might need to kick start the storm with a windows pc by connecting it to the looped switch for a few seconds), you will overwhelm the network and cause a DOS to all the other Radio CPEs on the AP

From my experience, STP/RSTP is no good for protecting a single port, two seperate interfaces in an STP enabled bridge need to be looped for it to kick in and block one of the ports.

I have heard of something new by Nortel called SLPP - but this is not supported in MT/yet

Any Ideas?

Posts: 30
Joined: Tue Jan 09, 2007 12:07 pm

Re: Single port network loop/storm protection

Thu May 29, 2008 12:55 am

I'm having same problem. Customer's stupid switch time to time loop my whole network.

Have anyone some idea howto detect it or better block this one radio station?

Posts: 43
Joined: Wed May 23, 2007 9:04 am
Location: Germany

Re: Single port network loop/storm protection

Thu May 29, 2008 1:25 pm

Use only clients with NAT enabled, so broadcast domain for network loops will only be behind NAT-Router, causing only this one user trouble. I would not want (l)users to have access to my backbone bridged. You could use routed clients if you prefer, but that's a bit more work to configure properly, broadcast domain will still be only subnet of the user himself, not the whole network.

Set CPE to PPPOE - client, your users could then use their own routers behind without PPPOE if they like to or just could add a switch


just joined
Topic Author
Posts: 13
Joined: Mon Sep 25, 2006 4:12 am

Re: Single port network loop/storm protection

Fri Jun 12, 2009 1:28 am

Found a solution I can script. It would be great if MT could refine it to just be a "Loop Detection" checkbox on an interface page

This is monitored on a per interface basis, ether1 in this case:

1. Add a bridge firewall rule that detects packets in-interface=ether1 where the source MAC address is the same as ether1.
2. Ping a bogus address, using the interface=ether1 parameter (you do not need to add an IP to the ether1 interface) This forces a packet from the interface you are monitoring out onto the network you want to test.
3. Script running in the background that checks the value of the Firewall packet counter above every 5 seconds.
4. If counter does not equal 0 then you have a loop.
5. A second Bridge firewall rule then gets enabled which drops all traffic on the bridge to protect your bridged network/s.
6. Keep checking the counter and when it stops counting up, disable the drop rule and let the network operate correctly again.
Posts: 34
Joined: Mon Feb 25, 2008 7:02 pm

Re: Single port network loop/storm protection

Thu Jan 27, 2011 2:23 pm

Someone figured out how to solve this problem?


Who is online

Users browsing this forum: No registered users and 44 guests