10-22-2014 01:58 PM - edited 03-11-2019 09:58 PM
Can someone explain the Switch Ingress Policy Drops in the show interface command?
sho interface e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 5087.899f.e6ac, MTU not set
IP address unassigned
1360550 packets input, 1086603489 bytes, 0 no buffer
Received 309 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
84 switch ingress policy drops
1059504 packets output, 186211777 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
10-22-2014 07:52 PM
Hi,
These are the documented possible reasons for this drop:-
switch ingress policy drops
This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:
Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.
Can you share the "show run interface" from the ASA device?
Thanks and Regards,
Vibhor Amrodia
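Because the counters in `show interface` are cumulative, a single reading such as the 84 drops above does not show whether the port is still dropping frames. The following is an added example, not part of the thread or of Cisco's tooling: it parses two snapshots of the output and reports which input-side drop counters grew. The first snapshot uses the values posted above, the second snapshot is constructed, and the function names are hypothetical.

```python
import re

# Input-side drop counters from the "show interface" output that are tracked here.
INPUT_DROP_COUNTERS = (
    "L2 decode drops",
    "switch ingress policy drops",
    "input reset drops",
)

def parse_counters(text):
    """Return {label: value} for every '<number> <label>' field in the output."""
    counters = {}
    for line in text.splitlines():
        # One line can carry several comma-separated counters ("0 input errors, 0 CRC").
        for field in line.split(","):
            m = re.fullmatch(r"\s*(?:Received\s+)?(\d+)\s+(.+?)\s*", field)
            if m:
                counters[m.group(2)] = int(m.group(1))
    return counters

def rising_drops(before, after):
    """Return {counter: (delta, drops per million input packets)} for counters that grew.

    A counter that went down (for example after the counters were cleared) is ignored.
    """
    b, a = parse_counters(before), parse_counters(after)
    pkts = a.get("packets input", 0) - b.get("packets input", 0)
    report = {}
    for name in INPUT_DROP_COUNTERS:
        delta = a.get(name, 0) - b.get(name, 0)
        if delta > 0:
            ppm = round(delta * 1_000_000 / pkts, 1) if pkts > 0 else None
            report[name] = (delta, ppm)
    return report

# Values taken from the output posted in the question.
SNAPSHOT_1 = """Interface Ethernet0/0 "", is up, line protocol is up
  1360550 packets input, 1086603489 bytes, 0 no buffer
  0 L2 decode drops
  84 switch ingress policy drops
  0 input reset drops, 0 output reset drops"""

# Constructed later reading of the same interface (sample values, not from the thread).
SNAPSHOT_2 = """Interface Ethernet0/0 "", is up, line protocol is up
  1460550 packets input, 1186603489 bytes, 0 no buffer
  0 L2 decode drops
  96 switch ingress policy drops
  0 input reset drops, 0 output reset drops"""

if __name__ == "__main__":
    print(rising_drops(SNAPSHOT_1, SNAPSHOT_2))
```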
10-23-2014 06:25 AM
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
description **Connection for FioS**
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan3
description ***FIOS***
nameif FiOS
security-level 0
ip address x.x.x.x 255.255.255.0
10-23-2014 06:17 PM
Hi,
This seems to be okay. Would you be able to check the connected trunk port on the switch and see if that is forwarding any unused VLANs on the ASA device?
You can apply the ASP captures and see if the ASA device is receiving any malformed or unwanted VLANs on the ASA device.
capture asp type asp-drop all buffer 3333333
Check the content using show capture asp
Thanks and Regards,
Vibhor Amrodia
10-24-2014 12:20 PM
There are no trunks on the ASA or the switch.
10-25-2014 12:32 AM
Hi,
Did you check the captures on the ASA device?
Also, share the output of "show asp drop".
Thanks and Regards,
Vibhor Amrodia