Can ingress policy drops cause performance degradation?

Zahan Al-Rashid
Level 1

Good Day All,

I have a high number of ingress policy drops and am not sure whether they can contribute to performance degradation:

       BW 100 Mbps, DLY 100 usec
       Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
       Description: Outside Interface
       Available but not configured via nameif
       IP address unassigned
       17856933 packets input, 14286646879 bytes, 0 no buffer
       Received 131 broadcasts, 0 runts, 0 giants
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       0 L2 decode drops
       34359784406 switch ingress policy drops
       15563263 packets output, 3690709001 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 late collisions, 0 deferred
       0 input reset drops, 0 output reset drops
       0 rate limit drops
       0 switch egress policy drops

1 Reply

varrao
Level 10

Hi Zahan,

This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:

The nameif command was not configured on the VLAN interface.

   Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

The VLAN is shut down.

An access port received an 802.1Q-tagged packet.

A trunk port received a tag that is not allowed or an untagged packet.

The security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.

The VLAN only has one physical interface, but the DEST of the packet does not match the MAC address of the VLAN, and it is not the broadcast address.

You can refer to this:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1283877

Hope that helps,

Thanks,

Varun
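The reply lists the switch-port configuration conditions that increment this counter, and the question's own output already shows one of them ("Available but not configured via nameif"). The following script is an added example, not code from either poster or from Cisco: it parses the pasted "show interface" counters, records the missing nameif, and rates the ingress policy drop counter against the input packet count and the link-error counters, so the same check can be run over output collected from many interfaces. The sample text is the question's output reproduced inline; the threshold and the severity labels are assumptions chosen for the example.

```python
import re

# Constructed sample input: the "show interface" counters pasted in the
# question above, reproduced here so the script runs offline.
SAMPLE_OUTPUT = """\
       Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
       Description: Outside Interface
       Available but not configured via nameif
       IP address unassigned
       17856933 packets input, 14286646879 bytes, 0 no buffer
       Received 131 broadcasts, 0 runts, 0 giants
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       0 L2 decode drops
       34359784406 switch ingress policy drops
       15563263 packets output, 3690709001 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 late collisions, 0 deferred
       0 input reset drops, 0 output reset drops
       0 rate limit drops
       0 switch egress policy drops
"""

# One "<number> <counter name>" item, terminated by a comma or end of line.
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z0-9 ]*?)(?:,|$)")


def parse_counters(text):
    """Return (counters, flags) parsed from show interface output.

    counters maps each counter name to its integer value; flags records
    status lines that carry no number, such as the missing nameif.
    """
    counters = {}
    flags = {"nameif_configured": True}
    for raw in text.splitlines():
        line = raw.strip()
        if "not configured via nameif" in line:
            flags["nameif_configured"] = False
        for value, name in COUNTER_RE.findall(line):
            name = name.strip()
            # "bytes" appears on both the input and the output line.
            if name == "bytes":
                name = "bytes input" if "packets input" in line else "bytes output"
            counters[name] = int(value)
    return counters, flags


def assess_ingress_policy_drops(counters, flags, ratio_threshold=0.01):
    """Classify the switch ingress policy drop counter.

    Returns (severity, findings): severity is "ok", "info" or "warning"
    (labels assumed for this example); findings lists the evidence, tied
    to the causes given in the reply.
    """
    drops = counters.get("switch ingress policy drops", 0)
    pkts_in = counters.get("packets input", 0)
    findings = []
    if drops == 0:
        return "ok", findings
    if not flags["nameif_configured"]:
        findings.append("no nameif on this interface: frames reaching it are "
                        "dropped at the switch port (first cause in the reply)")
    if drops > pkts_in:
        findings.append("drop counter exceeds the packets-input counter: the "
                        "drops are switch-port configuration drops, not a "
                        "share of forwarded traffic")
    if counters.get("input errors", 0) == 0 and counters.get("CRC", 0) == 0:
        findings.append("no input or CRC errors: the link itself is healthy, so "
                        "the drops are a configuration matter rather than a "
                        "link-level fault")
    ratio = drops / pkts_in if pkts_in else float("inf")
    severity = "warning" if ratio >= ratio_threshold else "info"
    return severity, findings


if __name__ == "__main__":
    ctrs, fl = parse_counters(SAMPLE_OUTPUT)
    sev, notes = assess_ingress_policy_drops(ctrs, fl)
    print(f"switch ingress policy drops: {ctrs['switch ingress policy drops']} ({sev})")
    for note in notes:
        print(" -", note)
```

Run against the pasted output, the script reports a warning with three findings: the interface has no nameif, the drop counter is far larger than the packets-input counter, and the link shows no input or CRC errors. Together these point at the switch-port configuration causes in the reply rather than at a faulty link, which is what to verify before attributing any performance problem to this counter.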