5505 switch ingress policy drops

Hello experts,

I am running some tests for ext vendor connectivity, and when connecting my test 3560G g0/1 (access port) to ASA5505 (9.x) Eth0/5 (or any port), I noticed an increase in "switch ingress policy drops" (via show in eth0/5 o/p). I checked in the forums and it appears that it's an issue asked about multiple times. After issuing 'no keepalive' on the 3560G port (per Cisco docs), the drops stopped totally. I wanted to check whether it is recommended to use 'no keepalive' on a directly connected segment (ASA Eth0/5 -> Gi0/1). Gi0/5 access port and is in vlan x. Names, hard of duplex/speed etc., none worked to resolve the drops.

Thanks in advance

MS

Cisco Employee

5505 switch ingress policy drops

Field: switch ingress policy drops

Description: This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:

  • The nameif command was not configured on the VLAN interface.
    Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.
  • The VLAN is shut down.
  • An access port received an 802.1Q-tagged packet.
  • A trunk port received a tag that is not allowed or an untagged packet.
  • The security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.
  • The VLAN only has one physical interface, but the DEST of the packet does not match the MAC address of the VLAN, and it is not the broadcast address.

Field: switch egress policy drops

Description: Not currently in use.

Value our effort and rate the assistance!
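The frame-level conditions in the description quoted above can be modelled as a small classifier. This is an added example, not part of the thread and not ASA code; the function name, MAC addresses and sample frames are constructed, and it assumes IOS keepalives are Ethernet loopback frames (EtherType 0x9000) sent from the port's MAC to itself. The nameif and VLAN-shutdown conditions are configuration state and are left out.

```python
import struct

ETH_P_8021Q = 0x8100     # 802.1Q VLAN tag
ETH_P_LOOPBACK = 0x9000  # Ethernet loopback, assumed keepalive EtherType
BROADCAST = b"\xff" * 6

def ingress_drop_reason(frame, port_mode, vlan_mac,
                        allowed_vlans=(), single_port_vlan=False):
    """Return why a frame would count as an ingress policy drop, or None.

    Simplified model of the conditions in the quoted description only.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_LOOPBACK:
        return "ethernet keepalive (loopback) frame"
    tagged = ethertype == ETH_P_8021Q
    if port_mode == "access" and tagged:
        return "802.1Q tag on access port"
    if port_mode == "trunk":
        if not tagged:
            return "untagged frame on trunk port"
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (tci,) = struct.unpack("!H", frame[14:16])
        if (tci & 0x0FFF) not in allowed_vlans:  # low 12 bits are the VLAN ID
            return "VLAN tag not allowed on trunk"
    if single_port_vlan and dst not in (vlan_mac, BROADCAST):
        return "destination MAC is not the VLAN MAC or broadcast"
    return None

# Constructed sample data (not captured traffic).
SW_MAC = bytes.fromhex("001122334455")     # 3560G port MAC (made up)
ASA_MAC = bytes.fromhex("020000000001")    # ASA VLAN interface MAC (made up)
OTHER_MAC = bytes.fromhex("0200000000aa")  # some other host (made up)
PAD = bytes(46)

KEEPALIVE = SW_MAC + SW_MAC + b"\x90\x00" + PAD   # src == dst == switch port
IPV4_TO_ASA = ASA_MAC + SW_MAC + b"\x08\x00" + PAD
IPV4_TO_OTHER = OTHER_MAC + SW_MAC + b"\x08\x00" + PAD
TAGGED_VLAN10 = ASA_MAC + SW_MAC + b"\x81\x00" + struct.pack("!H", 10) + b"\x08\x00" + PAD

if __name__ == "__main__":
    for name in ("KEEPALIVE", "IPV4_TO_ASA", "IPV4_TO_OTHER", "TAGGED_VLAN10"):
        print(name, "->", ingress_drop_reason(globals()[name], "access", ASA_MAC,
                                              single_port_vlan=True))
```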
Cisco Employee

5505 switch ingress policy drops

Let me know if you have a doubt

Value our effort and rate the assistance!

5505 switch ingress policy drops

Hi Jumora,

Thank you for your reply. But I came across this information already on the Cisco website and then I issued 'no keepalives'. My question: is it recommended to disable keepalives? What is the negative impact?

Thx

MS

Cisco Employee

5505 switch ingress policy drops

Please read the next link; at the bottom it explains keepalives and what they do for the switch. For further detail please contact the switching queue:

https://learningnetwork.cisco.com/thread/35077

Value our effort and rate the assistance!

5505 switch ingress policy drops

Hi Jumora,

I came across this discussion as well during my search, but the strange thing is that when I move the ASA connection to the prod switch (4507), no drops are observed. No need to make any changes to the switch port. All works fine. Thank you for your time.

Thx

MS
