Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can ingress policy drops cause performance degradation?

Good Day All,

I have a high number of ingress policy drops and not sure whether they can contribute to perfromance degradation:

BW 100 Mbps, DLY 100 usec

       Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

       Description: Outside Interface

       Available but not configured via nameif

       IP address unassigned

       17856933 packets input, 14286646879 bytes, 0 no buffer

       Received 131 broadcasts, 0 runts, 0 giants

       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

       0 L2 decode drops

       34359784406 switch ingress policy drops

       15563263 packets output, 3690709001 bytes, 0 underruns

       0 output errors, 0 collisions, 0 interface resets

       0 late collisions, 0 deferred

       0 input reset drops, 0 output reset drops

       0 rate limit drops

       0 switch egress policy drops


Can ingress policy drops cause performance degradation?

Hi Zahan,

This drop is usually seen when a port is not configured correctly. This  drop is incremented when a packet cannot be successfully forwarded  within switch ports as a result of the default or user configured switch  port settings. The following configurations are the likely reasons for  this drop:

The nameif command was not configured on the VLAN interface.

Note For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

The VLAN is shut down.

An access port received an 802.1Q-tagged packet.

A trunk port received a tag that is not allowed or an untagged packet.

The  security appliance is connected to another Cisco device that has  Ethernet keepalives. For example, Cisco IOS software uses Ethernet  loopback packets to ensure interface health. This packet is not intended  to be received by any other device; the health is ensured just by being  able to send the packet. These types of packets are dropped at the  switch port, and the counter increments.

The  VLAN only has one physical interface, but the DEST of the packet does  not match the MAC address of the VLAN, and it is not the broadcast  address.

You can refer to this:

Hope that helps,



Thanks, Varun Rao Security Team, Cisco TAC
CreatePlease login to create content