cisco5540防火墙口丢包

sunseeder

口g1/1属于dmz区域，口g1/0属于inside区域，先发现每个口上均出现一定数量的丢包（packets dropped），不知这是否属于正常现象：

Interface GigabitEthernet1/1 "dmz", is up, line protocol is up
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Media-type configured as RJ45 connector
        MAC address 001f.9e2a.6325, MTU 1500
        IP address 10.20.55.1, subnet mask 255.255.255.0
        449927919 packets input, 433306840584 bytes, 0 no buffer
        Received 243055 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        393359925 packets output, 144643196301 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        1036 rate limit drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "dmz":
        449747509 packets input, 424862444052 bytes
        393381731 packets output, 136453937466 bytes
        999858 packets dropped
      1 minute input rate 128 pkts/sec,  111081 bytes/sec
      1 minute output rate 130 pkts/sec,  63106 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 260 pkts/sec,  272215 bytes/sec
      5 minute output rate 197 pkts/sec,  53272 bytes/sec
      5 minute drop rate, 0 pkts/sec


Interface GigabitEthernet1/0 "inside", is up, line protocol is up
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
        (Full-duplex), Auto-Speed(1000 Mbps)
        Media-type configured as SFP connector

CISCO-FINISAR SFP, p/n FTLF8519P2BCL-CS installed
        MAC address 001f.9e2a.6324, MTU 1500
        IP address 10.20.100.4, subnet mask 255.255.255.0
        410116308 packets input, 145902427447 bytes, 0 no buffer
        Received 8728 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        523345585 packets output, 444335759663 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "inside":
        410126188 packets input, 137412753511 bytes
        523373824 packets output, 434561624174 bytes
        2588355 packets dropped
      1 minute input rate 185 pkts/sec,  31316 bytes/sec
      1 minute output rate 294 pkts/sec,  284858 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 215 pkts/sec,  53888 bytes/sec
      5 minute output rate 340 pkts/sec,  314646 bytes/sec
      5 minute drop rate, 0 pkts/sec

yzkarchive

防火墙的作用就是要drop包的嘛

lyf3560

嗯，会把一些检查没通过的包扔掉的。你那个丢包的数也算正常的。也如果客户没有说业务有影响，那肯定是正常的。