Promiscuous VLAN Tag Drops: Cause, Symptoms, and Solution

Article ID: CTX464029

Description

The counter nic_err_vlan_promisc_tag_drops is incrementing. The unwanted tagged traffic may also cause performance issues and may exceed the limits of a bandwidth license, triggering packet loss.

Resolution

Modify the switch configuration so that only the VLANs defined on the NetScaler with "add vlan" commands are delivered to the NetScaler. On a Cisco switch this is done with the "allowed vlan" command, specifying individual VLAN IDs instead of a range of VLANs, because not every VLAN in the range may be configured on the NetScaler. Other switch manufacturers have similar commands available.

Problem Cause

This is a switch misconfiguration issue. With a NetScaler ADC, the associated network switch ports should be configured to never deliver packets tagged with VLANs that the ADC does not require. Only VLANs specifically defined in the NetScaler configuration via "add vlan" should be delivered to the NetScaler. Because the ADC processes all packets in software (rather than in hardware, as a network switch does), every inbound packet the ADC does not require still has to be examined before it can be dropped, and that costs performance. It is common practice to configure a network switch with a range of VLANs to deliver to a specific port (i.e., "allowed vlan 1-100"). This can cause significant traffic to be delivered to the ADC that it does not require. Instead, specify the exact set of VLANs at the switch to avoid this (i.e., "allowed vlan 1,2,5,10,20").
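As an added example (not part of this article or of NetScaler/Cisco tooling), the following Python script performs the check described above: it reads the "add vlan" lines from a NetScaler config, expands the range on the switch port's "allowed vlan" line (the full Cisco IOS form is "switchport trunk allowed vlan"), reports every VLAN the trunk delivers that the ADC would only examine and drop, and prints the corrected explicit-list command. Both configuration snippets are constructed sample input; the parser handles only the plain list form of the Cisco command, not its add/remove/except variants.

```python
import re

# Constructed sample NetScaler config: only VLANs 10, 20 and 30 are defined.
NS_CONFIG = """\
add vlan 10
add vlan 20
add vlan 30
bind vlan 10 -ifnum 1/1
"""

# Constructed sample Cisco interface config: the trunk allows a whole range.
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 1-100
"""

def parse_vlan_list(spec):
    """Expand a Cisco VLAN list such as '1-100' or '1,2,5,10-12' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def netscaler_vlans(config):
    """VLAN IDs the ADC actually requires: those created with 'add vlan <id>'."""
    return {int(m.group(1)) for m in re.finditer(r"^add vlan (\d+)\b", config, re.M)}

def switch_allowed_vlans(config):
    """VLANs the trunk delivers. Only the plain 'allowed vlan <list>' form is parsed;
    the add/remove/except variants and the default (all VLANs) are not handled."""
    m = re.search(r"^\s*switchport trunk allowed vlan ([\d,\-]+)\s*$", config, re.M)
    return parse_vlan_list(m.group(1)) if m else set()

def unneeded_vlans(ns_config, switch_config):
    """Tagged VLANs the switch sends that the ADC will only examine and then drop."""
    return sorted(switch_allowed_vlans(switch_config) - netscaler_vlans(ns_config))

def corrected_allowed_vlan_command(ns_config):
    """Trunk command listing exactly the VLANs defined on the NetScaler."""
    ids = ",".join(str(v) for v in sorted(netscaler_vlans(ns_config)))
    return f"switchport trunk allowed vlan {ids}"

if __name__ == "__main__":
    extra = unneeded_vlans(NS_CONFIG, SWITCH_CONFIG)
    print(f"{len(extra)} VLANs delivered but not defined on the ADC, e.g. {extra[:5]}")
    print("Suggested:", corrected_allowed_vlan_command(NS_CONFIG))
```

A non-empty result from unneeded_vlans is the condition under which nic_err_vlan_promisc_tag_drops keeps climbing; an empty result means the trunk matches the ADC's VLAN set.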

Additional Information

CTX214033 - Citrix ADC Networking and VLAN Best Practices: https://support.citrix.com/article/CTX214033/citrix-adc-networking-and-vlan-best-practices