Catalyst 6500 block http incomplete request?

Aug 8th, 2007

Hello everyone,

I have a Catalyst 6500 in my network, with a topology like this:

Users (many VLANs) ---> Catalyst6500 ---> SquidProxy ---> Internet

Many users have suffered from viruses, and there are many requests to some sites that are not real on the Internet (ex:,..); that causes SquidProxy to go out of service (down).

I want to block these requests on the Cat6500, so I use the IP INSPECT feature, in the following link:

But it seems not to work as I expected: the users reach the Internet very slowly, and sometimes Squid-Proxy is down again.

My question is:

Is there any feature in the Catalyst 6500 that solves the problem?

If not, which module or line card can I upgrade the Catalyst 6500 with to solve it thoroughly?

The Catalyst 6500 uses:

- IOS: s72033-ipservicesk9-mz.122-18.SXF6.bin

- CEF720 24 port 1000mb SFP WS-X6724-SFP

- 48-port 10/100/1000 RJ45 EtherModule WS-X6148A-GE-TX

- Supervisor Engine 720 WS-SUP720-3B

My config is:

    ip inspect max-incomplete high 1200
    ip inspect max-incomplete low 1000
    ip inspect one-minute low 300
    ip inspect one-minute high 400
    ip inspect tcp max-incomplete host 50 block-time 10
    ip inspect name DDOS http
    ip inspect name DDOS tcp
    !
    interface Vlan100
     description ### To Squid Proxy ###
     ip inspect DDOS out

Many Thanks,


wochanda Thu, 08/09/2007 - 05:33

Since CBAC is not supported in the hardware forwarding path of the 6500, it is likely the slowness you're seeing is a result of all of these packets being sent to software.

If you're looking for a faster way of doing URL filtering and firewall on the 6500, you probably want to look at the FWSM module. Here is the documentation:

nvanphuong Thu, 08/09/2007 - 20:48

Thanks for the reply,

"Since CBAC is not supported in the hardware forwarding path of the 6500"

-> I really need some links or documents talking about this.

