Please view the attachment first.
Basically, we have a Cisco 6500 chassis with about 25 VLANs, and around 25-30 access-layer switches are serving as distribution-layer switches in each VLAN.
We now have a web proxy for each segment serving the users for internet access. The proxy server has only one Ethernet interface.
I used to police traffic for each segment at the interface connected to the Cisco ASA using policy maps. This could also be done on the ASA anyway.
Now my problem is, we are planning to have one single high-end web proxy to serve all the VLANs, and this will be connected in, say, VLAN 1 of the Cisco 6500. I have no problem here, as we have Gigabit Ethernet ports on the 6500, so traffic entering and leaving the same VLAN would not cause any problem.
But the problem is I can't police traffic based on the VLAN, as only the IP of the proxy will be seen on the interface connected to the ASA for all HTTP traffic.
I cannot apply the policing on the VLAN interfaces, as I do not want to police internal traffic. (Yes, there is one option where I can exclude traffic with internal destinations from the policing, but in this case I'll have policing configured on all VLAN interfaces, which is a bit ugly and hectic.)
Another alternative is to put the web proxy in the DMZ, but my ASA has only Fast Ethernet interfaces and we have got high internet bandwidth; this would cause congestion.
Any ideas with respect to how I can proceed?
Thanks in advance.
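As an added illustration of the scheme the post describes (this is not the poster's configuration, and the attachment is not available here), the per-segment policing on the ASA-facing uplink in MQC syntax, followed by the option the post mentions of policing on the VLAN interface while excluding internal destinations. Subnets, VLAN numbers, rates, burst sizes and interface names are hypothetical. Once a single proxy sources all HTTP traffic, the source address seen on the uplink is the proxy's own IP, so the per-segment classes in the first part no longer match anything, which is the problem stated above.

```text
! Added example, not from the original post. All addresses, VLAN numbers,
! rates, burst sizes and interface names are hypothetical.
!
! Part 1: classify each segment's users by source subnet and police them
! on the uplink toward the ASA.
ip access-list extended SEG10-USERS
 permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended SEG20-USERS
 permit ip 10.20.0.0 0.0.255.255 any
!
class-map match-all SEG10
 match access-group name SEG10-USERS
class-map match-all SEG20
 match access-group name SEG20-USERS
!
! Conforming traffic is forwarded, excess is dropped (rate in bps, bursts in bytes).
policy-map INTERNET-POLICE
 class SEG10
  police 10000000 312500 312500 conform-action transmit exceed-action drop
 class SEG20
  police 5000000 156250 156250 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/1
 description Uplink to ASA
 service-policy output INTERNET-POLICE
!
! Part 2: the alternative from the post. Police on the SVI, but leave
! internal destinations out of the policed class so only internet-bound
! traffic is limited. This has to be repeated on every VLAN interface.
ip access-list extended SEG10-TO-INTERNET
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
class-map match-all SEG10-INTERNET
 match access-group name SEG10-TO-INTERNET
!
policy-map VLAN10-POLICE
 class SEG10-INTERNET
  police 10000000 312500 312500 conform-action transmit exceed-action drop
!
interface Vlan10
 service-policy input VLAN10-POLICE
```

Caveat: hardware policing on the Catalyst 6500 is done by the PFC, and details such as burst granularity, which directions are supported on a given port or SVI, and whether egress policing is available depend on the supervisor and PFC revision, so verify the applied policy with `show policy-map interface` and against the QoS guide for the installed hardware before relying on it.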