QOS when using a WEB PROXY

victor_87
Level 1

Hi

Please view the attachment first.

Basically, we have a Cisco 6500 chassis with about 25 VLANs, and around 25-30 access layer switches are serving as distribution layer switches in each VLAN.

We now have a web proxy for each segment serving the users for Internet access. The proxy server has only 1 Ethernet interface.

I used to police traffic for each segment at the interface connected to the Cisco ASA using policy maps. This could also be done on the ASA anyway.

Now my problem is, we are planning to have one single high-end web proxy to serve all the VLANs. And this will be connected in, say, VLAN 1 of the Cisco 6500. I have no problem here as we have Gig Ethernet ports on the 6500. So traffic entering and leaving the same VLAN would not cause any problem.

But the problem is I can't police traffic based on the VLAN, as only the IP of the proxy will be seen on the interface connected to the ASA for all HTTP traffic.

I cannot apply the policing on the VLAN interfaces, as I do not want to police internal traffic. (Yes, there is one option where I can deny traffic with internal destinations from the policing. But in this case I'll have policing configured on all VLAN interfaces, a bit ugly and hectic.)

Another alternative is to put the web proxy in the DMZ, but my ASA has only Fast Ethernet interfaces and we have got high Internet bandwidth; this would cause congestion.

Any ideas with respect to how I can proceed?

Thanks in advance

5 Replies

carenas123
Level 5

Follow the URL for the Configuring Web-Based Proxy for 6500; it may help you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/web_auth.html

mhellman
Level 7

"Another alternative is to put the web proxy in the DMZ, but my ASA has only Fast Ethernet interfaces and we have got high Internet bandwidth; this would cause congestion."

It's likely I just don't understand your network. If you put the proxy in the DMZ, why wouldn't your previous policy configuration work the same as it does today?

If I put my proxy in the DMZ then my present configuration would work like a charm, no issues.

But I was talking about how much traffic a 100 Mbps interface on my Cisco ASA 5510 can handle.

The interface will have:

1. Incoming traffic to the DMZ from the Inside.

2. Outgoing traffic from DMZ to Outside (Internet).

3. Incoming traffic from Outside (Internet) to DMZ.

4. Outgoing traffic from DMZ to Inside.

We definitely have a total traffic of more than 200 Mbps that will flow.

Hope you got me.

No, I still don't get it ;-) What interface are you talking about? Wouldn't the DMZ be hanging off a real physical interface? If that's the case, there should not be any increase in traffic utilization across the internal and external interfaces from today. The DMZ interface would be the only one you need to worry about. The picture doesn't show anything special going on with the internal or external interfaces. If they're just Fast Ethernet, then the theoretical maximum of Internet traffic today is 100 Mbps, but in reality it is almost certainly lower even if you are pegging the internal interface.

I agree that the DMZ interface, because it will see some traffic twice, may still need to be >100 Mbit. Your internal interface utilization should help determine that. If it does, I believe there is a gig interface you can purchase for the 5510. This assumes you have a gig interface on the proxy (or multiple Fast Ethernet interfaces).

I can sure manage a gig interface on my proxy, but the 5510 already has a CSC module, so I'll have to throw that in the trash first to accommodate a gig SSM. Moreover, I have the ASA in Active/Standby, so I'll throw away two CSC modules and buy two gig modules.

Gotta look for other options.
