Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

QOS when using a WEB PROXY


Please view the attachment first.

Basically we have a Cisco 6500 chassis with about 25 VLANS and around 25 -30 Access layer switches are serving as distribution layer switches in each VLAN.

We now have a Web Proxy for each segment serving the users for internet access. the proxy server has only 1 ethernet interface.

I used to police traffic for each segment at the interface connected to the Cisco ASA using Policy MAP's, This could also be done on the ASA Anyway.

Now my problem is , we are planning to have one single high-end web proxy to serve all the VLANS. And this will be connected in say the Vlan 1 of the Cisco 6500. I have no problem here as we have GIG ETH ports on the 6500. So traffic entering and leaving the same vlan would not cause any problem.

But the problem is i can't police traffic based on the vlan as only the IP of the Proxy will be seen on the interface connected to the ASA for all Http traffic.

I cannot apply the policing on the vlan interfaces as, i do not want to police internal traffic.( yes there is one option where i can deny traffic with internal destination's from the policing. But in this case i'll have police configured on all vlan interface, a bit ugly and hectic.

Another alternative is to put the web proxy in the DMZ, but my ASA has only fast Ethernet interfaces and we have got high internet Bandwidth, this would cause congestion.

Any Ideas with respect to how i can proceed ????

Thanks in Advance


Re: QOS when using a WEB PROXY

Follow the URL for the Configuring Web-Based Proxy for 6500 it may help you


Re: QOS when using a WEB PROXY

"Another alternative is to put the web proxy in the DMZ, but my ASA has only fast Ethernet interfaces and we have got high internet Bandwidth, this would cause congestion. "

It's likely I just don't understand your network. If you put the proxy in the DMZ, why wouldn't your previous policy configuration work the same as it does today?

New Member

Re: QOS when using a WEB PROXY

If i put my proxy in the DMZ then my present configuration would work like a charm, no issues.

But i was talking about how much traffic can a 100 Mbps interface on my cisco ASA 5510 handle.

the interface will have,

1.Incoming traffic to the DMZ from the Inside.

2.Outgoing traffic from DMZ to Outside(Internet)

3. Incoming traffic from Outside(Internet) to DMZ.

4. Outgoing traffic from DMZ to Inside.

We definitely have a total traffic of more than 200 Mbps that will flow.

Hope u got me.


Re: QOS when using a WEB PROXY

No, I still don't get it;-) What interface are you talking about? Wouldn't the DMZ be hanging off a real physical interface? If that's the case, there should not be any increase in traffic utilization across the internal and external interfaces from today. The DMZ interface would be the only one you need to worry about. The picture doesn't mention show anything special going on with the internal or external interfaces. If they're just fast Ethernet, then the theoretical maximum of Internet traffic today is 100Mbps, but in reality it is almost certainly lower even if you are pegging the internal interface.

I agree that the DMZ interface, because it will see some traffic twice, may still need to be >100Mbit. Your internal interface utilization should help determine that. If it does, I believe there is a gig interface you can purchase for the 5510. This assumes you have a gig interface on the proxy (or multiple fast Ethernet interfaces)

New Member

Re: QOS when using a WEB PROXY

i can sure manage a gig interface on my proxy but the 5510 already has a CSC module, so i'll have to throw that in the trash first to accomodate a gig SSM. Moreover i have the ASA in Active/standby so, i'll throw two CSC modules and buy to gig modules.

gotta look for other options,