Basically we have a Cisco 6500 chassis with about 25 VLANs, and around 25-30 access layer switches are serving as distribution layer switches in each VLAN.
We now have a web proxy for each segment serving the users for internet access. The proxy server has only one Ethernet interface.
I used to police traffic for each segment at the interface connected to the Cisco ASA using policy maps. This could also be done on the ASA anyway.
Now my problem is, we are planning to have one single high-end web proxy to serve all the VLANs, and this will be connected in, say, VLAN 1 of the Cisco 6500. I have no problem here as we have Gig Ethernet ports on the 6500, so traffic entering and leaving the same VLAN would not cause any problem.
But the problem is I can't police traffic based on the VLAN, as only the IP of the proxy will be seen on the interface connected to the ASA for all HTTP traffic.
I cannot apply the policing on the VLAN interfaces, as I do not want to police internal traffic. (Yes, there is one option where I can exclude traffic with internal destinations from the policing. But in this case I'll have policing configured on all VLAN interfaces, a bit ugly and hectic.)
Another alternative is to put the web proxy in the DMZ, but my ASA has only Fast Ethernet interfaces and we have got high internet bandwidth; this would cause congestion.
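One way to build the per-VLAN option mentioned above, as an added example that is not from this thread: match only each VLAN's traffic to and from the proxy, so internal east-west traffic is never policed, and police the download direction on the proxy's own VLAN where the responses enter the switch. The subnets, proxy address and port, VLAN numbers and rates are assumed, as is IOS syntax for a Catalyst 6500 with a PFC.

```cisco
! Assumed addressing: users in VLAN 10 = 10.10.0.0/16, proxy = 10.1.0.10 in VLAN 1, listening on TCP 8080.
! Assumed rate: 20 Mbit/s per VLAN in each direction (normal burst 625000 bytes).
mls qos
!
! Upload direction: user -> proxy. Only traffic to the proxy matches; any other internal
! destination falls through the class unmatched and is not policed.
ip access-list extended VLAN10-TO-PROXY
 permit tcp 10.10.0.0 0.0.255.255 host 10.1.0.10 eq 8080
!
! Download direction: proxy -> VLAN 10 users. This is seen on ingress of VLAN 1 (the proxy's VLAN),
! so the per-VLAN split is done on the destination subnet rather than on the proxy's single IP.
ip access-list extended PROXY-TO-VLAN10
 permit tcp host 10.1.0.10 eq 8080 10.10.0.0 0.0.255.255
!
class-map match-all VLAN10-TO-PROXY
 match access-group name VLAN10-TO-PROXY
class-map match-all PROXY-TO-VLAN10
 match access-group name PROXY-TO-VLAN10
!
policy-map POLICE-VLAN10-IN
 class VLAN10-TO-PROXY
  police 20000000 625000 conform-action transmit exceed-action drop
!
! One class per user VLAN on the proxy's VLAN; add an ACL and a class here for each VLAN to be policed.
policy-map POLICE-PROXY-VLAN-IN
 class PROXY-TO-VLAN10
  police 20000000 625000 conform-action transmit exceed-action drop
!
interface Vlan10
 service-policy input POLICE-VLAN10-IN
!
interface Vlan1
 service-policy input POLICE-PROXY-VLAN-IN
!
! On the 6500 a policy on a VLAN interface only takes effect on ports set to VLAN-based QoS:
! the proxy's port and the trunks towards the access switches carrying VLAN 10 need this.
interface GigabitEthernet1/1
 description to proxy
 mls qos vlan-based
```

Verify with "show policy-map interface vlan 10" that the conform and exceed counters move only for proxy-bound flows while a transfer between two internal hosts leaves them untouched.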
No, I still don't get it ;-) What interface are you talking about? Wouldn't the DMZ be hanging off a real physical interface? If that's the case, there should not be any increase in traffic utilization across the internal and external interfaces from today. The DMZ interface would be the only one you need to worry about. The picture doesn't show anything special going on with the internal or external interfaces. If they're just Fast Ethernet, then the theoretical maximum of Internet traffic today is 100 Mbps, but in reality it is almost certainly lower even if you are pegging the internal interface.
I agree that the DMZ interface, because it will see some traffic twice, may still need to be >100 Mbit. Your internal interface utilization should help determine that. If it does, I believe there is a gig interface you can purchase for the 5510. This assumes you have a gig interface on the proxy (or multiple Fast Ethernet interfaces).
I can sure manage a gig interface on my proxy, but the 5510 already has a CSC module, so I'll have to throw that in the trash first to accommodate a gig SSM. Moreover, I have the ASA in Active/Standby, so I'll throw away two CSC modules and buy two gig modules.