[c-nsp] ASA vs ISR ZBFW
Colin Whittaker
colin at netech.ie
Fri Sep 9 11:51:18 EDT 2011
On Fri, Sep 09, 2011 at 05:23:59PM +0200, Gert Doering wrote:
> > 1) It now does dynamic routing (RIP, OSPF, EIGRP)
>
> ... but still no BGP, which is undoubtedly *the* routing protocol that you
> want to use if you don't trust your neighbours (due to much better filtering
> support) - and "firewall environment" is usually all about "not trusting".
This exact limitation is why every time I deploy firewalls these days
there tends to be some form of L3 switch on either side just so I have
something to run BGP on and just do eBGP multihop across the ASA.
Colin
--
Colin Whittaker +353 (0)86 8211 965
http://colin.netech.ie colin at netech.ie