[c-nsp] Can ASA 5550 do BGP
Phil Mayers
p.mayers at imperial.ac.uk
Tue Feb 12 04:38:11 EST 2013
On 02/11/2013 08:36 PM, Nick Hilliard wrote:
> nope, it doesn't do BGP. Categorically not and last time I asked, there
> were no plans to put it on the roadmap either. BGP is seen as a service
> provider protocol; the ASA is seen as an enterprise product.
I had a discussion with some ASA BU people about BGP on firewalls, and I
explained how we used it (routing between L3VPN for enterprise network
segmentation). They seemed interested, and didn't categorically rule out
the notion of adding BGP, but I wouldn't bet on it...
> As a secondary issue, I would recommend very strongly against the idea of
> using a firewall as a border edge router. It is incredibly easy to take
> out a firewall via a DoS attack, but not at all as easy with a router.
Surely that depends on the router; I keep hearing how crappy the sup720
is now that the new shiny is out, for example ;o)
Joking aside, I agree that having a router on the link generally allows
first-line filtering (e.g. iACLs) with more predictable and consistent
performance characteristics. Firewalls fall over at the funniest things;
they'll happily handle 30k TCP connections/sec but can't handle 1k PPS
of UDP dst port 80, or something equally random.
[OT, but that's one reason I like the Catalyst/hardware platforms -
slightly more consistent performance characteristics, at the cost of
fewer features and awkward config]