[c-nsp] Can ASA 5550 do BGP

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 12 04:38:11 EST 2013

On 02/11/2013 08:36 PM, Nick Hilliard wrote:

> nope, it doesn't do BGP.  Categorically not and last time I asked, there
> were no plans to put it on the roadmap either.  BGP is seen as a service
> provider protocol; the ASA is seen as an enterprise product.

I had a discussion with some ASA BU people about BGP on firewalls, and I 
explained how we used it (routing between L3VPN for enterprise network 
segmentation). They seemed interested, and didn't categorically rule out 
the notion of adding BGP, but I wouldn't bet on it...

> As a secondary issue, I would recommend very strongly against the idea of
> using a firewall as a border edge router.  It is incredibly easy to take
> out a firewall via a DoS attack, but not at all as easy with a router.

Surely that depends on the router; I keep hearing how crappy the sup720 
is now that the new shiny is out, for example ;o)

Joking aside, I agree that having a router on the link generally allows 
first-line filtering (e.g. iACLs) with more predictable and consistent 
performance characteristics. Firewalls fall over at the funniest things; 
they'll happily handle 30k TCP connections/sec but can't handle 1k PPS 
of UDP dst port 80, or something equally random.

[OT, but that's one reason I like the Catalyst/hardware platforms - 
slightly more consistent performance characteristics, at the cost of 
fewer features and awkward config]

More information about the cisco-nsp mailing list