[c-nsp] Can ASA 5550 do BGP

Nick Hilliard nick at foobar.org
Tue Feb 12 05:20:35 EST 2013

On 11/02/2013 19:36, Juergen Marenda wrote:
> pix and asa did and do not "route" very well.

They both forward packets.  The main difference between the two is that a
firewall maintains the state of each traffic flow passing through it, while
a router does not.  Each of these network flows takes up a small amount of
resources on the firewall; on an asa5550 you can have up to 600,000 of
these sessions.

The problem is that these flow states are easy to generate.  Each DNS
request will take up a slot.  On a 100Mbit client link, you can push out
about 200k DNS requests per second (each of ~70 bytes), which means that if
you have a random punter either inside or outside the firewall with 100Mbit
connectivity to the firewall, it will take them about three seconds to
knock it offline.  Obviously, if you have a GE connection, this drops to
less than half a second.

Also, the packet rate will kill the box.  I don't have any 5550s around, but
it's trivial to kill a smaller box stone dead with even a relatively low
pps rate.

For a university configuration, the OP really needs to consider a hardware
forwarding router which can withstand high packet rates and, as you pointed
out, filtering should be done with packet filters rather than firewall
rules.  Otherwise it's downtime and lack of sleep waiting to happen.
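The capacity arithmetic in the post, written out as a small planning model. This is an added example, not code from the list or from Cisco; it takes the post's figures (600,000 sessions, ~70-byte DNS packets, 100Mbit and GE links) and generalises them with one extra input that the post does not state: the idle timeout after which the firewall drops a UDP flow entry. The 120-second timeout used below is an assumption, so substitute the value your own platform actually uses. With that input the model also shows the steady-state side of the problem: how many new flows per second a table of a given size can absorb before it fills, which is the number a defender wants when deciding whether a stateful box belongs in front of a given link at all.

```python
"""Capacity model for state-table exhaustion on a stateful firewall.

Added example, not taken from the mailing-list post or any vendor code.
Inputs: link rate (bit/s), bytes per packet on the wire, state-table size,
and the idle timeout of a flow entry.  The idle timeout is an ASSUMPTION;
the post does not give one.
"""


def packets_per_second(link_bps: float, bytes_per_packet: int) -> float:
    """Upper bound on packets/s a link can carry at a given packet size.

    Preamble and inter-frame gap are ignored, so this is slightly optimistic,
    which is the safe direction for a worst-case capacity estimate.
    """
    return link_bps / (bytes_per_packet * 8)


def steady_state_entries(new_flows_per_s: float, idle_timeout_s: float) -> float:
    """Entries occupied once creation and expiry balance (Little's law:
    occupancy = arrival rate * time each entry lives)."""
    return new_flows_per_s * idle_timeout_s


def seconds_to_exhaust(table_size: int, new_flows_per_s: float,
                       idle_timeout_s: float):
    """Seconds until the table is full, or None if entries expire quickly
    enough that occupancy plateaus below table_size and it never fills."""
    if steady_state_entries(new_flows_per_s, idle_timeout_s) <= table_size:
        return None
    # Before the first entry expires the table fills linearly; if it fills
    # inside one timeout window the expiry never gets a chance to help.
    return table_size / new_flows_per_s


def max_sustainable_flow_rate(table_size: int, idle_timeout_s: float) -> float:
    """Largest steady rate of new flows the table can hold without filling."""
    return table_size / idle_timeout_s


def report(link_bps: float, bytes_per_packet: int = 70,
           table_size: int = 600_000, idle_timeout_s: float = 120.0) -> dict:
    """Summarise the exposure of one link against one state table."""
    pps = packets_per_second(link_bps, bytes_per_packet)
    return {
        "link_mbps": link_bps / 1e6,
        "max_new_flows_per_s": round(pps),
        "seconds_to_exhaust": seconds_to_exhaust(table_size, pps, idle_timeout_s),
        "sustainable_flows_per_s": max_sustainable_flow_rate(table_size, idle_timeout_s),
    }


if __name__ == "__main__":
    # The post's two cases: a 100Mbit client link and a gigabit link.
    for link in (100e6, 1e9):
        r = report(link)
        print(f"{r['link_mbps']:>6.0f} Mbit/s: ~{r['max_new_flows_per_s']:,} pkt/s, "
              f"table of 600k full in {r['seconds_to_exhaust']:.2f} s; "
              f"sustainable new-flow rate at 120 s idle timeout: "
              f"{r['sustainable_flows_per_s']:,.0f}/s")
```

Two things the output makes concrete. First, the post's "about three seconds" and "less than half a second" fall straight out of link rate divided by packet size, so any host that can fill the link can fill the table; entry expiry only matters if the table is large enough to outlast one timeout window at full rate, which it is not in either case. Second, even a modest, perfectly legitimate flow rate has a ceiling: with a 600,000-entry table and the assumed 120-second UDP idle timeout, the box can only sustain 5,000 new short-lived flows per second before it is permanently full, which is the number to compare against a campus link's normal DNS and NTP traffic before relying on the firewall as the edge device.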


