[c-nsp] Can ASA 5550 do BGP

Nick Hilliard nick at foobar.org
Tue Feb 12 18:08:21 EST 2013

On 12/02/2013 09:38, Phil Mayers wrote:
> I had a discussion with some ASA BU people about BGP on firewalls, and I
> explained how we used it (routing between L3VPN for enterprise network
> segmentation). They seemed interested, and didn't categorically rule out
> the notion of adding BGP, but I wouldn't bet on it...

I would very much like BGP support on the ASA.  At the moment I use local
OSPF networks with redistribution into the BGP core, but that's hacky
(although a lot less hacky than distributing routes right across the
network with OSPF).

> Surely that depends on the router; I keep hearing how crappy the sup720 is
> now that the new shiny is out, for example ;o)

The sup720 has its uses.  It doesn't quite have enough rate limiter
buckets, and there are nasty problems with link-local connectivity, but it's
not bad as a P router.  So long as you aren't doing IPv6, that is.

> Joking aside, I agree that having a router on the link generally allows
> first-line filtering (e.g. iACLs) with more predictable and consistent
> performance characteristics. Firewalls fall over at the funniest things;
> they'll happily handle 30k TCP connections/sec but can't handle 1k PPS of
> UDP dst port 80, or something equally random.

Just DNS blast an ASA and it will fall over splat on its face.  Watching
this happen is hilarious in a slightly sick way, with the session count going
up to maxsession + 1, and input errors / underruns on the ingress interface
as the box desperately tries to handle this stuff.
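The "local OSPF with redistribution into the BGP core" arrangement described in this message, sketched as an added example (this is not configuration from the thread or from Cisco; all addresses, router IDs, the OSPF process ID, the AS number, the community value, the prefix-list name and the route-map name are made-up placeholders). The ASA side advertises its inside networks into a small OSPF area; the adjacent IOS router learns them and redistributes only those prefixes into BGP, filtered through a prefix-list so that nothing else the ASA might ever originate can leak into the core:

```cisco
! ---- ASA (no BGP available): advertise local inside networks via OSPF ----
! Assumes the inside interfaces already carry addresses within 10.10.0.0/16
! and the outside interface toward the core router is 10.0.0.2/24.
router ospf 1
 router-id 10.0.0.2
 network 10.0.0.0 255.255.255.0 area 0
 network 10.10.0.0 255.255.0.0 area 0
 log-adj-changes

! ---- IOS core router: OSPF toward the ASA, BGP toward the core ----
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.0.255 area 0
 ! give the firewall a default route via OSPF rather than static routes
 default-information originate always

! only the firewall's own site prefixes (placeholder range) may enter BGP
ip prefix-list FW-SITE-A seq 10 permit 10.10.0.0/16 le 24

route-map OSPF-TO-BGP permit 10
 match ip address prefix-list FW-SITE-A
 set community 65000:100

router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.0.1.1 remote-as 65000
 address-family ipv4
  ! "match internal" takes intra/inter-area OSPF routes only, so the
  ! router's own originated default is never fed back into BGP
  redistribute ospf 1 match internal route-map OSPF-TO-BGP
  neighbor 10.0.1.1 activate
  neighbor 10.0.1.1 send-community
```

For the L3VPN segmentation case mentioned earlier in the thread, the OSPF process and the `redistribute` line would live inside the VRF (`router ospf 1 vrf NAME` and `address-family ipv4 vrf NAME` respectively); the filtering idea is the same. The prefix-list is the part worth keeping strict: it is the only thing standing between a mis-typed `network` statement on the firewall and a bogus route in the core.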
