BGP on Cisco ASA?

So I've recently taken over a datacentre infrastructure which has a multihomed internet edge (eBGP, transit, peering, full tables etc.), feeding into Cisco ASAs which in turn have Nexus 9k switches inside connected to servers running VMware.

The switches are using BGP EVPN for the VXLAN control plane. Currently there are static routes on the Internet edge routers for our aggregate public ranges pointing to the ASAs. In turn the ASAs have aggregate routes for these towards the Nexus switches, which are operating at layer 3 and have an internet VRF into which the aggregates route. The switches then have more specific routes pointing to particular end systems, some static, some BGP from other network devices.

We're in the process of building another datacentre location and I was wondering if I should stick with the static routes on the border routers and ASA? My gut feeling is to run eBGP between internet edge and ASA, and again between ASA and the switching. This would allow me to originate our public aggregates from the switches, and in theory save all the hassle of static routes.

A colleague who just left was wary of running BGP on the ASAs (running 9.4 btw). But he never explained why. My own thinking is we have BGP everywhere apart from these statics, so why not remove them and make our lives easier?

Any thoughts welcome.


A large customer I did some work with let their firewalls firewall and their routers route.

Not the only way to do things but was an effective way of doing things.

I assume Cisco gear when I hear stuff like this because you can’t do it any other way in a large environment with Cisco.

rfc9000 - Bitchslap over IP
4 points · 10 days ago

There's nothing wrong with dynamic routing on firewalls. I'd much prefer that to static routing where I can do it.

So long as you lower your expectations of performance and features you'll be fine. An ASA is a (pretty not great) firewall, not a router. So it's not going to be as good at it as your 9ks, but if you're just passing a few DMZ ranges through, then should be fine.

I have personally configured bgp at two sites on two ASAs. They are 5525-x on version 9.6. The only thing I've noticed is you can't see which routes you're receiving via the received-routes command. I also don't think it allows you to do a soft reset. We're running an active/standby pair.

3 points · 10 days ago

Which model ASA? Once upon a time I had 5515-x's take full tables and quickly found that the CPU wasn't powerful enough to process all the routes in a timely manner. It would spike the CPU to 100% for 15+ minutes and I ended up having the routers handle the full tables and kept a static route between the ASA's and routers. If you have a much larger ASA you might be fine.

Original Poster1 point · 10 days ago

5555-X’s.

But I’m only gonna announce like 10 routes probably, so full tables not a concern.

It's not what you are going to announce that is the problem. It's what you receive from your peers. Every prefix received will need to be processed by the ASA.

Original Poster2 points · 9 days ago

I’m announcing the routes both sides.

ASA in the middle, eBGP to edge and to switch fabric.

So 10 routes. Announced/received.

Most Cisco firewalls have horrible limits on routing ability and tables vs other vendors, thus Cisco will sell you on an extra switch and router to get things done in their platforms by design. Check the specs closely; we ran very close to going over in a very small WAN configuration using the ASAs to dynamically route.

Juniper gear has excellent routing in all the firewalls.

PaloAlto also designs their equipment to be an all in one box.

2 points · 10 days ago

One possible issue with BGP on ASAs is reconvergence time during a failover if you’re running active/standby, since the standby doesn’t peer with anything (though it does receive learned routes). BGP graceful restart might help here.

Has anyone used active active ASAs with multiple context BGP and asynchronous routing groups to work around reconvergence time? (Allowing each ASA to act as an independent router?)

Original Poster1 point · 9 days ago

Thanks yeah that is a very valid concern.

If I go down this road I'll try to see how much of a difference graceful restart makes and report back.

I never took full tables but I did have active/standby firewalls running 9.4 5515-x I recall. They were fine with 28,000 routes. If you failover, even with a state link you only have 15 seconds to bring up the new adjacency/converge before dropping packets, with bgp it is not long enough.

There is no real additional load on your firewall running BGP on it, it's just control plane. If you say you prefer your firewall to firewall, but still put static routes on it, you're routing; you might as well use the additional tool that fits your requirements.

If you have a requirement to dynamically share routes and use BGP routing policy, then use BGP if you need it.

Original Poster1 point · 10 days ago

Thanks yeah that makes sense to me. The firewall is routing no matter what, so it’s not like “let the firewall filter”, it's more about dynamic vs static routing.

And as we are BGP dynamic everywhere I see no reason to do it on the ASA too. We only have a small number of aggregates and a default from the Internet routers.

CCNP
2 points · 10 days ago

btw, ASA does not support the BGP MIB, sucks, doesn't it. Our workaround is syslog emails; we need it since we do BGP peering with our ASA's towards our clients' networks and I've seen a client's BGP that has been down for almost a month without us noticing. facepalm
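The syslog-based workaround above, as an added example that is not part of the original thread: a small Python watcher that parses BGP adjacency-change messages from the firewall's syslog feed and flags peers that have stayed down past a threshold. The message text (modelled on Cisco's "%BGP-5-ADJCHANGE" wording), the host names, the addresses and the year supplied for year-less syslog timestamps are all assumptions, and the sample lines are constructed.

```python
# Added example, not from the thread: since the ASA exposes no BGP MIB, watch
# its syslog feed for adjacency changes and flag peers that stay Down.
# ASSUMPTIONS: the message text resembles Cisco's "%BGP-5-ADJCHANGE: neighbor
# <ip> Up|Down ..." and the syslog timestamp carries no year (caller supplies it).
import re
from datetime import datetime, timedelta

ADJ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"ADJCHANGE: neighbor (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) (?P<state>Up|Down)"
)

def parse_events(lines, year=2019):
    """Yield (timestamp, host, peer, state) for every adjacency-change line."""
    for line in lines:
        m = ADJ_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["peer"], m["state"]

def stale_peers(lines, now, max_down=timedelta(hours=1), year=2019):
    """Return {(host, peer): down_since} for peers Down longer than max_down."""
    down_since = {}
    for ts, host, peer, state in parse_events(lines, year):
        key = (host, peer)
        if state == "Down":
            down_since.setdefault(key, ts)  # keep the earliest Down
        else:
            down_since.pop(key, None)       # peer came back Up
    return {k: t for k, t in down_since.items() if now - t > max_down}

# Constructed sample syslog lines (not real device output) and a fixed "now".
SAMPLE = [
    "Mar  1 08:00:01 asa-edge-1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Interface flap",
    "Mar  1 08:00:40 asa-edge-1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up",
    "Mar  1 09:15:00 asa-edge-1 %BGP-5-ADJCHANGE: neighbor 198.51.100.7 Down Hold time expired",
    "Mar  1 09:20:00 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1234",
    "Mar  1 11:30:00 asa-edge-2 %BGP-5-ADJCHANGE: neighbor 192.0.2.9 Down BGP Notification sent",
]
NOW = datetime(2019, 3, 1, 12, 0, 0)

if __name__ == "__main__":
    for (host, peer), since in stale_peers(SAMPLE, NOW).items():
        print(f"ALERT {host}: peer {peer} down since {since:%b %d %H:%M}")
```

Feed it the real syslog stream (or a periodic tail of the log file) and send the alert by email or to your monitoring system; the peer that flapped and recovered is not reported, only the one still down.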

And the client didn't notice either?

I work for an ISP, we don't actively monitor quite a few circuits. You would be surprised how many tickets get opened for a circuit that has been down for months. My personal favorite: "Our internet has been really slow for the last six weeks." Turns out, someone had unplugged the connection from our NID to their router and traffic was passing over their Cradlepoint at like 10meg. It was like this for six weeks.

😂😂 very believable. When I started at my current shop the backup was 56k ISDN. The primary T1 at a site was down for quite a while apparently and we got a 30k bill for the ISDN. Around the time I started we also got a proper monitoring system in place to catch these kinds of things.

CCNP
1 point · 9 days ago

yes, they didn't haha ;)

CCNP
1 point · 10 days ago

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd78303

We face this issue as well: the ASA fails to pass traffic after being up for 213 days.

Original Poster1 point · 10 days ago

Ok thanks, this is very important for us. We use some Nexus 3k’s that don’t support it either, which is a pain.

2 points · 9 days ago

Watch out for issues when you change the interface that a prefix routes out of. Most firewalls (ASAs and Palo Alto for sure) consider the state of the flow before the route table. If suddenly traffic changes interfaces due to an upstream routing change/backup path being used, that flow has to die before any traffic can be passed again.

Original Poster1 point · 9 days ago

Ok thanks that is a good tip I will need to consider.

1 point · 10 days ago

I do BGP on my ASA-5545-X's running FTD. Only sending routes for Microsoft's ASNs so we can prefer one router over another for those routes.

Original Poster1 point · 10 days ago

Ok. And do you mind me asking why you do that in relation to Microsoft?

Is it for connectivity to Azure? Office 365?

1 point · 10 days ago · edited 10 days ago

We do BGP on our Palo-Alto's for AWS VPC tunnels, and to get default routes from the internet routers.

Original Poster1 point · 10 days ago

Yes that is very similar to my use case.

MEF-CECP, "CC & N/A"
1 point · 10 days ago

Generally, when you perform routing functions on a firewall, you should expect a limited feature set and a higher likelihood of support issues.

That said, Cisco is obviously no stranger to routing and their firewalls have supported BGP since forever and you would be very unlikely to have any problems.

I've seen BGP interop issues between routers and Sonicwalls and the like, but not an ASA, and all of the advantages BGP would offer in this scenario would lead to my recommending you set it up.

Original Poster2 points · 10 days ago

Thanks. It’s Cisco either side and we are only dealing with a handful of routes, so I don’t anticipate problems.

That said, Cisco is obviously no stranger to routing and their firewalls have supported BGP since forever

Forever? It only released BGP on to the ASA code base in 9.something and that's like 2014-15.
