topic Re: FMC/FTD BGP Question in Network Security

FMC/FTD BGP Question

benolyndav — Fri, 27 Feb 2026 15:15:05 GMT

Is it possible to peer twice to same ASN with BGP from FTD and use multipath? if I do this and I ask the remote side to propagate a default route to our FTD from both peering's will I get both defaults due to the AS number loop prevention? Is it advisable or not to enable allow-as etc to get round this any gotchas ?? Or should I be doing this another way.?

Thanks

Re: FMC/FTD BGP Question

Rob Ingram — Fri, 27 Feb 2026 15:45:02 GMT

@benolyndav yes, you should be able to peer with two peers in the same ASN and receive the default route from both. There shouldn't be a loop, as Loop prevention in BGP is achieved by verifying the AS number in the AS Path. BGP rejects route updates when the AS Path attribute contain its own AS number. The peer will also probably configure a list of allowed routes they are willing to receive.

Re: FMC/FTD BGP Question

saxenanitesh8522 — Fri, 27 Feb 2026 17:29:39 GMT

On FTD → ECMP only works if the two paths qualify as “equal.” If the provider makes one default look different (prepends, different attributes), you may end up with only one active default. Also, depending on FTD/FMC version, support for “multipath-relax” style behavior can be limited — so if AS_PATHs aren’t identical, don’t assume you’ll get ECMP.

That’s basically it: two peers, multipath enabled, keep the defaults equal, and verify you actually have two next-hops in the RIB/FIB.

Re: FMC/FTD BGP Question

benolyndav — Tue, 24 Mar 2026 10:04:56 GMT

@saxenanitesh8522 So what about ECMP with static routes is this generally ok ? and anything to watch out for at all??

Thanks

Re: FMC/FTD BGP Question

Rob Ingram — Tue, 24 Mar 2026 15:37:01 GMT

@benolyndav ECMP is supported with FTD, configure traffic zones if static routes via different interfaces. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/100/management-center-device-config-10-0/routing-ecmp.html

Re: FMC/FTD BGP Question

benolyndav — Tue, 24 Mar 2026 16:36:44 GMT

@Rob Ingram what would your preference be ECMP/Static default routes, or BGP multipath ??

Re: FMC/FTD BGP Question

Rob Ingram — Tue, 24 Mar 2026 16:44:44 GMT

@benolyndav it depends, I'd possibly prefer BGP. With statics you'd need to determine whether the route is up/down with tracking. With BGP this is dynamic, tune the timers or BFD for quicker dead peer detection.