Highlighted
Enthusiast

ASA BGP - Full internet routing table

Just curious if anyone is using their ASA to peer via BGP with an ISP and receiving full internet routes. I currently have a set of 5545's (only running static routing) and am in the process of moving to a set of Firepower 4100's running ASA code. I would like to push dynamic routing down to the firewalls, but just not sure that they will handle the full table.

4 REPLIES 4
Highlighted
VIP Mentor

Hi

I think it is not a good idea to receive all the internet routes; your device could become a transit device and overload the CPU. Please check these links:

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html

http://www.burningnode.com/2013/07/20/bgp-prevent-being-a-transit-as/

https://networklessons.com/bgp/bgp-prevent-transit-as/

You could advertise a default route to devices behind the firewall.

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<
Highlighted

Is this BGP with a single ISP? Or BGP with multiple ISP? Full table from one or full table from more than one? What is the reason that you are interested in receiving a full table? It seems to me that it is a large step to go from static routing to BGP with the full table and I wonder what leads to the interest in receiving the full table?

HTH

Rick

Highlighted

Thanks for the questions and feedback. I was more asking the question to see if from a performance point could ASA on Firepower 4100 handle a full Internet routing table. My design requirement for this was to dynamically re-route traffic on partial far end ISP failures. I have since had more time to review my design and have come up with a better solution which does not require running BGP down into my firewalls.

Highlighted

Thanks for the update. It is good to know that you have found a solution that does not require running BGP down into your firewalls.

HTH

Rick
