BGP in Firewall

snarayanaraju
Level 4

Hello All - Why did Cisco promote BGP in their Firewalls ASA/PIX till recently? I know the famous saying that it is good to have the Routing Function separate from the Firewall. But why do we prevent BGP peering with the Firewall though OSPF/EIGRP/RIP have been supported since the beginning?

Just a conceptual thought process

regards,

Sairam

3 Replies

For me, I would separate the two. Depending on your BGP setup and what you're expecting your firewall to stop in terms of traffic, you could be asking too much of one device.

Regards,  Kevin

Hi,

I can give you an example where BGP would be useful (especially in multi-context mode, where dynamic routing wasn't supported):

 Main DC         |      Recovery DC
------- Internet ISP1/ISP2 -------
    |                       |
   R1                      R2
    |                       |
   FW                      FW --- DMZ????
    |                       |
  CORE        -----       CORE

You would need to place the DMZ somewhere behind the Core and not directly near the first firewall as it would not know how to switch the default route.

Now with BGP on the firewall you can exit through any site.

Traian
sean_evershed
Level 7

My guess is that maybe Cisco didn't have sufficient demand from their customers to run BGP on their firewalls. Therefore they focussed their engineering efforts on developing other firewall features.
