07-27-2015 09:27 AM - edited 03-08-2019 01:07 AM
Hello All - Why did Cisco not promote BGP in their ASA/PIX firewalls until recently? I know the famous saying that it is good to have the routing function separate from the firewall. But why do we prevent BGP peering with the firewall when OSPF/EIGRP/RIP have been supported since the beginning?
Just a conceptual thought process
regards,
Sairam
07-27-2015 07:39 PM
For me, I would separate the two. Depending on your BGP setup and what you're expecting your firewall to stop in terms of traffic, you could be asking too much of one device.
Regards, Kevin
07-28-2015 08:22 AM
Hi,
I can give you an example where BGP would be useful (especially in multi-context mode, where dynamic routing wasn't supported):
     Main DC                     Recovery DC
  ---------- Internet ISP1/ISP2 ----------
         |                           |
         R1                          R2
         |                           |
         FW                          FW --- DMZ????
         |                           |
        CORE ---------------------- CORE
You would need to place the DMZ somewhere behind the Core and not directly next to the first firewall, as it would not know how to switch the default route.
Now with BGP on the firewall you can exit through any site.
Traian
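As an added illustration of the design Traian describes (this is example configuration written for this page, not configuration from the original post or from Cisco documentation), the fragment below shows what BGP on one site's firewall could look like on an ASA release that supports BGP. All of it is assumed for illustration: the AS numbers (65010 for the site, 64500 for the ISP), the addresses (203.0.113.1 for R1, 10.255.255.2 for the recovery-site firewall over the core link), the prefix 198.51.100.0/24 for the DMZ, and the names of the prefix lists and route maps. The firewall takes only a default route from its upstream router, advertises only the DMZ prefix, and keeps an iBGP session to the other site's firewall so that a default learned there can be used when the local ISP path goes away; that is what lets the DMZ sit directly behind the first firewall and still exit through either site.

```text
! Accept only a default route from the ISP router, advertise only our own prefix
prefix-list PL-DEFAULT-ONLY seq 10 permit 0.0.0.0/0
prefix-list PL-DMZ seq 10 permit 198.51.100.0/24

route-map RM-FROM-ISP permit 10
 match ip address prefix-list PL-DEFAULT-ONLY

route-map RM-TO-ISP permit 10
 match ip address prefix-list PL-DMZ

router bgp 65010
 bgp log-neighbor-changes
 address-family ipv4 unicast
  ! eBGP to the local Internet router (R1); password and filters are assumed values
  neighbor 203.0.113.1 remote-as 64500
  neighbor 203.0.113.1 password BGP-KEY-CHANGE-ME
  neighbor 203.0.113.1 route-map RM-FROM-ISP in
  neighbor 203.0.113.1 route-map RM-TO-ISP out
  neighbor 203.0.113.1 activate
  ! iBGP to the recovery-site firewall across the core link, so its default
  ! route is a usable backup exit when R1 stops sending one
  neighbor 10.255.255.2 remote-as 65010
  neighbor 10.255.255.2 password BGP-KEY-CHANGE-ME
  neighbor 10.255.255.2 next-hop-self
  neighbor 10.255.255.2 activate
  ! The DMZ prefix this site originates
  network 198.51.100.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
```

Two checks a practitioner would want before trusting this in production: verify with the show commands for BGP neighbors and the routing table that the inbound filter really leaves only 0.0.0.0/0 from the ISP session (a firewall accepting a full table, or worse a more specific route for its own inside networks, is a routing-based bypass of the security policy), and confirm that the session uses an authentication key and that the peer addresses are restricted to the interfaces that should ever see BGP. The mirror-image configuration on the recovery-site firewall, with R2 as its eBGP peer, completes the picture.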
07-27-2015 08:20 PM
My guess is that maybe Cisco didn't have sufficient demand from their customers to run BGP on their firewalls. Therefore they focused their engineering efforts on developing other firewall features.