[131825] in North American Network Operators' Group


Re: BGP support on ASA5585-X

daemon@ATHENA.MIT.EDU (khatfield@socllc.net)
Fri Nov 5 19:47:42 2010

Date: Fri, 5 Nov 2010 19:47:32 -0400 (EDT)
From: khatfield@socllc.net
To: "Greg Whynott" <Greg.Whynott@oicr.on.ca>
In-Reply-To: <45705FE2-B936-4485-9920-3B93AF33E19C@oicr.on.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

They could make it out of the box but this is why Dylan made his statement. The platform simply doesn't perform well enough to support all of that functionality on the current ASA models. I know first-hand from much of our testing the ASAs rarely meet the box specs for PPS/throughput simply serving the purpose as a static firewall. They would have to dramatically improve the system performance prior to adding any additional CPU / timing dependent features.

IMHO you would see better performance out of BSD. I won't open that can o' worms but the ROI for the ASA line is quite out of balance.

-----Original Message-----
From: "Greg Whynott" <Greg.Whynott@oicr.on.ca>
Sent: Tuesday, November 2, 2010 1:46pm
To: "Dylan Ebner" <dylan.ebner@crlmed.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: BGP support on ASA5585-X

I couldn't disagree with this statement more than I do.

They could make a box do it all if they wanted to, but it does not make business sense.

On Nov 2, 2010, at 1:42 PM, Dylan Ebner wrote:

> IMHO, I don't think this is a marketing issue for Cisco. It's a design issue. PIX/ASA is good at some things, and bad at others. They have never been good as routers. You have to remember, EIGRP didn't even come to the security line until 8.0 code and they still do not support traffic shaping. These services use memory and CPU resources which can dramatically reduce your ability to get through very long access lists. I am not positive on the ASAs, but I seem to remember that the routing features on the PIX were all done in software. If that is still true today, I can't imagine you could effectively perform stateful inspection, access lists, maybe VPN services, and BGP for a 100Mb+ internet connection on even a 5585. They just aren't that powerful.
>
> Dylan Ebner
>
> -----Original Message-----
> From: srg [mailto:srgqwerty@gmail.com]
> Sent: Friday, October 29, 2010 12:43 PM
> To: nanog@nanog.org
> Subject: BGP support on ASA5585-X
>
> Hi:
>
> At this moment we know that ASA5585-X does not support BGP.
>
> Does anybody know if BGP support in the ASA5585-X is in roadmap?
> More precisely... MP-BGP support in the ASA5585-X?
> Any "official" link in the Cisco website about this? (I didn't find it)
>
> Thanks a lot and best regards
