lukasz.bromirski.net

aviate, navigate, communicate

ASA and full BGP table(s)

while I've already mentioned a couple of times on this blog that handling dynamic routing on a firewall is asking for unexpected problems, sometimes it's needed.

as Cisco, we don't normally recommend using ASA or FTD boxes as full-table BGP routers. not because they can't be used in this role, but because we don't believe it's a good networking and security practice.

here's an example from my home lab: a test cluster of two ASA 5516-X running 9.13(1) and getting a full BGP feed from my upstream ASR 1001-X router:

asa-cluster/TOP/master# cluster exec sh bgp sum
TOP(LOCAL):**********************************************************
BGP router identifier 192.168.254.1, local AS number 65011
BGP table version is 799115, main routing table version 799115
798962 network entries using 159792400 bytes of memory
798962 path entries using 63916960 bytes of memory
121273/121252 BGP path/bestpath attribute entries using 25224784 bytes of memory
107331 BGP AS-PATH entries using 5986830 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 254920974 total bytes of memory
BGP activity 798968/0 prefixes, 798968/1 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.253.1   4        65055 121715  5         799329    0    0 00:01:54  798967

DOWN:****************************************************************
BGP router identifier 192.168.254.1, local AS number 65011
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.253.1   4        65055 0       0              1    0    0 never  Idle
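an added example, my own script rather than anything from the original post or from Cisco: it parses per-unit "cluster exec sh bgp sum" output in the format above and flags a unit whose upstream peer isn't Established or whose received prefix count is far from a full table, and it works out the BGP memory cost per received prefix. the sample text is a constructed, trimmed copy of the output format above; expected_prefixes is whatever you consider a full table today.

```python
import re
# Constructed sample (trimmed) in the shape of the "cluster exec sh bgp sum"
# output above: one unit has the session up, the other is still Idle.
SAMPLE = """\
TOP(LOCAL):**********************************************************
BGP using 254920974 total bytes of memory
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.253.1   4        65055 121715  5         799329    0    0 00:01:54  798967
DOWN:****************************************************************
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.253.1   4        65055 0       0              1    0    0 never  Idle
"""
UNIT_RE = re.compile(r"^(\S+?)(?:\(LOCAL\))?:\*+\s*$")  # "TOP(LOCAL):***", "DOWN:***"
MEM_RE = re.compile(r"^BGP using (\d+) total bytes of memory")

def parse_cluster_bgp_summary(text):
    """Map each cluster unit to its BGP memory use and neighbor rows."""
    units, unit = {}, None
    for line in text.splitlines():
        if m := UNIT_RE.match(line):
            unit = m.group(1)
            units[unit] = {"memory_bytes": None, "neighbors": []}
        elif unit is None:
            continue
        elif m := MEM_RE.match(line):
            units[unit]["memory_bytes"] = int(m.group(1))
        elif len(f := line.split()) == 10 and f[0].count(".") == 3 and f[1].isdigit():
            # Neighbor row: last column is a prefix count once Established, else the FSM state.
            up = f[9].isdigit()
            units[unit]["neighbors"].append({
                "peer": f[0], "state": "Established" if up else f[9],
                "prefixes": int(f[9]) if up else 0})
    return units

def check_cluster(units, expected_prefixes, tolerance=0.05):
    """Alert-worthy (unit, finding) pairs: peer not Established, or prefix count off by > tolerance."""
    findings = []
    for unit, data in units.items():
        for n in data["neighbors"]:
            if n["state"] != "Established":
                findings.append((unit, f"peer {n['peer']} is {n['state']}"))
            elif abs(n["prefixes"] - expected_prefixes) > tolerance * expected_prefixes:
                findings.append((unit, f"peer {n['peer']} sent {n['prefixes']} prefixes"))
    return findings

def bytes_per_prefix(data):
    """BGP memory per received prefix on one unit, None if it holds no table."""
    total = sum(n["prefixes"] for n in data["neighbors"])
    return data["memory_bytes"] / total if data["memory_bytes"] and total else None
```

run against the sample, the only finding is the DOWN unit sitting in Idle, and the TOP unit works out to roughly 319 bytes of BGP memory per prefix.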

the ASA 5516-X doesn't have a very powerful CPU (it's an Intel Atom!), but loading 800k prefixes won't tax it too much - actually, while you'll see a spike to around 40% initially, it falls back to 5% once the prefixes are loaded and installed in the RIB/FIB.

memory-wise, on an 8GB config you'll see around 3.5GB taken:

asa-cluster/DOWN/master# sh cluster memory 
Usage Summary In Cluster:********************************************* 
Free memory:      8002141434 bytes (53%) 
Used memory:      7172860392 bytes (47%) 
-------------     --------------- 
Total memory:     15175001826 bytes (100%)

DOWN(LOCAL):********************************************************** 
Free memory:      3881306753 bytes (51%) 
Used memory:      3706194160 bytes (49%) 
-------------     ---------------- 
Total memory:     7587500913 bytes (100%)

TOP:****************************************************************** 
Free memory:      4120834681 bytes (54%) 
Used memory:      3466666232 bytes (46%) 
-------------     ---------------- 
Total memory:     7587500913 bytes (100%)
