while I already mentioned a couple of times on this blog that handling dynamic routing on a firewall is asking for unexpected problems, sometimes it's needed.
at Cisco, we don't normally recommend using ASA or FTD boxes as full-table BGP routers. not because they can't be used in this role, but because we don't believe it's a good networking and security practice.
here's an example from my home testing lab: a cluster of two ASA 5516-X, running 9.13(1) and getting a full BGP feed from my upstream ASR 1001-X router:
asa-cluster/TOP/master# cluster exec sh bgp sum
TOP(LOCAL):**********************************************************
BGP router identifier 192.168.254.1, local AS number 65011
BGP table version is 799115, main routing table version 799115
798962 network entries using 159792400 bytes of memory
798962 path entries using 63916960 bytes of memory
121273/121252 BGP path/bestpath attribute entries using 25224784 bytes of memory
107331 BGP AS-PATH entries using 5986830 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 254920974 total bytes of memory
BGP activity 798968/0 prefixes, 798968/1 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.253.1 4 65055 121715 5 799329 0 0 00:01:54 798967
DOWN:****************************************************************
BGP router identifier 192.168.254.1, local AS number 65011
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.253.1 4 65055 0 0 1 0 0 never Idle
the ASA 5516-X doesn't have a very powerful CPU (it's an Intel Atom!), but loading 800k prefixes won't tax it too much - actually, while you'll see a spike to around 40% initially, it will fall back to 5% once the prefixes are loaded and installed in the RIB/FIB.
the current full default-free table (circa 800k IPv4 prefixes) takes around 255MB of RAM, but you'll need more given the additional work done by the BGP process. i wouldn't even start to consider playing such games in a lab environment without 1-1.5GB of free RAM - not to mention trying such ideas on production gear.
asa-cluster/DOWN/master# sh processes memory | i Allocated|BGP
Allocs Allocated Frees Freed Process
0 0 0 0 BGP Scheduler
0 0 0 0 BGP Task
0 0 1987 58343399 BGP Scanner
2032 71348506 2 70294 BGP I/O
0 0 0 0 BGP Event
155008 1403827620 64362 365655449 BGP Router
as you can see, BGP Router holds around 1GB of RAM (Allocated minus Freed), and BGP I/O an additional 71MB.
a quick peek at cluster memory stats:
asa-cluster/DOWN/master# sh cluster memory
Usage Summary In Cluster:*********************************************
Free memory: 8002141434 bytes (53%)
Used memory: 7172860392 bytes (47%)
------------- ---------------
Total memory: 15175001826 bytes (100%)
DOWN(LOCAL):**********************************************************
Free memory: 3881306753 bytes (51%)
Used memory: 3706194160 bytes (49%)
------------- ----------------
Total memory: 7587500913 bytes (100%)
TOP:******************************************************************
Free memory: 4120834681 bytes (54%)
Used memory: 3466666232 bytes (46%)
------------- ----------------
Total memory: 7587500913 bytes (100%)
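to turn the three listings above into one capacity check, here's a small script that parses them: it takes the table size from sh bgp sum, the Allocated minus Freed figure per process from sh processes memory (summed over the whole BGP group, because a process such as BGP Scanner, with 0 allocs and 1987 frees, releases blocks another process allocated and so comes out negative on its own), and the per-unit free memory from sh cluster memory, then compares free memory with the 1.5GB guideline from the post. this is an added example of mine, not code from the post or from Cisco; the embedded outputs are copied from this page, the reading of the counters as "bytes currently held" and the 1.5GB threshold are my assumptions, and a real run would feed it the live command output instead.

```python
import re

# Output lines copied from the listings on this page (ASA 5516-X cluster, 9.13(1)).
BGP_SUM = """\
BGP router identifier 192.168.254.1, local AS number 65011
798962 network entries using 159792400 bytes of memory
BGP using 254920974 total bytes of memory
"""

PROC_MEM = """\
Allocs Allocated Frees Freed Process
0 0 0 0 BGP Scheduler
0 0 0 0 BGP Task
0 0 1987 58343399 BGP Scanner
2032 71348506 2 70294 BGP I/O
0 0 0 0 BGP Event
155008 1403827620 64362 365655449 BGP Router
"""

CLUSTER_MEM = """\
Usage Summary In Cluster:*********************************************
Free memory: 8002141434 bytes (53%)
Used memory: 7172860392 bytes (47%)
------------- ---------------
Total memory: 15175001826 bytes (100%)
DOWN(LOCAL):**********************************************************
Free memory: 3881306753 bytes (51%)
Used memory: 3706194160 bytes (49%)
------------- ----------------
Total memory: 7587500913 bytes (100%)
TOP:******************************************************************
Free memory: 4120834681 bytes (54%)
Used memory: 3466666232 bytes (46%)
------------- ----------------
Total memory: 7587500913 bytes (100%)
"""

PROC_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
UNIT_RE = re.compile(r"^([^:*]+):\*+$")          # e.g. "DOWN(LOCAL):*****"
FREE_RE = re.compile(r"^Free memory:\s+(\d+)\s+bytes")
ENTRIES_RE = re.compile(r"^(\d+) network entries using (\d+) bytes")
TOTAL_RE = re.compile(r"^BGP using (\d+) total bytes")

MIB = 1024 ** 2
MIN_FREE_BYTES = int(1.5 * 1024 ** 3)   # assumption: the post's upper guideline of 1.5GB free


def parse_bgp_summary(text):
    """Prefix count and the BGP table's own memory figure from 'sh bgp sum'."""
    prefixes = table_bytes = None
    for line in text.splitlines():
        m = ENTRIES_RE.match(line.strip())
        if m:
            prefixes = int(m.group(1))
        m = TOTAL_RE.match(line.strip())
        if m:
            table_bytes = int(m.group(1))
    return {"prefixes": prefixes, "table_bytes": table_bytes}


def parse_process_memory(text):
    """{process: Allocated - Freed}, read as bytes the process currently holds.
    A process that frees blocks another one allocated comes out negative, so the
    per-process numbers only add up correctly across the whole BGP group."""
    held = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue    # header line
        _allocs, allocated, _frees, freed, name = m.groups()
        held[name] = int(allocated) - int(freed)
    return held


def parse_cluster_free(text):
    """{unit: free_bytes} from 'sh cluster memory'; the cluster-wide block is
    keyed 'Usage Summary In Cluster', the members by their unit name."""
    free, unit = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = UNIT_RE.match(line)
        if m:
            unit = m.group(1).strip()
            continue
        m = FREE_RE.match(line)
        if m and unit is not None:
            free[unit] = int(m.group(1))
    return free


def capacity_report(bgp_sum=BGP_SUM, proc_mem=PROC_MEM, cluster_mem=CLUSTER_MEM,
                    min_free=MIN_FREE_BYTES):
    """Combine the three outputs into one headroom verdict per cluster member."""
    summary = parse_bgp_summary(bgp_sum)
    held = parse_process_memory(proc_mem)
    group_net = sum(held.values())          # bytes the BGP processes hold together
    free = parse_cluster_free(cluster_mem)
    return {
        "prefixes": summary["prefixes"],
        "table_mib": summary["table_bytes"] // MIB,
        "bgp_process_mib": group_net // MIB,
        # how much larger the running process is than the table figure alone
        "process_to_table_ratio": round(group_net / summary["table_bytes"], 1),
        "per_process_mib": {k: v // MIB for k, v in held.items()},
        # True where the member still has at least min_free bytes spare
        "headroom_ok": {unit: b >= min_free for unit, b in free.items()
                        if unit != "Usage Summary In Cluster"},
    }


if __name__ == "__main__":
    for key, value in capacity_report().items():
        print(f"{key}: {value}")
```

the interesting number is process_to_table_ratio: the BGP process group holds roughly four times what the "BGP using ... total bytes" line in sh bgp sum reports, which is why the table size alone is a poor guide for how much free RAM you need.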
and that's about that - do you really need to run full BGP on your firewall? having the option to do so doesn't mean you need to do it :)
i'll demonstrate how to use a smaller number of prefixes to achieve optimal routing, without sacrificing accuracy too much.