Sunday, October 20, 2013

Why friends don't let friends buy Cisco ASA, part 3: "A quick glance at Cisco support for dynamic routing within a context"

Cisco has finally started including dynamic routing within a context, since 9.1.2. The demonstrations here were done on version 9.1.3 and on an ASA5558-X.




If you're familiar with the Cisco ASA lineup, you'll know that enabling multi-context mode in the past only allowed for static routing. Dynamic routing inside the equivalent multi-tenant constructs (virtual routers on Juniper, VDOMs on Fortinet) has been available for a while now.

Cisco, on the ASA5558-X series, has just now started supporting EIGRP or OSPF in a multi-context firewall, as indicated here:



NOTE: That means no RIP (v1/v2) or BGP.


You will also find that only two OSPF processes can be started in a single context. If you try to start a third process, you will quickly hit the following error:


Playing around with the admin context showed me that you can only start one EIGRP process:


And finally, we cannot enable any IPv6 dynamic routing. The IPv6 router process, as seen here on a single-context (non-multi-context) firewall:



is flat-out not available in a multi-context ASA:



One other thing you might want to consider when designing routing for your ASA: be aware of resource limits. The command "show resource usage context <context-name> resource routes" will display the route limit and current usage for that context.

note: the admin context by default is not limited in any shape or fashion:



note: I'm not 100% sure whether the limits set apply to both IPv4 and IPv6 routes, and regardless of whether you are running dynamic routing.
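Since the route resource is the thing that silently breaks a context once it is exhausted, it is worth checking the "show resource usage" output for every context rather than eyeballing it on one. The script below is an added example, not part of the original post: it parses the column layout the ASA prints (Resource, Current, Peak, Limit, Denied, Context) and flags contexts that are near or over their route limit. The sample output, context names and numbers are constructed for the example; the column layout is the assumption the parser relies on.

```python
"""Parse 'show resource usage context <name> resource routes' output and flag
contexts whose dynamic route count is near or over the configured limit.

Added example; not code from the original post.  SAMPLE_OUTPUT is constructed
to match the ASA column layout (Resource, Current, Peak, Limit, Denied,
Context); the context names and figures are made up.
"""
import re

# constructed sample: one unlimited (default class) context, one near its
# limit, one that has already had routes denied, and one healthy context
SAMPLE_OUTPUT = """\
Resource              Current        Peak      Limit        Denied Context
Routes                      3           3  unlimited             0 admin
Routes                    480         490        500             0 ctx-dmz
Routes                    500         500        500            12 ctx-edge
Routes                    120         130        500             0 ctx-corp
"""

ROW_RE = re.compile(
    r"^(?P<resource>\S+)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+|unlimited|N/A)\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)


def parse_resource_usage(text):
    """Return one dict per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        limit = m.group("limit")
        rows.append({
            "resource": m.group("resource"),
            "current": int(m.group("current")),
            "peak": int(m.group("peak")),
            "limit": int(limit) if limit.isdigit() else None,  # None = unlimited
            "denied": int(m.group("denied")),
            "context": m.group("context"),
        })
    return rows


def check_route_limits(rows, warn_pct=80):
    """Return (context, status, detail) tuples for contexts worth looking at.

    status is 'unlimited' (no cap at all, e.g. the admin context in the
    default class), 'denied' (the ASA has already refused routes) or 'high'
    (usage at or above warn_pct of the limit).  Healthy contexts are omitted.
    """
    findings = []
    for r in rows:
        if r["resource"].lower() != "routes":
            continue
        if r["limit"] is None:
            findings.append((r["context"], "unlimited", None))
            continue
        pct = 100 * r["current"] / r["limit"]
        if r["denied"] > 0:
            findings.append((r["context"], "denied", r["denied"]))
        elif pct >= warn_pct:
            findings.append((r["context"], "high", round(pct)))
    return findings


if __name__ == "__main__":
    for ctx, status, detail in check_route_limits(parse_resource_usage(SAMPLE_OUTPUT)):
        print(f"{ctx:10} {status:10} {detail if detail is not None else ''}")
```

Feed it the output of the command run per context (or of "show resource usage resource routes" for all contexts at once, which prints the same columns); a context in the "denied" state is one where the routing protocol is already dropping prefixes, which usually shows up first as unexplained reachability gaps behind that context.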


Key points and takeaways:

1:  support for only the EIGRP or OSPF dynamic routing protocols
2:  can run two instances of OSPF in a single context
3:  but can only run one instance of EIGRP per context
4:  you can also run one of each (OSPF + EIGRP process) per context
5:  no IPv6 dynamic routing support
6:  no support for the other open routing protocols like RIP or BGP
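These per-context limits are easy to trip over when a context config is built from a single-mode template, so a pre-deployment check is worth having. The script below is an added example, not code from the original post: it reads a context's running-config text, counts the top-level "router ..." process statements, and reports anything that exceeds the limits listed above (two OSPF, one EIGRP, no RIP/BGP, no "ipv6 router ..."). The sample configuration is constructed for the example; process IDs, interface names and addresses are made up.

```python
"""Lint one security context's routing configuration against the multi-context
restrictions listed in the post (ASA 9.1.x): at most two OSPFv2 processes, at
most one EIGRP process, no RIP, no BGP and no IPv6 routing processes.

Added example; not code from the original post.  SAMPLE_CONTEXT_CONFIG is a
constructed context running-config that deliberately breaks every rule.
"""
import re
from collections import Counter

# per-context maximums in multi-context mode, as described in the post
MAX_PROCESSES = {"ospf": 2, "eigrp": 1}
UNSUPPORTED = {"rip", "bgp"}

# constructed sample: three OSPF processes, an IPv6 OSPF process and RIP
SAMPLE_CONTEXT_CONFIG = """\
hostname ctx-dmz
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
router ospf 2
 network 10.10.0.0 255.255.0.0 area 1
router ospf 3
 network 10.20.0.0 255.255.0.0 area 2
router eigrp 100
 network 10.30.0.0 255.255.0.0
ipv6 router ospf 10
router rip
 network 10.0.0.0
"""

# matches top-level "router ospf 1", "router rip", "ipv6 router ospf 10", ...
PROCESS_RE = re.compile(r"^(?P<v6>ipv6 )?router (?P<proto>\w+)(?:\s+(?P<pid>\S+))?\s*$")


def routing_processes(config):
    """Return (protocol, process-id-or-None, is_ipv6) for every router line.

    Indented lines are sub-commands of the preceding mode and are ignored, so
    'network ...' statements never count as processes.
    """
    procs = []
    for line in config.splitlines():
        if line.startswith(" "):
            continue
        m = PROCESS_RE.match(line)
        if m:
            procs.append((m.group("proto").lower(), m.group("pid"), bool(m.group("v6"))))
    return procs


def lint_context_routing(config):
    """Return a list of human-readable problems; empty means the config fits."""
    procs = routing_processes(config)
    problems = []
    counts = Counter(proto for proto, _, v6 in procs if not v6)
    for proto, n in counts.items():
        if proto in MAX_PROCESSES and n > MAX_PROCESSES[proto]:
            problems.append(f"{proto}: {n} processes, multi-context allows {MAX_PROCESSES[proto]}")
        elif proto in UNSUPPORTED:
            problems.append(f"{proto}: not supported in multi-context mode")
    for proto, pid, v6 in procs:
        if v6:
            problems.append(f"ipv6 router {proto} {pid}: IPv6 dynamic routing not available in multi-context")
    return problems


if __name__ == "__main__":
    for p in lint_context_routing(SAMPLE_CONTEXT_CONFIG) or ["ok"]:
        print(p)
```

Run it over "show running-config" saved from each context (or over the context config files on the system context's disk) before a cutover; a clean result means the config at least will not be rejected at the "router" prompt for exceeding the per-context process limits, which is the failure the screenshots above show.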



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \


