Re: BGP support on ASA5585-X

[Pete Lumbis <alumbis () gmail com>]

I won't speak to the wrong solution for the wrong market but as far as
large ACLs, I would agree with Tony.

I've seen hundreds of different ASA configurations for a variety of
customers in a variety of markets and generally once you start
reaching the limits of the box you start losing sight of what your
original security policies are.

In almost every (not all) cases that I've seen resource exhaustion due
to ACLs it's almost always gone hand in hand with security policies
that aren't followed well or clear cut (i.e., overlapping security
rules, lack of rule aggregation, not sure why rule X is in there,
things of this nature).

-Pete

On Sat, Nov 6, 2010 at 9:54 AM, Tony Varriale <tvarriale () comcast net> wrote:
> ----- Original Message ----- From: "gordon b slater" <gordslater () ieee org>
> To: "Tony Varriale" <tvarriale () comcast net>
> Cc: <nanog () nanog org>
> Sent: Saturday, November 06, 2010 4:38 AM
> Subject: Re: BGP support on ASA5585-X
>
>
> > On Fri, 2010-11-05 at 21:50 -0500, Tony Varriale wrote:
> >
> > > <somebody> said:
> > > > They could make it out of the box but this is why Dylan made his
> > > > > statement.
> > >
> > > His statement is far fetched at best.  Unless of course he's speaking of
> > > 100
> > > million line ACLs.
> >
> > Can I just ask out of technical curiosity:
>
> Well, let me preface this thread with: the previous poster was/is from a
> hosting company.  ASAs aren't ISP/Hosting level boxes.  They are SMB to
> enterprise boxes.
>
> It's like saying yeah that 2501 doesn't meet our customer agg requirements
> at our ISP.  Of course it doesn't.  Wrong product wrong solution.
>
> With that said, from what I see in the field 10s of thousands.  I've seen as
> high as 80k.
>
> But, once you get into that many ACLs, IMO there's either an ACL or
> security/network design problem.
>
> tv