Just bought a new ASA 5506-x to play with it, and found out the 8 ports cannot be configured as a switch in the same way we do with ASA5505.
There are any option to use the remaining ports as a switch?
Solved! Go to Solution.
Thanks for your comments regarding Cisco ASA 5506-X next-gen firewall with FirePOWER Services. There have been questions regarding the ASA 5506-X not supporting L2 switch ports and what alternatives to consider to provide this support.
For those instances where customers require L2 switching capabilities with the ASA5506-X, the following options are available:
The ASA 5506-X brings Cisco’s threat-protection capability to small to midsize businesses and distributed enterprises. Added features include:
These are critical capabilities that competing UTM solutions and next-generation firewalls do not have. We have brought this capability to SMBs and branch/remote offices, and it saves organizations money by reducing the number of exploits that succeed and also dramatically lowers remediation costs.
We appreciate the opportunity to assist you and hope this information was helpful.
Hi Brian, are you Cisco Employee? Do you know the timeframe when support is coming. The 5506 is the successor of the 5505. Pretty weird if you don't get the same (essential) features in the new hardware.
Is there an update on this? This is a pretty big mess for everyone that was expecting to be able to use the 5506 the same way as the 5505.
Have there been any updates on this limitation of the 5506-X, specifically the lack of switch-ports? If the ASA5505 is End-of-Life, and the ASA5506-X is the recommended replacement, the lack of this functionality is a big non-starter.
It is useful to note that none of the aforementioned "workarounds" in this thread are viable.
We sold about ten of these already . Day one we got it and tried to enable the switch and ran into this issue .. Contacted TAC and was told that feature is not available because they are gig ports . So we just decided to combine 200 or 300 SB switch's and keep it as a straight firewall device . Firepower features are pretty and a lot faster that the old 5505 . More likely Cisco will resolve this is but with no POE and limited N wifi support I would rather buy switch and AC based ap's. ..
I respectfully have to disagree...
Its all in a matter of knowing how to maneuver around the various options and the lack of youtube videos and config examples for real world configs are very challenging here, to say the lease..
This is a very simple accomplishment that will group all the ports into a logical switch and assign each port to a group.. We will be using a concept of etherchannels or port-channels as Cisco defines them... Here is the example.
|interface GigabitEthernet1/1||interface GigabitEthernet1/1|
|nameif outside||nameif outside|
|security-level 0||security-level 0|
|ip address 184.108.40.206 255.255.255.0||ip address 220.127.116.11 255.255.255.0|
|interface GigabitEthernet1/2||interface GigabitEthernet1/2|
|nameif inside||no nameif|
|security-level 100||no security-level|
|ip address 192.168.1.1 255.255.255.0||no ip address|
|interface GigabitEthernet1/3||interface GigabitEthernet1/3|
|no nameif||channel-group 1 mode active|
|no security-level||no nameif|
|no ip address||no security-level|
|!||no ip address|
|no nameif||interface GigabitEthernet1/4|
|no security-level||channel-group 1 mode active|
|no ip address||no nameif|
|interface GigabitEthernet1/5||no ip address|
|no security-level||interface GigabitEthernet1/5|
|no ip address||channel-group 1 mode active|
|interface GigabitEthernet1/6||no security-level|
|no nameif||no ip address|
|no ip address||interface GigabitEthernet1/6|
|!||channel-group 1 mode passive|
|interface GigabitEthernet1/7||no nameif|
|no nameif||no security-level|
|no security-level||no ip address|
|no ip address||!|
|interface GigabitEthernet1/8||channel-group 1 mode passive|
|no nameif||no nameif|
|no security-level||no security-level|
|no ip address||no ip address|
|interface Management1/1||interface GigabitEthernet1/8|
|nameif management||no security-level|
|security-level 100||no ip address|
|ip address 192.168.15.13 255.255.255.0||!|
|ip address 192.168.15.13 255.255.255.0|
|lacp max-bundle 8|
|ip address 192.168.1.1 255.255.255.0|
As you can see the column labeled "Grouped" will arrange all the specified ports into a LACP etherport channel group, logically creating two separate segments, much like a VLAN; however there are substantial other config items that must be configured in order for this to work successfully; however it will work and function as a L2 switch, just as described...
I will post more examples and comments as I come across issues that plague me as well...
I would suggest instead of saying the latest ASA5506-X does not support switch ports or "X" you may want to fully investigate the broad range of options available to the resource users... Lack of knowledge doesn't constitute the intended use of product support.
There is not much this robust ASA5506-X platform can not do, given, time, patience and the willingness to not rely on a point and click solution.
Our company will be glad to support any users on this platform, of course for a small fee.. Please feel free to reach out with your request and we can move forward... This is a great and rocksolid brand new product; which WILL REQUIRE relearning some basic 5505 mentality; but again.. no videos, docs or real world examples are available yet... I think this is probably the first of many to come...
Ty Carter, President
Strategic Network Consultants, Inc.
524 East 9th Street
Washington, NC 27889
Etherchannels will work when you connect the new ASA 5506 to another switch. A matter of adapt, i agree.
However, when no switch around, and you see this often in small remote offices/ soho (4-5 devices), what are you going to do?
Are you going to ask the customer to buy a switch for that??? no good.
The ASA 5505 was cheap, simple and it worked perfect.
To Cisco: If it ain't broke, don't fix it
I don’t believe you have to attach the device to another switch… The IOS will create its own grouping internally… I am going to put this to the test tomorrow…
I agree wholeheartedly it is a definite change in dynamic; but that was not the question posed here… I didn’t say I liked it any more than the next person.
We will see where this takes us.. at least this is according to TAC group.
Have you actually tested this with a PC connected to a channel-group1 port?
I have this setup in the lab and ran into the same issues as everyone else. We use the 5505 as a one box solution and this forces us to buy a second switch which kills our design and increases our points of failure not to mention Smartnet fees for two devices. I thought maybe your solution would work for us but I am unable to receive an address via DHCP. We use the ASA for DHCP and when I try to configure the port-channel we never receive an address. Once I remove the port-channel and use a physical interface the ASA assigns the DHCP address no problem. I'm wondering if this was a solution in theory or if it has actually been vetted.
I would like to know this too. I've read countless posts now and the fact that you have to use a kludgy hack to utilize ports on a network device that costs $1500 dollars is absolutely inexcusable. Cisco needs a serious smack in the ass. They are so transparently selfish with their focus on costs and returns; any lay-person can see that they actually sit down and develop ways to intentionally gouge customers.
The simple brainless return on this problem is "now I need to buy a switch", which is exactly what they intended. Now ask yourself what kind of people run this company.
This has to be the worst response I've ever seen. the only conclusion would be to never use Strategic Network Consultants, Inc for anything and if this fly-by-night operation is in your area please inform everyone you can to not use this guy.
EtherChannels will most certainly not work as a replacement for switchports.
It seems you are assuming the other end of those connections are all to the same device (e.g., another switch).
As 100's of others have pointed out, the 5505 is in use in SMALL deployments.
Who at Cisco decided a SOHO, or small branch needs 8 ROUTED PORTS!?!?!?!?
I'd really like to see the logic used. Whether Cisco likes it or not, the real world use case for the 5505 *relies* on those switchports.
To say the "next generation" or "replacement" doesn't support switchports because the original use case only included them as an afterthought completely overlooks the actual use case.
If Ford puts out a truck with a trailer hitch, and the majority of users take advantage of the hitch - why would Ford remove that feature in the next release because they "didn't intend for the truck to actually tow things".
"Course Correction" is needed on this.