
5506-x no switch option as 5505?

Level 1

Just bought a new ASA 5506-x to play with it, and found out the 8 ports cannot be configured as a switch in the same way we do with ASA5505.

Is there any option to use the remaining ports as a switch?

1 Accepted Solution

Cisco Employee

Thanks for your comments regarding Cisco ASA 5506-X next-gen firewall with FirePOWER Services. There have been questions regarding the ASA 5506-X not supporting L2 switch ports and what alternatives to consider to provide this support.

For those instances where customers require L2 switching capabilities with the ASA5506-X, the following options are available:

  • Cisco recommends an external switch solution through the Cisco Small Business group: an 8-port model (SG110D-08) or a 5-port model (SG110D-05) unmanaged gigabit switch. Both have been tested for compatibility with the ASA 5506-X. For more information about the 110 Series Unmanaged Switches, please refer to the attached document, or visit this site.

  • For those customers looking for a firewall without FirePOWER Services, the ASA 5505 offers integrated L2 switching to meet this requirement.  There are no plans at this time to end of sale the ASA 5505 and continues to support the full-featured firewall for small business, branch and enterprise teleworker environments.

The ASA 5506-X brings Cisco’s threat-protection capability to small to midsize businesses and distributed enterprises.  Added features include:

  • The same next generation firewall capabilities as our mid- and high-range ASA with FirePOWER Services models which include Application Visibility and Control (AVC), Advanced Malware Protection (AMP), Next Gen Intrusion Prevention System (NGIPS), and URL filtering applications via subscription

  • Higher performance and increased throughput (more than 2.5x firewall throughput)

  • A variety of form factors including wired and wireless models, a ruggedized version for industrial control deployments as well as two high performance rack mounts.

  • On-box or centralized management for deployment flexibility

  • Hardware security and anti-counterfeiting trust anchor technologies

  • VPN with enhanced mobility support

These are critical capabilities that competing UTM solutions and next-generation firewalls do not have. We have brought this capability to SMBs and branch/remote offices, and it saves organizations money by reducing the number of exploits that succeed and also dramatically lowers remediation costs.

We appreciate the opportunity to assist you and hope this information was helpful.

27 Replies

Cisco Employee

Unlike ASA5505, ASA5506-X does not support switch ports at this time.

Hi Brian, are you a Cisco employee? Do you know the timeframe when support is coming? The 5506 is the successor of the 5505. Pretty weird if you don't get the same (essential) features in the new hardware.

Hi Sander,

Yes, I am a Cisco employee. I'm investigating this and will get back to you.




Is there an update on this? This is a pretty big mess for everyone that was expecting to be able to use the 5506 the same way as the 5505.

Thanks,


Have there been any updates on this limitation of the 5506-X, specifically the lack of switch-ports?  If the ASA5505 is End-of-Life, and the ASA5506-X is the recommended replacement, the lack of this functionality is a big non-starter.

It is useful to note that none of the aforementioned "workarounds" in this thread are viable.


We sold about ten of these already. Day one we got it and tried to enable the switch and ran into this issue. Contacted TAC and was told that feature is not available because they are gig ports. So we just decided to combine 200 or 300 SB switches and keep it as a straight firewall device. Firepower features are pretty and a lot faster than the old 5505. More likely Cisco will resolve this, but with no POE and limited N wifi support I would rather buy switch and AC based APs.


I respectfully have to disagree...

It's all a matter of knowing how to maneuver around the various options, and the lack of YouTube videos and config examples for real-world configs is very challenging here, to say the least.

This is a very simple accomplishment that will group all the ports into a logical switch and assign each port to a group..  We will be using a concept of etherchannels or port-channels as Cisco defines them...  Here is the example.

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address

Grouped:

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 channel-group 1 mode passive
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 channel-group 1 mode passive
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 nameif management
 security-level 0
 ip address
interface Port-channel1
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address

As you can see the column labeled "Grouped" will arrange all the specified ports into a LACP etherport channel group, logically creating two separate segments, much like a VLAN; however there are substantial other config items that must be configured in order for this to work successfully; however it will work and function as a L2 switch, just as described...

I will post more examples and comments as I come across issues that plague me as well...

I would suggest instead of saying the latest ASA5506-X does not support switch ports or "X" you may want to fully investigate the broad range of options available to the resource users... Lack of knowledge doesn't constitute the intended use of product support.

There is not much this robust ASA5506-X platform can not do, given, time, patience and the willingness to not rely on a point and click solution.

Our company will be glad to support any users on this platform, of course for a small fee. Please feel free to reach out with your request and we can move forward. This is a great and rock-solid brand new product, which WILL REQUIRE relearning some basic 5505 mentality; but again, no videos, docs or real world examples are available yet. I think this is probably the first of many to come.


Ty Carter, President

Strategic Network Consultants, Inc.

524 East 9th Street

Washington, NC  27889

Etherchannels will work when you connect the new ASA 5506 to another switch. A matter of adapting, I agree.

However, when there is no switch around, and you see this often in small remote offices/SOHO (4-5 devices), what are you going to do?

Are you going to ask the customer to buy a switch for that??? No good.

The ASA 5505 was cheap, simple and it worked perfectly.

To Cisco: If it ain't broke, don't fix it.