cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
77410
Views
251
Helpful
93
Replies

ASA 5506-X - Switchports?

danplacek
Level 4
Level 4

Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:

 

There are eight layer 3 ports that seemingly cannot be used as switch ports.

There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)

 

Why does this device even have 8 ports if they cannot be used as switchports?

Is this going to be fixed in future software? (By adding bridge groups?)

Can anyone think of any other "clever" workarounds?

 

Between this issue and the lack of POE, this device seems to be significantly less useful than the ASA5505.

 

Thank you.

93 Replies 93

This is what makes NO sense to me... An AP indicates a SOHO device... and no switch?

Most companies love an easy upgrade. I know 2-3 places with around 50-200 ASA5505s with the following set-up:

ASA5505---Cisco Aironet1141

1-2 PC, 1 printer, 2-3 laptops
 

Now... pls tell me... HOW can I easily upgrade my network using 5506?

 

ASA with a built-in AP is great but you realize most ASAs are in a basement next to a VDSL line, right?

 

 

The key issue here is that the ASA5506 is being positioned as the replacement for the ASA5505 by Cisco. While the 5506 is certainly an impressive piece of hardware -- it lacks features that the 5505 has -- features that make it unusable in *many* of the places that 5505's have been deployed.

 

I have seen many 5505 deployments that make use of the both the switchports and the POE. It is very common to see an ASA5505 with a standalone access point or two at someones home or a small branch office.

 

Just to emphasize - the lack of these features would not be an issue if this wasn't for the fact that this is the intended replacement for the ASA5505 - it simply doesn't fit the same role that the 5505 does.

 

- Dan

Couldn't agree more. I wonder what a small location/SOHO office needs eight different FW zones for.

 

It's simply not a successor to the 5505 if it can't provide one of the most popular features of the 5505. Plugging in a switch is doable, but makes little sense. Most sites would have five or six unused 5506 ports just sitting there.

 

It's almost as if Cisco acknowledges that the 5505 provided too much functionality at that price point by replacing it with the 5506 which lacks the most important feature. The argument about the CPU, RAM etc of the 5506 vs 5505 is not a good one. The 5505 is usually not used to its max FW wise in most sites. It's there to provide internet service, simple FW and potentially also a VPN connection to a central site, for a small number of users.

 

It's great seeing IPS functionality in the 5506, but the basic features need to be there first. I don't need to put my girlfriend and kid in separate FW zones at home. 

 

This is a very simple accomplishment that will group all the ports into a logical switch and assign each port to a group..  We will be using a concept of etherchannels or port-channels as Cisco defines them...  Here is the example.

 

 

NOT GROUPEDGROUPED
interface GigabitEthernet1/1interface GigabitEthernet1/1
nameif outsidenameif outside
security-level 0security-level 0
ip address 1.1.1.1 255.255.255.0ip address 1.1.1.1 255.255.255.0
!!
interface GigabitEthernet1/2interface GigabitEthernet1/2
nameif insideno nameif
security-level 100no security-level
ip address 192.168.1.1 255.255.255.0no ip address
!!
interface GigabitEthernet1/3interface GigabitEthernet1/3
no nameifchannel-group 1 mode active
no security-levelno nameif
no ip addressno security-level
!no ip address
interface GigabitEthernet1/4!
no nameifinterface GigabitEthernet1/4
no security-levelchannel-group 1 mode active
no ip addressno nameif
!no security-level
interface GigabitEthernet1/5no ip address
no nameif!
no security-levelinterface GigabitEthernet1/5
no ip addresschannel-group 1 mode active
!no nameif
interface GigabitEthernet1/6no security-level
no nameifno ip address
no security-level!
no ip addressinterface GigabitEthernet1/6
!channel-group 1 mode passive
interface GigabitEthernet1/7no nameif
no nameifno security-level
no security-levelno ip address
no ip address!
!interface GigabitEthernet1/7
interface GigabitEthernet1/8channel-group 1 mode passive
no nameifno nameif
no security-levelno security-level
no ip addressno ip address
!!
interface Management1/1interface GigabitEthernet1/8
management-onlyno nameif
nameif managementno security-level
security-level 100no ip address
ip address 192.168.15.13 255.255.255.0!
 interface Management1/1
 management-only
 nameif management
 security-level 0
 ip address 192.168.15.13 255.255.255.0
 !
 interface Port-channel1
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

Hehe, this is not what I'd call correct use of port channels, but nevertheless an interesting workaround. Thanks for sharing. My creativity is apparently limited since I would never think of this :-)

 

I wonder if we'll get an official answer from Cisco anytime soon.

no, not limited. the suggested solution falls flat and isn't practical. 

hi again

Really good idea - can just say as Bjerkeland that this didn't came into my mind because - well - using portchannels wasnt what I expected was possibly - but there are also some minor restrictions was probably wont make it useable in real life:

 

channel-group 1 mode on
INFO: security-level, delay, IP address and cts manual are cleared on GigabitEthernet1/3.
WARNING: GigabitEthernet1/3 is not compatible with GigabitEthernet1/2 and will be suspended (speed of GigabitEthernet1/3 is 100 Mbps, GigabitEthernet1/2 is 1000 Mbps)
ti5506(config-if)# WARNING: GigabitEthernet1/3 is not compatible with GigabitEthernet1/2 and will be suspended (speed of GigabitEthernet1/3 is 100 Mbps, GigabitEthernet1/2 is 1000 Mbps)

 

this is a very annoying restriction but ok - it is the best guess until now on how to circumwent that stupid limitation from Cisco

 

br /ti
 

If I were Cisco, I'd be ashamed to suggest anything like this. What's next? Using a paper-clip to remove a cable because we will get a port 'very similar to RJ45' in ASA5507? ;-)

A new platform should be a step forward especially if you release sth to replace a very old and slow device. The truth is that if Cisco does not fix it, it will cost them a lot of money...

If we connect end devices to ports on this port-channel, do they then work properly?

Reason for question is due to Cisco's feedback stating that the connected devices need to be configured to use the port-channel.

Can anyone confirm this to be a working work-around?

Thank you!

It most certainly is not a workaround.  LAGing layer 3 interfaces will not work as a replacement for layer 2 forwarding. Anyone that is responsible for and believes such in a production network that sends and receives Ethernet traffic should strongly reconsider their career choice.

-John

It looks like port-channels suppose to make all ports work like switch, but it is not, when I could not get IP address when connecting a PC to the of of those ports, and when I assigned static IP address I could not ping inside interface IP, I think this is really Cisco make big mistake, how come 5506 came with 8 ports but only allow use 5 VLAN what is other 3 ports going to use, nothing?

atadams77
Level 1
Level 1

I agree this is a problem.  This may force some loyal cisco customer to switch to alternate platforms.  Such as say..the Juniper SRX220.  

stownsend
Level 2
Level 2

I have a TAC Case open : SR 635080803

I'll let you know what they say...

crap....i just ordered one for my home hopping to use the switch port and bundle some ports together. Please let me know or else mine will be going back for refund.

Thanks

Review Cisco Networking for a $25 gift card