cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

53068
Views
251
Helpful
92
Replies
Highlighted
Enthusiast

ASA 5506-X - Switchports?

Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:

 

There are eight layer 3 ports that seemingly cannot be used as switch ports.

There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)

 

Why does this device even have 8 ports if they cannot be used as switchports?

Is this going to be fixed in future software? (By adding bridge groups?)

Can anyone think of any other "clever" workarounds?

 

Between this issue and the lack of POE, this device seems to be significantly less useful than the ASA5505.

 

Thank you.

92 REPLIES 92
Highlighted

I returned mine for a refund and planing on getting the much cheaper better solution that th 5505 provides. Unbelievable they would ruin such nice product that offer soho great solution in one box. 

 

Now i need to explain to my client they need another box and more $$$ 

 

way to go Cisco, give us more reason to switch firewall vendors. 

Highlighted

Looks like we are pretty much SOL...

Here is the Initial Reply when I asked how to get the ports to act like a Switch

Unfortunately the ASA5506 does not have switch port or switch port capabilities so you cannot Bridge/group from 2 to 8.

Please let me know if you have any other question. 

Cisco TAC Support Engineer, Security Team

 

I then replied back with abidlatif's reply about the Grouping and if that would work, Cisco's Reply was:

When you set up a port-channel you are creating a logical interface that will allow to load balance the traffic across the interfaces that you join to the port-channel. But you will need to have the device connected to the ASA configure in the same way. 

Cisco TAC Support Engineer, Security Team

 

Scott<-

 

Highlighted

Looks I'll be sending it and get me a cheaper 5505 and pair it up with an access point. 

 

Thanks again

Highlighted

Anybody going to Cisco Live be sure to stop by Cisco's security products area in the World of Solutions and make your voice heard about this shortcoming.

If you're not, then feed it back locally to your partner SEs and/or Cisco account managers.

This can be addressed by Cisco product management if they hear enough from the customer and partner base.

 

Highlighted
Participant

But wait, in the base license I only have 5 vlans but 8 physical L3 interfaces? So I can never use the last 3 ports? Surely that’s a  mistake.

Also I have 8 X 1Gbit L3 interfaces on a firewall that, according to cisco, has an inspection throughput of 750Mbps under ideal conditions. But why?

With the LACP “fix” (I would call it a workaround if there ever was one), wouldn’t I have to have all my connected AP’s, printers and PC’s running either 100Mbps or 1000Mbps? So if a customer has one old printer all ports would have to run 100Mbps? Even calling this a workaround seems like exaggerating.

I’m now sitting here with two worthless 5506 on my table. Why is it that cisco believe they can tell their customers what the customers needs are, have cisco been spending too much time with apple?

It might sound like I’m angry at cisco, I’m not…….I’m just very, very disappointed.

 

BTW. Am I correct in thinking the ASA 5506 has an actual switch build into it? I does seem like it.

 

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down webvpn

Shutting down sw-module

Highlighted

tekha,

"sw-module" is the FirePOWER software module (sfr).

The architecture of the 5506 is explained in presentation for session BRKSEC-3021 from Cisco Live! (June 2105 San Diego). See the copy of slide #21 below (open in new tab to zoom):

 

Highlighted

Does this slide suggest that there is a hardware limitation here that is not software fixable?

Highlighted

It's ambiguous to me.

The block titled "external NICs" needs to be explained and understood by people (i.e. Cisco developers or TMEs) who know the hardware / firmware / software capabilities.

Those of us outside those roles can only speculate (and bug Cisco to right the wrong).

Highlighted

The Atom C2000 series is an SoC with 2 GE interfaces, so looks like one of them is used for the management interface.

From reading other literature, looks like the NPU has at least 9 interfaces, with one being used for the AP.  So, really, you could simplify the diagram by removing the "External NICs" block and connect the brown ethernet arrows directly to the NPU.  My hunch is that Cisco knows that it's silly to have 8 interfaces, 3 of which can't be used with the base license, not to mention that most deployments would only use 2.  So I think switchports were thought of in the hardware planning phase, but the software to go with it simply doesn't exist.

Highlighted

tekha

"in the base license I only have 5 vlans but 8 physical L3 interfaces? So I can never use the last 3 ports"

Don't know how you did your math there, you have 8 individual physical L3 interfaces, which you can and may bind as what ever you need to your own L3-network setup, and as an add-on, you may also use up to 5 individual VLAN's. So basically you are now able to have up to 13 L3-networks "directly" attached to the ASA5506 with the base license. Where we used to be able to handle a maximum of 3 VLAN's on the ASA5505. 

As for my small home office, I am on 5 different L3-networks, so I am quite pleased with the new design, even though I do understand a lot if you guys frustration regarding the L2 possibility of the Gbps ports. 

 *cheers*

Highlighted

hey michael... while i could do 2 different L3 networks for a home network, i have devices that need to be on the same l2 network before they will communicate.  For example, i have a Stereo receiver in which the app only works if the devices are on the "same network".  My AppleTV's would be behind 2 different L3 networks, along with the wireless clients trying to connect to them.

Another delima... soon to have a wlc2504.  My thought was to have the ASA as the default gateway for each network.  Drop the guest users in a lower security level.  Guessing i have "zone's" now to address that shortcoming???

Anyone have any beginners 5506x guides?  Been trying to get this setup with (2) compact series switches and I'm struggling with the basics. I did configure eigrp when i didn't see any switch commands & had that working... but then the switch is default gateway & i'm trying to figure a way to isolate guest traffic.  Any help would be greatly appreciated!!!!

Highlighted
Beginner

This is just non-sense.

 

I was about to make a big order for 4 projects. I am going with another vendor as I now have to buy separate siwtches.

 

I have one project where I have a switch already and can test this. Does the 5506X support trunk ports? or do I need to waste a switch port ver VLAN.

 

 

Highlighted
Beginner

It appears you can use subinterfaces as well as VXLANs/VNIs?

interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.200
 vlan 2
 nameif inside
 security-level 100
 ip address 172.25.82.1 255.255.255.0 

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli.pdf

Licensing for Basic Interface Configuration Model License Requirement ASA 5506-X series Interfaces of all types:

Base License: 536

Security Plus License: 636

 

VLAN subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.

VXLAN VNI interfaces—Enabled.

 

interface vni2
 segment-id 2
 no nameif
 security-level 100
 ip address 172.25.83.1 255.255.255.0 

Highlighted
Beginner

Does anyone know if there is a status update on this issue?

 

 

Highlighted

This isn't an issue - it's a Cisco design. The 5506-X is an 8 port Layer 3 firewall. You'll need a L2 switch to do multiple ports in the same VLAN.

Content for Community-Ad