Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:
There are eight layer 3 ports that seemingly cannot be used as switch ports.
There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)
Why does this device even have 8 ports if they cannot be used as switchports?
Is this going to be fixed in future software? (By adding bridge groups?)
Can anyone think of any other "clever" workarounds?
Between this issue and the lack of POE, this device seems to be significantly less useful than the ASA5505.
I returned mine for a refund and planing on getting the much cheaper better solution that th 5505 provides. Unbelievable they would ruin such nice product that offer soho great solution in one box.
Now i need to explain to my client they need another box and more $$$
way to go Cisco, give us more reason to switch firewall vendors.
Looks like we are pretty much SOL...
Here is the Initial Reply when I asked how to get the ports to act like a Switch
Unfortunately the ASA5506 does not have switch port or switch port capabilities so you cannot Bridge/group from 2 to 8. Please let me know if you have any other question. Cisco TAC Support Engineer, Security Team
I then replied back with abidlatif's reply about the Grouping and if that would work, Cisco's Reply was:
When you set up a port-channel you are creating a logical interface that will allow to load balance the traffic across the interfaces that you join to the port-channel. But you will need to have the device connected to the ASA configure in the same way. Cisco TAC Support Engineer, Security Team
Anybody going to Cisco Live be sure to stop by Cisco's security products area in the World of Solutions and make your voice heard about this shortcoming.
If you're not, then feed it back locally to your partner SEs and/or Cisco account managers.
This can be addressed by Cisco product management if they hear enough from the customer and partner base.
But wait, in the base license I only have 5 vlans but 8 physical L3 interfaces? So I can never use the last 3 ports? Surely that’s a mistake.
Also I have 8 X 1Gbit L3 interfaces on a firewall that, according to cisco, has an inspection throughput of 750Mbps under ideal conditions. But why?
With the LACP “fix” (I would call it a workaround if there ever was one), wouldn’t I have to have all my connected AP’s, printers and PC’s running either 100Mbps or 1000Mbps? So if a customer has one old printer all ports would have to run 100Mbps? Even calling this a workaround seems like exaggerating.
I’m now sitting here with two worthless 5506 on my table. Why is it that cisco believe they can tell their customers what the customers needs are, have cisco been spending too much time with apple?
It might sound like I’m angry at cisco, I’m not…….I’m just very, very disappointed.
BTW. Am I correct in thinking the ASA 5506 has an actual switch build into it? I does seem like it.
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
"sw-module" is the FirePOWER software module (sfr).
The architecture of the 5506 is explained in presentation for session BRKSEC-3021 from Cisco Live! (June 2105 San Diego). See the copy of slide #21 below (open in new tab to zoom):
It's ambiguous to me.
The block titled "external NICs" needs to be explained and understood by people (i.e. Cisco developers or TMEs) who know the hardware / firmware / software capabilities.
Those of us outside those roles can only speculate (and bug Cisco to right the wrong).
The Atom C2000 series is an SoC with 2 GE interfaces, so looks like one of them is used for the management interface.
From reading other literature, looks like the NPU has at least 9 interfaces, with one being used for the AP. So, really, you could simplify the diagram by removing the "External NICs" block and connect the brown ethernet arrows directly to the NPU. My hunch is that Cisco knows that it's silly to have 8 interfaces, 3 of which can't be used with the base license, not to mention that most deployments would only use 2. So I think switchports were thought of in the hardware planning phase, but the software to go with it simply doesn't exist.
"in the base license I only have 5 vlans but 8 physical L3 interfaces? So I can never use the last 3 ports"
Don't know how you did your math there, you have 8 individual physical L3 interfaces, which you can and may bind as what ever you need to your own L3-network setup, and as an add-on, you may also use up to 5 individual VLAN's. So basically you are now able to have up to 13 L3-networks "directly" attached to the ASA5506 with the base license. Where we used to be able to handle a maximum of 3 VLAN's on the ASA5505.
As for my small home office, I am on 5 different L3-networks, so I am quite pleased with the new design, even though I do understand a lot if you guys frustration regarding the L2 possibility of the Gbps ports.
hey michael... while i could do 2 different L3 networks for a home network, i have devices that need to be on the same l2 network before they will communicate. For example, i have a Stereo receiver in which the app only works if the devices are on the "same network". My AppleTV's would be behind 2 different L3 networks, along with the wireless clients trying to connect to them.
Another delima... soon to have a wlc2504. My thought was to have the ASA as the default gateway for each network. Drop the guest users in a lower security level. Guessing i have "zone's" now to address that shortcoming???
Anyone have any beginners 5506x guides? Been trying to get this setup with (2) compact series switches and I'm struggling with the basics. I did configure eigrp when i didn't see any switch commands & had that working... but then the switch is default gateway & i'm trying to figure a way to isolate guest traffic. Any help would be greatly appreciated!!!!
This is just non-sense.
I was about to make a big order for 4 projects. I am going with another vendor as I now have to buy separate siwtches.
I have one project where I have a switch already and can test this. Does the 5506X support trunk ports? or do I need to waste a switch port ver VLAN.
It appears you can use subinterfaces as well as VXLANs/VNIs?
no ip address
ip address 172.25.82.1 255.255.255.0
Licensing for Basic Interface Configuration Model License Requirement ASA 5506-X series Interfaces of all types:
Base License: 536
Security Plus License: 636
VLAN subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.
VXLAN VNI interfaces—Enabled.
ip address 172.25.83.1 255.255.255.0
This isn't an issue - it's a Cisco design. The 5506-X is an 8 port Layer 3 firewall. You'll need a L2 switch to do multiple ports in the same VLAN.