cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
77406
Views
251
Helpful
93
Replies

ASA 5506-X - Switchports?

danplacek
Level 4
Level 4

Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:

 

There are eight layer 3 ports that seemingly cannot be used as switch ports.

There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)

 

Why does this device even have 8 ports if they cannot be used as switchports?

Is this going to be fixed in future software? (By adding bridge groups?)

Can anyone think of any other "clever" workarounds?

 

Between this issue and the lack of POE, this device seems to be significantly less useful than the ASA5505.

 

Thank you.

93 Replies 93

JohnUrbanek
Level 1
Level 1

Based on my experience with the ASA5506-X (which was just released, I understand) Cisco spent more resources ensuring the Ferrari designer responsible for the physical shell was able to get Ferrari red included somewhere on the shell instead of focusing on the real-life deployment scenarios for a lot of ASA5505's.

I have 500+ deployments of the 5505 little green goblin and the built-in switchports (even at 100Mb/s) and two PoE ports provided an amazing all-in-one device when paired with an access point (powered by the PoE).

I understand that the 5506-X is available with integrated access point -- but the removal of the switchports -- or at least the ability to create bridge-groups out of routed ports is inexcusable on the successor to the 5505.

I don't know at what level of product development this failed, but it is a failure.  At the very least now the ASA OS could add bridge-group support to routed mode (it exists only in transparent mode to facilitate the mode itself).

-John

I couldn't agree more.   I don't understand how Cisco can say this is the successor to the 5505 when it can't perform the same basic functions. We use 5505's in our small sub-branche offices and plug each device into the FW.  Now I need to buy and additional switch as well?  Having 8 ports and not provide switching or bridge-groups is totally ridiculous.  What could I possibly need with 8 layer 3 ports on such a small device?  I hope they address this very soon.  

Same here. We waited for a year with a project to replace the old 5505 with a new model and now this! We are just extremely lucky that we only bought one for initial testing and not the whole 3xx+

The lack of Switchports really wipes out any arguments we had for a Cisco ASA VPN Solution…

Really hope they will announce a model with Switchports soon, otherwise it looks bad for our central Cisco Firewall replacement too.

 

-

yes - and when they build that beast why didn't they also give us the possibility to use these 8 1GB ports as a switch - not all customers wan't more "stuff" laying around and f.ex for Windows networking it is needed with a switch to permit the discovery of services

The 5506 is positioned as a replacement for the 5505 and I really don't want to place a switch in front of it if I can awoid it...

I don't need clustering for a homeoffice - small branch office - nor routemaps or zone based firewalling - but I need a switch

br /ti

Cannot agree more.

Just to remind you it is 2015 so what's so special about 4GB of RAM... come on... Cisco could do things like this 20 years ago and tell people: OH YES!!!! GIGABIT PORTS in ALL ASAs!!! YEah!!!! It is a BEAST now... come on!

 

I do not get it how you could 'forget' about a switch and PoE...

 

 

-

There are many UTMs with a HDD and 2-8GB of RAM that can run IPS, AV and so on.

 

What we are trying to say is that Cisco added all these awesome features, AMP, mSata, wireless... and 'forgot' about basic features like a switch and PoE?

 

It is like giving you ESP, ABS, 8xASR, Park Assistant in a new car but no radio ;-)

 

Most companies will NOT go for IPS and additional features on this box. It is nice to have an option but we just needed a nice UPGRADE of a really old 5505. I expected gigabit ports and PBR - two really important new features for SOHO.

 

They are there but where is my switch and PoE? :)

 

Akram,

 

If you have a way around the lack of switch ports -- short of buying an entire separate switch -- we would love to hear about it.

 

In regards to the POE - as I said in my post above, it is VERY common for a standalone Access Point or two to be deployed alongside an ASA5505. While the ASA5506 version that has an integrated AP partially addresses this concern it has some limitations - namely that you cannot locate the access point at a different location than the firewall. In addition to that of course you only get a single AP - not two.

 

You noted above that for home use people should "go to best buy" -- this ignores the fact that many enterprises put their own hardware in employee or executive homes to support work-from-home. This can often include wireless or an IP phone.

 

- Dan

Most of our ASA 5505 deployments used the switch "feature" of the 5505.  I'm assuming if the switch feature is gone, then the ability to set up a SPAN port for a traffic analysis system is also gone - also a useful feature.

For telecommuting the 5505 provided the convenience of shipping a single device that could establish a VPN and provide PoE for a Cisco phone, and provide connectivity to a laptop and other devices using the switch ports.  Some may argue "so what", simply ship a small switch with it.  I'm not saying it's an insurmountable problem, I'm just saying it's a poor decision for Cisco to leave such a fundamental aspect of the product out when developing the successor device.

At the end of the day I think all of us would have been more than happy with the existing features of the 5505 with gigabit enhancement. 

 

I made the feedback heard loud and clear in speaking face-to-face with several execs and engineers at last week's Cisco Live! conference.

They are hearing it from many customers and partners and are very aware they dropped the ball on this one. They are working on a course correction.

Marvin, I'm glad you were there and it sounds like very good news.   I would think they could fix this with an os revision, and not change the hardware.  Either way, I'm sure it's a lesson learned for cisco. 

Review Cisco Networking for a $25 gift card