03-19-2015 03:52 PM - edited 03-11-2019 10:40 PM
Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:
There are eight layer 3 ports that seemingly cannot be used as switch ports.
There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)
Why does this device even have 8 ports if they cannot be used as switchports?
Is this going to be fixed in future software? (By adding bridge groups?)
Can anyone think of any other "clever" workarounds?
Between this issue and the lack of PoE, this device seems to be significantly less useful than the ASA 5505.
Thank you.
07-30-2015 03:32 PM
As discussed here and elsewhere, you would be perfectly right if it were not that Cisco is positioning this device as a replacement for the 5505.
I have a 5506-X sitting on my desk. It's a nice piece of hardware, but in spirit, all we really wanted is a 5505 with gigabit. Why is that so hard?
07-30-2015 03:35 PM
I hear you. Apparently Cisco had other plans and wanted to replace a SoHo 5505 with a non-direct replacement with more horsepower and options, but left off some of the SoHo attractiveness of the 5505.
Maybe they'll get it right with a 5507-X? ;)
08-01-2015 05:09 PM
Not funny for anyone who bought a 5506 thinking it was a drop in upgrade from the 5505.
Also not funny for anyone who is yet to learn this.
08-17-2015 01:27 PM
So do you have to use a particular switch, since the 5506-X LAN ports do not support switching? Or can you just use a dumb/non-managed switch?
08-17-2015 01:33 PM
If all you need is a single VLAN, no Power over Ethernet etc. then a dumb switch is fine.
If you need multiple VLANs, LACP/LAG, PoE etc. then you select the switch accordingly.
09-23-2015 09:42 AM
Has anyone had any experience with the ASA 5508-X? Do its interfaces support switching?
10-12-2015 09:16 AM
All,
I ran into the same problem and I came up with the following workaround/solution.
Create separate inside networks with the same '100' value for the security-zone, like you normally would on your inside interface. Set up NAT, dhcpd, etc. for each inside interface (inside, inside1, inside2, ...). I used ascending subnets: 10.10.10.0/24, 10.10.11.0/24, ... for each interface.
Use the commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
to allow traffic to pass between the VLANs. This will allow traffic across the subnets and allow your devices to communicate. You will not get broadcast traffic, but as long as you're looking for an IP address it should route between the interfaces.
02-08-2016 02:25 PM
last paragraph -> absosecurelutely true
12-22-2015 08:52 AM
Has there been any movement from Cisco on this issue? I just had a couple of 5506s dropped on my desk and, without switching functionality, they're about as useful as paperweights...
12-22-2015 09:04 AM
Posted this two months ago, does it help you?
I ran into the same problem and I came up with the following workaround/solution.
Create separate inside networks with the same '100' value for the security-zone, like you normally would on your inside interface. Set up NAT, dhcpd, etc. for each inside interface (inside, inside1, inside2, ...). I used ascending subnets: 10.10.10.0/24, 10.10.11.0/24, ... for each interface.
Use the commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
to allow traffic to pass between the VLANs. This will allow traffic across the subnets and allow your devices to communicate. You will not get broadcast traffic, but as long as you're looking for an IP address it should route between the interfaces.
12-22-2015 11:31 AM
This doesn't address the problem of needing multiple interfaces in the same VLAN...
01-05-2016 09:08 AM
"I came up with the following workaround/solution."
"to allow traffic to pass between the VLANs. This will allow traffic across the subnets and allow your devices to communicate. You will not get broadcast traffic, but as long as you're looking for an IP address it should route between the interfaces."
02-05-2016 01:12 AM
Any Update on this? Will there be a "ASA5506>S<-X"?
Or is the following slightly sarcastic personal interpretation final:
We listened to our dear customers and have decided to include the WLAN Access Point in the “W” Model, so that you do not have to send out 2 boxes to your VPN locations. But since we like to sell stuff at Cisco, you unfortunately have to buy a POE Switch (preferably Cisco!) to replace your fleet of 5505’s.
(You really should buy a Switch anyway, since we introduced the FirePower capabilities in a really quick & dirty way – the competition was eating away our market and our marketing/sales people needed something presentable - sorry techies - but we'll fix it in March 2016(?) with the FTD unified release).
And just as a note:
NO! – Neither creating one subnet per port nor using an etherchannel is a workaround for a SOHO enterprise Firewall. And when we talk Meraki, we are talking about changing the vendor, something a Cisco guy tries to avoid with the current offerings from other vendors.
02-08-2016 02:17 PM
I am not interested in complaining, nagging around - I do understand everyone who is missing the switching functionality - personally, I couldn't agree more that the missing switching functionality is a pain bla bla bla.
However, I am interested in solutions. I like to be part of a solution instead of participating in the problem.
Here's a solution that works - as long as you are willing to think into it. Get one of the cheapest unmanaged 4-port gigabit switches -> you need it to connect the management port with one of the other L3 ports and a host. Assuming you have one interface (number 1) connected to the internet, you have 7 (2-8) left to connect 7 hosts. If you need 2 interfaces (1 & 2) for WAN (backup lines or any other name you prefer) there are 6 (3-8) left to connect 6 hosts.
Take the 192.168.1.0/24 network (why this one/way -> summarization) - or any other number that is your personal favorite - and break it down into segments of 32 each, or any other number you like as long as you are able to derive at least 7 consecutive networks:
and apply them to the physical interfaces - give each interface a distinctive name, i.e. inside-1/3, inside-1/4 and so forth.
Connect the ASA's mgmt interface, gi1/8 (or any other you like), and the one host to the cheap switch. Make sure to configure the FirePOWER address according to the network you've chosen for that physical interface.
I know this is not "beautiful" - I KNOW IT - however, if you are in tight spot, this is a way to get out of it. IT WORKS - keep that in mind.
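Added example (not code from any poster in this thread): a Python script that carves 192.168.1.0/24 into /27 blocks as the post above describes, assigns them to the routed ports, and renders the ASA CLI for the earlier "one subnet per port" workaround (security-level 100 on every inside port, dhcpd, interface PAT, and the two same-security-traffic commands). The port numbering (GigabitEthernet1/1 as WAN, 1/2 to 1/8 as inside), the nameif values and the name "outside" are assumptions; the management port and FirePOWER address are left out.

```python
"""Generate an ASA 5506-X 'one subnet per port' config (constructed example)."""
import ipaddress

# Assumptions (not from the thread): GigabitEthernet1/1 is the WAN port,
# 1/2..1/8 become routed inside ports; the management port is left out.
BASE_NET = ipaddress.ip_network("192.168.1.0/24")
INSIDE_PORTS = range(2, 9)  # GigabitEthernet1/2 .. 1/8
SUBNET_PREFIX = 27          # /27 = 32 addresses per port, 8 blocks in a /24


def subnet_plan(base=BASE_NET, ports=INSIDE_PORTS, prefix=SUBNET_PREFIX):
    """Map each inside port to a consecutive /27 carved out of the base /24."""
    blocks = list(base.subnets(new_prefix=prefix))
    if len(blocks) < len(ports):
        raise ValueError("not enough subnets for the number of inside ports")
    return {f"GigabitEthernet1/{p}": blk for p, blk in zip(ports, blocks)}


def asa_config(plan):
    """Render interface, DHCP, NAT and same-security lines as ASA CLI text."""
    lines = []
    for idx, (ifname, net) in enumerate(plan.items(), start=1):
        name = f"inside{idx}"            # assumed nameif values
        hosts = list(net.hosts())
        gw, pool_lo, pool_hi = hosts[0], hosts[1], hosts[-1]
        lines += [
            f"interface {ifname}",
            f" nameif {name}",
            " security-level 100",       # same level on every inside port
            f" ip address {gw} {net.netmask}",
            " no shutdown",
            f"dhcpd address {pool_lo}-{pool_hi} {name}",
            f"dhcpd enable {name}",
            f"object network {name}-net",
            f" subnet {net.network_address} {net.netmask}",
            f" nat ({name},outside) dynamic interface",  # PAT to WAN address
        ]
    # Needed so hosts on different inside ports can reach each other.
    # This permits all traffic between same-security interfaces unless an
    # inbound ACL is bound to them, so keep ACLs where ports must stay
    # segmented from one another.
    lines += ["same-security-traffic permit inter-interface",
              "same-security-traffic permit intra-interface"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(asa_config(subnet_plan()))
```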
05-27-2016 01:47 PM
That is terrible.
Just bought a 5506 to connect a small sales point (1 PC, 1 printer, 2 special devices) via site-to-site,
Spent 2 days trying to find out how to configure switchports... for what? To find out that it is impossible?
Sad that I had not found this thread before I bought this stuff; it would have been better to buy a 5505.
Subnetting for such a small office is the worst thing I could imagine.
Hope this issue will be fixed in the future.