ASA 5506-X - Switchports?

danplacek
Level 4

Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:


There are eight layer 3 ports that seemingly cannot be used as switch ports.

There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)


Why does this device even have 8 ports if they cannot be used as switchports?

Is this going to be fixed in future software? (By adding bridge groups?)

Can anyone think of any other "clever" workarounds?


Between this issue and the lack of POE, this device seems to be significantly less useful than the ASA5505.


Thank you.

92 Replies

Cisco dropped the ball on this. All we wanted was an ASA5505 with gigabit. Make all the ports POE and it would be even more awesome. Removing POE completely makes me realize how out of touch product managers can be with reality.

It's almost as if Cisco was so concerned with competing in the NGFW FIREPOWER!!!!!!!! space that they forgot the use case of the gigantic installed base of 5505s.

I attended Cisco Live this year, and met Eric Kostlan and another engineer on the design team for these FWs from Cisco. When I talked to them, they couldn't get past the use case scenarios we are all bringing up here. It almost seemed as if they were focused on enterprise rather than the "small business" use cases the original 5505 seemed to fit into perfectly. Enterprise won't use a 5506, so why make these ports routed ports? It's interesting that Eric said the words "course correction"; they gave me the same rhetoric. Whatever "course correction" means in Cisco world, I'm waiting on the "no switchport" command to be released so we can get past all this. Also, not to hijack this thread, but I pinned them against the wall with regard to L7 PBR (e.g. if Facebook, go ISP 2; if business-critical traffic, go ISP 1). I told them lower-end competitors (e.g. SonicWall, WatchGuard, Fortinet) all do this on box (hell, the Cisco WLC can even do it), so why can't the ASA55xx?

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"

Hello all,

Is there a latest update on this? I use 5505s as switches for small offices, and with the purchased 5506s I thought it was a 5505 with 1GB ports that includes Sourcefire. Sad to see what happened here.

Is there an update that will fix this design, or any way around it? Using multiple VLANs and having L2 switches doesn't seem to help. I was relying on the 5506 to do the VLAN routing.

Hi all,

Any news about the switchport problem?

Cisco has been publicly silent on this issue. I've not heard anything privately either.

I plan to bring it up again at Cisco Live in Las Vegas in July for what it's worth. I'd encourage every customer with an interest to send the message to their Cisco or partner account manager.

There's an ENH to add this in SW which you can track and follow up with your Account Teams:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus84400/?reffering_site=dumpcr

-Gustavo

Cisco has no intention of meeting our request to add switching functionality to the 5506. They have not found the 5506 or 5508 lines to be worth the re-engineering time required. The SMB space, which notoriously used the 5505 line of ASAs, was not considered a factor in the decision making; the features Cisco developed and added for the larger-scale companies were more important, as those companies purchase in quantity. Guys, this decision Cisco made was purely a sales/monetary decision and not technical. Think about it: the time that this thread has been open is more than enough time to add the "switchport" command and other related capabilities to the 5506 ASAs. It comes down to money, and the clients that use the 5506 and 08 are not as important fiscally as the significantly larger firms on the larger platforms.

Cisco's big fail, is Palo Alto's big win....


We are looking into a future solution, possibly towards the end of this CY and/or the first part of 2017.

- Gustavo

I agree with all of you and here is my 2 cents. Take it or leave it.

1 year later and CL2016 completed - Status = No change.

Here is the official 2 part answer:

1 - Since they (Cisco) have made no attempt to give us a direct migration platform for a 5505, and the 5506-X prevents acceptable SMB deployments for existing network topologies or anticipated new topologies, it's obvious they either don't care or you're not enough of their product margin to invest the proper resources to correct this issue.

2 - Cisco ..... Meraki (cough) is an SMB platform that is, to quote a Cisco sales person, "not competing with the primary Cisco platform" that you could use, and he recommended the Meraki Z1.

We have some options:

1 - Switch manufacturers - I have since experimented with the Ubiquiti EdgeRouter X, the MikroTik router series and Untangle with a dumb switch. For the price these are great alternatives for a small office that will give you a S-2-S IPsec tunnel and an SPI4 firewall. The Untangle server provides several benefits for advanced filtering, though. Possibly a combination of cheap alternatives with spares, due to the cost savings.

2 - You use a managed switch with the ASA 5506-x or the Meraki appliance. Now I am not particularly fond of the Meraki appliance for Client VPN use as the L2TP deployed with the Meraki appliance is not as secure as it should be. That is evident with the lack of documentation provided by Cisco and how they hide its security levels.

And now we have at least the bridge functionality in the ASA OS 9.7 - well - even though I now risk being known as a grumbling old man - that is an ugly implementation, but OK - it is a start...

I recently used the bridge group function on 9.7. It made me so upset. I made one bridge group, and I had to make a nameif for every physical interface in the 1 bridge-group. It's crazy, I had to have separate NAT statements for each interface. It's a HORRIBLE and HORRIFIC implementation of L2 on the firewall. I'm so disappointed by Cisco. After 2+ years of complaining, this is the hot mess we get.

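A constructed ASA 9.7 configuration (not from any poster in this thread and not Cisco's own sample config) showing the per-member-interface pattern the post above describes: every physical port placed in the bridge group carries its own nameif and security level, and NAT is written against the member interfaces rather than the BVI, so one rule per port is needed. Interface numbers, names and addresses are assumptions.

```cisco
! Constructed example: ASA 5506-X on 9.7, three LAN ports in one bridge group.
! All names and addresses are assumed, not taken from a real deployment.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Each member port needs bridge-group, its own nameif and a security level
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
! The BVI carries the layer 3 address shared by all member ports
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Member ports share a security level, so traffic between them is dropped
! unless same-security inter-interface forwarding is explicitly allowed
same-security-traffic permit inter-interface
!
! NAT cannot reference the BVI name in 9.7: one network object and one
! rule per member interface, all covering the same subnet
object network inside_lan_1
 subnet 192.168.1.0 255.255.255.0
 nat (inside_1,outside) dynamic interface
object network inside_lan_2
 subnet 192.168.1.0 255.255.255.0
 nat (inside_2,outside) dynamic interface
object network inside_lan_3
 subnet 192.168.1.0 255.255.255.0
 nat (inside_3,outside) dynamic interface
```

Every additional port added to the bridge group needs its own interface stanza and its own NAT object; omitting the NAT rule for one member silently breaks outbound translation for hosts on that port only, which is worth checking with `show nat` after each change.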

I'm afraid the built-in chipset simply has no built-in hardware switch, so the bridge group is the best they could come up with.

Note, software bridging probably will take CPU, whereas a hardware switch doesn't. Do we really want that?

That kind of leaves us partners open as far as PCI and HIPAA compliance on the 5505 lines until then, doesn't it? I would consider this a HUGE security ball drop on Cisco's part.

Is there a working update for this issue yet?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-transparent.html

This page mentions using bridge groups and does not say anything about the 5506-X not supporting them that I could find. Do we have a firmware fix yet? This is a needed FIX, even if its primary target is the branch office as part of an enterprise network.

Bridge groups would work great; I could get past the no-PoE if they get the L2/L3 issue sorted. This is something very easily resolvable with firmware; what is the hold-up?

