ASA 5506-X - Switchports?

danplacek
Level 4

Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:

 

There are eight layer 3 ports that seemingly cannot be used as switch ports.

There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)

 

Why does this device even have 8 ports if they cannot be used as switchports?

Is this going to be fixed in future software? (By adding bridge groups?)

Can anyone think of any other "clever" workarounds?

 

Between this issue and the lack of PoE, this device seems to be significantly less useful than the ASA 5505.

 

Thank you.

93 Replies

VLAN configuration is pretty simple on both sides for me. I'm confused about the EtherChannel configuration on the ESXi 5.5 side. I tried various configurations but still can't make the links between the ASA and ESXi work as desired: both servers must have a connection to the ASA at the same time through a VLAN-trunked link.
Even when the one EtherChannel link (with the first server) is in the ready state, traffic is still not working. I can't understand why.

We're looking at a RV345P-K9-NA. 8 PoE ports, can do VPN, and has 16 total ports.

Interesting thread, that doesn't seem to die. I worked at ASA shops, then went to Palo Alto shops, and now I'm back at an ASA shop. The lack of switching in the 5506-X is new to me, since I haven't worked with them in the past 4 years. I will reiterate that the Cisco ASA team has officially, for years, been on a downward spiral. I almost crapped my pants when I found out that there was no switchport on the 5506-X, especially since there are 8 freaking ports on the damn thing. So I will change my comment to: the ASA team has officially gone "stupid," or whatever the hell you want to say. First off, why 8 damn ports on a SOHO device, unless you make them a switch? Nobody is going to have 6+ routed subnets in a SOHO deployment. So I would almost give Cisco an "F", but for a good college try. But why not build the damn thing with 3-4 ports then, if they are only going to be routed?

 

So you are now officially stupid as a team, and didn't even try. It's almost like someone opted to make a Rube Goldberg type of ASA firewall just for the **bleep**s/giggles. Only, it actually got productized?!?!?! I guess that's what too much money does to a company. Anyway, this trend is disheartening. I was around for the ACE load balancer, which was a fine device, until Cisco killed it off.

 

And I have seen the downward spiral of the switch platform as Cisco tries to push overly complicated SD networking and diminish the 2960 line. And Cisco phone systems have become an untamed, outlandishly complicated beast. So man, I would start dumping Cisco stock ASAP. Look at Ubiquiti, Palo Alto, A10, Citrix, F5, Digium, ShoreTel, HP, Aruba.

 

BTW... I played around with the BVI interface thing on the ASA 5506-X, and it's equally stupid. Here are some issues:

1. The BVI interface doesn't accept ACLs like a regular interface (making it not like a VLAN).

2. To manage the ASA from the inside G1/x ports, you need to configure the ssh/http management command for each G1/x port. This should normally go on the VLAN (= BVI) interface only, as the G1/x ports are bound to that broadcast domain. Very strange.

3. In ASDM, the inside interface shows "down", even though it's up and attached to the BVI interface. What's up with that?!?!?

4. The general config bloat and the unnecessary NAT/ACL commands required on each G1/x interface suggest something is really wrong.

5. I'm seeing some strange ICMP connection loss error message, probably related to the crappy BVI implementation. I should say that I cannot ACL my way out of the error with a very liberal allow rule, so there has to be some sort of ASIC hardware **bleep** going on under the covers that I cannot fathom.

 

So WTF Cisco! From "Firepower" to "fire sale"! Activate your Wonder Twin powers quickly!

I have no ASA 5506-X, but would it be a solution to configure all "inside" interfaces as members of the same bridge-group (bridge-groups in routed firewall mode require at least firmware 9.7), assign all bridge-group members the same security-level, allow same-security-traffic intra-interface, and make all "inside" interfaces members of the same "zone"? Then configure access rules and NAT rules between zones instead of interface-based. I don't know if that really works, but if it works, it may be a solution.

I have ordered an ASA 5508-X and I will try such a configuration when I get that device.
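For readers who want to see what the bridge-group approach proposed above looks like in practice, here is an added configuration example; it is not from the thread or from anyone's running device, and the addresses, interface names and object names are made up. It assumes an ASA 5506-X on software 9.7 or later in routed firewall mode, puts three of the eight ports into bridge-group 1 behind a single BVI, and permits same-security traffic between and within the members. NAT, access rules and management access are configured per member interface rather than on the BVI, which is what the thread reports being required; the "zone" step from the reply above is left out because this example does not establish that bridge-group members are accepted as zone members.

```text
! Added example (not from the thread). ASA 5506-X, software 9.7 or later,
! routed firewall mode. Three inside ports are shown; repeat the pattern
! for Gi1/2 through Gi1/8 as needed. All addresses and names are made up.

! Outside port stays a normal routed interface
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Each inside port becomes a bridge-group member with its own nameif;
! no IP address is configured on the member interfaces themselves
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
! The BVI carries the shared layer 3 address for the whole bridge group
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Let traffic flow between members of the same security level, and
! hairpin on a single member (the intra-interface permit from the reply)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! NAT is written against the member interfaces, so each member gets
! its own object (this is the per-port bloat the thread complains about)
object network obj_any_inside_1
 subnet 0.0.0.0 0.0.0.0
 nat (inside_1,outside) dynamic interface
object network obj_any_inside_2
 subnet 0.0.0.0 0.0.0.0
 nat (inside_2,outside) dynamic interface
object network obj_any_inside_3
 subnet 0.0.0.0 0.0.0.0
 nat (inside_3,outside) dynamic interface
!
! One ACL, applied inbound on every member interface
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside_1
access-group inside_access_in in interface inside_2
access-group inside_access_in in interface inside_3
!
! Management access is also granted per member interface
ssh 192.168.1.0 255.255.255.0 inside_1
ssh 192.168.1.0 255.255.255.0 inside_2
ssh 192.168.1.0 255.255.255.0 inside_3
```

After applying this, `show bridge-group` and `show interface BVI1` should list the three members and the BVI address; hosts on any of the three ports share 192.168.1.0/24 and can reach each other and the outside without a separate routed subnet per port.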
