
5506-x no switch option as 5505?

leo.espinosa
Level 1

Just bought a new ASA 5506-x to play with it, and found out the 8 ports cannot be configured as a switch in the same way we do with ASA5505.

Is there any option to use the remaining ports as a switch?

27 Replies

clockworthy
Level 5

This is a pretty big miss on Cisco's side.  How is this supposed to be a replacement for the Cisco ASA 5505?

Is there an ETA for when the switch port feature will be available for the ASA 5506X?

clockworthy
Level 5

Here is the information I got from the Partner Virtual Team Support group.

Q. We just got our first ASA 5506 and found out that we cannot configure VLAN interface on it like the 5505.

    This is a big problem if we are trying to position the 5506 as a replacement for the 5505.

    ...

   Can you look into when/if this feature is going to be available?

A. The ASA5506 does not have switch ports as the old ASA5506. The ASA5506 is similar to the ASA5512 and 5515 from a

     configuration perspective.

    Based on our internal resources, for now there are no plans to implement switch ports on the ASA5506.

Q. Can you explain why this is not a feature of the ASA 5506?

A. Because the ASA5506-X includes all routed ports, there are currently no built-in switch capabilities like the ASA5505. Each port can be used as a WAN port.

Hi all

I am in a bit of a fix with this too. Some of the 5506-X links are connected to servers, PCs and printers in my case. I have been trying to find a way to get the 6 spare ports working as switchports. I have configured a Port-Channel which is up and showing ports as bundled. This appears to work only intermittently, some pings work some don't. I get arp for hosts but can't ping them so need to look at it further.

I used Channel-group 1 mode on to force the Port-Channel up as I will get no lacp or pagp from anywhere and the Port-Channel interface showed as down with any other mode, as expected.

I will know more tomorrow as our customer is going to see what connectivity is like first thing.....

Not great though, already been caught out by the lack of POE, now a SOHO device will not do switchports. Maybe it's not a SOHO device?

So we had a call with Cisco yesterday concerning this new 5506 and asked them some very direct questions:

Q: We currently use the 5505 as a SOHO solution using EZVPN with a pair of 5525's at the head-end. Will the 5506's work? Keep in mind that we use these as a primary means of connectivity for home users that have dynamic ip addresses.

A: Yes, if the 5506 has a static ip address it will work with the 5525 via a s2s tunnel. (not feasible for us) If they are using dynamic ip addresses, these will not work.

Then Cisco recommended we check out the Meraki line of new stuff: meraki.cisco.com. (basically a new solution for SOHO I gathered).

Basically, we asked them about EOL/EOS for the 5505 and they couldn't/wouldn't tell us. It basically just screws us with the investment we've made in the last year with the 5505's.

We're not happy, not happy at all.

Yeah...using LACP is not a solution, I would never try and hack that together for a production system....not to mention it won't work correctly due to LACP load balancing issues.

This lack of switch ports is doubly bad for those users who are using 5505 with switchports as a soho in a box. 

You can use the 5506 using aggressive mode tunnels as a replacement for ezvpn (it's aggressive mode), but you lose the group key...I guess ikev2 is maybe an ok alternative as it uses asynchronous preshared keys.

No switch as stated means cisco can sell you another box.  Especially since it has no POE.

Meraki...this means a whole new infrastructure (more sales) and it also means no POE.  This effectively means Cisco doesn't have SOHO solution with built in POE anymore.  This is a huge pain if you are using a 5505 to drive a phone and wireless AP...Especially if the AP is distant remote...basically, yes another thing to buy (POE injector).

dkingfx00
Level 1

Do we know if this is software limitation or both software and hardware?

thompson318
Level 1

I was really looking forward to the next generation of the 5505, lack of switch port and PoE is something. I had to read things twice as I couldn't understand how they would release it without these options. Does anyone know the lifecycle of the 5505? Too bad though the age is coming out in the performance.

mbluemel
Level 1

Hi all. I have had the same issue but looking at the ASDM on one this morning I saw the Zone option on the interfaces. It appears you can add interfaces to the inside from this tab. Unfortunately the only 5506 I have is on a remote site that is mostly unmanned so I cannot test it. Does anyone have one handy they could test with? Running 9.3(3).

Won't work .. Tried that

Sent from my iPhone

Thanks Steve. So it really is a massive cock up from Cisco. Not at all a replacement for the 5505 in a small business. Vigor etc must be laughing at this one.

the79bomb
Level 1

░░░░░░░░░░░█████████████
░░░░░░░░░███░███░░░░░░██
███░░░░░██░░░░██░██████████
████████░░░░░░████░░░░░░░██
████░░░░░░░░░░██░░██████████
████░░░░░░░░░░░███░░░░░░░░░██
████░░░░░░░░░░░██░░██████████
████░░░░░░░░░░░░████░░░░░░░░█
████░░░░░░░░░░░░░███░░████░░█
█████████░░░░░░░░░░████░░░░░█
███░░░░░██░░░░░░░░░░░░░█████
░░░░░░░░░███░░░░░░░██████
░░░░░░░░░░░██░░░░░░██
░░░░░░░░░░░░███░░░░░██
░░░░░░░░░░░░░░██░░░░██
░░░░░░░░░░░░░░░███░░░██
░░░░░░░░░░░░░░░░░██░░░█
░░░░░░░░░░░░░░░░░░█░░░█
░░░░░░░░░░░░░░░░░░██░██
░░░░░░░░░░░░░░░░░░░███

siracuse@cisco.com
Cisco Employee

Thanks for your comments regarding Cisco ASA 5506-X next-gen firewall with FirePOWER Services. There have been questions regarding the ASA 5506-X not supporting L2 switch ports and what alternatives to consider to provide this support.

For those instances where customers require L2 switching capabilities with the ASA5506-X, the following options are available:

  • Cisco recommends an external switch solution through the Cisco Small Business group: an 8-port model (SG110D-08) or a 5-port model (SG110D-05) unmanaged gigabit switch. Both have been tested for compatibility with the ASA 5506-X. For more information about the 110 Series Unmanaged Switches, please refer to the attached document, or visit this site.

  • For those customers looking for a firewall without FirePOWER Services, the ASA 5505 offers integrated L2 switching to meet this requirement. There are no plans at this time to end of sale the ASA 5505, and Cisco continues to support the full-featured firewall for small business, branch and enterprise teleworker environments.


The ASA 5506-X brings Cisco’s threat-protection capability to small to midsize businesses and distributed enterprises.  Added features include:

  • The same next generation firewall capabilities as our mid- and high-range ASA with FirePOWER Services models which include Application Visibility and Control (AVC), Advanced Malware Protection (AMP), Next Gen Intrusion Prevention System (NGIPS), and URL filtering applications via subscription

  • Higher performance and increased throughput (more than 2.5x firewall throughput)

  • A variety of form factors including wired and wireless models, a ruggedized version for industrial control deployments as well as two high performance rack mounts.

  • On-box or centralized management for deployment flexibility

  • Hardware security and anti-counterfeiting trust anchor technologies

  • VPN with enhanced mobility support


These are critical capabilities that competing UTM solutions and next-generation firewalls do not have. We have brought this capability to SMBs and branch/remote offices, and it saves organizations money by reducing the number of exploits that succeed and also dramatically lowers remediation costs.


We appreciate the opportunity to assist you and hope this information was helpful.

This is kind of like the "how do you cook Tofu" question.  "Throw it in the trash and slap a steak on the grill".  In this case, a reminder that Cisco bought Meraki.  With a Cisco Meraki MX67 (MX68 with PoE) you can have the best of both worlds.  The switch ports and the security.  It is also easier to manage for those that are new to Cisco.

 

After thinking the 5506-x was a replacement for the EoL 5505, I purchased one for a customer.  Never again.  Staying with the Cisco Meraki line.

 

 
