I respectfully have to disagree...
Its all in a matter of knowing how to maneuver around the various options and the lack of youtube videos and config examples for real world configs are very challenging here, to say the lease..
This is a very simple accomplishment that will group all the ports into a logical switch and assign each port to a group.. We will be using a concept of etherchannels or port-channels as Cisco defines them... Here is the example.
NOT GROUPED GROUPED interface GigabitEthernet1/1 interface GigabitEthernet1/1 nameif outside nameif outside security-level 0 security-level 0 ip address 18.104.22.168 255.255.255.0 ip address 22.214.171.124 255.255.255.0 ! ! interface GigabitEthernet1/2 interface GigabitEthernet1/2 nameif inside no nameif security-level 100 no security-level ip address 192.168.1.1 255.255.255.0 no ip address ! ! interface GigabitEthernet1/3 interface GigabitEthernet1/3 no nameif channel-group 1 mode active no security-level no nameif no ip address no security-level ! no ip address interface GigabitEthernet1/4 ! no nameif interface GigabitEthernet1/4 no security-level channel-group 1 mode active no ip address no nameif ! no security-level interface GigabitEthernet1/5 no ip address no nameif ! no security-level interface GigabitEthernet1/5 no ip address channel-group 1 mode active ! no nameif interface GigabitEthernet1/6 no security-level no nameif no ip address no security-level ! no ip address interface GigabitEthernet1/6 ! channel-group 1 mode passive interface GigabitEthernet1/7 no nameif no nameif no security-level no security-level no ip address no ip address ! ! interface GigabitEthernet1/7 interface GigabitEthernet1/8 channel-group 1 mode passive no nameif no nameif no security-level no security-level no ip address no ip address ! ! interface Management1/1 interface GigabitEthernet1/8 management-only no nameif nameif management no security-level security-level 100 no ip address ip address 192.168.15.13 255.255.255.0 ! interface Management1/1 management-only nameif management security-level 0 ip address 192.168.15.13 255.255.255.0 ! interface Port-channel1 lacp max-bundle 8 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0
As you can see the column labeled "Grouped" will arrange all the specified ports into a LACP etherport channel group, logically creating two separate segments, much like a VLAN; however there are substantial other config items that must be configured in order for this to work successfully; however it will work and function as a L2 switch, just as described...
I will post more examples and comments as I come across issues that plague me as well...
I would suggest instead of saying the latest ASA5506-X does not support switch ports or "X" you may want to fully investigate the broad range of options available to the resource users... Lack of knowledge doesn't constitute the intended use of product support.
There is not much this robust ASA5506-X platform can not do, given, time, patience and the willingness to not rely on a point and click solution.
Our company will be glad to support any users on this platform, of course for a small fee.. Please feel free to reach out with your request and we can move forward... This is a great and rocksolid brand new product; which WILL REQUIRE relearning some basic 5505 mentality; but again.. no videos, docs or real world examples are available yet... I think this is probably the first of many to come...
Ty Carter, President
Strategic Network Consultants, Inc.
524 East 9th Street
Washington, NC 27889
Etherchannels will work when you connect the new ASA 5506 to another switch. A matter of adapt, i agree.
However, when no switch around, and you see this often in small remote offices/ soho (4-5 devices), what are you going to do?
Are you going to ask the customer to buy a switch for that??? no good.
The ASA 5505 was cheap, simple and it worked perfect.
To Cisco: If it ain't broke, don't fix it
I don’t believe you have to attach the device to another switch… The IOS will create its own grouping internally… I am going to put this to the test tomorrow…
I agree wholeheartedly it is a definite change in dynamic; but that was not the question posed here… I didn’t say I liked it any more than the next person.
We will see where this takes us.. at least this is according to TAC group.
Here is the information I got from the Partner Virtual Team Support group.
Q. We just got our first ASA 5506 and found out that we cannot configure VLAN interface on it like the 5505.
This is a big problem if we are trying to position the 5506 as a replacement for the 5505.
Can you look into when/if this feature is going to be available?
A. The ASA5506 does not have switch ports as the old ASA5506. The ASA5506 is similar to the ASA5512 and 5515 from a
Based on our internal resources, for now there are no plans to implement switch ports on the ASA5506.
Q. Can you explain why this is not a feature of the ASA 5506?
A. Because the ASA5506-X includes all routed ports, there is currently no built-in switch capabilities like the ASA5505. Each port can be use as a WAN port.
I am in a bit of a fix with this too. Some of the 5506-X links are connected to servers, PC's and printers in my case. I have been trying to find a way to get the 6 spare ports working as switchports. I have configured a Port-Channel which is up and showing ports as bundled. This appears to work only intermittently, some pings work some don't. I get arp for hosts but can't ping them so need to look at further.
I used Channel-group 1 mode on to force the Port-Channel up as I will get no lacp or pagp from anywhere and the Port-Channel interface showed as down with any other mode, as expected.
I will know more tomorrow as our customer is going to see what connectivity is like first thing.....
Not great though, already been caught out by the lack of POE, now a SOHO device will not do switchports. Maybe its not a SoHo device?
So we had a call with Cisco yesterday concerning this new 5506 and asked them some very direct questions:
Q: We currently use the 5505 as a SOHO solution using EZVPN with a pair of 5525's at the head-end. Will the 5506's work? Keep in mind that we use these as a primary means of connectivity for home users that have dynamic ip addresses.
A: Yes, if the 5506 has a static ip address it will work with the 5525 via a s2s tunnel. (not feasible for us) If they are using dynamic ip addresses, these will not work.
Then Cisco recommended we checkout the Meraki line of new stuff: meraki.cisco.com. (basically a new solution for SOHO I gathered).
Basically, we asked them about of EOL/EOS for the 5505 and they couldn't/wouldn't tell us. It basically just screws us with the investment we've made in the last year with the 5505's.
We're not happy, not happy at all.
Yeah...using LACP is not a solution, I would never try and hack that together for a production system....not to mention it won't work correctly due to LACP load balancing issues.
This lack of switch ports is doubly bad for those users who are using 5505 with switchports as a soho in a box.
You can use the 5506 using aggressive mode tunnels as a replacement for ezvpn (it's aggressive mode), but you lose the group key...I guess ikev2 is maybe an ok alternative as it uses asynchronous preshared keys.
No switch as stated means cisco can sell you another box. Especially since it has no POE.
Meraki...this means a whole new infrastructure (more sales) and it also means no POE. This effectively means Cisco doesn't have SOHO solution with built in POE anymore. This is a huge pain if you are using a 5505 to drive a phone and wireless AP...Especially if the AP is distant remote...basically, yes another thing to buy (POE injector).
Have you actually tested this with a PC connected to a channel-group1 port?
I have this setup in the lab and ran into the same issues as everyone else. We use the 5505 as a one box solution and this forces us to buy a second switch which kills our design and increases our points of failure not to mention Smartnet fees for two devices. I thought maybe your solution would work for us but I am unable to receive an address via DHCP. We use the ASA for DHCP and when I try to configure the port-channel we never receive an address. Once I remove the port-channel and use a physical interface the ASA assigns the DHCP address no problem. I'm wondering if this was a solution in theory or if it has actually been vetted.