Setup Cisco ASA 5506 to Emulate Cisco ASA 5505 Switchport VLANs


As of Cisco ASA firmware version 9.7.x and later (we're putting 9.8 on new deployments), Cisco includes a base configuration and an interface-bridging feature that emulates what we used to have on the Cisco ASA 5505: spanning one VLAN across any or all of the available ports (for example, having the 'inside' network on every available port).

[FULL INFO BELOW]

It's not as spiffy as the 5505, but it works and saves us a switch on setups with fewer servers than available Cisco ports.

 

From Cisco:

A new default configuration will be used for the ASA 5506-X series. The Integrated Bridging and Routing feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.

The new default configuration includes:

  • outside interface on GigabitEthernet 1/1, IP address from DHCP
  • inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1
  • inside --> outside traffic flow
  • inside ---> inside traffic flow for member interfaces
  • (ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1
  • (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
  • DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
  • Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
  • ASDM access—inside and wifi hosts allowed.
  • NAT—Interface PAT for all traffic from inside, wifi, and management to outside.

 

If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration).

 

Example for Interfaces:

interface GigabitEthernet1/1
 nameif Public
 security-level 0
 ip address 216.87.x.x 255.255.255.0

interface BVI1
 nameif Private
 security-level 100
 ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet1/2
 bridge-group 1
 nameif Private_1
 security-level 100

interface GigabitEthernet1/3
 bridge-group 1
 nameif Private_2
 security-level 100

interface GigabitEthernet1/4
 bridge-group 1
 nameif Private_3
 security-level 100

interface GigabitEthernet1/5
 bridge-group 1
 nameif Private_4
 security-level 100

interface GigabitEthernet1/6
 bridge-group 1
 nameif Private_5
 security-level 100

interface GigabitEthernet1/7
 bridge-group 1
 nameif Private_6
 security-level 100

interface GigabitEthernet1/8
 bridge-group 1
 nameif Private_7
 security-level 100

interface Management1/1
 shutdown

interface GigabitEthernet1/1
 no shutdown
interface GigabitEthernet1/2
 no shutdown
interface GigabitEthernet1/3
 no shutdown
interface GigabitEthernet1/4
 no shutdown
interface GigabitEthernet1/5
 no shutdown
interface GigabitEthernet1/6
 no shutdown
interface GigabitEthernet1/7
 no shutdown
interface GigabitEthernet1/8
 no shutdown
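A quick sanity check for a bridge-group configuration like the one above, as an added example (this is not Cisco code and is not part of the original article). It parses ASA running-config text in the format shown, merges repeated interface stanzas (the separate "no shutdown" block), and reports the things Cisco's note and the example call out: every bridge member needs nameif and security-level, members should not be left shut down, the matching BVI needs a nameif and IP address, and, when the members share one security level, "same-security-traffic permit inter-interface" must be present or hosts on different member ports cannot reach each other. The sample config is constructed from the article's example; the outside address is an RFC 5737 documentation placeholder.

```python
"""Sanity-check an ASA bridge-group (BVI) configuration before committing it.

Added example for this article; not Cisco code and not part of the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interface sub-commands this checker understands; any other line that is
# not an 'interface ...' line is treated as a global command.
_SUB = ("nameif", "security-level", "ip address", "bridge-group", "shutdown", "no shutdown")


@dataclass
class Iface:
    name: str
    nameif: str | None = None
    security_level: int | None = None
    bridge_group: int | None = None
    has_ip: bool = False
    shutdown: bool | None = None  # None: the config text never says either way


def parse_asa_config(text: str) -> tuple[dict[str, Iface], set[str]]:
    """Return (interfaces by name, set of global commands).

    An 'interface X' line opens a stanza and the sub-commands in _SUB attach to
    it. The same interface may appear in several stanzas (as in the article's
    separate 'no shutdown' block), so stanzas are merged by interface name.
    """
    ifaces: dict[str, Iface] = {}
    global_cmds: set[str] = set()
    cur: Iface | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), Iface(m.group(1)))
            continue
        if cur is None or not line.startswith(_SUB):
            cur = None  # a global command ends the interface stanza
            global_cmds.add(line)
            continue
        if line.startswith("nameif "):
            cur.nameif = line.split()[1]
        elif line.startswith("security-level "):
            cur.security_level = int(line.split()[1])
        elif line.startswith("bridge-group "):
            cur.bridge_group = int(line.split()[1])
        elif line.startswith("ip address "):
            cur.has_ip = True
        elif line == "no shutdown":
            cur.shutdown = False
        elif line == "shutdown":
            cur.shutdown = True
    return ifaces, global_cmds


def check_bridge_groups(text: str) -> list[str]:
    """Return a list of findings; an empty list means the bridge config looks sane."""
    ifaces, global_cmds = parse_asa_config(text)
    findings: list[str] = []
    groups: dict[int, list[Iface]] = {}
    for i in ifaces.values():
        if i.bridge_group is not None:
            groups.setdefault(i.bridge_group, []).append(i)
    for gid, members in sorted(groups.items()):
        bvi = ifaces.get(f"BVI{gid}")
        if bvi is None or not bvi.nameif or not bvi.has_ip:
            findings.append(f"bridge-group {gid}: BVI{gid} missing or lacks nameif/ip address")
        for m in members:
            if m.nameif is None or m.security_level is None:
                findings.append(f"{m.name}: bridge member needs both nameif and security-level")
            if m.shutdown is True:
                findings.append(f"{m.name}: bridge member is shut down")
        levels = {m.security_level for m in members if m.security_level is not None}
        if len(levels) == 1 and "same-security-traffic permit inter-interface" not in global_cmds:
            findings.append(
                f"bridge-group {gid}: members share security-level {levels.pop()} but "
                "'same-security-traffic permit inter-interface' is not configured; "
                "hosts on different member ports cannot talk to each other")
    return findings


# Constructed sample modelled on the article's interface example (ports 1/2-1/8
# are generated in a loop). 192.0.2.10 is a documentation placeholder address.
SAMPLE_CONFIG = (
    "interface GigabitEthernet1/1\n nameif Public\n security-level 0\n"
    " ip address 192.0.2.10 255.255.255.0\n"
    "interface BVI1\n nameif Private\n security-level 100\n"
    " ip address 10.0.0.1 255.255.255.0\n"
    + "".join(f"interface GigabitEthernet1/{n}\n bridge-group 1\n"
              f" nameif Private_{n - 1}\n security-level 100\n" for n in range(2, 9))
    + "interface Management1/1\n shutdown\n"
    + "".join(f"interface GigabitEthernet1/{n}\n no shutdown\n" for n in range(1, 9))
)

if __name__ == "__main__":
    for finding in check_bridge_groups(SAMPLE_CONFIG):
        print("FINDING:", finding)
    fixed = SAMPLE_CONFIG + "same-security-traffic permit inter-interface\n"
    print("after adding the command:", check_bridge_groups(fixed) or "no findings")
```

Run against the article's example the checker reports exactly one finding, the missing same-security-traffic command; appending that command clears it. It only models the handful of sub-commands shown above, so treat it as a pre-commit lint for this pattern rather than a general ASA config validator.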
