Setup Cisco ASA 5506 to Emulate Cisco ASA 5505 Switchport VLANs
As of Cisco ASA firmware 9.7.x and later (we're putting 9.8 on new deployments), Cisco ships a default configuration and an interface-bridging feature that emulates what we used to have on the Cisco ASA 5505 units: spanning one VLAN across any or all of the available ports (for example, having the 'inside' network on every available port).
[FULL INFO BELOW]
It's not as spiffy as the 5505, but it'll work and save us some switches for setups with fewer servers than available ASA ports.
From Cisco:
A new default configuration will be used for the ASA 5506-X series. The Integrated Bridging and Routing feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.
The new default configuration includes:
- outside interface on GigabitEthernet 1/1, IP address from DHCP
- inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1
- inside --> outside traffic flow
- inside ---> inside traffic flow for member interfaces
- (ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1
- (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
- DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
- Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
- ASDM access—inside and wifi hosts allowed.
- NAT—Interface PAT for all traffic from inside, wifi, and management to outside.
If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration).
Example for Interfaces:
! Outside (routed) interface
interface GigabitEthernet1/1
 nameif Public
 security-level 0
 ip address 216.87.x.x 255.255.255.0
 no shutdown
! Bridge Virtual Interface: the routed side of bridge group 1 and the gateway address for inside hosts
interface BVI1
 nameif Private
 security-level 100
 ip address 10.0.0.1 255.255.255.0
! Physical members of bridge group 1: no IP address of their own, all at the same security level
interface GigabitEthernet1/2
 bridge-group 1
 nameif Private_1
 security-level 100
 no shutdown
interface GigabitEthernet1/3
 bridge-group 1
 nameif Private_2
 security-level 100
 no shutdown
interface GigabitEthernet1/4
 bridge-group 1
 nameif Private_3
 security-level 100
 no shutdown
interface GigabitEthernet1/5
 bridge-group 1
 nameif Private_4
 security-level 100
 no shutdown
interface GigabitEthernet1/6
 bridge-group 1
 nameif Private_5
 security-level 100
 no shutdown
interface GigabitEthernet1/7
 bridge-group 1
 nameif Private_6
 security-level 100
 no shutdown
interface GigabitEthernet1/8
 bridge-group 1
 nameif Private_7
 security-level 100
 no shutdown
! Management interface left shut down in this example
interface Management1/1
 shutdown
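A small config check for the layout above, added here as an example and not part of the original post or of any Cisco tooling: it parses ASA interface blocks in the format shown, groups the members of each bridge group, and reports the things that break the 5505-style "one VLAN on every port" behaviour (the missing global same-security-traffic command the note above calls out, a BVI with no IP address, and members whose security levels differ, which that command does not cover). The sample configuration is constructed for the check and deliberately contains two of those problems.

```python
# Constructed sample in the post's format: one member deliberately has a different
# security level and the global same-security-traffic line is left out.
SAMPLE_CONFIG = """\
interface BVI1
 nameif Private
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet1/2
 bridge-group 1
 nameif Private_1
 security-level 100
interface GigabitEthernet1/3
 bridge-group 1
 nameif Private_2
 security-level 50
"""

def parse_interfaces(config):
    """Map each 'interface X' block name to the list of its sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif current is not None and line and not line.startswith("!"):
            current.append(line)
    return blocks

def _value(cmds, prefix):
    # Argument of the first sub-command that starts with prefix, else None.
    for cmd in cmds:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:]
    return None

def check_bridge_groups(config):
    """Return a list of findings about BVI / bridge-group consistency."""
    findings, blocks, members = [], parse_interfaces(config), {}
    for name, cmds in blocks.items():
        gid = _value(cmds, "bridge-group")
        if gid:
            members.setdefault(gid, []).append(name)
    if members and "same-security-traffic permit inter-interface" not in config:
        findings.append("missing 'same-security-traffic permit inter-interface'")
    for gid, names in sorted(members.items()):
        if _value(blocks.get(f"BVI{gid}", []), "ip address") is None:
            findings.append(f"BVI{gid}: no ip address for bridge-group {gid}")
        levels = sorted({_value(blocks[n], "security-level") for n in names}, key=str)
        if len(levels) > 1:  # permit inter-interface only covers equal-level pairs
            findings.append(f"bridge-group {gid}: differing security levels {levels}")
    return findings
```

Feed it the output of `show running-config` (the `!` lines ASA prints are skipped) to confirm a migrated box still has every member at one level and the global permit line in place.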