Cisco RV-345P Dual WAN Gigabit PoE VPN Router Reviewed

[thiggins]

Cisco's RV-345P is the latest addition to the company's small business VPN router family.

Read on SmallNetBuilder

 

[jec6613]

Not mentioned in the review, they also offer the RV340, which has 4 LAN ports and they're rear facing (for when you already own the switch). Also, the AnyConnect client comes with two licenses for mobile clients for free - so iOS, Android and even Windows Mobile can connect without paying any additional licensing fee.

 

[System Error Message]

so basically they continued the horrible platform and with license you have to pay just for security :O ?

 

[thiggins]

so basically they continued the horrible platform and with license you have to pay just for security :O ?

Many products (eero, Norton Core, Luma) and most business-grade firewalls and UTMs require subscriptions for security features.

The AnyConnect license applies to SSL only. The other VPN forms (IPsec, PPTP, L2TP) do not require licenses.

 

[System Error Message]

Many products (eero, Norton Core, Luma) and most business-grade firewalls and UTMs require subscriptions for security features.

The AnyConnect license applies to SSL only. The other VPN forms (IPsec, PPTP, L2TP) do not require licenses.

Cisco has been doing a trend of having subscription based features for their higher end products. Seems they are bringing it to their lower end too. Thats not the only problem as you mentioned openVPN to be lacking too.

 

[jec6613]

Cisco has been doing a trend of having subscription based features for their higher end products. Seems they are bringing it to their lower end too. Thats not the only problem as you mentioned openVPN to be lacking too.

Given the choice between Cisco AnyConnect and OpenVPN, I'd take AnyConnect any day.

For Cisco, this product is positively a steal, BTW.

 

[thiggins]

Given the choice between Cisco AnyConnect and OpenVPN, I'd take AnyConnect any day.

Could you elaborate, please?

 

[System Error Message]

Given the choice between Cisco AnyConnect and OpenVPN, I'd take AnyConnect any day.

For Cisco, this product is positively a steal, BTW.

no it is not a steal. For one it does not run cisco IOS, it isnt even a true cisco product either rather a rebranded linksys product (linksys is owned by cisco and sell the same VPN routers). Go and look up the SoC, see the complaints that many have made when using vpn routers with this SoC.

If you really need a better VPN solution, grab a desktop/server, install a linux/unix based server OS and start tweaking because even todays consumer routers already do better than these VPN routers. Sure consumer routers may not have cisco anyconnect but for a small business they already provide a faster and less buggy platform assuming you get the right brand and model.

Mikrotik is more of a steal because of its flexibility compared to this rebranded vpn router and is welcomed by many poor countries. You wont see VPN routers where mikrotik thrives despite having the same markets.

I find many to make the mistake of picking a router based on its ports and port counts.

 

[jec6613]

no it is not a steal. For one it does not run cisco IOS, it isnt even a true cisco product either rather a rebranded linksys product (linksys is owned by cisco and sell the same VPN routers). Go and look up the SoC, see the complaints that many have made when using vpn routers with this SoC.

1) I know it's not IOS, but this is the first router product from Cisco to use a bunch of the code from IOS (including the AnyConnect compatibility).

2) No, Linksys is not owned by Cisco, it's owned by Belkin and has been for over four years now. Their previous products in the line were indeed rebadged Linksys, but this is the first product that isn't and is using straight Cisco code. The RV340 even has console access, comes with a standard Cisco console cable and accepts a wide variety of IOS commands.

3) So what about the SoC? Their popular 2960X switches are using SoCs that blow up in most people's products, with merchant silicon. What you pay for with Cisco isn't the hardware, it's the software. Same here.

 

[jec6613]

Could you elaborate, please?

CCNA's are easy to pick up a phone and get ahold of, so there's professional support I can have at the drop of a hat. I can also manage their clients using any MDM, even odball ones, because everyone supports Cisco. Heck, I can even bet a Symbian or Blackberry device to connect via AnyConnect. Any security holes are always patched in a timely fashion and it's routinely penetration tested.

Yes, it costs money. Yes I could make it all happen with OpenVPN. My time isn't worthless though. Being able to ping a wide variety of people I've worked with in the past and get professional help at 2 AM for the cost of a nice dinner isn't something OpenVPN comes with.

 

[System Error Message]

CCNA's are easy to pick up a phone and get ahold of, so there's professional support I can have at the drop of a hat. I can also manage their clients using any MDM, even odball ones, because everyone supports Cisco. Heck, I can even bet a Symbian or Blackberry device to connect via AnyConnect. Any security holes are always patched in a timely fashion and it's routinely penetration tested.

Yes, it costs money. Yes I could make it all happen with OpenVPN. My time isn't worthless though. Being able to ping a wide variety of people I've worked with in the past and get professional help at 2 AM for the cost of a nice dinner isn't something OpenVPN comes with.

so if its a steal, why isnt it popular in poorer countries which use mikrotik a lot? Ah you forgot hotspot . Because in poorer countries, small businesses dont bother using the router other than whats provided by the ISP. If they do need more they're gonna need the features that the cisco RV cannot provide.

This is why i bash the cisco RV. Its not just the platform that lacks some things, comes with slow CPUs and is buggy that it takes years to sort it out (ubiquiti is an example), but it lacks many things that a small business that is looking to buy a router would want. So a small business would compare a consumer router which can have 3rd party firmware, and the cisco RV and other VPN routers and will find that the easyconnect offered by cisco to not be needed and will just end up using the onboard VPN server. Most small businesses only have one office too and even the company i work with has 3 offices that we'll connect using p2p tunnels using mikrotik which mikrotik offers more in flexibility than a cisco RV or any other VPN router. We could set up our own mini BGP network for ease of routing in our p2p based tunnels which isnt an option in the cisco RV. Ofcourse i did educate them of the perils of the ISP provided routers (dlink)

 

[coxhaus]

I know my Cisco RV320 router is running quite fast for me now with the latest firmware and the processor is much slower.

 

[System Error Message]

I know my Cisco RV320 router is running quite fast for me now with the latest firmware and the processor is much slower.

its not just the performance, its the featureset too.
Lets try a scenario example, a small business has been using the ISP given router and wants to upgrade, so it compares a few solutions.
Cisco RV and other VPN routers
Configurable routers
a higher end consumer router.

Price wise the higher end consumer router isnt exactly cheap but provides good wifi too which small businesses will use rather than wiring everything up (they arent exactly good in tech). The other solutions are all cheaper but wired only. While the VPN routers dont require much expertise to set up compared to configurable routers, in poorer countries they will actually learn it up as its a cheaper solution as linux/unix/BSD based OSes are free while mikrotik and ubiquiti have cheaper solutions that do more than VPN routers. Not being knowledgeable in tech, they will pick between mikrotik, ubiquiti and VPN routers. When they look at the featureset and brand, many who are price conscious will go with mikrotik or ubiquiti while those who know cisco and nothing else will pick the cisco RV. In countries like indonesia, they will pick mikrotik due to price and will learn everything they need to by themselves whereas in the US perhaps they may not care and pay for support.

In the end however, with mikrotik you can set up a better network. To put it into a better perspective, with 3 offices each connected to each other, each having 3 or 4 segments on layers 2 and 3, by using something BGP it'd be easier for each router to know its path, less to worry about configuring routes and more on using filters to also secure internal networks. The cisco RV is advertised for this sort of role but lacks the features that actually improves on this which configurable routers have and are capable off. So in the end, other than the ease of setup and support, the cisco RV has no advantage over recent consumer routers and configurable routers. It is an old platform that was once relevant where businesses needed vpn and tunnels that werent offered by consumer routers and 3rd party firmwares at the time. This is why i applaud netgear getting out of this because they can focus on their existing products better which are more relevant whereas with cisco rv it is more of a relic for those who do not know better and still try to cling to the good old cisco name which now isnt very good. Unless you're a datacenter or internet exchange, cisco doesnt really provide solutions any better than what is already out there. Cisco's x86 based virtual servers(as in multiple VMs on real hardware) for various use and networking is still a useful product though and cisco does have good low to high end managed switches but other than that i would not recommend cisco.

So while pfsense may be bad for you now, there still exists many good solutions. At least its not dlink.

 

[sfx2000]

@thiggins - just read thru the review - something odd about the VPN numbers...

Understood that PPTP is basically for legacy site-to-site transport, but even then, the DL (G to C) says something is wrong there - UL/DL, assuming the link is symmetric should be fairly similar - my guess is packet fragmentation perhaps, or just client-side issues, as PPTP is fairly deprecated in Win10 and MacOS X.

AnyConnect (SSLVPN) should be just as fast as LT2P, so this should be investigated with Cisco...

An editorial comment below - the RV34x line is NXP (SoC) and Marvell switches, however the table indicates RealTek.

Can someone check into this?

 

[sfx2000]

no it is not a steal. For one it does not run cisco IOS, it isnt even a true cisco product either rather a rebranded linksys product (linksys is owned by cisco and sell the same VPN routers). Go and look up the SoC, see the complaints that many have made when using vpn routers with this SoC.

Check your facts - this is not rebranded Linksys gear, even when Cisco owned Linksys, the RV's were not part of the consumer lineup, it was a different team.

Cisco sold off the consumer line to belkin sometime back. Old story, retold many times...

If you really need a better VPN solution, grab a desktop/server, install a linux/unix based server OS and start tweaking because even todays consumer routers already do better than these VPN routers.

Different use case - and I would never recommend putting a consumer router in a small business - different requirements

Sure consumer routers may not have cisco anyconnect but for a small business they already provide a faster and less buggy platform assuming you get the right brand and model.

I take it that you've not used AnyConnect as an end-user or as an admin in a managed device environment - the Client is very good, and it's supported by a great team over at Cisco for bug/security fixes and OS compatibility.

Mikrotik is more of a steal because of its flexibility compared to this rebranded vpn router and is welcomed by many poor countries. You wont see VPN routers where mikrotik thrives despite having the same markets.

The only thing I can say here is reorient views - I see a lot of uTik gear in small/medium enterprise, just like the RV's... if one is in the CiscoVerse (tm), the RV is the obvious choice, if not, there's lot of other edge router appliances out there, uTik is just one of many.

Where I'm at now - we have built an SDN oriented device - basically a universal customer prem equipment - that scales from a small office all the way to HQ level (just add more CPU/MEM/etc) - little pitch from me, our Denverton based units on a 500Mb symmetric connection can do wireline speed for VPN - largely thanks to QAT and DPDK - and that's a $500 box -

Spend more money, and we can do the same on 40Gb on either MPLS or SDWAN secure links at close to layer 2 wire speed. Can do standalone if needed, but we're fully OpenStack compliant for carrier grade connectivity (let's say with XO, Verizon, ATT, Tata, etc).

I find many to make the mistake of picking a router based on its ports and port counts.

Again, different space, and different needs.

I do question the need for 16 ports on an edge router, but it makes sense for some small businesses out there maybe.

 

[System Error Message]

Check your facts - this is not rebranded Linksys gear, even when Cisco owned Linksys, the RV's were not part of the consumer lineup, it was a different team.

Cisco sold off the consumer line to belkin sometime back. Old story, retold many times...



Different use case - and I would never recommend putting a consumer router in a small business - different requirements



I take it that you've not used AnyConnect as an end-user or as an admin in a managed device environment - the Client is very good, and it's supported by a great team over at Cisco for bug/security fixes and OS compatibility.



The only thing I can say here is reorient views - I see a lot of uTik gear in small/medium enterprise, just like the RV's... if one is in the CiscoVerse (tm), the RV is the obvious choice, if not, there's lot of other edge router appliances out there, uTik is just one of many.

Where I'm at now - we have built an SDN oriented device - basically a universal customer prem equipment - that scales from a small office all the way to HQ level (just add more CPU/MEM/etc) - little pitch from me, our Denverton based units on a 500Mb symmetric connection can do wireline speed for VPN - largely thanks to QAT and DPDK - and that's a $500 box -

Spend more money, and we can do the same on 40Gb on either MPLS or SDWAN secure links at close to layer 2 wire speed. Can do standalone if needed, but we're fully OpenStack compliant for carrier grade connectivity (let's say with XO, Verizon, ATT, Tata, etc).



Again, different space, and different needs.

I do question the need for 16 ports on an edge router, but it makes sense for some small businesses out there maybe.

i have not used anyconnect no, but i've seen friends who've used it in their university networks and have had a hard time using some of cisco's VPN based software.

For example, in your business, the cisco RV cant be used because it doesnt support what you need right? What bugs me is that if i had a proper network of offices (each office having its own segmentations and security) but at the same time to share resources, the cisco RV would not be able to cope and would require a lot of configuration. Whereas using a fully configurable router like BSD or mikrotik lets you use routing protocols with it which makes it a lot more easier.

I think those 16 ports are connected to a switch which has 2Gb/s (could be 1Gb/s) to CPU. The interesting question is why doesnt that particular cisco RV have a switch management feature like cisco has for their lower end switch line? Every mikrotik routerboard that has a switch has a menu to configure the switch chip. So if one wanted to do segmentation with the cisco RV could it even be done?

I know consumer routers arent meant to be used in businesses, but the majority of the population dont know a thing about tech so they arent going to be looking and if they are looking for a router it would be because their consumer router doesnt support the features and if a recent consumer router doesnt support the required features, i doubt the cisco RV would because feature wise consumer routers have beaten VPN routers. This is what i meant about the cisco RV, its just an overglorified VPN router that cant do more than what a consumer router can and if one is looking for a router because their ISP given or consumer router doesnt have the feature, the cisco RV isnt going to help here.

The other thing is, say each office having a few segments, each segment will require its own filters so some networks may be isolated while some wont. The cisco RV isnt a fully configurable router. If cisco wants the cisco RV to be relevant, they'd first have to beat ubiquiti edgerouters as while i dont recommend ubiquiti edgerouters they are still a better choice than the cisco RV.

To be clear if i were to ever recommend a VPN router it must fit these few points
1) be fully configurable
2) Have a fast enough CPU so it can do QoS and firewall at line speed
3) have all the VPN options available with easy to set up VPNs
4) Support segmentations and custom filters
5) Sodimm RAM
6) Come with an optional subscription to a decent VPN service that doesnt spy on you (so if cisco wants to keep their same bad practice of having to pay for everything seperately, this is one it can capitalise on)
7) Encryption speed needs to be fast enough for the next few years (if currently we use AES-256, it must support AES-512 at line rate too)
8) firmware must not be buggy
9) support LAN based security features that prevent MITM, rogue DHCP servers, etc
10) non hw accelerated encryptions need to be fast too
11) support mirroring so security such as IDS/IPS can be implemented with API so the server can communicate back with the router on whether to drop traffic
12) support an external radius/hotspot server
13)support routing protocols that the cisco RV is meant for, a multi VPN multi site device with easy routing not only between the cisco RVs, but also for managed switches that may be used at the sites.

This may be asking much but the cisco RV wont be relevant until it has that soon. I dont expect it to have the level of control mikrotik has for instance, but it must be able to perform the customisation that mikrotik offers for most SMB networks that would have some kind of complicated network.

 

[thiggins]

I agree VPN results are odd. I've asked Cisco for theories why. No response so far.
Doug used Cisco configs since he could not get tunnels up on his own.

Why would SSL performance be similar to L2TP, which is IPsec based?

I'll fix the switch info.

 

[sfx2000]

I agree VPN results are odd. I've asked Cisco for theories why. No response so far.
Doug used Cisco configs since he could not get tunnels up on his own.

Why would SSL performance be similar to L2TP, which is IPsec based?

I'll fix the switch info.

Important to note - the tunnels shouldn't be that hard to set up, and Doug is an experienced network person.

Performance - check to see if DTLS (UDP/443) is being used, as TLS (TCP/443) will significantly impact performance - there's settings on both sides (client and gateway). Additionally, if TLS is used vs. DTLS, then one can reduce the tcpmss down to 1300 to reduce packet fragmentation.

SSLVPN won't be as fast as LT2P, but it can be close...

Hopefully Cisco will come back with a response.

 

[jec6613]

I do question the need for 16 ports on an edge router, but it makes sense for some small businesses out there maybe.

For a small branch office use case, I see it being quite handy. If you have a retailer with small shops (think coffee/tea shop sized, or even restaurants) the 16 port switch with PoE can make the device your sole endpoint with site to site back to your actual IT resources. It has VPN support, works on dynamic IP addresses, proper switch management, inter-VLAN ACLs, and PoE to run your WAPs, and out of the box it does site to site back to AWS and Azure so you can run those shops without a physical datacenter. It ticks all of the boxes for a lot of customers.

Interestingly, when the RV345 was announced, the RV325 was discontinued - so clearly Cisco sees your point about limited use cases, because while the RV320 and even much older 4 port routers are still in the Cisco lineup, they seem to only want to carry two 16 port models - one PoE and one without. And of course, it's not that hard to just add a switch onto a regular 4 port router. Of course, that creates the consequence where the RV340 and separate switch is a much better investment, because it will be supported by Cisco, where the RV345 will have and EOS/EOL much sooner.

 

[sfx2000]

That's a good point - the small business in retail - with VLAN suppport, one can break out the POS and the back office, keeping compliant with PCI standards...

The branch office use case - L2TP back to corp main office, AnyConnect for remote offsite users, and one can have the router and switch in one box... a bit of risk as it's a single point of failure, but the RV line tends to be fairly robust.