Growing pains with cisco rv325 and rv320... upgrade advice please


Viperfitness1

New Around Here
Hello guys and gals.. I ran onto this forum looking for solutions to my problems and read some info about other routers (MikroTik and edge routers) that seemed promising.... My company has a corporate office with five branch offices and soon to add 3 more branch offices. The corporate office has a RV325 router and all the branches have the RV320. All sites have 100/20 mbps service. The corporate office has a Cisco UCS C240 M3 server that mirrors a cloud-based server to control access to over a hundred doors for the customers we serve, along with the customer database and an IP-based video surveillance system to monitor and record activity. The current five branch offices are connected with an IPsec VPN tunnel to the corporate office's RV325. The problem I'm having is that when I upgraded recently from 20/5 mbps to 100/20 mbps service at all locations, the RV325 router crashes once all VPN connections are established and the server is communicating with all doors and cameras. Also, the port forwarding service on the RV325 router will no longer let me add services to forward ports for the system either (no solution from Cisco). I have had to drastically back off all video resolution and FPS to have a somewhat working system (still slow and sketchy). I worked with Cisco support for over a month for them to tell me I have exceeded the limits of the RV325 and I will need to buy an integrated service router (cue sales rep calls). I still consider this a small business and, after I found this forum, feel like there should be a better option than the Cisco integrated service routers considering the price. Does anybody have any advice on what direction I could go? I would like a router that can handle the load I am needing and be able to handle the addition of 3 more branch offices. I also would like a router that can connect to the branch offices' RV320 via VPN connection without having to buy new equipment, because the branches seem to work fine with the RV320.
I hope this is enough info but can provide more if needed. Thanks in advance
 
I also utilize the VLAN and NAT features of the RV series routers. Each location has Cisco gigabit PoE switches to power the door controllers and cameras, along with a local NAS for storage and wireless access points.
 
Sounds like Cisco is trying to point you towards a scalable solution - I would concur that you may have outgrown the devices on hand...

Might be time to sit down with a Telco provider, and see what options they have - could be cheaper in the long run...
 
You should upgrade asap, ditch all the cisco RVs as they are horrible. Those router platforms, with the exclusion of the ubiquiti edgerouters, are all terrible regardless of brand. Not only are they horrible, they don't have all vpn types available, so even consumer routers have more features than them in VPN, and their VPN performance for other than PPTP and L2TP/IPSEC sucks as well.

My suggestion would be to use x86; if you have a core2duo at least sitting around, that will work better. Being a small business, there's no reason to use cisco's professional stuff as it is not only expensive but also not really required.

For VPN you should consider a non VPN based router that has hardware acceleration. Mikrotik doesn't support openVPN with UDP at the moment but they have routers with hardware AES for good IPSEC performance. Ubiquiti on the other hand uses the same platform as those vpn routers but doesn't suffer from the same issues they have and has way more features and is configurable.

You can use quad core atoms or better in those small form factor PCs that have at least 2 NICs. You don't really need cisco for your routers, as from what I see all they do is just NAT, port forwarding and VPN, 3 features that even consumer routers can do now, so all you need is a router that's fast enough for that. Using mikrotik, ubiquiti or even pfsense for instance will allow you to do more, such as filtering, things that those horrible VPN routers won't let you do, and likely with better performance.

Sitting down with your ISP would be a good option too, they could provide a dedicated line between your branches as well so you would need to add the bandwidth into consideration as well.

Currently each branch only needs to be able to handle 120Mb/s of NAT and VPN. If you need to use all 4 types of VPN commonly available the best choice is a PC based router as they could do all 4 at your current WAN speeds or even more. AES acceleration is very useful here if you plan to use AES encryption.

As for your main office, I'm not sure if cisco has many hardware configurations, but if not it should still be capable of handling your needs as long as it is not encoding your camera feeds. That 16 cores total of intel iseries CPU with 192 GB of ram is plenty. It's best to see where the limitation is by using the equivalent of a task manager on it and see where the bottleneck is, if it is CPU, ram or even disk or if it is the NIC. If the limitation is the NIC then you should look at your network and see about combining ports or adding 10Gb/s to your network (SFP+ direct is currently the cheapest way for a single server).
 
Thanks for the replies, I really do appreciate you both for taking the time. System Error Message, that is a very forward thinking look at things. I'm amazed at how much network engineering goes into a growing business (networking was not my background) but as the owner I have no choice but to lead my team in ways and ideas that are better than just opening the check book to solutions. I've read a little about pc based routers but I am going to have to do some research and testing to fully grasp this solution. I do have machines no longer in use that could be used in this way. I have relied on the cisco RV hardware way too long and watching them crash was a real eye opener for a more scalable solution. I really felt like I was being sucked into the cisco vortex until you reached out here. Thanks again

Knowledge is power. Information is liberating. Education is the premise of progress, in every society, in every family.
 
Thanks for the replies, I really do appreciate you both for taking the time. System Error Message, that is a very forward thinking look at things. I'm amazed at how much network engineering goes into a growing business (networking was not my background) but as the owner I have no choice but to lead my team in ways and ideas that are better than just opening the check book to solutions. I've read a little about pc based routers but I am going to have to do some research and testing to fully grasp this solution. I do have machines no longer in use that could be used in this way. I have relied on the cisco RV hardware way too long and watching them crash was a real eye opener for a more scalable solution. I really felt like I was being sucked into the cisco vortex until you reached out here. Thanks again

Knowledge is power. Information is liberating. Education is the premise of progress, in every society, in every family.
This is something I knew from birth. This sort of knowledge should be in your blood, and a quick search of the cisco rv reveals many horror stories.

If you do end up with 1Gb/s connections you may need to consider i3 or higher as a minimum for branches, as they will perform vpn near those speeds. While openVPN performance is sort of an anomaly, many OSes on x86 are able to use multiple cores for a single task such as a vpn tunnel for instance (with openVPN it is a matter of time before they get it multi threaded for a single tunnel). Other than overclocking you can also use inexpensive many core low power intel xeons as well. They are more expensive than cisco RVs but if you build the servers yourself it's really not difficult. For example you could get cheap 1U or 2U chassis, get a good 300W 1U or 2U PSU (depending on chassis), pick up some 2nd hand components (except for drives) and load up pfsense on them. You will also need a right angled PCIe bracket/adapter for adding NICs as well. Intel server quad port NICs can be gotten for cheap 2nd hand but just make sure they are PCIe and gigabit at least. The performance you will get out of them will be really fast, and in such a configuration with pfsense you can also add drives to use as cache via the transparent web proxy method and also use better firewalls and filtering. You can also get SFP+ NICs for 10Gb/s, which is what such a configuration will allow, as you need a x8 PCIe port minimum.

If you do buy the mini PCs for use as routers they use laptop CPUs and you are stuck with the NICs that they have. Not much of a problem as many meet the minimum hardware needed for using pfsense. Just make sure they have 2 NICs and check the CPU on intel ark that it fits what you need.

For intel at least 32nm CPUs support hardware AES on the full architectures, not sure about the intel atom architecture. Naming can be confusing so make sure to check intel ark.

The current price of your cisco server seems reasonable. You can purchase more of such from cisco assuming they cost around £2k. If you are able to build yourself for less and can set up a linux server OS then that would be better, but just remember to stick to a name brand for ram. ECC ram, even kingston, can be considered. If it isn't ECC ram then stick to the performance lines of good brands such as g.skill, corsair, kingston, crucial, but avoid the value rams of such brands and ram of other brands as they aren't 100% stable.
 
you should upgrade asap, ditch all the cisco RVs as they are horrible.

erm - no - they're fine actually... for the end points. They work, they're secure, and they're supported... and as edge-routers/end-points, they're probably fine.

For a collector, you want a bit more... consider the remote offices, number of them, and the traffic needed - cisco is trying to point you to a solution - there are others in that space - Aruba/Juniper, and a fair amount of startups and 2nd tier folks...

My best advice though - find a VAR/Consultant that is familiar with your business tier...
 
My best advice though - find a VAR/Consultant that is familiar with your business tier...
^ That - 100%.

By undertaking this yourself (and/or with some of your employees), you might just be able to make a solution work, albeit with some extra frustration thrown in along the way. But right there is a bit of Business School 101. As a functioning business whose revenue relies at least in part on this infrastructure, I would tap your referral network for the best IT/network services firm(s) you can find and have one of them handle the deployment, possibly managed service as well. View it as an investment in your business, which will return as additional top-line revenue and decreased opportunity cost by allowing you to focus on what you do best, while others handle the minutiae in other areas with their expertise. Think investment on one end in exchange for growth on the other.
 
What you may be experiencing with the rv325 is a problem caused by the new internet connection hammering the router with ack/nak packets. There's a similar problem with the netgear fvs318 series that causes similar issues.

Simply changing the rv325 to a different brand might resolve the issue, or even something as simple as putting a managed switch in front of the rv325 to 'filter' all this packet noise. I dealt with a similar issue on my rv016 and cisco's guidance was incorrect as I discovered later after spending more money.
 