Next Steps from Cisco RV340

[jasonreg]

Well, after waiting (semi) patiently for about 15 months, I find myself with an RV340 which is about to lose Cisco support. My security license also expires this week and I now need to make a few decisions. To get me going, I would like to solicit some advice from the crowd. My current set-up has my ISP Router (Gigabit service with reliable 940+ Mbps access at my main PC) bridged to my RV-340. RV340 connected to Layer 3 switch which does all routing (multiple VLANs) + POE duty, then onward to wired connections (about 75 in total) and my access points (about another 50+ connections). I am really only considering what needs to be done at the RV-340 at this stage ideally.

1. How quickly should I be concerned about losing the benefits of the security license (runs Router Anti-Virus and Intrusion Detection). My current view is: "this an issue I need to fix but less urgently" - most do not run this level of protection on their routers.
2. How quickly should I be concerned with the end of software vulnerability and software maintenance support. My current view is "very". New threats show up all the time - I am less concerned with the fixing any current flaws - my system runs very well - I am quite concerned with the security aspects.
3. Any recommendations for a replacement wired router? Why?
4. Should I also replace Layer 3 switch for ease of configuration with new router?

Many thanks in advance,

 

[degrub]

Any services/machines exposed to the outside world ?

 

[jasonreg]

@degrub no not really. I will be adding a server which would need to be accessed at some point but not for a bit.

 

[Tech9]

I have replaced 3x RV345P units recently with Netgate 6100 appliances. My networks are different though, all new hardware. I don't need L3 switches, but using 2.5GbE connections instead and everything is done on the firewall. Your RV340 never did any packet inspection, especially on Gigabit. It has no hardware to do it. I would keep the L3 switch and everything attached to it as is and replace the router/firewall with something you are comfortable with and compatible with the rest of your setup. RV34x is entry-level router and moving to pfSense will have some learning involved.

 

[Christos]

I believe that in the case of a big and exploited security vulnerability, Cisco will provide a fix to this router.
At this moment it is hard to find a netgate appliance anyway, so you can wait for 6-9 months and make a resercah then.
pfSense is not hard, considering your experience with Vlans etc.

 

[sfx2000]

I believe that in the case of a big and exploited security vulnerability, Cisco will provide a fix to this router.

No - EOS is rapidly approaching - Cisco is pushing folks towards Meraki solutions...

End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV340 and RV345 Series

Cisco announces the end-of-sale Cisco Small Business RV340 and RV345 Series. The last day to order the affected product(s) is October 28, 2021. Customers will continue to receive phone support from the Cisco Small Business Support Center (SBSC) as shown in Table 1 of the EoL bulletin. Table 1...

www.cisco.com

 

[coxhaus]

No - EOS is rapidly approaching - Cisco is pushing folks towards Meraki solutions...

End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV340 and RV345 Series

Cisco announces the end-of-sale Cisco Small Business RV340 and RV345 Series. The last day to order the affected product(s) is October 28, 2021. Customers will continue to receive phone support from the Cisco Small Business Support Center (SBSC) as shown in Table 1 of the EoL bulletin. Table 1...

www.cisco.com

It seems to be the case. I don't think it is a direction I will go. Still waiting. Maybe they will change their mind but probably not soon enough.

 

[sfx2000]

It seems to be the case. I don't think it is a direction I will go. Still waiting. Maybe they will change their mind but probably not soon enough.

Yeah, it's an old code base, and it's only going to be more difficult to maintain it.

The Meraki small/medium enterprise gear is pretty good, and while it's a bit spendy, it's reliable and secure.

 

[jasonreg]

I do not think I will go the Meraki route. From what I can tell, they get pretty pricey with decent throughput. The base models seem to have relatively modest throughput.

 

[Miner]

Well, after waiting (semi) patiently for about 15 months, I find myself with an RV340 which is about to lose Cisco support. My security license also expires this week and I now need to make a few decisions. To get me going, I would like to solicit some advice from the crowd. My current set-up has my ISP Router (Gigabit service with reliable 940+ Mbps access at my main PC) bridged to my RV-340. RV340 connected to Layer 3 switch which does all routing (multiple VLANs) + POE duty, then onward to wired connections (about 75 in total) and my access points (about another 50+ connections). I am really only considering what needs to be done at the RV-340 at this stage ideally.

1. How quickly should I be concerned about losing the benefits of the security license (runs Router Anti-Virus and Intrusion Detection). My current view is: "this an issue I need to fix but less urgently" - most do not run this level of protection on their routers.
2. How quickly should I be concerned with the end of software vulnerability and software maintenance support. My current view is "very". New threats show up all the time - I am less concerned with the fixing any current flaws - my system runs very well - I am quite concerned with the security aspects.
3. Any recommendations for a replacement wired router? Why?
4. Should I also replace Layer 3 switch for ease of configuration with new router?

Many thanks in advance,

For your Q #1 here's a thread from 2021 where the pros and cons of the security licenses are discussed:

Cisco RV340 & RV345 – are the licensed “advanced security features” worth it?

On advice from another thread I’m posting this question here in wired routers. Cisco RV340/345 routers have optional annual licensing features, one of the two optional licenses is for “advanced security features” ... IPS, Antivirus, Web Security, App ID, and Client ID." The second license is...

www.snbforums.com

I started that thread and decided not to renew the licenses past the initial one-year "trial."

 

[jasonreg]

@Miner - thanks for posting that. I do recall seeing that thread and giving it some thought. Interesting discussion.

 

[jasonreg]

I can start a new thread if this is too far a stretch but:

Thoughts on Unifi from the group? Considering replacing the RX340 with a Dream Machine Special Edition. I am generally considering keeping my current Layer 3 Switch (SG350X) and WAPs (3 x WAP 571 in a cluster) but open to changing them also if need be. I am assuming set-up might be easier in a single environment (or maybe I am over thinking it?)

 

[Tech9]

Just continue using your RV340. EoL doesn't mean it's not secure enough. You have nice all Cisco setup.

 

[degrub]

i'm still using my RV325s, no services exposed, patched, You can put them behind the ISP router for good measure.

 

[Tech9]

I also have one RV320 still in service. It is behind 2x ISP modem/routers doing dual WAN load balancing + fail over. Works perfectly.

 

[Miner]

Agree with above, I'll keep using an RV-34x router for now. Will eventually change out but it's not a defcon-1/code red urgent emergency at this point in time.

 

[Tech9]

I have replaced RVs not because of expected system crash the day after EoL, but because it was a planned migration to different hardware covering specific requirements on both my end and my business partners end. The nature of the business doesn't allow use of EoL equipment. RV320 still in service is a home network.

 

[Christos]

Avoid opening ports and use vpn instead to access your lan. This will also protect your internal devices that may not been patched yet.

 

[jasonreg]

OK so interesting discussion. A couple of follow-on questions:

• @Tech9 – when you say EOL does not mean secure enough – how long will that last? Hypothetical I realize but you are correct, as of 28 Oct I had confidence in my network, do I have reason to be worried now? If not when?
• @degrub – I assume being behind an ISP router does not apply if the ISP router is bridged? TO be clear the flow is ISP Modem (XB8) bridged -> RV340 -> SG350X-24 -> rest of network including WAP cluster and another switch. If I reset the ISP modem will this cause any issues?
• Assuming I am paranoid and have more money than common sense, If I were to add a hardware firewall, I am assuming it would be placed between the ISP modem and the RV340? Any issues to be aware of?
• Looking at Firewalla Gold Plus, but also considering Fortigate-60F. Thoughts and other recommendations?

 

[Tech9]

when you say EOL does not mean secure enough – how long will that last?

I have said EoL equipment is not allowed in my business. I need specific security clearance certificates and I also process personal data and online payments. One of my places has biometrics scanner and a metal detector at entry/exit point. Part of updates/upgrades are mandatory, other part I have made mandatory so the IT support knows and takes appropriate actions on time. EoL is not a problem in less secure networks like home environment. This is where I still use one RV320 with no issues whatsoever. It's in a house where elderly people mostly read news and watch movies on Internet.

do I have reason to be worried now?

It depends. If you are running a professional law, accounting or doctors office - yes. Home network - don't worry about it too much.