Cisco C931-4P router

The Cisco C900 series routers are designed as fixed-configuration branch routers. Fixed-configuration, as opposed to modular, means that the hardware cannot be upgraded or expanded. It has nothing to do with fixed or unchangeable firmware configuration. One thing that the C900 series does not provide is support for SD-WAN. In this sense, they are only suitable for small enterprise-class networks where router administration is manually performed on each individual router.

While the now-discontinued RV series of Linksys-designed routers is configured via a web GUI, sometimes together with a limited CLI, the C900 series is configured via the IOS CLI, and in this sense is a series of traditional Cisco routers. Common to the C900 models is that they are all equipped with either six 1-Gbps Ethernet interfaces, or five such interfaces and one DLS/ADSL/LTE interface. This page reviews the Cisco C931-4P (Figure 1-3), which is equipped with six Ethernet interfaces.

To take advantage of the C900 capabilities, one must master a sufficient knowledge of Cisco IOS, as there is no web GUI to fall back to. Especially at the beginning, the learning curve can be pretty steep.

If, like me, you are not pursuing a formal Cisco certification and are instead interested in learning to use one of these routers in practical situations in an advanced home/small-business/small-office network, as well as experimenting for the pure pleasure of learning, one approach that may be fruitful is to concentrate your learning on general routing and switching, and to skip all the parts of typical certification curricula (e.g. IP telephony and WAN routing) that are not immediately relevant to your goals. There will always be time afterwards, if you discover a practical use for these topics and/or enjoy the challenge of acquiring a highly technical knowledge of data networks.

In spite of the slightly specialized use of the C900 routers, practice with one of these routers can go quite far in giving you this knowledge, perhaps with the adddition of a more generic Cisco ISR router and one or two Cisco managed switches or switch modules to build a home lab comparable to those used to practice for Cisco certifications. None of this equipment needs to be very modern and expensive if its main purpose is learning.

In the early 2010s, small-branch LANs in the US and EU were typically connected to the Internet with a 100 Mbps ISP subscription. As a consequence, small-branch routers did not need to be capable of a throughput faster than this. Naturally, switched intra-LAN throughput needed to be faster, and 1 Gbps Ethernet had already replaced the 100 Mbps "Fast Ethernet" by that time.

Cisco has a habit of conservatively rating the throughput of its routers, by specifying a guaranteed throughput even with all services simultaneously in use. In fact, even when only IP routing and NAT services are in use, Cisco routers sold with the "normal" license throttle down their throughput in order not to exceed their specifications. Many home and gaming routers of the late 2010s, far cheaper than Cisco equipment, were rated on IP routing and NAT alone, and a non-critical comparison of their and Cisco's numerical specifications fed the general feeling that Cisco routers were large, expensive and power-hungry dinosaurs only suitable for being locked up in corporate server rooms. The only good reason for using Cisco routers and switches at home was while studying for a Cisco network certification. Typically, this use called for replacing their noisy internal fans with more silent ones designed for desktop PCs.

The credit for breaking with the Cisco tradition of large, expensive and power-hungry routers with sluggish throughput should probably be given to Linksys-designed, Cisco-branded small-business routers like the RV320 and RV340, released in the mid-2010s. By the late 2010s, fast multi-core CPUs and dedicated switching and routing hardware were cheap enough to allow a much faster throughput in a low-cost (by Cisco standards) package.

In 2019, Cisco released the C900 series of branch routers. Their IPsec VPN throughput of 150-250 Mbps is faster than the total throughput of many earlier branch routers, and their IP routing and NAT, even when running a built-in firewall, is only limited by the 2 Gbps throughput of their twin Gigabit Ethernet WAN ports. These routers are recommended for a network containing up to 50 clients, so they are much more powerful than typical home routers.

C931-4P versus other C900 models

Architecture and internal layout

Virtually no information seems to be publicly available on the architecture and internal physical layout of C900 routers. Pictures of the internals of older routers can be found on the web, mainly in the context of replacing their fans with silent ones, and of inserting internal modules, RAM and DSPs. I found nothing at all for this series. The main reasons may be that the C900 series has no fans and no expansion slots, and that many of these routers may still be under warranty, so there is little reason for an owner to open up the case - except for curiosity.

I am quite comfortable in opening up electronic equipment, especially if assembled in a straightforward way like this one. Opening the case of this router requires the removal of 14 small screws and there is no warranty seal. Figure 4 shows the results of removing the top cover, and may well be your only chance to peek inside the case if you don't own or have access to one of these routers. Unfortunately, aside for the large heatsink and a simple switching power supply, there is not much to see. In my C931, the heatsink only cools the CPU, although it is apparently made to cool at least a second LSI chip (one is present in the right place, but does not touch the heatsink). On the right side of the PCB I can see the unused soldering pads for a third, large LSI chip.

Only four wires, two black and two yellow, connect the power supply to the PC board. If, as I suspect, this power supply provides a single 12 V DC voltage to the PC board, it should be a simple matter to use an external power supply if the internal one needs replacing. This would also allow the PC board to operate at a lower temperature.

The heatsink is attached to the case and PCB with a few screws marked with tamper-detecting dabs of paint. I don't know whether the CPU is thermally coupled to the heatsink via a thermally conductive pad or a dab of thermal paste. I stopped short of removing the heatsink, since the likely returns are not that high.

In addition to the customary stickers with serial numbers, barcodes and other information, the bottom of the case carries four rubber feet and a curious black rectangle of plastic, approximately 46 by 57 mm. This rectangle is slightly flexible in its center and appears to be the cover of an opening in the metal case. I don't know for sure what is behind this cover, but I can hazard a guess that removing the cover will reveal a connector or a set of test points that Cisco may use to service this router and/or perform final tests before rolling it off the production line and package it. Since the top side of the PC board is completely covered by the heatsink, which cannot be removed while the router is in operation, Cisco needs a different way to access the test points.

Case and mounting options

The C931-4P, sometimes referred to as ISR 931-4P in Cisco literature, is housed in a black metal case 22.9 cm wide, 24.1 cm deep and 4.3 cm high. The router can be mounted in a 19" 1 U rack slot with rack ears (according to Cisco, not supplied with the router, but mine came with rack ears in the box, and I have seen rack ears in the packages of other C900 routers). The rack ears are unusually sturdy, apparently designed for the rather long ears to resist twisting under the relatively high weight of the router (1.2 Kg), and remarkably expensive if purchased separately. They can be attached either at the front or at the rear of the router. The right Cisco part number for the rack ears for 19" wide racks is ACS-900-RM-19. Make sure not to order by mistake the rack ears for 23" wide racks, which are also available. I have seen at least three dozen pictures on the Internet, purported to show the 19" rack ears for C921-4P and C931-4P routers, but almost all these pictures are not of rack ears for the C900 series.

The router is equipped with rubber feet. In the lack of rack ears, it can be placed on a 1 U or 2 U horizontal rack shelf, preferably ventilated.

The C931-4P has no fan and is competely silent. This also means that it is dependent on air convection for its cooling. The top and sides of the router case are abundantly ventilated. When mounting a C900-series router in a 19" rack, Cisco recommends leaving at least a 1 U empty space "between routers". I take this to mean that there should be at least a 1-U empty slot both above and under the router. I tried running the C931 mounted in a rack cabinet directly above a small TP-Link POE switch with only 10 ports, and the router did get uncomfortably hot. Removing the switch detectably lowered the temperature of the C931 case. For a small router with a total of only six Ethernet ports, it does seem to use a lot of power even under a light traffic load.

Cisco also markets a set of two brackets for hanging the router under a table-top or a (deep) shelf. These brackets leave a space approximately 1 U high between router and the undersurface of the table or shelf, to allow air circulation. These brackets mount in the same screw holes in the router case used for the rack ears. With a drill press, it is easy, and far cheaper, to modify steel angles used in carpentry to hang the C931 under a table-top or shelf. I strongly suggest leaving a 4.3 cm or higher spacing between router and table-top.

The C931-4P has no provision for hanging on a vertical wall (only a few C900 models with external power supplies are equipped with wall-hanging holes). All the above recommendations for mounting this router apply also to the C921-4P.

The C931-4P with rack ears is relatively heavy, and the deep case places quite some twisting strain on the rack ears. This router should be mounted in a relatively strong rack enclosure. At the same time, the remarkably high amount of heat generated by the electronics (the power supply is by far the hottest region within the router case) prevents it from being mounted in a small, completely enclosed cabinet.

Connectors and controls

The panel of the C931-4P that Cisco calls back panel carries four LAN 1 Gbps Ethernet ports, two WAN 1 Gbps Ethernet ports, an RJ-45 console (serial) port, a USB 2.0 socket (in spite of its blue color, apparently it is not USB 3.0), power switch, recessed reset switch, VPN LED, and a screw for grounding the chassis. This is the panel that carries all data connections and LED indicators, and the panel that I find natural to mount at the front of the rack. Nonetheless, I will simply follow the Cisco terminology and continue to call this the back panel.

The only practical consequence of Cisco calling this the back panel is that, with this panel facing forward, the "Cisco" logo on top of the case is upside down. It did occur to me that this "problem" could be solved by re-attaching the top panel after rotating it half a turn. However, the screw holes don't match.

On the front panel is only a grounded mains connector. This is the side that I find natural to mount toward the rear of a rack, facing toward a wall. The router has no USB console port, so there is no need to install the Cisco USB driver on a computer.

The C931-4P is equipped with an internal power supply, like most C900 models. A few C900 models introduced in later years have an external power supply (12 V DC 30 W). I guess this is a way for Cisco to save on manufacturing costs and outsource their "brick" type power supplies from Chinese companies. If one of these power supplies breaks down, hopefully it will just stop working instead of frying the router, and a replacement power supply is easy to find. In my experience, external power supplies are the parts of network equipment and computer peripherals most likely to need replacing after a few months to a few years.

C931-4P vs. other C900 models

The C931-4P and C921-4P are externally identical, but the C931-4P provides a higher encrypted throughput (see below). Aside from this difference, which is probably due to a more powerful hardware-assisted encryption/decryption, the two models appear to be functionally identical.

Aside for being equipped with a WAN port of a type other than Ethernet, which probably has a different throughput, other C900 models have declared specifications identical to the C921-4P.

Expandability

The C900 series is self-contained and not expandable. The C931 is internally equipped with 2 GByte flash and 1 GByte DRAM.

Cisco support and firmware

The C931-4P was introduced in 2019 and is still marketed by Cisco at the time of writing. Therefore, it is still supported with firmware updates. So-called promotional bundles with C900 routers were discontinued in 2022, but not the routers themselves. Firmware updates that only correct functionality bugs or add new features are available exclusively to users who own a current Cisco service contract, which might be more expensive than the router itself.

Cisco states that firmware updates that correct known security vulnerabilities are available for free, even in the lack of a service contract. However, the experience of users trying to obtain from Cisco this type of free support for their routers, as reported on Cisco user bulletin boards, clearly shows that Cisco is actively discouraging users from doing so by making the process as difficult, frustrating, and time-consuming as possible. For example, the user has first to wade through the numerous release notes of firmware to find out which one fulfils the criteria for a free upgrade, then to call Cisco support on the phone, quote to the letter the exact Cisco statement entitling them to a free upgrade for their specific router, quote exactly where this statement is published on the Cisco web site, and finally specify the exact release version that complies with the free upgrade policy. Some users report being shuffled from one support person to another during the same call, and having to repeat the whole procedure all over multiple times.

I should not be surprised to hear that large numbers of Cisco routers, theoretically entitled to free updates, are being run without such updates, in order to avoid going through the hassle of the upgrade procedure. Time is one item in short demand among systems administrators, and wasting a couple of hours being harassed by multiple Cisco support personnel actively trying to keep me from obtaining the free updates that Cisco is officially offering for free is not high on my to-do list. The alternative of buying newer and more expensive routers and an even more expensive yearly support contract does of course sound like an easy money-maker to Cisco's highest management ranks, but is simply not an option for many small businesses still using these routers, and for students running old routers with gaping security holes in CCNA home labs connected to the Internet. The thousands of second-hand Cisco routers still on the market are the least likely to be regularly updated.

Am I the only one who sees how Cisco's arrogant disregard for "small" customers is self-defeating in the long run? Cisco's management obviously doesn't. These customers are likely to look at other brands for replacing their aging Cisco equipment, and former CCNA/CCNP students may be less likely to recommend Cisco purchases to their employers, given their past experiences with Cisco's attitudes.

Specifications

The specifications and capabilities of the C900 routers are listed here.

The C931-4P and C921-4P are externally identical, but the C931-4P provides a higher VPN throughput (250 Mbps vs. 150 Mbps). In fact, the C931-4P has the highest VPN throughput within the C900 series. As a result, the C931-4P commands a higher price, both new and second-hand. Aside from this difference, probably due to a more powerful hardware-assisted cryptography engine, and possibly to a more powerful CPU, the two models appear to be functionally identical. Both models provide a non-encrypted bidirectional throughput of 2 Gbps even when using the built-in firewall, limited only by the throughput of the 1 Gbps Ethernet interfaces.

Configuration

Configuration of the C931-4P is discussed here.

Second-hand value

On the second-hand market, the C931-4P commands a higher price than the C921-4P. I found an eBay seller with a few new-in-box C931-4Ps with IP Base and Security licenses at 550 € apiece, which became 700 € immediately after I ordered mine. More than two months after I bought mine, the remaining C931s offered by this seller are still unsold at the new price, unsurprisingly. Other sellers have even more unrealistic prices, like two German sellers offering, week after week, month after month, new C931s at 1,785 and 2,082 €, respectively. "New" means nothing in terms of warranty, since these units are industrial surplus and most likely were sold to an industrial customer by Cisco. As such, warranty claims from a new owner of a still-sealed C900 purchased on eBay will not be recognized by Cisco.

A second-hand C921 or C927 can be found for as low as 280 €. If you do not need the higher VPN throughput of the C931, the C921 is a more cost-effective alternative. It is possible, however, that the C921 uses a scaled-down architecture lacking some capabilities of the C931 (in addition to the lower VPN throughput). The C921, for example, has been reported to lack VLANs, while the C931 has a limited implementation of VLANs.

Summary

The Cisco C931-4P router, also known as ISR 931-4P, is a branch router with dual 1 Gbps WAN ports offering 250 Mbps IPsec VPN throughput, and non-encrypted throughput limited only by the 1 Gbps speed of its Ethernet ports. It is configured via Cisco IOS, and seems to be less common that other C900 models on the second-hand market.

On paper, Cisco provides free firmware updates that correct security vulnerabilities (not other bug types) of these routers, but actively discourages such free updates by making them as difficult, frustrating and time-consuming as possible to obtain for users who cannot afford a paid service contract.