The Reserved IP feature is an add-on to SIG-based subscriptions and not yet available to all Cisco Umbrella customers. To get access to this feature, contact your Cisco Umbrella representative.
Reserved IP is a single-tenant IP address deployed to an Umbrella data center that is mapped to a customer’s web traffic. This provides a unique egress, or source, IP address that is not shared with other Umbrella SIG customers.
As reserved IP addresses are deployed on a per-data-center basis, customers require a reserved IP in each data center they forward their web traffic to. Currently, Reserved IP does not support Anycast; therefore, customers should use IPsec tunnels to connect their networks to Umbrella for reliable use of their reserved IP(s). For roaming computers, a client VPN should be used to forward web traffic to a network where an IPsec tunnel has been established to an Umbrella data center provisioned with a reserved IP.
Anycast will be supported by Reserved IP in a future iteration.
In the Activity Search report, there are three new filters in Advanced Search:
- Umbrella Egress IP Type: A selection list of either Shared or Reserved.
- Umbrella Egress IP Address: The field accepts specific egress IPs.
- Umbrella Egress Data Center: A selection list of available Umbrella data centers.
When a reserved IP is deployed to a data center, no further configuration is required. All of the customer’s web traffic forwarded to the provisioned data center will use the reserved IP.
Remote Browser Isolation (RBI) is currently not supported by Reserved IP. Applications or services which require a reserved IP should not be isolated.
When a customer surrenders one or more reserved IPs back to Cisco, the reserved IP(s) will become available to other customers for provisioning. For more information, see Cisco Umbrella Terms of Agreement.
Port exhaustion is not likely to occur due to the way web traffic is mapped through a reserved IP. However, if port exhaustion does occur, the session will be dropped and the client is likely to retry. Due to the ephemeral nature of Ethernet, it is likely that a port will become available upon retry.
Determine the maximum sessions available in a given instance using the following formula:
Maximum sessions = sIP x sP x dIP x dP x nP
- sIP (Source IP): Use 1 for a single reserved IP address.
- sP (Source Ports): We do not restrict ports; use the full port range of 65,536 potential source ports.
- dIP (Destination IPs): Total number of destination IPs clients will establish a session with.
  - To determine the greatest number of sessions supported, use the total possible number of public IPv4 addresses: 3,706,452,992.
  - To determine the fewest number of sessions supported, use 1. This emulates an FQDN that only supports a single IP address, with all clients establishing a session with the same FQDN.
- dP (Destination Ports): As above, no restrictions; use 65,536 destination ports.
- nP (Number of Protocols): TCP and/or UDP. Currently, Umbrella only supports TCP; use 1.
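
The formula worked through for the two bounds given above, plus a per-destination headroom check that goes beyond the page by setting dIP = dP = 1 for a single destination IP and port. This is an added example, not Cisco's code; the function names, the constructed session list, and the 80% warning threshold are assumptions.

```python
from collections import Counter

SOURCE_PORTS = 65_536        # sP: full source port range (from the page)
DEST_PORTS = 65_536          # dP: full destination port range (from the page)
PUBLIC_IPV4 = 3_706_452_992  # dIP upper bound quoted on the page


def max_sessions(s_ip=1, s_p=SOURCE_PORTS, d_ip=1, d_p=DEST_PORTS, n_p=1):
    """The page's formula: sIP x sP x dIP x dP x nP."""
    return s_ip * s_p * d_ip * d_p * n_p


def per_destination_capacity(reserved_ips=1):
    """Sessions available toward one (dIP, dP) pair over TCP: dIP = dP = nP = 1."""
    return max_sessions(s_ip=reserved_ips, d_ip=1, d_p=1, n_p=1)


def headroom(open_sessions, reserved_ips=1, warn_ratio=0.8):
    """Count open sessions per destination and flag those close to the cap.

    open_sessions: iterable of (dst_ip, dst_port) for currently open TCP flows.
    Returns {(dst_ip, dst_port): (count, utilisation, near_exhaustion)}.
    """
    cap = per_destination_capacity(reserved_ips)
    return {
        dst: (count, count / cap, count / cap >= warn_ratio)
        for dst, count in Counter(open_sessions).items()
    }


def constructed_sample():
    """Constructed data: documentation-range IPs, not real traffic."""
    busy = [("203.0.113.10", 443)] * 60_000   # one heavily used endpoint
    quiet = [("198.51.100.7", 443)] * 1_200
    return busy + quiet


if __name__ == "__main__":
    print("fewest (dIP=1):", max_sessions(d_ip=1))
    print("greatest (all public IPv4):", max_sessions(d_ip=PUBLIC_IPV4))
    for dst, (count, used, warn) in headroom(constructed_sample()).items():
        print(dst, count, f"{used:.1%}", "NEAR EXHAUSTION" if warn else "ok")
```

The per-destination figure is the one to watch when many clients share one reserved IP and reach the same service on the same port.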