Reserved IP
The Reserved IP feature is an add-on to SIG-based subscriptions and not yet available to all Cisco Umbrella customers. To access this feature, contact your Cisco Umbrella representative.
A reserved IP is a single-tenant IP address deployed to a predetermined region of Umbrella data centers. Each region will have a minimum of two data centers, and each data center will have its own reserved IP address that Umbrella maps as a single source IP address for your web traffic. This provides your traffic with a unique source IP address not shared with any other Umbrella customers. Using a reserved IP address makes it easier to register your traffic for allow lists maintained by internet sites and services. See Region of Data Centers for the full list.
Reserved IP for the Roaming Use Case may not be available in all Umbrella packages. Please contact support or your sales representative for more information on availability and pricing.
Umbrella supports reserved IP addresses only for SIG deployments that connect to a data center through two traffic acquisition methods: IPsec tunnels or anycast-based methods.
- Where the traffic acquisition method is through IPsec tunnels, using a reserved IP address affects only the source IP for your traffic exiting the data center. It does not affect the IP address you use to establish the IPsec tunnel between your network and the data center.
- Where the traffic acquisition method is anycast (i.e. Secure Client, PAC file, explicit proxy, or proxy-chaining), data center's within a region may offload traffic to other data centers within the same region to prevent a single center from becoming overloaded. Ingress control is a mechanism that allows anycast-based methods to communicate with the data centers to see which one has your reserved IP.
Note: The Reserved IP feature does not currently support TCP-based anycast.
Table of Contents
- Deployment
- Reporting
- Configuration
- Remote Browser Isolation
- Reserved IP Surrender
- Exhaustion
- Maximum Sessions
- Troubleshooting
- Region of Data Centers
Deployment
Reserved IP addresses are assigned by Cisco staff once an order has been received.
- Cisco requires a reserved IP for each data center within the region to which a customer will forward their traffic.
- Using a reserved IP address affects only the source IP for your traffic exiting the data center.
- Each region will have a minimum of two data centers.
- Reserved IP supports two traffic acquisition methods: IPsec tunnels and anycast-based methods (i.e. Secure Client, PAC file, explicit proxy, and proxy-chaining).
- Reserved IP does not support TCP-based anycast. TCP-based anycast is used by Secure Client when DNS-based anycast method fails, and in explicit proxy, PAC file, and proxy-chaining scenarios where Umbrella DNS is not deployed.
- Only one reserved IP will be provisioned if a data center is overlapping in different regions. For example, US East and Central Latin America regions both include the Miami Data Center. You will only get one reserved IP address, not two.
- Cisco does not support reserving contiguous IP addresses.
- Reserved IP addresses are not transferable between other data centers.
Reporting
In the Activity Search report, there are two filters associated with the Reserved IP feature in Advanced Search:
- Umbrella Egress IP Type: A selection list of either Shared or Reserved.
- Umbrella Egress Data Center: A selection list of available Umbrella data centers.
To filter by Egress IP Address, use the IP Address filter field.
Configuration
When reserved IP's are deployed to a region of data centers, there is no more configuration required. Any web traffic from the customer forwarded to the provisioned region of data centers will use the reserved IP's for all of the customer’s web traffic.
Remote Browser Isolation
Remote Browser Isolation (RBI) is currently not supported by Reserved IP. Applications or services which require a reserved IP address should not be isolated.
Reserved IP Surrender
When a customer surrenders one or more reserved IPs back to Cisco, the reserved IP(s) will become available to other customers for provisioning. Reserved IP addresses are not transferable from one region to another. For more information, see Cisco Umbrella Terms of Agreement.
Port Exhaustion
Port exhaustion is not likely to occur due to the way Umbrella maps traffic through a reserved IP address. However, if port exhaustion does occur, the session is dropped and the client is likely to retry. Due to the ephemeral nature of Ethernet connections, it is likely that a port will be available on retry.
Maximum Sessions
Determine the maximum sessions available in a given instance using the following formula:
Maximum sessions = sIP x sP x dIP x dP x nP
sIP (Source IP): Use 1 for a single reserved IP address.
sP (Source Ports): We do not restrict ports; use the full port range of 65,536 potential source ports.
dIP (Destination IPs): Total number of destination IPs clients will establish a session with.
To determine the greatest number of sessions supported, use the total possible number of public IPv4 addresses 3,706,452,992.
To determine the fewest number of sessions supported, use 1. This will emulate an FQDN that only supports a single IP address, and all clients are establishing a session with the same FQDN.
dP (Destination Ports): As above, no restrictions; use 65,536 destination ports.
nP (Number of Protocols): TCP and/or UDP. Currently, Umbrella only supports TCP, use 1.
Troubleshooting
If your traffic is not getting a Reserved IP applied, check the following steps below:
- Ensure that the destination is not going through a policy with remote browser isolation.
- Ensure that the destination is HTTP or HTTPS on TCP port 80 or 443. Certain trusted domains, such as Cisco and specific Microsoft Windows Update domains, and non-web traffic are excluded from Reserved IP due to special handling.
- Look in the Activity Search report to make sure it is showing up as a Web transaction, and that it is egressing through the region of data centers where your IP is provisioned.
- Some 'find my IP' sites will look for the original IP in the proxy headers (XFF) and will show that IP instead of the reserved IP. The Activity Search report is a more reliable indicator.
- Microsoft Update traffic is excluded from Reserved IP due to special handling of these destinations.
- Make sure you are connected to the region of data centers where your reserved IP's are provisioned.
Region of Data Centers
| Region | Data Center List |
|---|---|
| US-East | Ashburn, VA, US Atlanta, GA, US New York, NY, US Miami, FL, US Reston, VA, US |
| US-Central | Chicago, IL, US Dallas, TX, US Denver, CO, US Minneapolis, MN, US |
| US-West | Los Angeles, CA, US Santa Clara, CA, US |
| CA-All | Toronto, ON, CA Vancouver BC, CA |
| C-LA-All | Miami, FL, US Querétaro, MX |
| BR-All | Rio de Janeiro, BR São Paulo, BR |
| EU-North | Amsterdam, NL Copenhagen, DK Stockholm, SE |
| EU-South | Paris, FR Prague, CZ Madrid, ES Marseille, FR Milan, IT |
| EU-West | Amsterdam, NL Frankfurt, DE London, UK |
| UK & I | Dublin, IE Frankfurt, DE London, UK Manchester, UK |
| ME-All | Amsterdam, NL Dubai, AE |
| AF-All | Cape Town, ZA Johannesburg, ZA |
| AS-JP | Osaka, JP Singapore, SG Tokyo, JP |
| AS-East | Hong Kong, CN Singapore, SG Tokyo, JP |
| AS-West | Chennai, IN Mumbai, IN |
| AU-All | Melbourne, AU Sydney, AU |
SWG Data Centers < Reserved IP > Reserved IP Supplemental Terms
Updated 5 months ago