Reserved IP


The Reserved IP feature is an add-on to SIG-based subscriptions and not yet available to all Cisco Umbrella customers. To access this feature, contact your Cisco Umbrella representative.

A reserved IP is a single-tenant IP address deployed to an Umbrella data center that Umbrella maps as a single source IP address for your web traffic. This provides your traffic with a unique source IP address not shared with other Umbrella customers. Using a reserved IP address make it easier to register your traffic for allow lists maintained by internet sites and services, since Umbrella maps all your web traffic to a unique and predictable source IP address.

Using a reserved IP address affects only the source IP for your traffic exiting the data center. It does not affect the IP address you use to establish the IPsec tunnel between your network and the data center.

Note: Umbrella supports reserved IP addresses only for SIG deployments that connect to a data center through an IPsec tunnel. The Reserved IP feature does not currently support explicit proxy or anycast-based methods (PAC file/AnyConnect/Secure Client).

Table of Contents


Reserved IP addresses are assigned by Cisco staff once an order has been received.

  • Cisco requires that you reserve at least two IP addresses, each at a different data center, so you can have a backup should problems occur with your primary data center.
  • Reserved IP addresses are deployed on a per-data center basis; Cisco requires a reserved IP for each data center to which a customer will forward their traffic.
  • Cisco does not support reserving contiguous IP addresses.
  • Reserved IP addresses are not transferable between data centers.


In the Activity Search report, there are two filters associated with the Reserved IP feature in Advanced Search:

  • Umbrella Egress IP Type: A selection list of either Shared or Reserved.
  • Umbrella Egress Data Center: A selection list of available Umbrella data centers.

To filter by Egress IP Address, use the IP Address filter field.


When a reserved IP is deployed to a data center, there is no more configuration required. Any web traffic from the customer forwarded to the provisioned data center will use the reserved IP for all of the customer’s web traffic.

Remote Browser Isolation

Remote Browser Isolation (RBI) is currently not supported by Reserved IP. Applications or services which require a reserved IP address should not be isolated.

Reserved IP Surrender

When a customer surrenders one or more reserved IPs back to Cisco, the reserved IP(s) will become available to other customers for provisioning. Reserved IP addresses are not transferable from one data center to another. For more information, see Cisco Umbrella Terms of Agreement.

Port Exhaustion

Port exhaustion is not likely to occur due to the way Umbrella maps traffic through a reserved IP address. However, if port exhaustion does occur, the session is dropped and the client is likely to retry. Due to the ephemeral nature of Ethernet connections, it is likely that a port will be available on retry.

Maximum Sessions

Determine the maximum sessions available in a given instance using the following formula:

Maximum sessions = sIP x sP x dIP x dP x nP

sIP (Source IP): Use 1 for a single reserved IP address.
sP (Source Ports): We do not restrict ports; use the full port range of 65,536 potential source ports.
dIP (Destination IPs): Total number of destination IPs clients will establish a session with.
To determine the greatest number of sessions supported, use the total possible number of public IPv4 addresses 3,706,452,992.
To determine the fewest number of sessions supported, use 1. This will emulate an FQDN that only supports a single IP address, and all clients are establishing a session with the same FQDN.
dP (Destination Ports): As above, no restrictions; use 65,536 destination ports.
nP (Number of Protocols): TCP and/or UDP. Currently, Umbrella only supports TCP, use 1.


If your traffic is not getting a Reserved IP applied, check the following steps below:

  • Ensure that the destination is not going through a policy with remote browser isolation.
  • Ensure that the destination is HTTP or HTTPS on TCP port 80 or 443. Websites loaded over QUIC will not have reserved IP applied.
  • Look in the Activity Search report to make sure it is showing up as a Web transaction, and that it is egressing through the data center where your IP is provisioned.
    • Some 'find my IP' sites will look for the original IP in the proxy headers (XFF) and will show that IP instead of the reserved IP. The Activity Search report is a more reliable indicator.
  • Microsoft Update traffic is excluded from Reserved IP due to special handling of these destinations.
  • Make sure you are connected to the data center where your Reserved IP is provisioned.

SWG Data Centers < Reserved IP > Reserved IP Supplemental Terms