Reserved IP


The Reserved IP feature is an add-on to SIG-based subscriptions and not yet available to all Cisco Umbrella customers. To access this feature, contact your Cisco Umbrella representative.

A reserved IP is a single-tenant IP address deployed to an Umbrella data center that Umbrella maps as a single source IP address for your web traffic. This provides your traffic with a unique source IP address not shared with other Umbrella customers. Using a reserved IP address makes it easier to register your traffic for allow lists maintained by internet sites and services, since Umbrella maps all your web traffic to a unique and predictable source IP address.

Using a reserved IP address affects only the source IP for your traffic exiting the data center. It does not affect the IP address you use to establish the IPsec tunnel between your network and the data center.

Note: Umbrella supports reserved IP addresses only for SIG deployments that connect to a data center through an IPsec tunnel. The Reserved IP feature does not currently support explicit proxy or anycast-based methods (PAC file/AnyConnect/Secure Client).



Reserved IP addresses are assigned by Cisco staff once an order has been received.

  • Cisco requires that you reserve at least two IP addresses, each at a different data center, so you can have a backup should problems occur with your primary data center.
  • Reserved IP addresses are deployed on a per-data center basis; Cisco requires a reserved IP for each data center to which a customer will forward their traffic.
  • Cisco does not support reserving contiguous IP addresses.
  • Reserved IP addresses are not transferable between data centers.


In the Activity Search report, there are two filters associated with the Reserved IP feature in Advanced Search:

  • Umbrella Egress IP Type: A selection list of either Shared or Reserved.
  • Umbrella Egress Data Center: A selection list of available Umbrella data centers.

To filter by Egress IP Address, use the IP Address filter field.


When a reserved IP is deployed to a data center, no further configuration is required. All of the customer’s web traffic forwarded to the provisioned data center uses the reserved IP.

Remote Browser Isolation

Remote Browser Isolation (RBI) is currently not supported by Reserved IP. Applications or services which require a reserved IP address should not be isolated.

Reserved IP Surrender

When a customer surrenders one or more reserved IPs back to Cisco, the reserved IP(s) will become available to other customers for provisioning. Reserved IP addresses are not transferable from one data center to another. For more information, see Cisco Umbrella Terms of Agreement.

Port Exhaustion

Port exhaustion is not likely to occur due to the way Umbrella maps traffic through a reserved IP address. However, if port exhaustion does occur, the session is dropped and the client is likely to retry. Due to the ephemeral nature of Ethernet connections, it is likely that a port will be available on retry.

Maximum Sessions

Determine the maximum sessions available in a given instance using the following formula:

Maximum sessions = sIP x sP x dIP x dP x nP

  • sIP (Source IP): Use 1 for a single reserved IP address.
  • sP (Source Ports): We do not restrict ports; use the full port range of 65,536 potential source ports.
  • dIP (Destination IPs): Total number of destination IPs clients will establish a session with.
      • To determine the greatest number of sessions supported, use the total possible number of public IPv4 addresses, 3,706,452,992.
      • To determine the fewest number of sessions supported, use 1. This emulates an FQDN that only supports a single IP address, with all clients establishing a session with the same FQDN.
  • dP (Destination Ports): As above, no restrictions; use 65,536 destination ports.
  • nP (Number of Protocols): TCP and/or UDP. Currently, Umbrella only supports TCP; use 1.
