Cisco Meraki Documentation

Cisco Secure Connect Reserved IP

This article outlines the Reserved IP feature in Cisco Secure Connect, which provides a unique IP address for outbound traffic. It explains the requirements, limitations, and management processes through the Umbrella dashboard, ensuring consistency in the IP Scheme for security and inbound connections.

What is Reserved IP?

Internet traffic exiting the Cisco Secure Connect cloud goes through a Network Address Translation (NAT) process. Each traffic flow is dynamically mapped to an IP address from a shared pool of IP addresses. Note that private application traffic transiting the Secure Connect cloud between your physical or private cloud sites does not go through the Secure Connect NAT process. By default, your traffic will get an IP address that is shared with other customers. Furthermore, traffic flows from your organization will not necessarily be assigned to the same address. This makes it infeasible to implement IP address-based allowlists with your SaaS-based applications and services.

A reserved IP address is a single-tenant IP address that is statically assigned to your internet-bound web traffic for a given data center. This provides your traffic with a unique egress source IP address not shared with other Secure Connect or Umbrella customers.

Reserved IP is an add-on feature to your Secure Connect subscription. The IP address is assigned by Cisco. Cisco is responsible for the provisioning of the service. There is no end-user configuration of this feature. To request this feature, please contact your Cisco representative.

Guidelines for Implementation

With reserved IP, there are a few implementation guidelines to note.

  1. Reserved IP is purchased by "region". A region will have two or more data centers. (See below for the list of regions and data centers.) A single reserved IP address is assigned to each data center in the region. (See the Secure Connect ordering guide for instructions on purchasing reserved IP.)
  2. Using a reserved IP address affects only the source IP for your traffic exiting the Secure Connect data center.
  3. Only web traffic (HTTP and HTTPS) going through the Secure Web Gateway (SWG) will egress via reserved IP. QUIC traffic will not egress with a Reserved IP address.  
  4. Only one reserved IP will be provisioned if a data center belongs to more than one region. For example, the EU-West and UK&I regions both include the Frankfurt, DE data center. You will only get one reserved IP address, not two.

Reserved IP Regions

Americas

| Region | Data Center Location (Data Center Name) |
|---|---|
| US-East | Ashburn, VA, US (ASH1) |
| US-East | Atlanta, GA, US (ATL1) |
| US-East | New York, NY, US (NYC1) |
| US-East | Miami, FL, US (MIA1) |
| US-Central | Chicago, IL, US (CHI1) |
| US-Central | Dallas, TX, US (DFW1) |
| US-Central | Denver, CO, US (DEN1) |
| US-Central | Minneapolis, MN, US (MIN1) |
| US-West | Los Angeles, CA, US (LAX1) |
| US-West | Santa Clara, CA, US (PAO1) |
| CA-ALL | Toronto, ON, CA (YYZ1) |
| CA-ALL | Vancouver, BC, CA (YVR1) |
| BR-ALL | Rio de Janeiro, BR (RIO1) |
| BR-ALL | São Paulo, BR (SAO1) |

Europe

| Region | Data Center Location (Data Center Name) |
|---|---|
| EU-North | Copenhagen, DK |
| EU-North | Stockholm, SE |
| EU-South | Paris, FR (CDG1) |
| EU-South | Madrid, ES (MAD1) |
| EU-South | Marseille, FR (MRS1) |
| EU-South | Milan, IT (MIL1) |
| EU-West | Frankfurt, DE (FRA1) |
| EU-West | London, UK (LON1) |
| AF-ALL | Cape Town, ZA (CPT1) |
| AF-ALL | Johannesburg, ZA (JNB1) |

Asia

| Region | Data Center Location (Data Center Name) |
|---|---|
| AS-JP | Singapore, SG (SIN1) |
| AS-JP | Tokyo, JP (NRT1) |
| AS-West | Chennai, IN (CHE2) |
| AS-West | Mumbai, IN (MUM2) |
| AU-ALL | Melbourne, AU (MEL1) |
| AU-ALL | Sydney, AU (SYD1) |

Guidelines for Testing and Troubleshooting

When testing reserved IP, the activity reporting capabilities in the Umbrella dashboard, as well as third-party websites, can be used to verify that your traffic is using the reserved IP address issued to you.

Umbrella Reporting Tools

The Umbrella dashboard can show extensive detail about your internet-bound traffic, including the egress source IP address. Below are the steps to access that information.

  1. Accessing the Umbrella Activity Search page:
    1. From the Secure Connect dashboard, go to Secure Connect > Overview and click on total requests in the top right of the Security card.

       [Screenshot: Meraki Dashboard - Total Request Link]

  2. From the Umbrella dashboard, go to Reports > Core Reports > Activity Search.

     [Screenshot: Umbrella - Activity Search]

  3. If you are using multiple data centers, you may want to filter on a specific data center. To do that, from the Activity Search page, click the Advanced pull-down menu option in the search window.

     [Screenshot: Search Bar - Advanced]

  4. Under Umbrella Egress Data Center, select the data center(s) with reserved IP address(es).

     [Screenshot: Advanced Search - Egress]

  5. From here, you have the option to view the egress source IP address for a single event in the dashboard, or to export the report to a CSV file to view a series of events.

Viewing a Single Event

  1. In the Activity Search table, click More Actions “...” at the end of any row and select View Full Details.

     [Screenshot: View Details]

  2. Scroll down the Full Details panel to “Umbrella Egress IP Address”. This should be the reserved IP address for that data center. For a reserved IP address, there will be a notation next to the IP address indicating it is a reserved IP address.

     [Screenshot: Full Details Panel]

Viewing Multiple Events

  1. Because the number of entries can be substantial, it is recommended that you limit the time range. In the top right corner, click on “LAST 24 HOURS” and select “Custom range...”. Select the desired time range.

     [Screenshot: Last 24 Hours]

  2. In the top right corner, click on “Export CSV”.

     [Screenshot: Export to CSV]

  3. Download the file and open it on your device.
  4. Below is an example of the CSV view in Microsoft Excel. The IP address(es) in the column “Umbrella Egress IP Address” should be your reserved IP address(es) for the selected data center(s). (See the "Exceptions" section below to understand when the reserved IP address is not used.) Unlike with the single event view, there is no field that indicates the egress address is a reserved IP address.

     [Screenshot: CSV File]

Exceptions

Sites and Services Excluded from Reserved IP

Not all traffic will use the reserved IP address, for various technical reasons. Websites loaded over QUIC will not have reserved IP applied. QUIC can usually be disabled in your browser settings. In addition, some trusted domains and services have been excluded from using the reserved IP address for performance and interoperability reasons. Below is a partial list of those domains and services.

  • Microsoft domains:
    • update.microsoft.com
    • windowsupdate.com
    • wustat.windows.com
    • download.microsoft.com
    • ntservicepack.microsoft.com
  • Select domains from the following services:
    • Apple
    • Cisco Duo
    • Cisco Webex
    • Invafresh (formerly Invatron)
    • Skype
    • Trellix (legacy FireEye subnets)
    • WhatsApp
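
The CSV check from "Viewing Multiple Events" can be scripted against the exclusion list above. The following Python is an added example, not Cisco's code: the "Umbrella Egress IP Address" column name comes from this article, while the "Domain" column name, the reserved addresses and the sample rows are constructed assumptions.

```python
import csv, io, ipaddress
from collections import Counter

EGRESS_COL = "Umbrella Egress IP Address"  # column name given in the article
DOMAIN_COL = "Domain"  # assumed column name; adjust to match your export

# Constructed placeholders (RFC 5737 documentation range), not real reserved IPs.
RESERVED_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.20")}

# Microsoft domains the article lists as excluded (partial list).
# Assumption: subdomains of a listed domain are treated as excluded too.
EXCLUDED = ("update.microsoft.com", "windowsupdate.com", "wustat.windows.com",
            "download.microsoft.com", "ntservicepack.microsoft.com")

def is_excluded(domain):
    d = domain.strip().lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in EXCLUDED)

def audit_export(csv_text):
    """Classify each exported row; return (counts, rows needing review)."""
    counts, review = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(EGRESS_COL) or "").strip()
        domain = (row.get(DOMAIN_COL) or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            counts["no_egress_ip"] += 1  # blank or malformed field
            continue
        if ip in RESERVED_IPS:
            counts["reserved"] += 1
        elif is_excluded(domain):
            counts["excluded_domain"] += 1  # expected per the Exceptions list
        else:
            counts["review"] += 1  # neither reserved nor a listed exception
            review.append((domain, raw))
    return counts, review

# Constructed sample export (not real Umbrella data).
SAMPLE = """Domain,Umbrella Egress IP Address
example.com,203.0.113.10
app.example.org,203.0.113.20
download.windowsupdate.com,198.51.100.7
example.net,198.51.100.9
example.com,
"""

if __name__ == "__main__":
    print(audit_export(SAMPLE))
```

Rows returned for review are the ones to compare against the data center filter and the exceptions before treating them as a provisioning problem.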

Resources

You can find more information on reserved IP at: