Skip to main content
Cisco Meraki Documentation

Cisco Secure Connect Reserved IP

  1. Last updated
  2. Save as PDF

What is Reserved IP?

Internet traffic exiting the Cisco Secure Connect cloud goes through a Network Address Translation (NAT) process. Each traffic flow is dynamically mapped to an IP address from shared pool of IP addresses. (Note that private application traffic transiting through Secure Connect cloud between your physical or private cloud sites goes not go through Secure Connect NAT process.  By default, your traffic will get an IP address that is shared with other customers.  Furthermore, traffic flows from your organization will not necessary be assigned to the same address.  This makes it not feasible to implement IP address-based allowlists (whitelists) with your SaaS-based applications and services.

A reserved IP address is a single-tenant IP address that is statically assigned to your internet-bound web traffic for a given data center. This provides your traffic with a unique egress source IP address not shared with other Secure Connect or Umbrella customers.

Reserved IP is an add-on feature to your Secure Connect subscription . The IP address is assigned by Cisco. Cisco is responsible for the provisioning of the service. There is no end-user configuration of this feature.    To request this feature, please contact your Cisco  representative.

Guidelines for Implementation

With Reserved IP, there are a few implementation guidelines to note.

1.     A reserved IP addressed is assigned to single data center.  Customers must order a minimum of 2 IP addresses, one for the primary data center and one for the secondary DC in a data center pair. All of the Secure Connect Data Centers  are supported pending approval. 

3.     To ensure consistent operations in a failover scenario, the same policies should be configured for both Reserved IP addresses.

4.     Currently, Reserved IP does not support Anycast routing.  Anycast routing is an IP network addressing scheme that allows multiple servers to share the same IP address. This enables multiple physical destination servers to be logically identified by a single IP address.  By default, the Cisco Secure Client VPN client application will use Anycast to select the closest Secure Connect data center.  If that data center does not have a Reserved IP address, then the client's internet bound traffic will be mapped to an IP address out of the shared pool.  The workaround is to have the end-user manually select a data center where a Reserved IP address has been provisioned, or during Remote Access configuration admin should only select the data centers with Reserved IP address provisioned.

5.     Only web traffic (HTTP and HTTPS) will egress via Reserved IP.

Guidelines for Testing and Troubleshooting

When testing Reserved IP, the activity reporting capabilities in the Umbrella dashboard, as well as third-party websites can be used to verify that your traffic is using the Reserved IP address issued to you. 

Umbrella Reporting Tools

The Umbrella dashboard has the capability to show you immense details of your internet bound traffic including the egress source IP address.  Below are the steps to access that information.

  1. Accessing the Umbrella Activity Search page:
    1. From the Secure Connect dashboard go to Secure Connect > Overview > click on total requests in top right of Security card.

1 Meraki Dashboard - Total Request Link.png

  1. From the Umbrella Dashboard go to Reports > Core Reports > Activity Search

2 Umbrella - Activity Search.png

  1. If you are using multiple data centers, you may want to filter on a specific data center.  To do that, from the Activity Search page, click on Advanced pull down menu option in the search window.

3 Search Bar - Advanced.png

  1. Under Umbrella Egress Data Center select data center(s) with Reserved IP address(es).

4 Advanced Search - Egress 2.png

  1. From here, you have the option to view the egress source IP address for a single event in the dashboard or export the report to view a series events to a CSV file.

Viewing a Single Event

  1. In the Activity Search table, click More Actions “...” at the end of any row and select View Full Details.

5 View Details - Blur.png

  1. Scroll down the Full Details panel to “Umbrella Egress IP Address”. This should be Reserved IP address for that data center.  For a Reserved IP address, there will be a notation next to the IP address indicating it is a Reserved IP address.

6 Full Details Panel - Blurred.png

Viewing Multiple Events

  1. Due to the possibility of substantial amounts of entries, it is recommend that you limit the time range. In the top right corner click on “LAST 24 HOURS” and select “Custom range...”. Select desired time range.

7 Last 24 Hours.png

  1. In the top right corner click on “Export CSV”.

8 Export to CSV.png

  1. Download the file and open it on your device.
  2. Below is a example of the CSV view in Microsoft Excel. The IP address(es) in the column “Umbrella Egress IP Address” should be your Reserved IP address(es) for selected data center(s).  (See the "Exceptions" section below to understand when the Reserved IP address is not used.)  Unlike with the single event view, there is no field that indicates the egress address is a Reserved IP address.

9 CSV File - Blurred.png

Exceptions

Sites Excluded from Reserved IP

Not all traffic will use the Reserved IP address.  For performance reasons, traffic to select websites will not use a reserved IP address. (See the list of URLs below.)

  • update.microsoft.com
  • windowsupdate.com
  • wustat.windows.com
  • download.microsoft.com
  • ntservicepack.microsoft.com

Resources

You can find more information on Reserved IP at:

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Reference
  2. Tags
    This page has no tags.