Firewall Rules: Device and network requirements
Alert: Cisco has made the end-of-life (EOL) announcement for the Cisco Edge Device Manager (EDM).
Note: In the onboarding process, this procedure comes after Supported network devices and firmware.
Supported browsers
Use the latest version of a supported web browser to access the admin console.
Browser | Supported version |
---|---|
Chrome | Latest |
Firefox | Latest |
Microsoft Edge | Latest |
DHCP and DNS requirements
- Devices on your network must be able to connect to your IoT OD cloud cluster at either https://us.ciscoiot.com/ or https://eu.ciscoiot.com/.
- The network that the device connects to for uplink traffic must provide:
  - A DHCP address to the device.
  - A default route and Domain Name System (DNS) server information.
  - A DNS server that can resolve public names that map to private IP addresses, such as eu-int.ciscoiot.com and us-int.ciscoiot.com. If these names do not resolve, the gateway cannot register with IoT OD.
Network ports and protocols
The following TCP/UDP network ports and IP protocols must be opened on the network firewall to allow the edge devices to communicate with Cisco IoT OD.
Where possible, we recommend a firewall that can filter on DNS names (Dynamic Domain Name Service, DDNS) rather than on fixed addresses, because the IP addresses listed below can change.
Note: When you set up IoT OD cloud for a new organization, depending on your access, you go to either https://us.ciscoiot.com/ or https://eu.ciscoiot.com/ to create an account. These two names correspond to the IP address clusters established for the Cisco IoT Cloud. Each cluster has nine IP addresses; the complete list for each cluster is given below the table.
Port | Protocol | Destination | Description |
---|---|---|---|
53 | UDP | IP of the assigned DNS server | The network device must have access to a DNS resolution service. |
80, 443 | TCP | devicehelper.cisco.com (addresses listed below) | PnP server over HTTP (port 80) and HTTPS (port 443). |
123 | UDP | NTP server | Network Time Protocol (NTP). |
443 | TCP | IoT OD US cluster (https://us.ciscoiot.com) or EU cluster (https://eu.ciscoiot.com); addresses listed below | HTTPS connection to access IoT OD and for devices to register via PnP. |
500 | UDP | Tunnel concentrator csr0-us2.ciscoiot.com (US) or csr0-eu1.ciscoiot.com (EU); addresses listed below | Bidirectional access is required for Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE). |
4500 | UDP | Tunnel concentrator csr0-us2.ciscoiot.com (US) or csr0-eu1.ciscoiot.com (EU); addresses listed below | Bidirectional access is required for IPsec NAT Traversal (NAT-T). |
Destination addresses:
- devicehelper.cisco.com (TCP 80 and 443): 18.205.166.131, 52.203.231.173, 34.192.246.10, 18.205.127.81, 52.205.197.159, 18.205.167.7
- US cluster, https://us.ciscoiot.com (TCP 443): 34.208.194.240, 54.149.83.252, 44.240.60.228, 52.41.249.164, 35.84.105.79, 44.239.87.207, 52.13.236.221, 35.82.65.56, 44.233.50.219
- EU cluster, https://eu.ciscoiot.com (TCP 443): 52.48.70.216, 34.248.53.167, 52.214.211.181, 54.78.150.189, 52.18.172.175, 99.80.35.117, 52.17.112.150, 34.251.125.44, 34.241.227.241
- US tunnel concentrator, csr0-us2.ciscoiot.com (UDP 500 and 4500): 54.245.70.139, 54.187.131.85, 52.39.234.97, 52.34.122.129, 52.27.193.59, 44.239.137.75, 44.237.110.33, 44.235.125.13, 35.167.152.230, 34.223.219.13, 54.224.202.22, 52.207.52.55, 44.209.244.205, 44.209.198.16, 44.209.143.153, 35.153.65.44
- EU tunnel concentrator, csr0-eu1.ciscoiot.com (UDP 500 and 4500): 54.72.71.96, 63.34.30.209, 54.77.100.108, 54.73.253.223, 54.247.101.242, 52.50.162.161, 52.208.112.150, 34.255.218.146, 34.252.7.240, 34.246.19.78, 18.158.234.244, 18.198.170.210, 3.125.67.40, 3.125.90.50, 3.73.216.210, 52.29.58.218
Note:
- These settings are subject to change and will need to be updated in future releases.
- If the target IP address used by the WAN IP SLA probe is outside the firewall, the firewall must allow that probe traffic through.
Configuring an IR829 device for IoT OD with a static uplink IP address
DHCP is widely used to provide network parameters for network equipment, but there are still situations where static IPs are being used in the Industrial IoT space. The following information explains how to deal with a static IP address and still use PnP Connect and IoT OD.
Prerequisites
Cisco PnP expects the network device to have an IP address before the PnP process can start, and that address is normally provided by DHCP. With a static uplink you must provision by hand what DHCP would otherwise supply. In IoT OD, every template expects the uplink Ethernet interface to use DHCP: this is true of the bootstrap template, which must be modified, and of the configuration template, which must be changed as well. These changes deviate from the recommended best practice for templates and devices, and they make maintenance events more tedious and manually intensive over the long term. You will need:
- The IP address the network device will use
- The network (subnet and mask) the device will be installed in
- The default gateway for the network where the device will be installed
- A DNS server IP address that you know works at this location
Getting PnP to work with static IPs on an IR829 device
- PnP only starts when there is no startup configuration. Here we want a static IP, so we need a configuration.
- PnP therefore has to become part of that configuration, after the static IP settings.
- We want to be able to factory-reset the device if an issue arises, and have it come back with the same static IP address after the reset.
On the IR829, you can create a configuration file, flash:router-confg, that is loaded before PnP starts. In this case we want to prevent PnP from starting automatically; instead, the uplink interface and the PnP profile are configured explicitly in that file. Because the device is brand new, you can create the file on a computer and upload it to the device, or create it directly on the device from the exec prompt as shown below.
From a Cisco exec prompt, type this command sequence:
tclsh
puts [open "flash:router-confg" w+] {
! DNS server reachable from this site
ip name-server 8.8.8.8
! Uplink SVI with the static address and mask
vlan 10
interface vlan 10
ip address 192.168.2.100 255.255.255.0
no shut
! Default route via the site gateway
ip route 0.0.0.0 0.0.0.0 192.168.2.1
int gi1
switchport access vlan 10
ntp server pool.ntp.org
! Start PnP against the Cisco PnP Connect redirect service
pnp profile pnp_cco_profile
transport https host devicehelper.cisco.com port 443
do-exec write memory
}
tclquit
Note: Make sure you change the values 8.8.8.8, 192.168.2.100 255.255.255.0, and 0.0.0.0 0.0.0.0 192.168.2.1 in the file to match your network, and point the ntp server line at your own time source if you do not use the public pool. You will need those values later.
The device now boots with this fixed (static) IP address and starts the PnP process, and it does so even after a factory reset. To make the device stop using the static IP address, remove the file flash:router-confg and reset the device with “pnpa service reset”.
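The tclsh sequence above is typed once and then survives factory resets, so a typo in it (a malformed mask, a gateway in the wrong subnet) leaves the device unreachable and unable to reach PnP. The following is an added example (not Cisco's code) that renders the same router-confg from the four values the Prerequisites ask for and refuses inconsistent input before anything is written to flash. The pool.ntp.org default is an assumption; use your site's time source.

```python
"""Render the flash:router-confg for a static uplink and validate the values first.

Added example, not Cisco's code. Produces the same configuration as the tclsh
sequence above from four parameters. pool.ntp.org as the default NTP server is
an assumption; replace it with your own time source.
"""
import ipaddress


def static_uplink_confg(ip, mask, gateway, dns, vlan=10, ntp="pool.ntp.org"):
    """Return the configuration text, or raise ValueError when the values cannot
    work together (malformed mask, gateway outside the subnet, and so on)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")   # rejects a malformed address or mask
    gw = ipaddress.IPv4Address(gateway)
    dns_addr = ipaddress.IPv4Address(dns)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the device address")
    lines = [
        f"ip name-server {dns_addr}",
        f"vlan {vlan}",
        f"interface vlan {vlan}",
        f"ip address {iface.ip} {iface.netmask}",
        "no shut",
        f"ip route 0.0.0.0 0.0.0.0 {gw}",
        "int gi1",
        f"switchport access vlan {vlan}",
        f"ntp server {ntp}",
        "pnp profile pnp_cco_profile",
        "transport https host devicehelper.cisco.com port 443",
        "do-exec write memory",
    ]
    return "\n".join(lines) + "\n"


def tclsh_sequence(confg):
    """Wrap the file content in the tclsh commands to paste at the exec prompt."""
    return 'tclsh\nputs [open "flash:router-confg" w+] {\n' + confg + "}\ntclquit\n"


def is_valid(ip, mask, gateway, dns):
    """True when the four values are accepted by static_uplink_confg."""
    try:
        static_uplink_confg(ip, mask, gateway, dns)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample values taken from the sequence above; replace with your site's values.
    print(tclsh_sequence(static_uplink_confg(
        "192.168.2.100", "255.255.255.0", "192.168.2.1", "8.8.8.8")))
```

The validation is deliberately strict: the original mistake this page itself shows (a default route written as 0.0.0.0.0.0.0.0) would be rejected by the ipaddress module before it ever reached the device.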
Modifying IoT OD bootstrap template
Edit the bootstrap in the configuration group for this device. The bootstrap template assumes that the uplink uses DHCP; pushed unchanged to a static-IP device, it would leave the device islanded (unreachable). Modify the bootstrap using Freemarker “variables” that can be entered in IoT OD:
WAN static IP -> ${far.ipaddrProperty1}
WAN netmask -> ${far.ipaddrProperty2}
default gateway -> ${far.ipaddrProperty3}
To make this work in the bootstrap template, make the following three replacements.
Replace this:
int Vlan 10
ip address dhcp
With this:
int Vlan 10
ip address ${far.ipaddrProperty1} ${far.ipaddrProperty2}
Replace this:
ip route 0.0.0.0 0.0.0.0 ${ether_if} dhcp
ip route ${herip} 255.255.255.255 ${ether_if} dhcp
With this:
ip route 0.0.0.0 0.0.0.0 ${far.ipaddrProperty3}
ip route ${herip} 255.255.255.255 ${far.ipaddrProperty3}
Replace this:
action 34 cli command "ip route $newip 255.255.255.255 ${ether_if} dhcp"
action 36 cli command "no ip route $herip 255.255.255.255 ${ether_if} dhcp"
With this:
action 34 cli command "ip route $newip 255.255.255.255 ${far.ipaddrProperty3}"
action 36 cli command "no ip route $herip 255.255.255.255 ${far.ipaddrProperty3}"
Modifying IoT OD configuration template
The eCVD configuration also assumes that DHCP is being used on the uplink interface which causes issues with S2S VPN (Virtual Private Network) and potentially other areas.
To make this work in the configuration template, make the following three replacements.
Replace this:
ip route ${herIpAddress} 255.255.255.255 ${ether_if} dhcp
With this:
ip route ${herIpAddress} 255.255.255.255 ${far.ipaddrProperty3}
Replace this:
ip route ${backupHerIpAddress} 255.255.255.255 ${ether_if} dhcp
With this:
ip route ${backupHerIpAddress} 255.255.255.255 ${far.ipaddrProperty3}
Replace this:
action 027 file puts fd "ip route 0.0.0.0 0.0.0.0 ${ether_if} DHCP"
action 028 file puts fd "ip route 8.8.8.8 255.255.255.255 ${ether_if} DHCP"
action 029 file puts fd "ip route 1.1.1.1 255.255.255.255 ${ether_if} DHCP"
With this:
action 027 file puts fd "ip route 0.0.0.0 0.0.0.0 ${far.ipaddrProperty3}"
action 028 file puts fd "ip route 8.8.8.8 255.255.255.255 ${far.ipaddrProperty3}"
action 029 file puts fd "ip route 1.1.1.1 255.255.255.255 ${far.ipaddrProperty3}"
Configuring the variables in IoT Operations Dashboard
In Cisco IoT OD, when you edit the configuration of this specific device, enter the static IP address, netmask, and default gateway in the three variables.
These values can match the ones in the initial router-confg file, but you can also start with one static IP address and switch to another when the bootstrap configuration is pushed.
Refer to Modifying the IoT OD bootstrap template for the meaning of each of the three parameters.
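Every route in the bootstrap and configuration templates that hangs off the DHCP-learned next hop has to be rewritten, including the ones inside EEM action strings; miss one and the device islands when the template is pushed. The following is an added example (not Cisco's code and not a Freemarker engine) that applies the substitutions from the two tables above to a template fragment, substitutes the three IoT OD variables the way the dashboard would, and lints for any remaining DHCP assumption. TEMPLATE is a constructed fragment made only of lines quoted on this page; real eCVD templates are far longer.

```python
"""Apply the DHCP-to-static substitutions above to an eCVD template and lint the result.

Added example, not Cisco's code and not a Freemarker engine. TEMPLATE is a
constructed fragment built from the lines quoted in the two tables above.
"""
import re

# Any route via the DHCP-learned next hop becomes a route via the static gateway.
# Matches "ip route <prefix> <mask> ${ether_if} dhcp" in any case, including inside
# EEM action strings and "no ip route ..." lines.
DHCP_ROUTE = re.compile(r"(ip route \S+ \S+) \$\{ether_if\} dhcp", re.IGNORECASE)

# The uplink SVI moves from DHCP to the static address and mask. If other
# interfaces in your template use DHCP on purpose, restrict this to the uplink.
UPLINK_DHCP = "ip address dhcp"
UPLINK_STATIC = "ip address ${far.ipaddrProperty1} ${far.ipaddrProperty2}"

TEMPLATE = """\
int Vlan 10
 ip address dhcp
ip route 0.0.0.0 0.0.0.0 ${ether_if} dhcp
ip route ${herip} 255.255.255.255 ${ether_if} dhcp
action 34 cli command "ip route $newip 255.255.255.255 ${ether_if} dhcp"
action 36 cli command "no ip route $herip 255.255.255.255 ${ether_if} dhcp"
action 027 file puts fd "ip route 0.0.0.0 0.0.0.0 ${ether_if} DHCP"
action 028 file puts fd "ip route 8.8.8.8 255.255.255.255 ${ether_if} DHCP"
"""


def convert(template):
    """Return the template with the static-uplink substitutions applied."""
    out = DHCP_ROUTE.sub(r"\1 ${far.ipaddrProperty3}", template)
    return out.replace(UPLINK_DHCP, UPLINK_STATIC)


def lint_static(template):
    """Lines that still assume a DHCP uplink. A non-empty result means the
    device would island when this template is pushed to a static-IP site."""
    return [ln for ln in template.splitlines()
            if re.search(r"\bdhcp\b", ln, re.IGNORECASE)]


def render(template, ip, mask, gateway):
    """Substitute the three IoT OD variables (plain stand-in for Freemarker)."""
    return (template.replace("${far.ipaddrProperty1}", ip)
                    .replace("${far.ipaddrProperty2}", mask)
                    .replace("${far.ipaddrProperty3}", gateway))


if __name__ == "__main__":
    converted = convert(TEMPLATE)
    print(render(converted, "192.168.2.100", "255.255.255.0", "192.168.2.1"))
    print("leftover DHCP lines:", lint_static(converted))
```

Running lint_static() over the full converted template before saving it in IoT OD is the check worth keeping: the tables above list the lines known to need changing, and the lint catches any other route the template grew since.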
Supported device interfaces for onboarding
The following interfaces are supported for IoT OD PnP onboarding using the default-configuration template. Only these supported interfaces provide monitoring data in the Operations Dashboard page and in the device details Monitoring tab (Inventory > device > Monitoring).
Note: Currently, dual active/active LTE or failover of management tunnel is not supported on IR800 and IR1800 devices.
Platform | Ethernet WAN | Cellular |
---|---|---|
IR807 | FastEthernet0 | Cellular0 |
IR809 | GigabitEthernet0 | Cellular0 |
IR829-LTE (single modem) | LAN (over SVI): GigabitEthernet 1 | Cellular0, Cellular0/0 |
IR829-2LTE (dual modem) | LAN (over SVI): GigabitEthernet 1 | Cellular0/0, Cellular1/0 |
IR1101 | GigabitEthernet0/0/0 | Cellular0/1/0, Cellular0/3/0, Cellular0/4/0 |
IR1800 | GigabitEthernet0/0/0 | Cellular0/4/0, Cellular0/5/0 |
Cellular requirements
For network devices that use cellular for the WAN connection:
- Verify that the device has a Cisco-approved antenna, and that it can receive a signal from the network.
- Refer to the installation guide for your network device model and the Cisco Industrial Router Antenna Guide for more information.
- Cellular connections also require a SIM card and APN provided by your cellular carrier. Ask your cellular provider for assistance.
- If using a private APN, obtain the configuration details needed for manual configuration.
Latest supported eCVD template versions
The following configuration template updates are available and supported for this release.
Standard Config groups:
- IR829 - 2.05
- AP803 - 1.84
- IR1101 - 2.10
- IR1800 - 2.86
Legacy Config groups:
- IR829 - 2.05
- AP803 - 1.84
- IR1101 - 2.10
- IR1800 - 2.86
Existing tenants will reflect the correct and latest eCVD version with the latest changes.
Next step
Go to Get Started with Operations Dashboard, Step 3: Cloud infrastructure and Operations Dashboard readiness.