# Firewall Rules: Device and network requirements

**Alert: Cisco has made the [end-of-life (EOL) announcement](https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/iot-operations-dashboard/edge-device-manager-service-on-iot-operations-dashboard-eol.html?emailclick=CNSemail) for the Cisco Edge Device Manager (EDM).**

>**Note**: In the onboarding process: This procedure comes after [Supported network devices and firmware](../edge_manager/device_supported.md).

## Supported browsers

Use the latest version of a supported web browser to access the admin console.

| **Browser** | **Supported version** |
|-------------|-----------------------|
| Chrome      | Latest                |
| Firefox      | Latest                |
| Microsoft Edge    | Latest         |


## DHCP and DNS requirements

* Devices on your network must be able to connect to your IoT OD cloud cluster at either https://us.ciscoiot.com/ or https://eu.ciscoiot.com/.
* The network that the device uses for uplink traffic must provide:
    * A DHCP address to the device.
    * A default route and Domain Name System (DNS) server information, so that the device can resolve and reach its cluster (for example [eu.ciscoiot.com](https://eu.ciscoiot.com)).
    * A DNS service that resolves the cluster's public names, including the ones that resolve to private IP addresses such as eu-int.ciscoiot.com and us-int.ciscoiot.com. If these names do not resolve, the gateway cannot register to IoT OD.

## Network ports and protocols

The following TCP/UDP network ports and IP protocols must be opened on the network firewall to allow the edge devices to communicate with Cisco IoT OD.

Where possible, use a firewall that can build rules from DNS names (often called Dynamic DNS, DDNS, or FQDN-based rules) rather than from static IP addresses, because the cluster addresses listed below are subject to change.

>**Note**: When you set up IoT OD cloud for a new organization, depending on your access, you go to either https://us.ciscoiot.com/ or https://eu.ciscoiot.com/ to create an account. Each URL corresponds to one cluster of IP addresses established for the Cisco IoT Cloud; each cluster has nine addresses, and the complete list for each cluster is given in the table below.

| **Port** | **Protocol** |**Destination** | **Description**  |
|----------|--------------|-------|----------------|
| 53   | UDP    | IP of assigned DNS Server  | The network device must have access to DNS resolution service.  |
| 80<br>443   | TCP    | devicehelper.cisco.com<br><br>Address:  18.205.166.131<br>Address: 52.203.231.173<br>Address: 34.192.246.10<br>Address: 18.205.127.81<br>Address: 52.205.197.159<br>Address: 18.205.167.7  | PnP server (devicehelper.cisco.com) over HTTP (80) and HTTPS (443).  |
| 123      | UDP   | NTP Server  | Network Time Protocol (NTP). |
| 443   | TCP    | The complete list of IP addresses for each cluster.<br>US Cluster: [https://us.ciscoiot.com](https://us.ciscoiot.com)<br>Address:<br>34.208.194.240<br>54.149.83.252<br>44.240.60.228<br>52.41.249.164<br>35.84.105.79<br>44.239.87.207<br>52.13.236.221<br>35.82.65.56<br>44.233.50.219<br><br>EU Cluster: [https://eu.ciscoiot.com](https://eu.ciscoiot.com)<br>Address:<br>52.48.70.216<br>34.248.53.167<br>52.214.211.181<br>54.78.150.189<br>52.18.172.175<br>99.80.35.117<br>52.17.112.150<br>34.251.125.44<br>34.241.227.241| HTTPS connection for users to access IoT OD and for devices to register through PnP.  |
| 500      | UDP    |Tunnel concentrator for US Cluster: <br>Name: csr0-us2.ciscoiot.com <br>Address:<br>54.245.70.139<br>54.187.131.85<br>52.39.234.97<br>52.34.122.129<br>52.27.193.59<br>44.239.137.75<br>44.237.110.33<br>44.235.125.13<br>35.167.152.230<br>34.223.219.13<br>54.224.202.22<br>52.207.52.55<br>44.209.244.205<br>44.209.198.16<br>44.209.143.153<br>35.153.65.44<br><br>Tunnel concentrator for EU Cluster:<br>Name: csr0-eu1.ciscoiot.com <br>Address:<br>54.72.71.96<br>63.34.30.209<br>54.77.100.108<br>54.73.253.223<br>54.247.101.242<br>52.50.162.161<br>52.208.112.150<br>34.255.218.146<br>34.252.7.240<br>34.246.19.78<br>18.158.234.244<br>18.198.170.210<br>3.125.67.40<br>3.125.90.50<br>3.73.216.210<br>52.29.58.218 | Bidirectional access is required for the Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE). |
| 4500     | UDP     | Tunnel concentrator for US Cluster: <br>Name: csr0-us2.ciscoiot.com <br>Address:<br>54.245.70.139<br>54.187.131.85<br>52.39.234.97<br>52.34.122.129<br>52.27.193.59<br>44.239.137.75<br>44.237.110.33<br>44.235.125.13<br>35.167.152.230<br>34.223.219.13<br>54.224.202.22<br>52.207.52.55<br>44.209.244.205<br>44.209.198.16<br>44.209.143.153<br>35.153.65.44<br><br>Tunnel concentrator for EU Cluster:<br>Name: csr0-eu1.ciscoiot.com<br>Address:<br>54.72.71.96<br>63.34.30.209<br>54.77.100.108<br>54.73.253.223<br>54.247.101.242<br>52.50.162.161<br>52.208.112.150<br>34.255.218.146<br>34.252.7.240<br>34.246.19.78<br>18.158.234.244<br>18.198.170.210<br>3.125.67.40<br>3.125.90.50<br>3.73.216.210<br>52.29.58.218| Bidirectional access is required for IPSec NAT Traversal. |

<blockquote class="note info">

**Note:** 
1. These settings are subject to change and will need to be updated in future releases.
2. If the target IP address used by the WAN IP SLA probe is outside the firewall, the firewall must permit the probe traffic to that address; otherwise the probe fails.

</blockquote>
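To turn the table above into something enforceable, the following added example (not part of the Cisco documentation) builds an nftables egress allowlist from the published destinations and compares a live DNS answer against the published list, so that a change in the cluster addresses (note 1 above) is noticed before the firewall silently drops it. The IP addresses are the ones listed on this page; the nftables syntax, the interface names `lan0`/`wan0` and the DNS/NTP placeholder addresses are assumptions to adapt to your own firewall.

```python
"""Egress allowlist and DNS-drift check for the IoT OD destinations.

Added example, not part of the Cisco documentation. Addresses come from the
port table on this page; the nftables output, interface names and the DNS/NTP
placeholders (RFC 5737 documentation addresses) are assumptions.
"""
import ipaddress

# (hostname, protocol, ports, bidirectional, published addresses from the table)
PUBLISHED = [
    ("devicehelper.cisco.com", "tcp", (80, 443), False,
     "18.205.166.131 52.203.231.173 34.192.246.10 18.205.127.81 "
     "52.205.197.159 18.205.167.7"),
    ("us.ciscoiot.com", "tcp", (443,), False,
     "34.208.194.240 54.149.83.252 44.240.60.228 52.41.249.164 35.84.105.79 "
     "44.239.87.207 52.13.236.221 35.82.65.56 44.233.50.219"),
    ("eu.ciscoiot.com", "tcp", (443,), False,
     "52.48.70.216 34.248.53.167 52.214.211.181 54.78.150.189 52.18.172.175 "
     "99.80.35.117 52.17.112.150 34.251.125.44 34.241.227.241"),
    ("csr0-us2.ciscoiot.com", "udp", (500, 4500), True,
     "54.245.70.139 54.187.131.85 52.39.234.97 52.34.122.129 52.27.193.59 "
     "44.239.137.75 44.237.110.33 44.235.125.13 35.167.152.230 34.223.219.13 "
     "54.224.202.22 52.207.52.55 44.209.244.205 44.209.198.16 44.209.143.153 "
     "35.153.65.44"),
    ("csr0-eu1.ciscoiot.com", "udp", (500, 4500), True,
     "54.72.71.96 63.34.30.209 54.77.100.108 54.73.253.223 54.247.101.242 "
     "52.50.162.161 52.208.112.150 34.255.218.146 34.252.7.240 34.246.19.78 "
     "18.158.234.244 18.198.170.210 3.125.67.40 3.125.90.50 3.73.216.210 "
     "52.29.58.218"),
]


def published_addresses():
    """Return {hostname: frozenset of IPv4Address}, validating every literal."""
    return {host: frozenset(ipaddress.IPv4Address(a) for a in addrs.split())
            for host, _proto, _ports, _bidir, addrs in PUBLISHED}


def set_name(host):
    """nftables set identifiers may not contain '.' or '-'."""
    return host.replace(".", "_").replace("-", "_")


def render_nft(lan="lan0", wan="wan0", dns="192.0.2.53", ntp="192.0.2.123"):
    """Render a forward-chain ruleset that lets the device LAN reach only the
    published destinations and ports, plus DNS and NTP; everything else is
    logged and dropped."""
    addrs = published_addresses()
    lines = ["table inet iotod_egress {"]
    for host in addrs:
        elems = ", ".join(str(a) for a in sorted(addrs[host]))
        lines += [f"    set {set_name(host)} {{", "        type ipv4_addr",
                  f"        elements = {{ {elems} }}", "    }"]
    lines += ["    chain forward {",
              "        type filter hook forward priority 0; policy drop;",
              "        ct state established,related accept",
              f'        iifname "{lan}" oifname "{wan}" ip daddr {dns} udp dport 53 accept',
              f'        iifname "{lan}" oifname "{wan}" ip daddr {ntp} udp dport 123 accept']
    for host, proto, ports, bidir, _ in PUBLISHED:
        plist = ", ".join(str(p) for p in ports)
        lines.append(f'        iifname "{lan}" oifname "{wan}" ip daddr @{set_name(host)} '
                     f"{proto} dport {{ {plist} }} accept")
        if bidir:  # IKE / NAT-T are listed as bidirectional: allow the concentrator to initiate
            lines.append(f'        iifname "{wan}" oifname "{lan}" ip saddr @{set_name(host)} '
                         f"{proto} dport {{ {plist} }} accept")
    lines += ['        log prefix "iotod-egress-drop " drop', "    }", "}"]
    return "\n".join(lines)


def drift(host, resolved):
    """Compare a live DNS answer for `host` (address strings) with the table.
    Returns (unexpected, missing): addresses that resolved but are not in the
    table (the ruleset would drop them) and published addresses that no longer
    resolve (the table is stale)."""
    live = {ipaddress.IPv4Address(a) for a in resolved}
    pub = published_addresses()[host]
    return sorted(live - pub), sorted(pub - live)


if __name__ == "__main__":
    print(render_nft())
```

Feed `drift()` the A records your resolver returns (for example from `dig +short us.ciscoiot.com`); any address in `unexpected` is one the generated ruleset would drop, which is the signal to update the table and the sets. Because the tunnel concentrator rows are marked bidirectional, the generated rules also accept UDP 500/4500 initiated from the concentrator side; the other destinations rely on connection tracking for return traffic.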


<!--## Configuring an IR1100 device for IoT OD with a static uplink IP address

While DHCP is widely used to provide network parameters for network equipment, there are still some situations where static IPs are being used in the Industrial IoT space. The following information explains how to deal with a static IP address and still use PnP Connect and IoT Operations Dashboard (OD).

### Prerequisites

Cisco PnP expects the network device to receive an IP address to start the PnP process. This is typically provided by DHCP. You have to manually provision DHCP parameters. In IoT OD, all templates are expecting the uplink Ethernet interface to use DHCP. That is true for the bootstrap that will need to be modified. It is also true for the configuration that needs to be changed. These changes deviate from recommended best practices for templates and devices and can cause maintenance events to be more tedious and manually intensive over the long term. You will need:
1. IP address of the network device to be used
2. Network of the device to be used
3. Default device for the network where the device will be installed
4. DNS IP address that you know will work in this location

Since the device will connect to the Internet through Ethernet in your organization, check the firewall of your organization to make sure the required network ports and protocols are open for the device to reach IoT OD. The TCP/UDP network ports and IP protocols must be opened on your network firewall to allow the edge devices to communicate with Cisco IoT OD. Where possible, we recommend using a Dynamic Domain Name Service (DDNS) firewall Please check the requirements of ports and protocols above.

 ### Getting PnP to work with static IP addresses

* PnP only starts when there is no startup configuration. In this case, we want to use a static IP, so we need a configuration.
* PnP becomes part of the configuration after the static IP configuration.
* We want the ability to factory reset the device in case of an issue. If an issue arises, the device comes back with the same static IP address, even after a factory reset.

On the IR1100 device, you can create a configuration file flash:router-confg that loads before PnP starts to run. In this case, we want to prevent PnP from starting automatically. Instead, we want to configure the uplink interface and configure the PnP profile manually in the configuration.

> **TIP**: You can create this configuration on a computer and copy and paste it to the device because this device is new.

From privileged EXEC mode, type this command sequence:

```
tclsh
puts  [open  "flash:router-confg"  w+]  {
  
ip name-server 8.8.8.8

interface  GigabitEthernet0/0/0
ip  address 192.168.1.60   255.255.255.0
no  shut
ip  route 0.0.0.0   0.0.0.0   GigabitEthernet0/0/0   192.168.1.254 

ntp  server  ntp.pool.org
pnp  profile  pnp_cco_profile
transport  https  host  devicehelper.cisco.com  port  443
do-exec  write  memory
}
tclquit
```

Make sure you change the following values for the print to match your network. You will need those values later:
* 8.8.8.8
* 192.168.1.60 255.255.255.0
* 192.168.1.254

Another option is to create this file in a text file and copy it to the device through USB or a TFTP server.

Your device now boots with this fixed (static) IP and starts the PnP process. This also happens even if the device is factory reset. For the device to stop using that static IP address, remove the file flash:router-confg and reset the device with “pnpa service reset”.

### Creating a configuration group

When creating a configuration group and assigning the template, select the Group Type: Legacy and template with version “eCVD-IR1101-V2-02”.

<img src="/graphics/edge_device/ed_config_create_group_01.png" alt="Create Config Group" width="300" height="500">


### Modifying the IoT OD bootstrap template

Edit the bootstrap in the configuration group for this device. In the bootstrap template, we assume that DHCP is being used as an uplink, which causes the device to island if we let that happen. Modify the bootstrap using Freemarker “variables” that can be entered in IoT OD.

>**Note**: To comment out/Remove a line, use <#-- code to be removed --> <!--signs

| **Bootstrap Changes** | **Add** |
|----------|--------------|
| Add these to bootstrap:  |  * WAN static IP >  ${far.ipaddrProperty1}<br> * WAN netmask >  ${far.ipaddrProperty2}<br> * default gateway >  ${far.ipaddrProperty3}  |

<img src="/graphics/edge_device/ed_config_modify_bootstrap_01.png" alt="Modify Bootstrap 01" width="500" height="200">


Modify the bootstrap template as shown below.

| **Bootstrap Changes** | **Comment / Remove** |
|----------|--------------|
|   Comment/Remove this:  |  <#-- ip route 0.0.0.0 0.0.0.0 ${ether_if} dhcp -->   |<!--
|   Comment/Remove this:  |  <#-- ip route ${herip} 255.255.255.255 ${ether_if} dhcp -->  |<!--

<img src="/graphics/edge_device/ed_config_modify_bootstrap_02.png" alt="Modify Bootstrap 02" width="700" height="100">


| **Bootstrap Changes** | **Replace** |
|----------|--------------|
|   Replace this:  |  With this:   |
|   action  180      cli command "ip route $newip 255.255.255.255 ${ether_if} dhcp"  |  action  180      cli command "ip route $newip 255.255.255.255 ${ether_if} ${far.ipaddrProperty3}"  |
|   action  190      cli command "no ip route $herip 255.255.255.255 ${ether_if} dhcp"  |  action  190      cli command "no ip route $herip 255.255.255.255 ${ether_if} ${far.ipaddrProperty3}"  |

![Bootstrap Configuration 03](/graphics/edge_device/ed_config_modify_bootstrap_03.png)

### Modifying the IoT OD configuration template

The eCVD configuration also assumes that DHCP is being used on the uplink interface. This can cause issues with S2S Virtual Private Network (VPN) and potentially other areas. Modify the configuration template as shown below. This will enable the client route track via EEM, since config causes Registration failure. Comment out this section to prevent it from affecting the static IP setting of the Gig0/0/0 interface.

| **Configuration Template Changes** | **Replace** |
|----------|--------------|
|   Replace this:  |  With this:   |
|   ip route 0.0.0.0 0.0.0.0 ${priorityIfNameTable[p]} dhcp ${70+p}  |  ip route 0.0.0.0 0.0.0.0 ${priorityIfNameTable[p]} ${far.ipaddrProperty3} ${70+p}  |
|   ip route ${ipslaDestIPaddress[p]} 255.255.255.255 dhcp  |  ip route ${ipslaDestIPaddress[p]} 255.255.255.255 ${far.ipaddrProperty3}  |


![Bootstrap Configuration 04](/graphics/edge_device/ed_config_modify_bootstrap_04.png)

| **Configuration Template Changes** | **Comment / Remove** |
|----------|--------------|
|   Comment / Remove this:  |<#--<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<#assign eventAppName = priorityIfNameTable[p]?replace(" ", "_")><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;event manager applet client_route_track_${eventAppName}<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;event timer watchdog time 60<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 1 cli command "en"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 2 cli command "show cgna profile name cg-nms-register \| i disabled"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 3 string match "*Profile disabled*" "$_cli_result"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 4 if $_string_result eq "0"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 5  exit<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 6 end<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 7.0 cli command "conf t"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 7.1 cli command "interface ${priorityIfNameTable[p]}"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 7.2 cli command "ip address dhcp"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 7.3 cli command "exit"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 8.0 cli command "no event manager applet client_route_track_${eventAppName}"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 8.1 cli command "exit"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action 9.0 cli command "write mem"<br>--> |


<!--<img src="/graphics/edge_device/ed_config_modify_bootstrap_05.png" alt="Modify Bootstrap 05" width="800" height="350">


<!--| **Configuration Template Changes** | **Replace** |
|----------|--------------|
|   Replace this:  |  With this:   |
|  action 2.2 cli command "no ip route $herip 255.255.255.255 ${ether_if} dhcp"  |  action 2.2 cli command "no ip route $herip 255.255.255.255 ${ether_if} ${far.ipaddrProperty3}"  |
|  action 2.2 cli command "no ip route $herip 255.255.255.255 ${ether_if} ${far.ipaddrProperty3}"  |  action 4.${m} cli command "ip route ${herip} 255.255.255.255 ${modifyTunnelList[m]} ${far.ipaddrProperty3} ${m+40}"  |


| **Configuration Template Changes** | **Add** |
|----------|--------------|
|  ADD this line in continue after replacing above lines  |  action 4.${m+1} cli command "interface ${ether_if}"  |
|  ADD this line in continue after replacing above lines  |  action 4.${m+2} cli command "ip address ${far.ipaddrProperty1} ${far.ipaddrProperty2}"  |

![Bootstrap Configuration 06](/graphics/edge_device/ed_config_modify_bootstrap_06.png)


![Bootstrap Configuration 07](/graphics/edge_device/ed_config_modify_bootstrap_07.png)

### Configuring the variables in IoT OD

In Cisco IoT OD, when you edit a specific device configuration, edit the static IP address, netmask, and default network device. These values can match the one in the initial configuration, but you can also start with a given static IP and switch to another static IP address when the bootstrap configuration is pushed. Refer to **Modifying the IoT OD bootstrap template** above for the meaning of each of the three parameters. 

To edit a specific device, see [Edit a specific network device configuration](/configuration/device_config_edit.md). 

1. Click **Configuration > Groups**.
2. Select a group listed by its name or use Search. 
3. Click **Edit Group**.
4. To modify the device configuration settings, click the **Configurations** tab. 


<img src="/graphics/edge_device/ed_config_modify_bootstrap_08.png" alt="Modify Bootstrap 08" width="800" height="350">


Assign the correct values for the following variables:

* IP address property 1: IP Address
* IP address property 2: Subnet mask
* IP address property 2: Default Gateway -->

## Configuring an IR829 device for IoT OD with a static uplink IP address
DHCP is widely used to provide network parameters for network equipment, but there are still situations where static IPs are being used in the Industrial IoT space. The following information explains how to deal with a static IP address and still use PnP Connect and IoT OD.

### Prerequisites

Cisco PnP expects the network device to receive an IP address before the PnP process starts; that address is normally provided by DHCP. With a static uplink you must manually provision the parameters that DHCP would otherwise supply. All IoT OD templates expect the uplink Ethernet interface to use DHCP, so both the bootstrap template and the configuration template need to be modified. These changes deviate from the recommended best practices for templates and devices, and they make maintenance events more tedious and manually intensive over the long term. You will need:

1. The static IP address the network device will use
2. The subnet mask of the network where the device will be installed
3. The default gateway of that network
4. The address of a DNS server that you know works from this location

### Getting PnP to work with static IPs on an IR829 device

* PnP only starts when there is no startup config. In this case, we want to use a static IP and therefore we need a config.
* PnP becomes part of the config after the static IP configuration. 
* We want the ability to factory reset the device in case of an issue. If an issue arises, the device comes back with the same static IP address even after a factory reset.

On the IR829 device, you can create a configuration file flash:router-confg that is loaded before PnP starts to run. The goal is to **prevent** the automatic, DHCP-based PnP discovery from running; instead, the file configures the uplink interface statically and defines the PnP profile explicitly. You can create this file on a computer and upload it to the device, because the device is brand new and has no other configuration.

From privileged EXEC mode, type this command sequence. It uses the IOS Tcl shell to write the file; the braces delimit the file contents, so keep them balanced:

```
tclsh
puts [open "flash:router-confg" w+] {
! DNS server the device will use (change to match your network)
ip name-server 8.8.8.8
! Uplink SVI with the static address and mask
vlan 10
interface Vlan10
 ip address 192.168.2.100 255.255.255.0
 no shutdown
! Default route through your gateway
ip route 0.0.0.0 0.0.0.0 192.168.2.1
! Put the uplink port into the uplink VLAN
interface GigabitEthernet1
 switchport access vlan 10
ntp server pool.ntp.org
! PnP profile pointing at the Cisco PnP server (TCP 443, see the port table)
pnp profile pnp_cco_profile
 transport https host devicehelper.cisco.com port 443
do-exec write memory
}
tclquit
```

>**Note**: Make sure you change the values 8.8.8.8 (DNS server), 192.168.2.100 255.255.255.0 (static address and mask) and 192.168.2.1 (default gateway) to match your network. The NTP server is shown as the public pool; use your organization's NTP server where you have one. You will need the address, mask and gateway again when you configure the device variables in IoT OD.

Your device now boots with this fixed (static) IP and starts the PnP process. This also happens even if the device is factory reset. For the device to stop using that static IP address, remove the file flash:router-confg and reset the device with “pnpa service reset”.
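The file above has to be exactly right: if the static address, mask or gateway is inconsistent, the device boots islanded, never reaches PnP and can only be recovered from the console. The following added example (not part of the Cisco documentation) validates those values before anything is written, then renders both the router-confg text and the tclsh wrapper to paste at the EXEC prompt. The sample values are constructed; the VLAN number, the uplink port name and `pool.ntp.org` are assumptions taken from the snippet above and exposed as parameters.

```python
"""Validate a static uplink and render flash:router-confg for an IR829.
Added example, not part of the Cisco documentation."""
import ipaddress

PNP_HOST = "devicehelper.cisco.com"   # PnP server from the port table on this page


def validate(ip, mask, gateway, dns):
    """Return a list of problems (empty when the values are consistent). A
    device booted with a wrong static uplink never reaches PnP and can only be
    fixed on the console, so check before writing the file."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"bad address or mask: {exc}"]
    net = iface.network
    if net.prefixlen == 32:
        problems.append("a /32 mask leaves no room for a gateway")
    elif net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return problems + [f"bad gateway: {gateway}"]
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw == iface.ip:
        problems.append("gateway is the device's own address")
    try:
        ipaddress.IPv4Address(dns)
    except ValueError:
        problems.append(f"bad DNS server: {dns}")
    return problems


def router_confg(ip, mask, gateway, dns, vlan=10, port="GigabitEthernet1",
                 ntp="pool.ntp.org"):
    """Render the file contents: the same statements as the tclsh snippet on
    this page, with the VLAN, uplink port and NTP server as assumed parameters."""
    problems = validate(ip, mask, gateway, dns)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"ip name-server {dns}",
        f"vlan {vlan}",
        f"interface Vlan{vlan}",
        f" ip address {ip} {mask}",
        " no shutdown",
        f"ip route 0.0.0.0 0.0.0.0 {gateway}",
        f"interface {port}",
        f" switchport access vlan {vlan}",
        f"ntp server {ntp}",
        "pnp profile pnp_cco_profile",
        f" transport https host {PNP_HOST} port 443",
        "do-exec write memory",
    ]) + "\n"


def tclsh_wrapper(confg):
    """Wrap the file contents in the IOS tclsh commands to paste at the EXEC
    prompt. The contents sit inside a Tcl brace literal, so braces must be
    balanced; the channel is closed explicitly so the file is flushed."""
    if confg.count("{") != confg.count("}"):
        raise ValueError("unbalanced braces would corrupt the Tcl literal")
    return ("tclsh\n"
            'set fd [open "flash:router-confg" w+]\n'
            "puts $fd {\n" + confg + "}\n"
            "close $fd\n"
            "tclquit\n")


if __name__ == "__main__":
    # Constructed sample values; replace with your own network's values.
    print(tclsh_wrapper(router_confg("192.168.2.100", "255.255.255.0",
                                     "192.168.2.1", "8.8.8.8")))
```

The wrapper stores the channel in a variable and closes it rather than passing the result of `open` straight to `puts`; the effect is the same on a healthy device, but an explicit `close` guarantees the file is flushed before `tclquit` and makes a typo in the path fail loudly instead of leaving an empty or partial router-confg behind.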

### Modifying IoT OD bootstrap template

Edit the bootstrap in the configuration group for this device. The bootstrap template assumes that DHCP is used on the uplink, which would leave the device islanded (unreachable) if the template were pushed unchanged. Modify the bootstrap using FreeMarker variables whose values you enter in IoT OD:

**WAN static IP -> ${far.ipaddrProperty1}**

**WAN netmask -> ${far.ipaddrProperty2}**

**default gateway -> ${far.ipaddrProperty3}**

To make this work in the bootstrap template, make the changes in the table below.

| **Replace this** | **With this** |
|-------------|-----------------------|
| int Vlan 10<br>ip address dhcp      | int Vlan 10<br>ip address ${far.ipaddrProperty1} ${far.ipaddrProperty2}                |
|  ip route 0.0.0.0 0.0.0.0 ${ether_if} dhcp<br> ip route ${herip} 255.255.255.255 ${ether_if} dhcp     |  ip route 0.0.0.0 0.0.0.0 ${far.ipaddrProperty3}<br>ip route ${herip} 255.255.255.255 ${far.ipaddrProperty3}               |
| action 34   cli command "ip route $newip 255.255.255.255 ${ether_if} dhcp"<br>action 36   cli command "no ip route $herip 255.255.255.255 ${ether_if} dhcp"      | action 34   cli command "ip route $newip 255.255.255.255 ${far.ipaddrProperty3}"<br>action 36   cli command "no ip route $herip 255.255.255.255 ${far.ipaddrProperty3}"                |

### Modifying IoT OD configuration template

The eCVD configuration template also assumes that DHCP is used on the uplink interface, which breaks the site-to-site (S2S) Virtual Private Network (VPN) routes and potentially other features.

To make this work in the configuration template, make the changes in the table below.

 | **Replace this** | **With this** |
|-------------|-----------------------|
|  ip route ${herIpAddress}  255.255.255.255 ${ether_if} dhcp      | ip route ${herIpAddress}  255.255.255.255 ${far.ipaddrProperty3}                |
|  ip route ${backupHerIpAddress} 255.255.255.255 ${ether_if} dhcp    |  ip route ${backupHerIpAddress} 255.255.255.255 ${far.ipaddrProperty3}|
| action 027  file puts fd "ip route 0.0.0.0 0.0.0.0 ${ether_if} DHCP"<br><br>action 028  file puts fd "ip route 8.8.8.8 255.255.255.255 ${ether_if} DHCP"<br>action 029  file puts fd "ip route 1.1.1.1 255.255.255.255 ${ether_if} DHCP"      | action 027  file puts fd "ip route 0.0.0.0 0.0.0.0 ${far.ipaddrProperty3}"<br><br>action 028  file puts fd "ip route 8.8.8.8 255.255.255.255 ${far.ipaddrProperty3}"<br>action 029  file puts fd "ip route 1.1.1.1 255.255.255.255 ${far.ipaddrProperty3}"|
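The replacements in the bootstrap and configuration tables above are mechanical, and a single missed `dhcp` next hop islands the device once the template is pushed. The following added example (not part of the Cisco documentation) applies those replacements to a template and then lists every line that still depends on DHCP for manual review. `SAMPLE` is a constructed fragment made of the lines the two tables mention plus one non-uplink interface, not the real eCVD template; the uplink is assumed to be `int Vlan 10` as in the bootstrap table.

```python
"""Apply the documented uplink-DHCP replacements to an eCVD template and lint
what remains. Added example, not part of the Cisco documentation."""
import re

# FreeMarker device variables used by the tables on this page.
WAN_IP, WAN_MASK, WAN_GW = ("${far.ipaddrProperty1}", "${far.ipaddrProperty2}",
                            "${far.ipaddrProperty3}")

ANY_IF = re.compile(r"^\s*int(?:erface)?\s+\S", re.I)               # any interface stanza
UPLINK_IF = re.compile(r"^\s*int(?:erface)?\s+vlan\s*10\s*$", re.I)  # assumed uplink SVI
ADDR_DHCP = re.compile(r"ip address dhcp", re.I)
NEXT_HOP_DHCP = re.compile(r"\$\{ether_if\}\s+dhcp", re.I)          # `${ether_if} dhcp` / `DHCP`

# Constructed sample: the lines the two tables mention plus one non-uplink SVI.
SAMPLE = """\
int Vlan 10
 ip address dhcp
interface Vlan1
 ip address dhcp
ip route 0.0.0.0 0.0.0.0 ${ether_if} dhcp
ip route ${herip} 255.255.255.255 ${ether_if} dhcp
action 34   cli command "ip route $newip 255.255.255.255 ${ether_if} dhcp"
action 36   cli command "no ip route $herip 255.255.255.255 ${ether_if} dhcp"
action 027  file puts fd "ip route 0.0.0.0 0.0.0.0 ${ether_if} DHCP"
"""


def patch_template(text):
    """Return the template with the uplink SVI given the static address and
    every `${ether_if} dhcp` next hop replaced by the gateway variable.
    Other interfaces are left alone on purpose; residual_dhcp() reports them."""
    out, in_uplink = [], False
    for line in text.splitlines():
        if ANY_IF.match(line):
            in_uplink = bool(UPLINK_IF.match(line))   # track which stanza we are in
        elif in_uplink and ADDR_DHCP.search(line):
            line = ADDR_DHCP.sub(f"ip address {WAN_IP} {WAN_MASK}", line)
        line = NEXT_HOP_DHCP.sub(WAN_GW, line)          # routes, EEM cli commands, file puts
        out.append(line)
    return "\n".join(out) + "\n"


def residual_dhcp(text):
    """(line number, text) of every line that still makes the device depend on
    DHCP: an `ip address dhcp` or a route whose next hop is `dhcp`."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if ADDR_DHCP.search(line) or re.search(r"\bip route\b.*\bdhcp\b", line, re.I):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    patched = patch_template(SAMPLE)
    print(patched)
    for n, line in residual_dhcp(patched):
        print(f"review line {n}: {line}")
```

Run `residual_dhcp()` on the full rendered template, not only on the patched fragment: on the sample it reports the `ip address dhcp` under `interface Vlan1`, which the patch deliberately leaves alone because it is not the uplink, and that is exactly the kind of line that needs a human decision before the group configuration is pushed.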

### Configuring the variables in IoT Operations Dashboard
In Cisco IoT OD, when you edit a specific device configuration, enter the static IP address, the netmask and the default gateway.

These values can match the ones in the initial router-confg file, but you can also start with one static IP address and switch to another when the bootstrap configuration is pushed.

Refer to **Modifying IoT OD bootstrap template** above for the meaning of each of the three parameters.

<img src="/graphics/edge_device//device-network-reqs-01.png" alt="Edit Device Specific Config" width="800" height="350">


## Supported device interfaces for onboarding
The following interfaces are supported for IoT OD PnP onboarding using the default-configuration template. Only these supported interfaces provide monitoring data in the Operations Dashboard page and in the device details **Monitoring** tab (**Inventory > device > Monitoring**).

**Note**: Currently, dual active/active LTE or failover of management tunnel is not supported on IR800 and IR1800 devices.

| Platform                | Ethernet WAN                                              | Cellular                  |
|-------------------------|-----------------------------------------------------------|---------------------------|
| IR807                   | FastEthernet0                                             | Cellular0                 |
| IR809                   | GigabitEthernet0                                          | Cellular0                 |
| IR829-LTE (single modem)  | LAN (over SVI): GigabitEthernet 1   |   Cellular0, Cellular0/0          |
| IR829-2LTE (dual modem) | LAN (over SVI): GigabitEthernet 1 |   Cellular0/0,  Cellular1/0    |
| IR1101                  | GigabitEthernet0/0/0         | Cellular0/1/0, Cellular0/3/0, Cellular0/4/0            |
| IR1800                  | GigabitEthernet0/0/0         | Cellular0/4/0, Cellular0/5/0 |

## Cellular requirements

For network devices that use cellular for the WAN connection:

* Verify that the device has a Cisco-approved antenna, and that it can receive a signal from the network.
  * Refer to the installation guide for your network device model and the Cisco Industrial Router Antenna Guide for more information.
* Cellular connections also require a SIM card and APN provided by your cellular carrier. Ask your cellular provider for assistance.
* If using a private APN, obtain the configuration details from your carrier so that you can configure it manually.

## Latest supported eCVD template versions 

The following configuration template updates are available and supported for this release.

Standard Config groups:

* IR829 - 2.05
* AP803 - 1.84
* IR1101 - 2.10
* IR1800 - 2.86


Legacy Config groups:

* IR829 - 2.05
* AP803 - 1.84
* IR1101 - 2.10
* IR1800 - 2.86

Existing tenants will reflect the correct and latest eCVD version with the latest changes.

# Next step

Go to [Get Started with Operations Dashboard](/overview_iot/get_started.md), **Step 3: Cloud infrastructure and Operations Dashboard readiness**.