Enterprise Threat Protector (ETP) includes a default location for unidentified IP addresses. This location applies to roaming users or users who are usually remote and make DNS requests from unexpected IP addresses. The Unidentified IPs location is not configured with any IP address or CIDRs. You also cannot edit this location.
From the Locations page, you can add, edit, and delete locations. You can also select whether to allow or block traffic from the Unidentified IPs location.
ETP also allows you to define sub-locations. Sub-locations are associated with locations. They represent different virtual local area networks (VLANs) in your network that are routed to the Internet with the same IP address as the parent location. You can assign a different policy to a location and its sub-locations, allowing you to define granular access to segments of your network.
When creating a location, remember:
- You must provide the public IP address of your Active Directory or other local DNS server that is used to communicate with ETP.
- You cannot assign a location IP address to other ETP locations in your network.
- You cannot configure a location with an IP address that is claimed or used by another organization. If you believe your organization owns an IP address that you cannot configure as a location, contact Akamai Support.
- For a location, ETP currently supports a maximum CIDR block of /16 for IPv4 and /48 for IPv6.
- A location configuration requires a policy assignment. If you do not assign a policy to the location, the location is automatically assigned to the default policy. You can assign the same policy to multiple locations or you can create different policies for locations in your network.
- You can configure sub-locations with IPv4 in the private address space (RFC 1918) and with IPv6 as long as they use site-local (fec0::/10) and unique local addresses (fc00::/7).
- Multiple sub-locations can use the same IP address as long as they are associated with different locations.
- If a sub-location consumes too many resources, for example, as a result of too many connections, a rate limit is triggered on the sub-location. The rate limit may also be triggered on the parent location and other associated sub-locations to avoid latency issues or service interruption. To resolve this issue, you can configure the sub-location as a location with a new public IP address. This ensures that the rate limit is applied only to the new location and it’s not applied to the original location or the other sub-locations.
- If you do not assign a policy to a sub-location, the policy of the parent location is automatically assigned.
- If there is a conflict between the policy that’s assigned to a location and sub-location, the policy action for the location takes precedence only when it applies the bypass or block action to a domain.
- You cannot assign a sub-location when you’re configuring or managing a policy. You can only assign a policy to a sub-location when you create or manage a sub-location on the Locations page.
When you create, modify, or delete a location or sub-location, you must deploy these updates to the ETP network. Changes to location settings, as well as other configuration settings such as policies or custom lists, are captured in the Pending Changes window for you to review. After you click the deploy button, the deploy operation typically completes in 20-30 seconds.
An enterprise can add a maximum of 7,000 CIDR entries for locations or sub-locations. If your organization needs to add more CIDR entries, contact your Akamai representative.