Internal Networks allows you to manage your Umbrella policy for subnets of computers based on the internal IP addresses of your network.
After an Umbrella Virtual Appliance (VA) has been deployed, an Internal Networks identity can be configured. To set this up, drop one of our lightweight VAs into your network, direct your DNS traffic through it, and start mapping your network based on specific internal IP addresses and/or subnets.
The purpose of the Internal Networks identity is to define a subnet that's non-routable (or RFC 1918 compliant) as an identity you can apply policy to. For example, if your Internal Network is defined as 192.168.0.0/24, any computer, tablet or device with an IP address on that subnet receives the filtering policy defined for it whenever it makes a request to access the Internet.
From there you can begin to build multiple sites if you have more than one physical location or if you have more than one Internal Network to configure.
In this configuration your DNS traffic is pointed at the Umbrella VA, and any request identified as coming from the networks you've defined has the corresponding policies applied.
These steps assume you have set up a VA. If you have not yet done so, provision VAs before you continue. For more information, see the Virtual Appliance Setup Guide.
You should be provisioning at least one VA per site, but you can have multiple subnets per site if necessary.
For more information about whether you should be using sites in your network, see Sites and Internal Networks.
- Navigate to Deployments > Configuration > Sites and Active Directory.
By default, the VA will be assigned to the Default Site, or no Site at all.
- If you would like to add a second Site for a second VA, you can change the site for the VA by adding a new site.
- Once you've set your first site up, navigate to Deployments > Configuration > Internal Networks and click Add.
- You'll be asked to name your network and provide a valid subnet. In this case, we've picked a /24 subnet, so the final octet of the IP will be .0.
- Click Save.
Note: If you are unable to save your changes, it may be because the Cisco Umbrella Internal Networks setup does not allow an invalid range to be configured. The basic principle is that the final octet of your IP range should match the mask for that range; for the /24 subnet in the step above, that means the address ends in .0. More information about subnet masks, as well as tools for working with them, is readily available from many third-party websites.
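The check described in the note can be run locally before you enter a subnet. This is an added example, not Cisco's code: it uses Python's standard `ipaddress` module, the function name `check_internal_network` and the sample entries are constructed for illustration, and the `rfc1918` flag is informational because this page does not say whether the dashboard rejects public ranges.

```python
import ipaddress

# RFC 1918 private (non-routable) IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_internal_network(cidr):
    """Pre-check a subnet string before entering it as an Internal Network.

    Returns a dict: valid (address aligned to its mask), rfc1918 (inside
    private space), suggestion (aligned form, if one exists), reason.
    """
    result = {"valid": False, "rfc1918": False, "suggestion": None, "reason": ""}
    try:
        # IPv4Interface keeps the address exactly as typed, host bits included.
        iface = ipaddress.IPv4Interface(cidr.strip())
    except ValueError as exc:
        result["reason"] = f"cannot parse: {exc}"
        return result

    net = iface.network  # same prefix with host bits cleared
    result["rfc1918"] = any(net.subnet_of(r) for r in RFC1918)
    if iface.ip != net.network_address:
        result["suggestion"] = str(net)
        result["reason"] = f"host bits set for /{net.prefixlen}"
        return result

    result["valid"] = True
    result["reason"] = "address matches mask"
    return result


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real deployment.
    for entry in ("192.168.0.0/24", "192.168.0.10/24", "192.168.1.37/26",
                  "192.168.1.64/26", "10.20.30.40", "8.8.8.0/24", "10.1/16"):
        r = check_internal_network(entry)
        print(f"{entry:18} valid={r['valid']!s:5} rfc1918={r['rfc1918']!s:5} "
              f"suggestion={r['suggestion']} ({r['reason']})")
```

An entry given without a prefix is treated as a single address (/32), which corresponds to assigning an Internal Network to one IP address.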
You can assign an individual Internal Network policy to a single IP address or to an entire DHCP scope that's already been configured for your network.
Internal Networks identities are assigned to policies through the Site identities.
Once you've selected the site that contains your Internal Networks, you can begin to select the parts of the policy to apply to these computers.
For more information on creating policies, see Create and Apply Policies.
Individual Umbrella sites should be configured as if they were complete deployments. So, for each Umbrella site:
- Follow the previous steps of this guide again. After each sub-step that verifies a component has synced or reported to the dashboard, assign the component to a site by clicking its name and selecting an existing site or creating a new site.
- You may also rename the default or any existing sites.
"Sites" in Umbrella refers to separate locations or networks that do not have a direct connection to another of your locations or networks.
Utilizing different sites results in a segregated Internal Networks environment. For example, different "sites" means that each location must have a minimum of one VA.
You should use Umbrella sites when the following is true:
- There is 150ms or more of latency between two locations.
- Your locations communicate through a NAT device, which causes the internal IP address of an end machine to be lost.