The Cisco Umbrella integration enables a cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series or 1100 Series Integrated Services Routers (ISR). The security administrator configures Umbrella policies to either allow or deny traffic towards the fully qualified domain name (FQDN).
The Cisco 4000 Series or 1100 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic, and forwards the DNS queries to the Cisco Umbrella cloud. This feature is available on Cisco IOS XE Denali 16.3 and later releases.
Note: Automatic policy assignment is based on tags. ISR tags are represented in the Umbrella dashboard as Network Devices. If an Umbrella policy name exactly matches a tag, the ISR tag is automatically assigned to the Umbrella policy. Otherwise, all new tags are covered by the Umbrella default policy until they are manually added to another policy. You can assign policies to network devices in the Umbrella dashboard or through the Umbrella Network Devices and Policies API.
Note: The ISR 4K and ISR 1100 integration with Umbrella requires the Legacy Network Devices API token. To create your token, log in to Umbrella for your organization and follow these steps:
- In Umbrella, navigate to Admin > API Keys and click Create.
- Select Umbrella Legacy Network Devices and click Create.
- Expand Umbrella Legacy Network Devices, copy Your Token.
- Click To keep it secure, ... check box and then click Close.
To generate a new token, click Refresh for your current token.
Note: For more information on ISR G2, see ISR G2 – Configuration Guide. You can configure our DNS servers with an ISR G2, but there is no integration with Umbrella.
16.6.1 was released to General Availability in late July 2017. Features have changed and improvements to the internal mapping of IPs have been made. There are significant differences between the command line interfaces. If you are running version 16.6.1, see Release Notes for Cisco 4000 Series ISRs, Cisco IOS XE Everest 16.6 .
Support for the ISR 1100 Series was made available in February 2018. DNSCrypt on the ISR 1100 requires a minimum software version: 16.6.3, 16.7.2, or 16.8.1. The integration for the ISR 1100 is exactly the same as with the 4000 series and should be followed according to the steps for the 4000 series.
For information about the full integration guide, see Security Configuration Guide: Cisco Umbrella Integration On Cisco 4000 Series ISRs.
Integration for ISR 4K and ISR 1100 – Security Configuration Guide > Wireless LAN Controller Integration
Updated about a month ago