The Cisco Umbrella integration enables a cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series or 1100 Series Integrated Services Routers (ISR). The security administrator configures Umbrella policies to either allow or deny traffic towards the fully qualified domain name (FQDN). Cisco 4000 Series or 1100 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic, and forwards the DNS queries to the Cisco Umbrella cloud. This feature is available on Cisco IOS XE Denali 16.3 and later releases.
Note: Automatic policy assignment based on tag - ISR tags are represented in the Umbrella dashboard as Network Devices. ISR tags can automatically be assigned to Umbrella policies if there is a pre-existing Umbrella policy named exactly the same as the tag. Otherwise, all new tags are covered by the Umbrella default policy until they are manually added to another policy. Policy assignment can be done in the UI or via API.
Note: The ISR 4K and ISR 1100 integration with Umbrella requires the Legacy Network Devices API token. To create your token, log in to Umbrella for your organization and follow these steps:
- In Umbrella, navigate to Admin > API Keys and click Create.
- Select Umbrella Legacy Network Devices and click Create.
- Expand Umbrella Legacy Network Devices, copy Your Token.
- Click To keep it secure, ... check box and then click Close.
To generate a new token, click Refresh for your current token.
Note: Looking for information on the ISR G2? See ISR G2 – Configuration Guide. You can configure our DNS servers with an ISR G2, but there is no integration with Umbrella.
16.6.1 was released to General Availability in late July 2017. Features have changed and improvements to the internal mapping of IPs have been made. There are significant differences between the command line interfaces; thus, if you are running 16.6.1, see Release Notes for Cisco 4000 Series ISRs, Cisco IOS XE Everest 16.6 .
Support for the ISR 1100 Series was made available in February 2018. DNSCrypt on the ISR 1100 requires minimum software version: 16.6.3, 16.7.2, or 16.8.1. The integration for the ISR 1100 is exactly the same as with the 4000 series and should be followed according to the steps for the 4000 series.
The full integration guide can be found in Security Configuration Guide: Cisco Umbrella Integration On Cisco 4000 Series ISRs.
Integration for ISR 4K – Security Configuration Guide > Wireless LAN Controller Integration
Updated about a month ago