The Cisco Umbrella integration provides a cloud-delivered DNS security service. A Cisco Catalyst 9200 or Catalyst 9300 switch acts as a DNS forwarder: it transparently intercepts the Domain Name System (DNS) queries that clients send towards the enterprise DNS server and forwards them to the Cisco Umbrella cloud instead, where the configured policy is applied before a response is returned. The security administrator configures Umbrella policies to either allow or deny traffic towards a fully qualified domain name (FQDN). This feature is available on Cisco IOS XE Amsterdam 17.1.x and later releases.
Before you configure the Cisco Umbrella integration feature on the Cisco Catalyst 9200 or Catalyst 9300 switch, ensure that you have the following:
- The Cisco Catalyst 9200 or Catalyst 9300 switch runs the Cisco IOS XE Amsterdam 17.1.x software image or later.
- The Cisco Catalyst 9200 or Catalyst 9300 switch must have a DNA Advantage or higher license to enable Umbrella.
- A valid Cisco Umbrella subscription license.
The following network requirements must be met:
- For initial registration, the interface configured as “umbrella out” must be able to reach api.opendns.com on TCP port 443.
- TCP and UDP on port 53 (DNS) to 208.67.222.222 and 208.67.220.220, the Cisco Umbrella public DNS resolvers, must be permitted from that same interface.
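The two network requirements above are easy to verify before touching the switch. The following pre-flight script is an added example, not Cisco code: run it from a host on the same path that the “umbrella out” interface will use, and it confirms TLS reachability of api.opendns.com:443 and a working DNS exchange over both UDP/53 and TCP/53 to each Umbrella public resolver (208.67.222.222 and 208.67.220.220). The probe name `www.cisco.com` and the 3-second timeout are assumptions; any resolvable public name works. The DNS query builder and response parser are hand-rolled so the script needs only the Python standard library, and they are what the offline test exercises.

```python
"""Pre-flight check for the Cisco Umbrella network requirements.

Added example (not Cisco code). Verifies from a host on the switch's
egress path that:
  1. api.opendns.com:443 completes a TLS handshake (initial registration), and
  2. DNS queries succeed over UDP/53 and TCP/53 to both Umbrella resolvers.
"""
import socket
import ssl
import struct

UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")
REGISTRATION_HOST = "api.opendns.com"
PROBE_NAME = "www.cisco.com"   # assumed probe name; any public name will do


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query (RD=1) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(msg, txid=0x1234):
    """Return (rcode, [IPv4 strings from A records]); raise if malformed."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def check_dns(resolver, proto, timeout=3.0):
    """Send one query over UDP or TCP port 53; return (rcode, addrs)."""
    query = build_query(PROBE_NAME)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (resolver, 53))
            data, _ = s.recvfrom(4096)
    else:   # DNS over TCP carries a two-byte length prefix on each message
        with socket.create_connection((resolver, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("TCP DNS reply truncated")
                data += chunk
    return parse_response(data)


def check_registration_tls(host=REGISTRATION_HOST, timeout=3.0):
    """Return the negotiated TLS version once host:443 is reachable."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(f"{REGISTRATION_HOST}:443 TLS:", check_registration_tls())
    for resolver in UMBRELLA_RESOLVERS:
        for proto in ("udp", "tcp"):
            print(f"{resolver} {proto}/53:", check_dns(resolver, proto))
```

A non-zero rcode from both resolvers, or a timeout on TCP only, usually means an upstream firewall permits UDP/53 but not TCP/53; both are listed as requirements because large responses and DNSCrypt fall back to TCP.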
The 17.1 release includes internal IP visibility for DNS queries, so Umbrella reports show the originating client address; Active Directory (AD) user visibility is not included and will be introduced in a future release.
For more information, see:
- Security Configuration Guide, Cisco IOS XE Amsterdam 17.1.x (Catalyst 9200 Switches)
- Security Configuration Guide, Cisco IOS XE Amsterdam 17.1.x (Catalyst 9300 Switches)