Internal Networks allows to you manage your DNS policy for subnets of computers based on the internal IP addresses of your network.
After an Umbrella virtual appliance (VA) has been deployed, an Internal Networks identity can be configured. To set this up, drop one of our lightweight VAs into your network, direct your DNS traffic through it, and start mapping your network based on specific internal IP addresses and/or subnets.
The purpose of the Internal Networks identity is to define a subnet that's non-routable (or RFC1918 compliant) as an identity to which you can apply a policy. To create an Internal Networks identity, define a subnet that's non-routable (or RFC 1918 compliant) as an identity to which you can apply a policy. For example, if your Internal Network is defined as 192.168.0/24, any computer, tablet or device with an IP on that subnet would receive the filtering policy defined for it whenever it requested to access the Internet.
From there you can begin to build multiples sites if you have more than one physical location or if you have more than one Internal Network to configure.
The Umbrella VA will have your DNS traffic pointed to it for this configuration and anything identified as coming from the networks you've defined will have the policies applied.
These steps assume you have set up a VA. If you have not yet done so, provision VAs before you continue. For more information, see the Virtual Appliance Setup Guide.
You should be provisioning at least one VA per site, but you can have multiple subnets per site if necessary.
For more information about whether you should be using sites in your network, see Sites and Internal Networks.
- Navigate to Deployments > Configuration > Sites and Active Directory.
By default, the VA will be assigned to the default site or no site at all.
- If you would like to add a second site for a second VA, you can change the site for the VA by adding a new site.
- Once you've set your first site up, navigate to Deployments > Configuration > Internal Networks and click Add.
- Name your network and provide a valid subnet.
- Click Save.
Note: If you are unable to save your changes, it may be because the Cisco Umbrella Internal Networks setup does not allow an invalid range to be configured. The basic principle is that the final octet of your IP range should match the mask for that range. More information about subnet masks, as well as tools, are easily available from many third-party websites.
You can assign an individual Internal Network DNS policy to a single IP address or to an entire DHCP scope that's already been configured for your network.
Policies are assigned to the site, not to the Internal Network. The Internal Network is also assigned to a site. By default, the Internal Network you've configured is assigned to the default site. You can change this by assigning the identity for your site to a new policy. Alternately, you can create a unique policy for the identity for your site by drilling down through the sites.
Once you've selected the site that contains your Internal Networks, you can begin to select the parts of the DNS policy to apply to these computers.
For more information about DNS policies, see Manage DNS Policies.
Individual Umbrella sites should be configured as if they were complete deployments. So, for each Umbrella site:
- Follow the previous steps of this guide again, and after each sub-step to verify that the component has synced or reported to the dashboard, assign the component to a site by clicking its name and selecting an existing site or creating a new site.
- You may also rename the default or any existing sites.
"Sites” in Umbrella refer to separate different locations or networks, which do not have a direct connection to another of your locations or networks.
Utilizing different sites results in a segregated Internal Networks environment. For example, different "sites" means that each location must have a minimum of one VA.
You should use Umbrella sites when the following is true:
- There is 150ms or more of latency between two locations
- Your locations communicate between a NAT device, which causes the internal IP address of an end machine to be lost.
Updated 2 months ago