
Using Umbrella DNS Security

For DNS-layer security, you can configure a vEdge router to act as a DNS forwarder to Cisco Umbrella. Umbrella is a cloud-delivered service for provisioning secure and compliant guest Wi-Fi.

You configure Umbrella DNS security with a centralized data policy. You create the policy on a vSmart controller, and it is pushed to the vEdge routers. This policy ensures that the router enables DNS-level security for all end points, both controlled and uncontrolled, in your branch environment through Cisco Umbrella by transparently intercepting DNS queries and forwarding them to Umbrella DNS.

Before the DNS redirect policy can take effect, you must register the public IP addresses of the remote sites on the Umbrella portal, under Identities ► Network, so that Umbrella can identify the traffic it receives from them.

CLI Configuration Procedure

The following high-level steps show the minimum policy components required to redirect DNS traffic to Cisco Umbrella:

  1. Create one or more lists of overlay network sites to which the centralized data policy is to be applied (in an apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
  2. Create lists of VPNs to which to apply the Umbrella DNS redirect policy (in a policy data-policy command):
    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists)# vpn vpn-id
  3. Create a data policy instance and associate it with a list of VPNs:
    vSmart(config)# policy data-policy policy-name
    vSmart(config-data-policy)# vpn-list list-name
  4. Create one match–action pair sequence:
    vSmart(config-vpn-list)# sequence number1
    The match–action pairs are evaluated in order, by sequence number, starting with the lowest-numbered pair and ending when the packet matches the conditions in one of the pairs. If no pair matches, the default action is taken (by default, the packet is dropped; see Default Action below).
  5. Configure a match condition to process DNS requests to be forwarded to Umbrella:
    vSmart(config-sequence1)# match dns request
  6. Configure the DNS redirect action, specifying the IP address of the Umbrella DNS service, either 208.67.222.222 or 208.67.220.220:
    vSmart(config-sequence1)# action accept redirect-dns ip-address
  7. Create a second match–action pair sequence:
    vSmart(config-vpn-list)# sequence number2
  8. Configure a match condition to process DNS responses from the Umbrella service:
    vSmart(config-sequence2)# match dns response
  9. Configure the redirect DNS host so that the DNS response can be correctly forwarded back to the service VPN:
    vSmart(config-sequence2)# action accept redirect-dns host
  10. Apply the policy to a list of sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name (from-service | from-tunnel)

Structural Components of Policy Configuration for Umbrella DNS

Below are the structural components required to configure DNS traffic redirection to Cisco Umbrella. You configure this policy on a vSmart controller. The components related to configuring Umbrella DNS are explained in the sections below. For an explanation of the data policy components that are not specifically related to DNS traffic redirection, see Configuring Centralized Data Policy.

policy
  lists
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  data-policy policy-name
    vpn-list list-name
      sequence number
        match
          dns (request | response)
        action accept
          count counter-name
          log
          redirect-dns (ip-address | host)
      default-action
        (accept | drop)
apply-policy
  site-list list-name data-policy policy-name (from-service | from-tunnel)

Lists

A data policy for configuring a DNS forwarder to Cisco Umbrella uses the following types of lists to group related items. You configure these lists under the policy lists command hierarchy on vSmart controllers.

List Type: Sites
  Description: List of one or more site identifiers in the overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).
  Command:
    site-list list-name
      site-id site-id

List Type: VPNs
  Description: List of one or more VPNs in the overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).
  Command:
    vpn-list list-name
      vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

When you create multiple iterations of a type of list (for example, when you create multiple VPN lists), you can include the same values or overlapping values in more than one of these lists. You can do this either on purpose, to meet the design needs of your network, or accidentally, which can happen when you use ranges to specify values. (You can use ranges to specify data prefixes, site identifiers, and VPNs.) Here are two examples of lists that are configured with ranges and that contain overlapping values:

  • vpn-list list-1 vpn 1-10
    vpn-list list-2 vpn 6-8
  • site-list list-1 site-id 1-10
    site-list list-2 site-id 5-15

When you configure data policies that contain lists with overlapping values, or when you apply data policies, you must ensure that the lists included in the policies, or included when applying the policies, do not contain overlapping values. To do this, you must manually audit your configurations. The software performs no validation on the contents of lists, on the data policies themselves, or on how the policies are applied to ensure that there are no overlapping values.

If you configure or apply data policies that contain lists with overlapping values to the same site, one policy is applied and the others are ignored. Which policy is applied is a function of the internal behavior of Viptela software when it processes the configuration. This decision is not under user control, so the outcome is not predictable.
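The manual audit the text calls for can be scripted. The following added example (not part of the Viptela documentation) parses site-list and vpn-list entries written in the flattened one-line form used above and reports every pair of lists whose ranges overlap; the list names and ranges are constructed, and the function names are my own.

```python
import re
from itertools import combinations

# Constructed sample in the flattened "list-name range" form used above; not from a real deployment.
SAMPLE_LISTS = """\
site-list list-1 site-id 1-10
site-list list-2 site-id 5-15
site-list list-3 site-id 20
vpn-list list-1 vpn 1-10
vpn-list list-2 vpn 6-8
vpn-list list-3 vpn 11
"""

LIST_RE = re.compile(r"^(site-list|vpn-list)\s+(\S+)\s+(?:site-id|vpn)\s+(\d+)(?:-(\d+))?$")

def parse_lists(text):
    """Return {list_type: {list_name: [(low, high), ...]}}; a single id becomes (id, id)."""
    lists = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LIST_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised list line: {line!r}")
        ltype, name, low, high = m.groups()
        low, high = int(low), int(high) if high else int(low)
        if high < low:
            raise ValueError(f"inverted range in {name}: {low}-{high}")
        lists.setdefault(ltype, {}).setdefault(name, []).append((low, high))
    return lists

def find_overlaps(lists):
    """Return [(list_type, name_a, name_b, (low, high))] for every pair of lists sharing ids."""
    overlaps = []
    for ltype, named in lists.items():
        for (name_a, ranges_a), (name_b, ranges_b) in combinations(sorted(named.items()), 2):
            for low_a, high_a in ranges_a:
                for low_b, high_b in ranges_b:
                    low, high = max(low_a, low_b), min(high_a, high_b)
                    if low <= high:          # non-empty intersection of the two ranges
                        overlaps.append((ltype, name_a, name_b, (low, high)))
    return overlaps

if __name__ == "__main__":
    for ltype, a, b, (low, high) in find_overlaps(parse_lists(SAMPLE_LISTS)):
        print(f"{ltype}: {a} and {b} both contain {low}-{high}; only one policy will win there")
```

Run it against the lists section of your own vSmart configuration before applying any policy that references more than one list of the same type.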

VPN Lists

Each data policy instance is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list command. The VPN list you specify must be one that you created with a policy lists vpn-list command.

Sequences

Within each VPN list, a data policy contains sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.

A sequence in a policy can contain one match command and one action command. Therefore, to configure a DNS forwarder to Cisco Umbrella, you must configure a pair of sequences, one for processing DNS requests to be forwarded to Cisco Umbrella and the second to process DNS responses from Cisco Umbrella.

Match Parameters

For a data policy for configuring a DNS forwarder to Cisco Umbrella, you must configure the following two match conditions. You configure the match parameters with the match command under the policy data-policy vpn-list sequence command hierarchy on vSmart controllers.

Description: DNS requests to be forwarded to Cisco Umbrella
  Command: dns request

Description: DNS responses from Cisco Umbrella
  Command: dns response

Action Parameters

When data traffic matches the match parameters, the specified action is applied to it. You configure the action parameters with the action command under the policy data-policy vpn-list sequence command hierarchy on vSmart controllers.

For a centralized data policy that configures a vEdge router to act as a DNS forwarder to Cisco Umbrella, configure the following actions. You can configure other actions, as described in Configuring Centralized Data Policy.

Description: Redirect DNS requests to a Cisco Umbrella server. Specify this action for a dns request match condition.
  Command: redirect-dns ip-address
  Value or Range: IP address of a Cisco Umbrella server, either 208.67.222.222 or 208.67.220.220.

Description: Process DNS responses from a Cisco Umbrella server. Specify this action for a dns response match condition.
  Command: redirect-dns host
  Value or Range: Forward the responses to the requesting service VPN.

Default Action

If a data packet being evaluated does not match any of the match conditions in a policy, a default action is applied. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.

Apply a Policy

For the centralized data policy to take effect so that the vEdge router can act as a DNS forwarder to Cisco Umbrella, you apply it to a list of sites in the overlay network. Because the policy configures the router to both forward packets to and receive packets from a Cisco Umbrella server, specify the all option:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (from-service | from-tunnel)

Example Configuration

The following example shows a data policy that enables Umbrella DNS security and that counts DNS traffic:

vSmart# show running-config policy
policy
 data-policy umbrella_dns
  vpn-list vpn_1
   sequence 1
    match
     dns          request
    !
    action accept
     count umbrella_traffic_outbound
     redirect-dns 208.67.220.220
    !
   !
   sequence 2
    match
     dns          response
    !
    action accept
     count umbrella_traffic_inbound
     redirect-dns host
    !
   !
  !
 !
 lists
  vpn-list vpn_1
   vpn 1
  !
  site-list vedge1
   site-id 500
  !
 !
!
vSmart# show running-config apply-policy
apply-policy
 site-list vedge1 data-policy umbrella_dns from-service
!
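A quick lint of a data-policy block like the one above, as an added example that is not from the Viptela documentation: it parses the show running-config layout and checks that the dns request sequence redirects only to one of the two Umbrella resolver addresses named on this page and that the dns response sequence uses redirect-dns host. The sample configuration text is constructed, and the parser and function names are my own.

```python
UMBRELLA_DNS = {"208.67.222.222", "208.67.220.220"}  # resolver addresses named on the page

# Constructed sample in the "show running-config policy" layout (not captured from a device).
SAMPLE_POLICY = """\
 data-policy umbrella_dns
  vpn-list vpn_1
   sequence 1
    match
     dns          request
    !
    action accept
     redirect-dns 208.67.220.220
    !
   sequence 2
    match
     dns          response
    !
    action accept
     redirect-dns host
    !
"""

def parse_sequences(text):
    """Return {number: {"match": [...], "action": [...]}}; a '!' line closes a match/action block."""
    seqs, seq, block = {}, None, None
    for words in (l.split() for l in text.splitlines()):
        if not words or words[0] == "!":
            block = None
        elif words[0] == "sequence":
            seq = seqs.setdefault(int(words[1]), {"match": [], "action": []})
        elif words[0] in ("match", "action") and seq is not None:
            block = words[0]
            seq[block].extend(words[1:])              # keeps the "accept" / "drop" verb, if any
        elif block and seq is not None:
            seq[block].append(" ".join(words))       # normalises the padded "dns   request"
    return seqs

def lint_umbrella_policy(seqs):
    """Return findings; an empty list means the request/response pair is configured as the page requires."""
    findings, seen = [], set()
    for n, s in sorted(seqs.items()):
        target = next((a.split()[1] for a in s["action"] if a.startswith("redirect-dns ")), None)
        if "dns request" in s["match"]:
            seen.add("request")
            if target not in UMBRELLA_DNS:
                findings.append(f"sequence {n}: requests redirected to {target!r}, not an Umbrella resolver")
        elif "dns response" in s["match"]:
            seen.add("response")
            if target != "host":
                findings.append(f"sequence {n}: responses need 'redirect-dns host' to reach the service VPN")
    findings += [f"no sequence matches 'dns {k}'" for k in ("request", "response") if k not in seen]
    return findings
```

A non-empty result means DNS traffic at the applied sites would either go to a resolver that is not Umbrella or never make it back to the requesting VPN; fix the policy before pushing it.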

Additional Information

Configuring Centralized Data Policy
