
Integrating Cisco Umbrella with Meraki MR Networks

Overview 

Integrating the Meraki Dashboard and Umbrella DNS allows clients connected to Meraki Access Points to have their DNS traffic filtered through Cisco's Umbrella DNS service. Umbrella DNS filtering can also be configured to apply to wireless clients that have been assigned to a Group Policy from the Meraki Dashboard.

 

This integration allows Administrators to easily apply and modify DNS-based filtering rules for multiple groups of clients on their network by simply assigning a filtering policy to a specific SSID or Group Policy. Once assigned, all DNS requests from clients under that policy will be automatically redirected to Cisco's Umbrella DNS service, where they will be checked against the appropriate policy configured for the Network Device (Meraki SSID or Group Policy) in the Umbrella dashboard.

 

NOTE: Please contact Meraki Support to have this feature enabled. This feature requires an early-release MR26.0 firmware version that can be enabled with Meraki support assistance. This feature is not currently available for networks containing MR26 access points.

 

Umbrella_DNS_v2.png

 

Configuring Umbrella DNS Integration

Linking the Meraki and Umbrella Dashboards 

Integrating Umbrella DNS with a Meraki Network is a simple process that requires only a few steps to get set up. For Umbrella filtering policies to be applied successfully, the Meraki and Umbrella Dashboards must first be linked via the Umbrella Network Devices API Key. Once the Dashboards have been linked, then Umbrella policies can be properly assigned to the appropriate Meraki SSID or Group Policy.

Generating the Umbrella API Key 

Before linking the two dashboards, the Umbrella API Key and associated Secret must first be created on the Umbrella Dashboard. This can be done from the Umbrella Dashboard by selecting Settings > API Keys. If there is no existing key available for the Umbrella Network Devices, select the blue and white plus sign (+) at the top left of the page (highlighted in the picture below). 'Umbrella Network Devices' should be selected by default; if not, select it and click 'Create.'

Once the key has been generated, copy both the Key and the Secret so they can be entered on the Meraki Dashboard. Be sure to save the Secret in a safe location, as it will only ever be shown once. If the 'Umbrella Network Devices' API Key and Secret have already been generated, use the existing API Key and Secret.

NOTE: Make sure when generating and copying the API Key that the 'Umbrella Network Devices' key is used, not the 'Legacy Network Devices' key.

WARNING: The Umbrella Dashboard will only display the API Secret when it is first generated. Make sure that you've saved both the Key and Secret before closing the page.

Umbrella API Key - edited2.png

Applying the Umbrella API Key to a Meraki Network 

Once the Umbrella API Key and Secret have been generated they need to be added to the Meraki Dashboard to properly link the Meraki Network and the Umbrella Dashboard. This is done by going to the Network-wide > Configure > General page. Once there, scroll down to the bottom of the page and click 'New Credentials' under the 'Cisco Umbrella account' header. Then paste the Umbrella API Key and Secret in the appropriate fields and click 'Save Changes.'

Once this information has been saved the Meraki and Umbrella Dashboards should now be properly linked, allowing Umbrella policies to be applied to Meraki SSIDs or Group Policies within the current Meraki Network. 

NOTE: Umbrella integration is linked on a per-Network basis to the Meraki Dashboard, so the Umbrella API Key and Secret must be entered on every Meraki Network that requires Umbrella integration. Additionally, the Umbrella Network Devices API can be linked on a template network so that children networks bound to the template can leverage the same policies easily. Meraki networks that are cloned will also retain the API key for easy linking. 

Meraki API Entry.png

Unlinking a Meraki Network and Cisco Umbrella

Once the Meraki and Umbrella Dashboards have been linked successfully the currently linked API Key will be displayed at the bottom of the Network-wide > Configure > General page. There is also a checkbox to delete the link between the selected Meraki Network and the Umbrella Dashboard.

To unlink a Meraki Network from Umbrella simply check the 'Delete linked account' box and select 'Save Changes' on the Meraki Dashboard. Deleting this link between accounts will clear any objects in the Umbrella Dashboard that were sourced from this Network in addition to any Umbrella Policies applied to SSIDs or Group Policies in the Network.

Screen Shot 2018-08-15 at 8.53.46 AM.png

Linking and Applying an Umbrella Policy

Linking an SSID or Group Policy to an Umbrella Policy is extremely straightforward once the Dashboards have been linked. When a Meraki SSID or Group Policy is linked to Umbrella, a unique Device ID is generated for that Meraki object. An Umbrella policy is then linked to that device ID on the Umbrella Dashboard. This device ID is included in any DNS traffic sent to Umbrella and used to specify which Umbrella Policy that traffic should be checked against.

NOTE: These Meraki objects can be viewed on the Umbrella Dashboard by going to Identities > Network Devices. Umbrella Network Devices are automatically created when linking a Meraki SSID or Group Policy and use the following naming format: '<SSID/Group Policy>__<Network name>_-_wireless'

Linking an SSID or Group Policy to Umbrella 

  • Linking an SSID - Linking an SSID to Umbrella is done from Wireless > Configure > Firewall & Traffic Shaping, under the Block Applications and Content Categories header. Simply select 'Link Umbrella Policies' on the appropriate SSID and the Meraki Dashboard will automatically create the appropriate Network Device on the Umbrella Dashboard and apply the Default Policy to the SSID.
  • Linking a Group Policy - Linking a Group Policy is done from the Network-wide > Configure > Group Policies page. Select the Group policy that should be linked and then select 'Link Umbrella Policies' located under the Layer 7 Firewall rules. The Meraki Dashboard will then automatically create the appropriate Network Device on the Umbrella Dashboard and apply the Default Policy to the Group Policy.

NOTE: Group Policies must be set to use Custom SSID Firewall & Shaping Rules to link an Umbrella Policy.

NOTE: If creating a new Group Policy then the policy must first be saved before it can be linked to Umbrella.

Link Policy to SSID.png 

The Umbrella/MR integration is currently supported for all client addressing types found under the Access Control page.

Applying an Umbrella Policy to an SSID or Group Policy

After linking an SSID or Group Policy to Umbrella the Default policy is automatically applied. To apply a different Umbrella Policy simply select the appropriate Umbrella Policy from the dropdown on the Firewall & Traffic Shaping page for SSIDs, or from the Group Policy details page for Group Policies, then select 'Save' at the bottom of the page.

If the Umbrella policy does not yet exist then it must first be created from the Umbrella Dashboard. This can be done by navigating to Policies > Policy List on the Umbrella Dashboard and following through with the necessary policy creation steps. Once the policy has been created it can now be applied to the appropriate Meraki SSID or Group Policy from the Meraki Dashboard.

Post Linking SSID.png

NOTE: The order that policies are listed in Umbrella is important! This can be viewed by logging into the Umbrella Dashboard and navigating to Policies > Policy list. Once an SSID/Group Policy is linked, it will inherit the Default Policy, which will, by default, be the last policy in Umbrella's ordered list. This shows in the Meraki Dashboard as Default Policy (indirectly applied) because the Umbrella policy was not actually selected from the Meraki Dashboard. If, for example, an admin were to assign a policy to an SSID (Network Device) in the Umbrella Dashboard, that change would be reflected in the Meraki Dashboard and the policy would also show as indirectly applied.

 

Once a policy is assigned to a Network Device (SSID/Group Policy), any policies below the one selected for the Network Device will not be matched on. The policy list in Umbrella is read in a top-down order and once a match is found for the Device ID, no other policies will be evaluated. More information here: https://deployment-umbrella.readme.i...icy-precedence
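The top-down, first-match evaluation described above can be modelled to audit a policy list for assignments that never take effect. This is an added example, not Meraki or Umbrella code; the policy names, device names and the helper functions are constructed for illustration.

```python
from dataclasses import dataclass, field

DEFAULT_POLICY = "Default Policy"  # per the page, last in Umbrella's ordered list


@dataclass
class Policy:
    name: str
    identities: set = field(default_factory=set)  # Network Devices assigned


def effective_policy(ordered, device):
    """Top-down, first match wins; unmatched devices fall to the Default Policy."""
    for policy in ordered:
        if device in policy.identities:
            return policy.name
    return DEFAULT_POLICY


def shadowed_assignments(ordered):
    """Return (device, unreachable policy, winning policy) for dead assignments."""
    winner, dead = {}, []
    for policy in ordered:
        for device in sorted(policy.identities):
            if device in winner:
                dead.append((device, policy.name, winner[device]))
            else:
                winner[device] = policy.name
    return dead


# Constructed sample data; device names follow the page's naming format.
GUEST = "Guest__HQ_-_wireless"
EMPLOYEE = "Employee__HQ_-_wireless"
KIOSK = "Kiosk__HQ_-_wireless"  # linked, but no policy assigned
POLICIES = [
    Policy("Block Social Media", {GUEST, EMPLOYEE}),
    Policy("Strict Guest Filtering", {GUEST}),  # never reached for GUEST
]

if __name__ == "__main__":
    for dev in (GUEST, EMPLOYEE, KIOSK):
        print(dev, "->", effective_policy(POLICIES, dev))
    for dev, lost, won in shadowed_assignments(POLICIES):
        print(f"{dev}: '{lost}' is shadowed by '{won}'")
```

A non-empty result from shadowed_assignments means a stricter policy placed lower in the list is silently not being enforced for that SSID or Group Policy.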

Removing an Umbrella Policy from an SSID or Group Policy

To remove an Umbrella Policy from an SSID or Group Policy navigate to the Wireless > Configure > Firewall & Traffic Shaping page for SSIDs or the Network-wide > Group Policies > Group Policy details page for the appropriate Group Policy. Under the currently applied policy click 'Disconnect from Cisco Umbrella' followed by 'Yes' in the confirmation popup.

WARNING: Disconnecting an SSID or Group Policy from Umbrella will delete the associated Object from the Umbrella Dashboard and unlink any policies applied to that SSID or Group Policy in the Meraki Dashboard. 

Remove Policy.png

DNS Traffic Flow

This section of the article describes in detail the expected traffic flow of DNS traffic from clients after an SSID or Group Policy has been successfully linked to an Umbrella filtering policy.

  1. Client sends a DNS query.
  2. Meraki intercepts the DNS query and attaches an identifier to the DNS query to identify what Umbrella Policy this request should be checked against.
  3. Meraki then encrypts the DNS query using DNSCrypt, source-NATs the packet to the MR management IP and redirects it to the appropriate Umbrella endpoint.
  4. After arriving at the Umbrella endpoint the DNS query is decrypted and checked against the appropriate Umbrella Policy (based on the attached Identifier) to determine if it should be allowed or not.
  5. If the request is allowed then Umbrella will return an encrypted DNS response with the appropriate IP.
  6. If the request should be blocked then Umbrella will return an encrypted DNS response pointing to the Umbrella Block Page.

NOTE: DNSCrypt Compatibility

Access points that do not support 802.11ac, such as the MR18, will still be able to utilize Umbrella DNS services but do not support the use of DNSCrypt when communicating back to the Umbrella servers. All access points that are capable of 802.11ac or better fully support the use of DNSCrypt with Umbrella DNS.

NOTE: HTTPS Blocking

Just like Meraki's Content Filtering, blocked requests for HTTPS content will not load the Umbrella Blocked page correctly. Instead, users will simply be presented with a generic 'Webpage is not Available' error. 

NOTE: Cisco Umbrella has 2 potential endpoints that Meraki will send DNS traffic to: 208.67.222.222/32 and 208.67.220.220/32. Make sure that bi-directional UDP 443 to both of these addresses is allowed on any upstream devices.

DNS Exclusion 

When an SSID is configured in Bridge Mode the option to configure DNS Exclusion will be available under the Policy selection dropdown menu. This allows Administrators to specify domains that should be excluded from Umbrella filtering. DNS requests for excluded domains will not be redirected to Umbrella and will instead be forwarded to the DNS server specified by the client. This is extremely useful for preventing DNS requests for local resources from being redirected to Umbrella and instead allowing them to reach internal DNS servers to resolve correctly. The MR will automatically add the .local domain to be excluded from Umbrella redirection by default.

Domain exclusion is not available for configuration on Group Policies that are linked to Umbrella policies. The domain exclusions for Group Policies will adhere to the configuration of the SSID. For example, if the 'Employee' SSID is excluding 'meraki.com' from Umbrella lookups, and a client connects with an assigned Group Policy linked to another Umbrella policy, then 'meraki.com' will still be excluded from DNS lookups sourced from that client.
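The exclusion behaviour above, including the Group Policy case, can be sketched as a per-query routing decision. This is an added example, not Meraki code: the matching rule (case-insensitive, exact domain or subdomain on a label boundary), the use of the Group Policy's identity for non-excluded queries, and all names and sample data are assumptions made for illustration.

```python
DEFAULT_EXCLUSIONS = ("local",)  # per the page, .local is excluded by default


def norm(name):
    """Lower-case a DNS name and drop surrounding dots."""
    return name.strip().strip(".").lower()


def is_excluded(qname, ssid_exclusions):
    """True if qname equals an excluded domain or is a subdomain of one."""
    q = norm(qname)
    for domain in (*DEFAULT_EXCLUSIONS, *ssid_exclusions):
        d = norm(domain)
        # Compare on a label boundary so 'notmeraki.com' does not match 'meraki.com'.
        if q == d or q.endswith("." + d):
            return True
    return False


def route_query(qname, ssid, group_policy=None):
    """Return (destination, Umbrella identity) for one client query."""
    # Exclusions always come from the SSID, even for Group Policy clients.
    if is_excluded(qname, ssid.get("exclusions", ())):
        return ("client-dns", None)
    # Assumption: a linked Group Policy's identity takes the place of the SSID's.
    identity = (group_policy or ssid)["identity"]
    return ("umbrella", identity)


# Constructed sample objects using the page's naming format.
EMPLOYEE_SSID = {"identity": "Employee__HQ_-_wireless", "exclusions": ["meraki.com"]}
CONTRACTOR_GP = {"identity": "Contractors__HQ_-_wireless"}

if __name__ == "__main__":
    for name in ("dashboard.meraki.com", "notmeraki.com", "printer.local.", "example.org"):
        print(name, "->", route_query(name, EMPLOYEE_SSID, CONTRACTOR_GP))
```

Queries routed to "client-dns" bypass Umbrella filtering entirely, so the exclusion list is worth reviewing whenever it changes.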

Troubleshooting 

General Troubleshooting Steps

  • Ensure that the Umbrella and Meraki Dashboards are properly linked via API from Network-wide > General (Section 2.1)
  • Ensure that the SSID/Group Policy has been linked to Umbrella in the Meraki Dashboard and has a Policy applied from either Wireless > Firewall & Traffic Shaping or Network-wide > Group Policies respectively. (Section 2.3.1 & 2.3.2)
  • Ensure that the appropriate Identity exists under Identities > Network Devices on the Umbrella Dashboard (Section 2.3)
  • Ensure that the correct Policy is assigned to the correct Network Device in the Umbrella Dashboard from Policies > Policy List
  • Ensure that bi-directional UDP 443 traffic is allowed to the Umbrella endpoints - 208.67.222.222/32 and 208.67.220.220/32 (Section 3)

Article ID

ID: 6877
