Due to the default Meraki Auto-VPN design, all VPN hubs in an organization will automatically tunnel to other hubs in an organization. This means when the UMB-SIG hubs are deployed below all other hubs in the organization will automatically tunnel to SIG and all traffic routed to Umbrella (due of the default BGP route that gets propagated from these hubs). If you DO NOT want your other hubs to automatically connect to Umbrella SIG please reach out to your Meraki SE to have this auto hub to hub connectivity disabled for your organization.
Once a UMB-SIG deployment has been created following the steps below use only the delete button on the Cloud On-Ramp page to delete the deployment. DO NOT manually delete the network tunnel from the Umbrella dashboard or remove the UMB-SIG node from it's Meraki network under the Security & SD-WAN > Appliance Status page
Umbrella SIG (Secure Internet Gateway) is a cloud-based security solution designed for branch offices. This article outlines how to configure the Umbrella SIG (UMB-SIG) auto-vpn solution between the Umbrella dashboard and a Meraki MX Security and SD-WAN device. Umbrella's SIG provides centralized management for security so network administrators do not have to separately manage security settings for each branch. All internet-bound traffic will be forwarded to Umbrella SIG through an auto-vpn tunnel to the UMB-SIG device in the Umbrella cloud for inspection and filtering.
If network administrators desire a cloud managed security solution to alleviate the inconvenience of separately managing security settings at each branch location, Umbrella SIG is the perfect solution.
Umbrella SIG offers security features such as:
- DNS Policies
- Firewall Policies
- Web Policies
- HTTPS Inspection
Please visit Umbrella's documentation for a comprehensive guide to Umbrella SIG features.
- The Umbrella SIG Essentials package is required. Please visit Umbrella for more package information
- A UMB-SIG device running MX 15.37+ firmware is required
- UMB-SIG is a new Meraki product deployed in the Umbrella cloud which terminates Meraki SD-WAN (auto-vpn) tunnels inside Umbrella
- The branch Meraki MX requires MX 14+ firmware, on which users are able to configure the auto-vpn tunnel to the UMB-SIG device running in the Umbrella cloud
Each Meraki organization is currently limited to two UMB-SIG deployments (4 UMB-SIG nodes) per organization. Please reach out to your Meraki SE to increase this limit.
In addition to the above, each UMB-SIG node is currently limited to 250 auto-vpn tunnels and is currently limited to 250Mbps of bandwidth per UMB-SIG node.
To establish an auto-vpn tunnel to Umbrella, configurations must be made on both Umbrella Dashboard and Meraki Dashboard. The required configurations on the Umbrella dashboard will be made by the Meraki dashboard once Umbrella API keys are added to Meraki.
Create Umbrella Management API Key
In the Umbrella dashboard, navigate to Admin > API Keys > Click on Create
Choose Umbrella Management > Click on Create
Copy your management API Key and Secret to a secure location then check the box that reads To keep it secure, we only display your key's secret once. For future reference, copy this secret and keep it in a safe place. Tick this box to acknowledge this and click Close.
Add Umbrella Management API Key to Meraki Dashboard
After creating your Umbrella Management API key and secret above, you now need to add this to the Meraki dashboard.
In the Meraki dashboard, navigate to Organization > Cloud On-Ramp. On the Configuration tab click Connect to Cisco Umbrella on the Umbrella tile
In the window that opens, enter the management API key and secret created above.
Once the API key and secret have been added above, click Next.
At this point the Meraki dashboard will query your Umbrella organization to ensure you have SIG licensing applied to the org. If SIG licensing is applied, you will be able to continue with the below deployment.
Deploying the Umbrella SIG (UMB-SIG) Connector
Once the above configuration has been added successfully you will be able to proceed with deploying the Umbrella SIG auto-vpn connector device (UMB-SIG).
The UMB-SIG device does not require any additional licensing and is included as part of your MX licensing purchase (as long as you have SIG licensing on the Umbrella dashboard).
To deploy the SIG connector click on the Deploy button in the Umbrella tile.
In the window that opens, give your deployment a Name. This will be the name of the UMB-SIG network that get created in your Meraki organization. Next, choose a Primary Datacenter and Secondary Datacenter where you want to connect your branch sites to in order to access SIG.
Click continue to execute the deployment.
Deployment Status Codes
Once your deployment is complete, you will see a similar tile like this on the deployments tab of the Cloud On-Ramp page.
A correctly deployed SD-WAN connector will display a status of "deployed" for both of the connectors. Please see the following other error messages that could also be shown:
The UMB-SIG network was created in the Meraki dashboard and a UMB-SIG device added to it
Means the created step above executed successfully and a network tunnel was created in your linked Umbrella dashboard under Deloyments > Network Tunnels
Means the created and tunneled steps above completed successfully and the UMB-SIG connector was instantiated inside the Umbrella cloud. You should see the node checking in to dashboard within 5-10 minutes after the deployment is complete.
Potential error codes include the following:
Invalid API credentials
Message: Umbrella API Error. Code: 401. Error: Invalid authentication credentials
Wrong API Key type
Reason: You provided a network device API key instead of a management API key
Message: Umbrella API Error. Code: 403. Error:
No SIG licensing
Reason: By default two UMB-SIG deployments are allowed per organization. Trying to create a third deployment will result in this error.
Message: This organization has no available licenses for UMB-SIG
Name has already been taken
Reason: Duplicate deployment name and DC selection entered (same deployment name can be used if different pair of DC’s are used).
Message: Validation failed: Name has already been taken
Umbrella tunnel limit reached
Reason: The limit for the amount of network tunnels you can create in your Umbrella org has been reached. Please reach out to your Umbrella SE to inquire about increasing this limit.
No available SIG licenses
Reason: The linked Umbrella organization does not have any available SIG licensing
Message: This organization has no available licenses for UMB-SIG
As part of the above deployment, not only will two UMB-SIG devices (a primary and secondary) be created in your Meraki organization, these two devices will also be configured with the following:
- Site to Site VPN enabled as a HUB
- BGP enabled and an Umbrella peer (169.254.0.9) configured (a peer with ASN 36692 represents Umbrella as this is their ASN)
The following sections outline some validation steps that can be taken within the Meraki dashboard as well as with real client traffic to verify connectivity to Umbrella SIG is working as expected.
UMB-SIG Devices Online
The first thing to check post-deployment is to ensure both of the UMB-SIG devices created are online and checking in to dashboard. As part of the above deployment you will notice two new networks created in your Meraki organization. These networks will be in the following format (based on the input provided above)
<deployment name>-<Primary DC name>
<deployment name>-<Secondary DC Name>
Navigate to the Security & SD-WAN > Appliance Status page to confirm both devices are online and healthy.
It may take between 3-5 minutes for the UMB-SIG devices to be online and healthy in the Meraki dashboard
Umbrella Tunnel Endpoint Created
Next, we can confirm that a network tunnel was created in our Umbrella dashboard. Within the Umbrella dashboard navigate to Deployments > Core Identities > Network Tunnels.
Here you will find two new tunnels created, one with the serial number of the primary UMB-SIG device and the other with the serial number of the secondary UMB-SIG device. Once the tunnel has been fully established it will show here as active with a green checkmark.
We can confirm that our tunnel to SIG and associated routing is successfully established by looking at the UMB-SIG and branch MX routing table.
In the UMB-SIG device navigate to Security & SD-WAN > Route Table (click on view new version in the upper right if not already on the new version of the route table).
In the route table you should now see a 0.0.0.0/0 eBGP default route to our Umbrella BGP peer (next hop should be a 169.254.0.9 IP) and it should be in a green/healthy state.
On our branch MX we can also check the same route table and ensure this default route has propagated to the spokes via iBGP (the next hope will show up as a 6.X.X.X IP. This is expected).
To validate traffic is flowing through Umbrella SIG you can use the following Umbrella test site:
The external IP field below shows you the public IP where your traffic egresses to the internet and the page offers a link to the Umbrella dashboard and policies that are acting on your traffic.
To validate traffic being sent to over the auto-vpn tunnel to SIG vs traffic not being sent over the tunnel we can connect to a network on a VLAN that is participating in the VPN and one that is not to observe the difference.
For this test we used the below configuration where the Default VLAN1 is not participating in VPN and the SIG VLAN 10 is participating. This configuration can be viewed under Security & SD-WAN > Site-to-site VPN.
Using a Wireless capable MX68CW two SSIDs were created. One on VLAN 1 and the other on VLAN 10.
When a device connects to the SSID SIG1, it receives an IP on VLAN10.
When the device accesses the Internet, the traffic will have a NAT address from Umbrella (an IP in the 184.108.40.206/16 subnet means it is exiting Umbrella).
When a device connects to the SSID DIA, it receives an IP on VLAN1.
When the device accesses the Internet, the traffic will have a NAT address from the MX Internet Interface.
Migrating from SIG IPSEC Tunnels to SD-WAN Tunnels
If you do not require SD-WAN/auto-vpn connectivity to Umbrella SI, you can also connect with a standard IPSEC tunnel from any MX appliance. To do so, follow this KB.
If you have already deployed IPSEC tunnels to SIG and wish to migrate to SD-WAN tunnels follow the below steps for a seamless migration:
- On the Meraki dashboard deploy the UMB-SIG connectors following the steps above.
- On the Umbrella dashboard add the two new network tunnels created by the on-ramp in step 1 to any required security policies
- On the Meraki dashboard, point all of your spoke MX sites to the new UMB-SIG connectors (if you did not choose the "protect all spokes" option in step 1)
- Once the auto-vpn tunnels to the UMB-SIG connectors are established delete the IPSEC tunnels under the site-to-site VPN settings page
- (optional) If using the SD-WAN Plus license, define any VPN exclusions for traffic you wish to exit locally instead of being tunneled to SIG.
DNS Policy Consideration
The extension of SD-WAN to Umbrella will default all traffic that is not routed to other sites in the Auto-VPN topology with more specific routes to the connector in Umbrella. This include all DNS traffic.
When you establish tunnels to the Cisco Umbrella head end to use the cloud-delivered firewall, DNS traffic should be bypassed to ensure that DNS Layer Enforcement is not impacted.
When DNS traffic gets routed in tunnels, the traffic will go through all services in the service chain in the cloud-delivered firewall, undergo Network Address Translation (NAT), and then go to the Umbrella Resolvers with the cloud-delivered firewall's public IP address. In that situation, Umbrella Resolvers will not be able to apply DNS-based policies as the source IP will not match your organization.
To ensure that DNS Layer security is not impacted by the cloud-delivered firewall, traffic for destination port 53 to IP address 220.127.116.11 and 18.104.22.168 should be bypassed.
If your organization is currently leveraging or plans to implement Umbrella DNS policies that are using Meraki Networks by Public IP address as Identities in these policies, one of the following 3 actions will need to be taken:
1. Contact Umbrella Support.
More information on bypassing DNS traffic can be found here:
Please contact Umbrella support for more details and remediation options.
2. Umbrella API integration for DNS policies in Meraki Dashboard
If your organization has not yet implemented DNS protection for your Meraki sites, another option is to configure the API integration for Umbrella DNS policies in the Meraki Dashboard. This method will use network devices as the identity to apply policy to as opposed to using the public IP address from the Meraki Site. Given the nature of how this integration works, it also prevents users from circumventing Umbrella DNS policies by changing their DNS resolver configuration on their end user system.
Details on how to perform this integration and the configuration options for it are available at these two links:
3. Configure L3 VPN exclusion for the Umbrella Resolver IP addresses in Meraki Dashboard
- Navigate to Security & SD-WAN > Site-to-Site VPN
- If the site is configured as a Spoke ensure that the two Umbrella SIG Connectors are configured as Hubs and that they do not have the Default route option checked.
- If the site is configured as a Hub ensure that the two Umbrella SIG Connectors are configured as Exit Hubs.
- Navigate to Security & SD-WAN > SD-WAN & traffic shaping
- Scroll down to Local Internet breakout > VPN exclusion rules and click Add +
- Under Customer expressions, Select protocol DNS.
- For the Destination, input the Umbrella resolver IP address 22.214.171.124/32 and click add expression
- Repeat for IP address 126.96.36.199