Skip to content

Week 3 Day 1: Umbrella SD-WAN Integration

Overview: SD-WAN + Umbrella SASE Architecture

BRANCH SITE TRAFFIC FLOW WITH UMBRELLA:

User Device
SD-WAN WAN Edge (ISR 1100)
    ├─── Corporate Traffic (10.252.0.0/16) ──► MPLS ──► Data Center
    ├─── Azure VNet Traffic ──────────────────► IPsec ──► Azure Virtual WAN
    └─── Internet / SaaS Traffic ─────────────► DIA ──► Umbrella SIG ──► Internet
                                              ┌───────────────┴───────────────┐
                                              │ DNS Security  │ Cloud Firewall │
                                              │ SWG (HTTP/S)  │ CASB          │
                                              └───────────────────────────────┘

Step 1: Get Umbrella API Credentials

# Log into Umbrella Dashboard (admin.umbrella.com)

## Navigate: Admin → API Keys → Generate


## Required credentials:

## - Umbrella Organization ID

## - Management API Key + Secret

## - Network Device API Key + Secret

Step 2: Integrate Umbrella with vManage

Navigate: Administration → Cloud Services → Umbrella

Organization ID: <UMBRELLA_ORG_ID>
API Key: <UMBRELLA_API_KEY>
API Secret: <UMBRELLA_API_SECRET>

Enable:
  ✅ DNS Security
  ✅ Secure Web Gateway (SWG)
  ✅ Cloud Firewall
  ✅ CASB

Step 3: Configure Umbrella Tunnel in vManage

Navigate: Configuration → Cloud OnRamp for Colocation → Add Colo

Provider: Cisco Umbrella
Region: Multiple (auto-selected by proximity)

Umbrella PoP Mapping:
  APAC-India sites → Singapore PoP (Primary) / Mumbai PoP (Secondary)
  EMEA sites       → London PoP (Primary) / Frankfurt PoP (Secondary)
  Americas sites   → New York PoP (Primary) / Ashburn PoP (Secondary)

Week 3 Day 2: DIA Policy and DNS Security

WAN Edge: Umbrella DNS Configuration

Apply to all branch site device templates:

Device Template → DNS Configuration:

Primary DNS:  208.67.222.222   (Umbrella)
Secondary DNS: 208.67.220.220   (Umbrella)

DNS Security: Enabled
  Redirect queries to: Umbrella DNS
  Umbrella Registration: Auto (via API)

IOS-XE Configuration (ISR 1100 — Bangalore branch):

! ============================================================================
! UMBRELLA DNS SECURITY CONFIGURATION
! Platform: ISR 1100-4G (Bangalore Branch)
! ============================================================================

hostname BLR-BR-01

! Register device with Umbrella
umbrella organization-id <UMBRELLA_ORG_ID>
umbrella token <UMBRELLA_REGISTRATION_TOKEN>

! DNS policy — redirect all DNS to Umbrella
umbrella policy local-domain-bypass
 add domain internal.abhavtech.com     ! Bypass Umbrella for internal domain
 add domain 10.in-addr.arpa            ! Bypass reverse lookup for internal IPs
 add domain 252.10.in-addr.arpa

! Apply Umbrella DNS globally
ip domain-name abhavtech.com
ip name-server 208.67.222.222          ! Umbrella primary
ip name-server 208.67.220.220          ! Umbrella secondary

! Redirect all user DNS queries through Umbrella
ip dns server                          ! Enable local DNS forwarder
ip dns primary abhavtech.com soa 300   ! SOA for internal domains
ip dns forwarding

! Umbrella DNS policy (intercept and redirect)
parameter-map type umbrella global
 token <UMBRELLA_DEVICE_TOKEN>
 dnscrypt                              ! Enable DNSCrypt (encrypted DNS)
 udp-timeout 5
 resolver ipv4 208.67.222.222 port 5353

! Apply to LAN-facing interface
interface GigabitEthernet0/0/1
 description LAN-ACCESS
 umbrella in use-local-any             ! Apply Umbrella DNS inspection inbound
!

Configure Umbrella DNS Security Policy

In Umbrella Dashboard (admin.umbrella.com):

Navigate: Policies → DNS Policies → New Policy

Policy Name: Abhavtech-Branch-DNS-Security

Security Settings:
  ✅ Block Malware (high confidence)
  ✅ Block Phishing (all categories)
  ✅ Block Command & Control (C2) callbacks
  ✅ Block Newly Seen Domains (14 days)
  ✅ Block Dynamic DNS providers
  ✅ DNS Tunneling detection: Block

Content Filtering:
  Block:
    ✅ Adult Content
    ✅ Gambling
    ✅ Peer-to-Peer / Torrents
    ✅ Anonymous Proxies and VPNs
    ✅ Cryptomining

  Allow:
    ✅ Business and Economy
    ✅ IT and Internet
    ✅ Cloud Storage (Microsoft OneDrive, Google Drive)
    ✅ Email (Outlook, Gmail)

Bypass for (allow without inspection):
  - *.abhavtech.com (internal)
  - *.cisco.com (trusted vendor)
  - *.microsoft.com (O365 — already via ExpressRoute)

Apply to: All Abhavtech networks (via SD-WAN registration)

Week 3 Day 3: Secure Web Gateway Configuration

Umbrella SWG Policy

Navigate: Policies → Web Policies → New Policy

Policy Name: Abhavtech-SWG-Policy

SSL/TLS Inspection:
  ✅ Enable SSL decryption and inspection
  Bypass SSL inspection for:
    - *.microsoft.com (O365 / Azure — handled separately)
    - *.cisco.com
    - *.banking domains (financial institutions)
    - Certificate pinned apps

URL Filtering:
  Block:
    - Malicious URLs (high confidence)
    - Phishing URLs
    - Command and Control

  Allow (no inspection):
    - Whitelist: office365.com, sharepoint.com, outlook.com
    - Whitelist: salesforce.com, servicenow.com, workday.com
    - Whitelist: webex.com, cisco.com

Application Visibility & Control (AVC):
  Monitor:
    - Shadow IT detection (unauthorized cloud apps)
    - Data upload monitoring (>100MB triggers alert)
  Block:
    - Unauthorized file sharing (Dropbox personal, WeTransfer)
    - Tor and anonymizers
    - Cryptomining pools

CASB:
  ✅ Enable Microsoft 365 activity monitoring
  ✅ Enable Salesforce activity monitoring
  Alerts:
    - Bulk data download (>500 files/hour)
    - Admin privilege escalation
    - External sharing of sensitive documents

Umbrella SIG Tunnel from Hub Sites

Hub sites use IPsec tunnel to Umbrella for centralized inspection:

! ============================================================================
! UMBRELLA SIG TUNNEL CONFIGURATION
! Platform: C8500-12X Hub Site (Mumbai)
! ============================================================================

hostname MUM-HUB-01

! Umbrella SIG IPsec tunnel (Primary PoP: Singapore)
crypto ikev2 keyring UMBRELLA-KEYRING
 peer umbrella-singapore
  address 146.112.67.8    ! Umbrella Singapore PoP IP
  pre-shared-key <UMBRELLA_PSK>
 peer umbrella-singapore-backup
  address 146.112.68.8    ! Umbrella Singapore PoP backup
  pre-shared-key <UMBRELLA_PSK>

crypto ikev2 proposal UMBRELLA-IKE-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 profile UMBRELLA-IKE-PROFILE
 match identity remote address 146.112.67.8
 identity local key-id mum-hub-01-abhavtech
 authentication remote pre-share
 authentication local pre-share
 keyring local UMBRELLA-KEYRING
 lifetime 28800

crypto ipsec transform-set UMBRELLA-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ipsec profile UMBRELLA-IPSEC-PROFILE
 set transform-set UMBRELLA-TS
 set ikev2-profile UMBRELLA-IKE-PROFILE

! Tunnel interface to Umbrella SIG
interface Tunnel300
 description UMBRELLA-SIG-PRIMARY
 ip address 10.99.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/4    ! Internet DIA interface
 tunnel mode ipsec ipv4
 tunnel destination 146.112.67.8
 tunnel protection ipsec profile UMBRELLA-IPSEC-PROFILE
 no shutdown

interface Tunnel301
 description UMBRELLA-SIG-BACKUP
 ip address 10.99.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/4
 tunnel mode ipsec ipv4
 tunnel destination 146.112.68.8
 tunnel protection ipsec profile UMBRELLA-IPSEC-PROFILE
 no shutdown

! Route internet-bound traffic through Umbrella SIG tunnel
ip route 0.0.0.0 0.0.0.0 Tunnel300 10   ! Primary
ip route 0.0.0.0 0.0.0.0 Tunnel301 20   ! Backup

! Bypass Umbrella for known-good Azure/O365 (handled by ExpressRoute)
ip route 52.96.0.0 255.252.0.0 TenGigabitEthernet0/0/2.4001  ! Exchange via ER
ip route 52.112.0.0 255.252.0.0 TenGigabitEthernet0/0/2.4001 ! Teams via ER

Week 3 Day 4: Branch SASE Policy Activation

vManage: Apply SASE Policies to Branch Templates

Navigate: Configuration → Templates → Device Templates

Select branch device template and add:

Umbrella DNS: Enabled
  Token: Auto-provisioned via vManage-Umbrella integration
  Local Domain Bypass: internal.abhavtech.com, 252.10.in-addr.arpa

Umbrella SIG:
  Mode: Direct (branch sends traffic directly to Umbrella PoP)
  Primary PoP: auto (nearest Umbrella PoP by geography)
  Backup PoP: auto

Traffic Steering for SASE:
  Internet-bound traffic → Umbrella SIG (via DIA)
  Internal traffic → MPLS (bypass Umbrella)
  Azure/O365 → ExpressRoute (bypass Umbrella — handled separately)

Branch ISR IOS-XE Configuration for SASE:

! ============================================================================
! BANGALORE BRANCH — UMBRELLA SASE CONFIGURATION
! Platform: ISR 1100-4G
! ============================================================================

hostname BLR-BR-01

! Umbrella registration
umbrella organization-id <ORG_ID>
umbrella token <TOKEN>

! DNS inspection — redirect all user DNS through Umbrella
parameter-map type inspect global
 alert on

parameter-map type umbrella global
 token <UMBRELLA_DEVICE_TOKEN>
 dnscrypt
 udp-timeout 5

! Apply DNS inspection to LAN interface
interface GigabitEthernet0/0/1
 description BLR-LAN-ACCESS
 ip address 192.168.50.1 255.255.255.0
 umbrella in use-local-any

! Policy: Direct internet to Umbrella SIG, corporate to MPLS
ip access-list extended CORPORATE-TRAFFIC
 permit ip any 10.252.0.0 0.0.255.255
 permit ip any 10.100.0.0 0.0.255.255
 permit ip any 10.101.0.0 0.0.255.255

ip access-list extended INTERNET-TRAFFIC
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

! Route-map: Send internet traffic to DIA → Umbrella
route-map SASE-STEERING permit 10
 match ip address INTERNET-TRAFFIC
 set interface GigabitEthernet0/0/0   ! WAN DIA interface

! PBR on LAN interface
interface GigabitEthernet0/0/1
 ip policy route-map SASE-STEERING

Week 4: INTEGRATION, QoS, and PRODUCTION