Week 3 Day 1: Umbrella SD-WAN Integration¶
Overview: SD-WAN + Umbrella SASE Architecture¶
BRANCH SITE TRAFFIC FLOW WITH UMBRELLA:
User Device
│
▼
SD-WAN WAN Edge (ISR 1100)
│
├─── Corporate Traffic (10.252.0.0/16) ──► MPLS ──► Data Center
│
├─── Azure VNet Traffic ──────────────────► IPsec ──► Azure Virtual WAN
│
└─── Internet / SaaS Traffic ─────────────► DIA ──► Umbrella SIG ──► Internet
│
┌───────────────┴───────────────┐
│ DNS Security │ Cloud Firewall │
│ SWG (HTTP/S) │ CASB │
└───────────────────────────────┘
Step 1: Get Umbrella API Credentials¶
# Log into Umbrella Dashboard (admin.umbrella.com)
## Navigate: Admin → API Keys → Generate
## Required credentials:
## - Umbrella Organization ID
## - Management API Key + Secret
## - Network Device API Key + Secret
Step 2: Integrate Umbrella with vManage¶
Navigate: Administration → Cloud Services → Umbrella
Organization ID: <UMBRELLA_ORG_ID>
API Key: <UMBRELLA_API_KEY>
API Secret: <UMBRELLA_API_SECRET>
Enable:
✅ DNS Security
✅ Secure Web Gateway (SWG)
✅ Cloud Firewall
✅ CASB
Step 3: Configure Umbrella Tunnel in vManage¶
Navigate: Configuration → Cloud OnRamp for Colocation → Add Colo
Provider: Cisco Umbrella
Region: Multiple (auto-selected by proximity)
Umbrella PoP Mapping:
APAC-India sites → Singapore PoP (Primary) / Mumbai PoP (Secondary)
EMEA sites → London PoP (Primary) / Frankfurt PoP (Secondary)
Americas sites → New York PoP (Primary) / Ashburn PoP (Secondary)
Week 3 Day 2: DIA Policy and DNS Security¶
WAN Edge: Umbrella DNS Configuration¶
Apply to all branch site device templates:
Device Template → DNS Configuration:
Primary DNS: 208.67.222.222 (Umbrella)
Secondary DNS: 208.67.220.220 (Umbrella)
DNS Security: Enabled
Redirect queries to: Umbrella DNS
Umbrella Registration: Auto (via API)
IOS-XE Configuration (ISR 1100 — Bangalore branch):
! ============================================================================
! UMBRELLA DNS SECURITY CONFIGURATION
! Platform: ISR 1100-4G (Bangalore Branch)
! ============================================================================
hostname BLR-BR-01
! Register device with Umbrella
umbrella organization-id <UMBRELLA_ORG_ID>
umbrella token <UMBRELLA_REGISTRATION_TOKEN>
! DNS policy — redirect all DNS to Umbrella
umbrella policy local-domain-bypass
add domain internal.abhavtech.com ! Bypass Umbrella for internal domain
add domain 10.in-addr.arpa ! Bypass reverse lookup for internal IPs
add domain 252.10.in-addr.arpa
! Apply Umbrella DNS globally
ip domain-name abhavtech.com
ip name-server 208.67.222.222 ! Umbrella primary
ip name-server 208.67.220.220 ! Umbrella secondary
! Redirect all user DNS queries through Umbrella
ip dns server ! Enable local DNS forwarder
ip dns primary abhavtech.com soa 300 ! SOA for internal domains
ip dns forwarding
! Umbrella DNS policy (intercept and redirect)
parameter-map type umbrella global
token <UMBRELLA_DEVICE_TOKEN>
dnscrypt ! Enable DNSCrypt (encrypted DNS)
udp-timeout 5
resolver ipv4 208.67.222.222 port 5353
! Apply to LAN-facing interface
interface GigabitEthernet0/0/1
description LAN-ACCESS
umbrella in use-local-any ! Apply Umbrella DNS inspection inbound
!
Configure Umbrella DNS Security Policy¶
In Umbrella Dashboard (admin.umbrella.com):
Navigate: Policies → DNS Policies → New Policy
Policy Name: Abhavtech-Branch-DNS-Security
Security Settings:
✅ Block Malware (high confidence)
✅ Block Phishing (all categories)
✅ Block Command & Control (C2) callbacks
✅ Block Newly Seen Domains (14 days)
✅ Block Dynamic DNS providers
✅ DNS Tunneling detection: Block
Content Filtering:
Block:
✅ Adult Content
✅ Gambling
✅ Peer-to-Peer / Torrents
✅ Anonymous Proxies and VPNs
✅ Cryptomining
Allow:
✅ Business and Economy
✅ IT and Internet
✅ Cloud Storage (Microsoft OneDrive, Google Drive)
✅ Email (Outlook, Gmail)
Bypass for (allow without inspection):
- *.abhavtech.com (internal)
- *.cisco.com (trusted vendor)
- *.microsoft.com (O365 — already via ExpressRoute)
Apply to: All Abhavtech networks (via SD-WAN registration)
Week 3 Day 3: Secure Web Gateway Configuration¶
Umbrella SWG Policy¶
Navigate: Policies → Web Policies → New Policy
Policy Name: Abhavtech-SWG-Policy
SSL/TLS Inspection:
✅ Enable SSL decryption and inspection
Bypass SSL inspection for:
- *.microsoft.com (O365 / Azure — handled separately)
- *.cisco.com
- *.banking domains (financial institutions)
- Certificate pinned apps
URL Filtering:
Block:
- Malicious URLs (high confidence)
- Phishing URLs
- Command and Control
Allow (no inspection):
- Whitelist: office365.com, sharepoint.com, outlook.com
- Whitelist: salesforce.com, servicenow.com, workday.com
- Whitelist: webex.com, cisco.com
Application Visibility & Control (AVC):
Monitor:
- Shadow IT detection (unauthorized cloud apps)
- Data upload monitoring (>100MB triggers alert)
Block:
- Unauthorized file sharing (Dropbox personal, WeTransfer)
- Tor and anonymizers
- Cryptomining pools
CASB:
✅ Enable Microsoft 365 activity monitoring
✅ Enable Salesforce activity monitoring
Alerts:
- Bulk data download (>500 files/hour)
- Admin privilege escalation
- External sharing of sensitive documents
Umbrella SIG Tunnel from Hub Sites¶
Hub sites use IPsec tunnel to Umbrella for centralized inspection:
! ============================================================================
! UMBRELLA SIG TUNNEL CONFIGURATION
! Platform: C8500-12X Hub Site (Mumbai)
! ============================================================================
hostname MUM-HUB-01
! Umbrella SIG IPsec tunnel (Primary PoP: Singapore)
crypto ikev2 keyring UMBRELLA-KEYRING
peer umbrella-singapore
address 146.112.67.8 ! Umbrella Singapore PoP IP
pre-shared-key <UMBRELLA_PSK>
peer umbrella-singapore-backup
address 146.112.68.8 ! Umbrella Singapore PoP backup
pre-shared-key <UMBRELLA_PSK>
crypto ikev2 proposal UMBRELLA-IKE-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
crypto ikev2 profile UMBRELLA-IKE-PROFILE
match identity remote address 146.112.67.8
identity local key-id mum-hub-01-abhavtech
authentication remote pre-share
authentication local pre-share
keyring local UMBRELLA-KEYRING
lifetime 28800
crypto ipsec transform-set UMBRELLA-TS esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile UMBRELLA-IPSEC-PROFILE
set transform-set UMBRELLA-TS
set ikev2-profile UMBRELLA-IKE-PROFILE
! Tunnel interface to Umbrella SIG
interface Tunnel300
description UMBRELLA-SIG-PRIMARY
ip address 10.99.0.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/4 ! Internet DIA interface
tunnel mode ipsec ipv4
tunnel destination 146.112.67.8
tunnel protection ipsec profile UMBRELLA-IPSEC-PROFILE
no shutdown
interface Tunnel301
description UMBRELLA-SIG-BACKUP
ip address 10.99.0.5 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/4
tunnel mode ipsec ipv4
tunnel destination 146.112.68.8
tunnel protection ipsec profile UMBRELLA-IPSEC-PROFILE
no shutdown
! Route internet-bound traffic through Umbrella SIG tunnel
ip route 0.0.0.0 0.0.0.0 Tunnel300 10 ! Primary
ip route 0.0.0.0 0.0.0.0 Tunnel301 20 ! Backup
! Bypass Umbrella for known-good Azure/O365 (handled by ExpressRoute)
ip route 52.96.0.0 255.252.0.0 TenGigabitEthernet0/0/2.4001 ! Exchange via ER
ip route 52.112.0.0 255.252.0.0 TenGigabitEthernet0/0/2.4001 ! Teams via ER
Week 3 Day 4: Branch SASE Policy Activation¶
vManage: Apply SASE Policies to Branch Templates¶
Navigate: Configuration → Templates → Device Templates
Select branch device template and add:
Umbrella DNS: Enabled
Token: Auto-provisioned via vManage-Umbrella integration
Local Domain Bypass: internal.abhavtech.com, 252.10.in-addr.arpa
Umbrella SIG:
Mode: Direct (branch sends traffic directly to Umbrella PoP)
Primary PoP: auto (nearest Umbrella PoP by geography)
Backup PoP: auto
Traffic Steering for SASE:
Internet-bound traffic → Umbrella SIG (via DIA)
Internal traffic → MPLS (bypass Umbrella)
Azure/O365 → ExpressRoute (bypass Umbrella — handled separately)
Branch ISR IOS-XE Configuration for SASE:
! ============================================================================
! BANGALORE BRANCH — UMBRELLA SASE CONFIGURATION
! Platform: ISR 1100-4G
! ============================================================================
hostname BLR-BR-01
! Umbrella registration
umbrella organization-id <ORG_ID>
umbrella token <TOKEN>
! DNS inspection — redirect all user DNS through Umbrella
parameter-map type inspect global
alert on
parameter-map type umbrella global
token <UMBRELLA_DEVICE_TOKEN>
dnscrypt
udp-timeout 5
! Apply DNS inspection to LAN interface
interface GigabitEthernet0/0/1
description BLR-LAN-ACCESS
ip address 192.168.50.1 255.255.255.0
umbrella in use-local-any
! Policy: Direct internet to Umbrella SIG, corporate to MPLS
ip access-list extended CORPORATE-TRAFFIC
permit ip any 10.252.0.0 0.0.255.255
permit ip any 10.100.0.0 0.0.255.255
permit ip any 10.101.0.0 0.0.255.255
ip access-list extended INTERNET-TRAFFIC
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
! Route-map: Send internet traffic to DIA → Umbrella
route-map SASE-STEERING permit 10
match ip address INTERNET-TRAFFIC
set interface GigabitEthernet0/0/0 ! WAN DIA interface
! PBR on LAN interface
interface GigabitEthernet0/0/1
ip policy route-map SASE-STEERING