Umbrella Integration Question

Solved
Willrockhopper

I'm currently testing Cisco Umbrella integration with a couple of our Meraki networks and want to clarify one thing.

 

If I use the API key integration to apply the Umbrella policies at the MX and MR levels, do I still need to manually update the MX WAN uplink DNS addresses to the Umbrella ones, or is this only designed for non-Cisco devices which can't be integrated via API?

Basically, I'm just not sure if the devices on the network will have their DNS routed through Umbrella if I don't manually change the MX's primary DNS addresses, if that makes sense.

1 Accepted Solution
RWelch

Without manually updating the MX WAN uplink, Meraki intercepts the DNS query and attaches an identifier to identify which Umbrella policy this request should be checked against.

Ensure that bi-directional UDP 443 traffic is allowed to the Umbrella endpoint of 208.67.220.220/32.

Manually Integrating Cisco Umbrella with Meraki Networks 

4 Replies
Willrockhopper

Great, thanks!

 

I don't suppose there'd be any advantage to doing it the traditional way by specifying the WAN IP and manually adding the Umbrella DNS servers like you would for a non-Cisco router?

 

RWelch

There is generally no advantage to manually specifying Umbrella DNS servers on the MX WAN uplink when you have already integrated Umbrella via API and are applying policies at the MX/MR level. With API integration, Meraki devices use their identity to enforce Umbrella policies, and DNS traffic is automatically routed and protected according to those policies.
 
Manual DNS configuration is only necessary for non-Cisco devices or networks that cannot use API integration. For Meraki MX/MR with API integration, manual DNS configuration does not provide additional security or policy enforcement benefits, and the integration is designed to prevent users from bypassing Umbrella by changing their DNS settings locally.