Guest WiFi with MR only and Umbrella

whistleblower

Hi,


I'd like to ask you some questions about the following solution scenario:

The requirement is to set up a guest WiFi with some MRs, where the SSIDs would be configured in bridge mode and the DHCP server is located on an upstream router...

To get some content/URL filtering I am thinking of using the Cisco Umbrella solution, which can be integrated with the Meraki Dashboard.

In that typical network-level Umbrella deployment, pointing DNS to Umbrella alone may not be sufficient to enforce Umbrella protections. Savvy users may attempt to bypass Umbrella by changing the DNS settings on their machines, so my question is whether it's possible to use the integrated MR firewall configuration to lock down the users on the guest network and prevent any other DNS service from being used to bypass Umbrella's settings and protection (e.g. with an ACL entry "deny udp any any eq 53")?

I've read through the following documentation -> https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignme...


but I don't understand the marked area... how can/does the MR restrict that traffic if it's sent to the client's LAN default gateway (which would be the upstream router)?

[attached screenshot: whistleblower_0-1590131371383.png]


Probably someone has already done a similar deployment or could tell me whether the design approach is recommended at all 🙂

4 REPLIES
antonis_sp

Meraki and Umbrella integration goes beyond simply directing users to Umbrella's DNS servers. You will not need to block access to other DNS services, as this is done by the MR itself.
You can read more below.
https://documentation.meraki.com/MR/Other_Topics/Manually_Integrating_Cisco_Umbrella_with_Meraki_Net...

It works really well. With MR only or with MX.


However, if you do not want to go into that deep an integration (or are using other DNS servers for filtering), you could simply block other DNS servers on the firewall.

[attached screenshot: antonis_sp_0-1590160035715.png]
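Since the reply above suggests blocking other DNS servers on the MR firewall, here is an added example (not code from Meraki, Umbrella or any of the posters) of a first-match evaluator for a layer-3 rule list of that kind. It checks that a guest-SSID rule set pins port-53 traffic to the Umbrella resolvers, flags the mis-ordering mistake where a blanket deny shadows the Umbrella allow, and shows what such a rule set does not cover: DNS over TLS (853) and DNS over HTTPS (443) pass a port-53 rule untouched. The rule syntax, flow tuples and the resolver set used as the upstream are this example's own assumptions.

```python
"""Added example, not from the Meraki documentation or the posters: a first-match
evaluator for a layer-3 rule list, used to check that a guest-SSID rule set pins
DNS to Umbrella and to see which traffic it does not cover."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")   # Umbrella's public resolvers


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "udp", "tcp" or "any"
    dst: str                 # destination CIDR, or "any"
    dport: Optional[int]     # destination port, None = any
    comment: str = ""


def _matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if rule.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport in (None, dport)


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Top-down, first match wins; a flow no rule matches falls through to allow,
    which is the default rule at the bottom of an MR SSID firewall rule list."""
    for rule in rules:
        if _matches(rule, proto, dst_ip, dport):
            return rule.action, rule.comment
    return "allow", "default rule"


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already covers
    every flow they would match. An Umbrella allow placed below a blanket deny on
    port 53 is the classic mistake this catches."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            proto_ok = earlier.proto in ("any", r.proto)
            dst_ok = earlier.dst == "any" or (
                r.dst != "any"
                and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(earlier.dst)))
            port_ok = earlier.dport in (None, r.dport)
            if proto_ok and dst_ok and port_ok:
                out.append(i)
                break
    return out


# Guest SSID rule set: allow Umbrella on 53, then deny every other destination on 53.
GUEST_RULES = [Rule("allow", "any", f"{ip}/32", 53, "Umbrella resolver") for ip in UMBRELLA_RESOLVERS]
GUEST_RULES.append(Rule("deny", "any", "any", 53, "no other DNS from the guest SSID"))

# Same rules with the blanket deny on top: first match wins, so Umbrella is blocked too.
MISORDERED_RULES = [GUEST_RULES[-1]] + GUEST_RULES[:-1]

# Constructed sample flows from a guest client: (proto, destination, port).
SAMPLE_FLOWS = [
    ("udp", "208.67.222.222", 53),   # Umbrella, plain DNS
    ("udp", "8.8.8.8", 53),          # user switched the resolver to Google, plain DNS
    ("tcp", "1.1.1.1", 53),          # DNS over TCP to another resolver
    ("tcp", "1.1.1.1", 853),         # DNS over TLS: not port 53, the rule never sees it
    ("tcp", "1.1.1.1", 443),         # DNS over HTTPS: indistinguishable from web traffic here
]

if __name__ == "__main__":
    for proto, dst, port in SAMPLE_FLOWS:
        action, why = evaluate(GUEST_RULES, proto, dst, port)
        print(f"{proto}/{port:<4} -> {dst:16} {action:5} ({why})")
    print("shadowed rules in misordered list:", shadowed(MISORDERED_RULES))
```

Running it shows the two plain-DNS bypass attempts denied and the Umbrella query allowed, but the 853 and 443 flows fall through to the default allow: a port-53 rule stops a user who only changes the resolver address, not one who enables encrypted DNS in the browser or OS. The `shadowed` check is worth running on any rule list before it goes live, because the dashboard happily accepts an order in which the Umbrella allow can never match.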


Some more questions about it...


The DNS traffic flow:

[attached screenshot: whistleblower_0-1590312497592.png]

Question about step 2: does that mean that it doesn't matter which DNS server (or whether any DNS server at all) is assigned to the client in the IP parameters of the DHCP server? Or do they already have to be the ones used by the Umbrella resolvers?

For my technical understanding: how, and on what basis, does this interception work and make sure that all DNS queries are intercepted, e.g. "any traffic with destination port UDP/53"?

Because the MR source-NATs the packet to its management IP and redirects it to the appropriate Umbrella endpoint, the AP acts like some sort of DNS proxy, correct? Is there a possibility to see which client/real LAN IP address has open sessions to the Umbrella resolver as well?
Probably when using the Security Center to view MR DNS events: are the MR management IPs or the real client IP addresses shown there?

Maybe someone here can help or inform?

cmr

All DNS queries are captured, identified as being from that client on that AP and encrypted. They are then checked and an unencrypted IP is returned to the client that will either take them to the intended site or a block page. Step 2 is simply about how the DNS packet is wrapped so the information can be returned.
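To make the mechanism described in the reply above concrete (capture every DNS query, tag it with the client and AP, wrap it, forward it, and return the answer to the right client), here is an added toy model of an access point acting as a transparent DNS proxy. It is not code from Meraki, Umbrella or any of the posters. Every UDP/53 packet from a client is taken regardless of which resolver the client addressed, tagged with the client and AP identity in an EDNS0 option, source-NATed to the AP's management IP and sent to the Umbrella resolver; a session table maps each rewritten transaction ID back to the real client, which is also what lets the proxy report which client IPs have queries in flight. The option code, the identity payload layout, the AP name and management IP, and the use of the public Umbrella resolver as upstream are illustrative assumptions, and the encryption step the reply mentions is omitted.

```python
"""Added example, not code from Meraki, Umbrella or the posters: a toy transparent
DNS proxy that intercepts any UDP/53 packet, tags it with client/AP identity in an
EDNS0 option, source-NATs it to the AP management IP, and maps the reply back."""
import struct
from typing import Dict, List, Tuple

UMBRELLA_RESOLVER = "208.67.222.222"   # Umbrella's public resolver, assumed as the upstream here
IDENTITY_OPTION_CODE = 65001           # hypothetical option code in the private-use EDNS0 range


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def txid_of(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[:2])[0]


def with_txid(pkt: bytes, txid: int) -> bytes:
    return struct.pack("!H", txid) + pkt[2:]


def add_identity_option(pkt: bytes, payload: bytes) -> bytes:
    """Append an OPT pseudo-RR carrying `payload` and bump ARCOUNT in the header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    option = struct.pack("!HH", IDENTITY_OPTION_CODE, len(payload)) + payload
    # OPT RR: root name, TYPE 41, UDP payload size in CLASS, 32-bit TTL/flags field, RDLENGTH, RDATA
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1) + pkt[12:] + opt_rr


def fake_resolver_answer(query: bytes, ip: str) -> bytes:
    """Stand-in for the upstream resolver: echo the question, answer with one A record.
    Only the question section is copied, so the OPT RR the proxy added is dropped."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    end = query.index(b"\x00", 12) + 1 + 4          # end of QNAME plus QTYPE/QCLASS
    question = query[12:end]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, qd, 1, 0, 0) + question + rr


def answered_ip(response: bytes) -> str:
    """Dotted quad of the A record that fake_resolver_answer placed at the end."""
    return ".".join(str(b) for b in response[-4:])


class ApDnsProxy:
    def __init__(self, ap_id: str, mgmt_ip: str, upstream: str = UMBRELLA_RESOLVER):
        self.ap_id, self.mgmt_ip, self.upstream = ap_id, mgmt_ip, upstream
        self._next_txid = 1
        # outbound txid -> (client IP, client port, client's original txid)
        self.sessions: Dict[int, Tuple[str, int, int]] = {}

    def intercept(self, client_ip: str, client_port: int, dst_ip: str, pkt: bytes) -> Tuple[str, str, bytes]:
        """Handle a client packet sent to UDP/53 at dst_ip, whatever resolver that is.
        Returns (new source IP, new destination IP, rewritten packet)."""
        out_txid = self._next_txid
        self._next_txid = self._next_txid % 0xFFFF + 1          # unique per in-flight query
        self.sessions[out_txid] = (client_ip, client_port, txid_of(pkt))
        identity = f"{self.ap_id}|{client_ip}|{dst_ip}".encode()  # constructed payload layout
        wrapped = add_identity_option(with_txid(pkt, out_txid), identity)
        return self.mgmt_ip, self.upstream, wrapped               # source NAT + redirect

    def deliver(self, response: bytes) -> Tuple[str, int, bytes]:
        """Map a resolver reply back to the real client and restore its txid."""
        client_ip, client_port, client_txid = self.sessions.pop(txid_of(response))
        return client_ip, client_port, with_txid(response, client_txid)

    def clients_with_open_sessions(self) -> List[str]:
        return sorted({s[0] for s in self.sessions.values()})


if __name__ == "__main__":
    proxy = ApDnsProxy("AP-guest-1", "192.0.2.10")              # constructed AP name and management IP
    # Client 10.20.0.5 tries to use 8.8.8.8; the proxy takes the packet anyway.
    src, dst, fwd = proxy.intercept("10.20.0.5", 51000, "8.8.8.8", build_query(0x1234, "example.com"))
    print("forwarded from", src, "to", dst, "open:", proxy.clients_with_open_sessions())
    cip, cport, back = proxy.deliver(fake_resolver_answer(fwd, "203.0.113.7"))  # TEST-NET-3 answer
    print("reply to", cip, cport, "txid", hex(txid_of(back)), "A", answered_ip(back))
```

The point of the session table is the answer to the "which real client IP has open sessions" question in the follow-up: once the query leaves the AP it carries the management IP as source, so the only place the client address survives is the identity tag inside the packet and the proxy's own state. Note also that `intercept` is keyed on destination port, not destination address, which is why it does not matter what resolver DHCP hands the client.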
