Can I exclude a SSID from Cisco Umbrella Policy?

DMLUX1
Here to help

We have Cisco Umbrella integrated with our Meraki firewalls. My question is: can we exclude guest SSIDs using Meraki DHCP?

DarrenOC
Kind of a big deal

Hi @DMLUX1 , this document should help:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_...)

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
DMLUX1
Here to help

This document does a good job explaining how to add Umbrella; my question is how it can be excluded from SSIDs. Once it is added to the firewall it covers everything.

cmr
Kind of a big deal

If you are adding it to the MX, you can exclude the subnet.

1) Ensure AP management IP addresses are in their own subnet, separate from all other traffic.

2) Exclude that subnet from Umbrella, as per the documentation linked to by @DarrenOC.

As the Meraki DHCP clients will appear to the MX with the AP's IP address, they will be excluded. If you have another SSID using Meraki DHCP, then it will also be excluded, so change it if you don't want that.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal

I may be having a brain fart - is there a way to exclude subnets from forwarding DNS requests to Umbrella? You can exclude domains, but I didn't think there was a place to exclude subnets as such.

cmr
Kind of a big deal

I was referring to your option 2 - using group policies.  I think that should work?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal

True, that's probably the easiest way to do it - using group policies to apply Umbrella only to subnets you specifically want it on.

I recently deployed it using option 1 which worked just fine, the idea being that Umbrella was preferred on all clients of a network unless excluded via group policies.

Brash
Kind of a big deal

It kind of depends where you're integrating Umbrella.

1. On the MX (under Threat Protection)
   - Adding the Umbrella integration here should intercept DNS requests from all clients and proxy them to Umbrella (except for domains added to the exclusions list). If there are clients you don't want this to apply to, you can assign a group-policy to them (e.g. via the VLAN) which will then exclude them from this behaviour.

2. On the MX (via Group Policies)
   - Adding the Umbrella integration in the group policy will only apply it to clients that are assigned that group policy (directly or via VLAN or AD etc.)

3. On the MR (via SSID)
   - This will apply the Umbrella integration only on clients connected on that SSID.


In your scenario, if you have integration on the MX via Threat Protection, and are using Meraki DHCP for clients, this means that the client's DNS requests are seen by the MX as coming from the MR's management IP address. The only way to exclude these from Umbrella would be to create a group policy and apply it to the Meraki AP management subnet.
The group policy itself should be able to use network defaults for all of the settings but not have any Umbrella integration applied to it.