Umbrella internal network ranges overlap

Madura Malwatte
Level 4

This is regarding the internal networks that need to be configured in Umbrella. I have a network where my 10.0.0.0/16 is used primarily at one site, and have another subnet in this range (10.0.2.0/24) used at another site. If I add both internal networks (10.0.0.0/16 - site A and 10.0.2.0/24 - site B), would this cause any problems and does Umbrella know to use the more specific match so traffic from 10.0.2.0/24 will get marked correctly as site B?

7 Replies

jj27
Spotlight

Ideally, you would have Umbrella VA(s) located in each Umbrella site and you would configure each local network's DNS servers to point to the Umbrella VA(s) associated with the site, so the Umbrella portal would never see traffic from 10.0.2.0/24 on the other site with the 10.0.0.0/16 supernet.

Thanks for the response. No, I get that is the ideal, but this is regarding the Internal Networks section in the Umbrella dashboard: Deployments > Configuration > Internal Networks. With multiple sites and VAs in each site, the internal networks used by the organisation need to be listed in the dashboard. My question is: if I have a more specific subnet, will DNS from that site match the more specific subnet in the list or match both supernet and subnet?

I believe when you add the internal network to the dashboard you also specify which site that the subnet belongs to. That, plus the traffic being forwarded from the VA in that site should take care of the classification of the traffic.

Thanks, yeah, I just checked and can specify the site for the network range. So it's probably tying in with the appliance configured for that same site. I'll need to test it to see how it goes.

Yep, should be good to go. Be sure to let us know!

Hello @Madura Malwatte. I too have the same issue. We have the /16 network, but I want to be able to apply a policy to just a /21 within that /16. Did this work for you? Both of mine will be at the default site, but will require different policies, and just want to make sure Umbrella will see the more specific subnet and apply that first. There is no reordering that can be done.

Thanks.

adamwin
Cisco Employee

Umbrella should treat the smaller subnet with higher priority. Let us know if it doesn't!
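
An added example, not part of the thread and not Umbrella's own code: a small Python check for a planned Internal Networks list that reports nested ranges and shows which entry an address resolves to if the most specific (longest-prefix) range wins, as the reply above expects. The site labels and function names are hypothetical, and the sample list is constructed from the ranges in the question.

```python
import ipaddress

# Constructed sample list mirroring the ranges in the question; labels are placeholders.
INTERNAL_NETWORKS = [
    ("10.0.0.0/16", "site A"),
    ("10.0.2.0/24", "site B"),
]


def parse(entries):
    """Turn (cidr, site) pairs into (ip_network, site); raises ValueError on host bits."""
    return [(ipaddress.ip_network(cidr, strict=True), site) for cidr, site in entries]


def find_overlaps(entries):
    """Return (outer_cidr, outer_site, inner_cidr, inner_site) for every nested pair."""
    nets = parse(entries)
    overlaps = []
    for i, (a, site_a) in enumerate(nets):
        for b, site_b in nets[i + 1:]:
            if a.version != b.version or not a.overlaps(b):
                continue
            # Order the pair so the shorter prefix (the supernet) comes first.
            (outer, o_site), (inner, i_site) = sorted(
                [(a, site_a), (b, site_b)], key=lambda e: e[0].prefixlen)
            overlaps.append((str(outer), o_site, str(inner), i_site))
    return overlaps


def most_specific(entries, address):
    """Return (cidr, site) of the longest-prefix range containing address, or None."""
    ip = ipaddress.ip_address(address)
    matches = [(n, s) for n, s in parse(entries) if n.version == ip.version and ip in n]
    if not matches:
        return None
    net, site = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), site


if __name__ == "__main__":
    for row in find_overlaps(INTERNAL_NETWORKS):
        print("nested: %s (%s) contains %s (%s)" % row)
    for addr in ("10.0.2.15", "10.0.3.15"):
        print(addr, "->", most_specific(INTERNAL_NETWORKS, addr))
```

Comparing this expected mapping with the identity shown in the Umbrella activity reports for a test query from each subnet is one way to confirm the behaviour in a given deployment.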
