Umbrella VA Design

packet2020
Level 1

Hi All,

I'm after some guidance with a new Umbrella design

We currently operate across two large campus sites that are connected together using a high-speed link. Each site has an internet connection, and the two are used active/active: the sites use their local internet connection as primary, and the internet connection at the other site in the event that the local internet service fails. The same public IP block is routable across both sites depending on state. We also operate a single AD domain with two domain controllers in each location.

I am currently planning on installing two VAs in each campus site for resiliency, with forwarders for our local domains to the local DNS servers in each site. What I'm unsure about is how AD integration works and if we need to set up each campus site as a separate Umbrella site, even though the VAs will be querying the same domain/domain controllers, etc. I'm unsure what the recommendations are here and if AD Sites and Services comes into play in any way.

Has anyone set up Umbrella in a similar environment?

Accepted Solution

aaragonb
Cisco Employee

Hi,
From Umbrella's point of view, in theory (in practice, it needs to be tested), there are two main options for your scenario: 1) One Umbrella site, 2) Two Umbrella sites.

** Conditionals:
     a) Do internal IPs overlap between campuses?
     b) Are the campuses within the same city? - distance factor
     c) Would there be cross-communication between AD integration components (for instance, a user sending a DNS request to the other campus' server)?

Option 1) configuring just one Umbrella site:
     - Umbrella would see the whole configuration as a container, with all the components (4 VAs, 2 connectors, 2 DCs) within the same container, meaning, just one connector would be syncing the logging events with both DCs and all 4 VAs.
     - This could be a good option if the internal IPs don't overlap, the campuses are within the same city and there is cross-communication between components.

Option 2) two Umbrella sites:
     - This option would improve performance, but it would break if, for instance, the DNS request from a user in campus A goes to campus B's VA.
     - Having two Umbrella sites would separate the components into two independent containers, where each connector communicates with its local VAs and DCs.

Any option would need to be tested; there might be other factors we are not considering.
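Two of the conditionals in the answer above can be checked with data rather than by inspection: (a) whether internal IP ranges overlap between campuses, and (c) whether clients in one campus are actually sending DNS queries to the other campus' VA (the case the answer flags as breaking the two-site option). The script below is an added example, not part of this thread and not Cisco's or Umbrella's own tooling; the campus names, subnets, VA addresses and the one-line query log format are all constructed for illustration and would be replaced with the real DHCP scopes, VA addresses and VA/DNS query logs.

```python
import ipaddress

# Constructed campus layout (hypothetical subnets and VA addresses, not from the thread).
# Each campus lists its internal client subnets and the VAs deployed locally.
CAMPUSES = {
    "campus-a": {"subnets": ["10.10.0.0/16"], "vas": ["10.10.5.10", "10.10.5.11"]},
    "campus-b": {"subnets": ["10.20.0.0/16"], "vas": ["10.20.5.10", "10.20.5.11"]},
}

# Constructed query log lines: "<timestamp> client=<ip> va=<ip> qname=<name>".
# The third line is a campus-a client resolving through a campus-b VA.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z client=10.10.44.7 va=10.10.5.10 qname=intranet.corp.example",
    "2024-01-01T09:00:01Z client=10.20.3.9 va=10.20.5.11 qname=fileserver.corp.example",
    "2024-01-01T09:00:02Z client=10.10.44.8 va=10.20.5.10 qname=www.example.com",
]


def overlapping_subnets(campuses):
    """Conditional (a): subnet pairs from *different* campuses that overlap."""
    nets = [(name, ipaddress.ip_network(s))
            for name, c in campuses.items() for s in c["subnets"]]
    hits = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                hits.append((name_a, str(net_a), name_b, str(net_b)))
    return hits


def campus_of_client(ip, campuses):
    """Map a client address to the campus whose subnets contain it (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for name, c in campuses.items():
        if any(addr in ipaddress.ip_network(s) for s in c["subnets"]):
            return name
    return None


def campus_of_va(ip, campuses):
    """Map a VA address to the campus it is deployed in (None if unknown)."""
    for name, c in campuses.items():
        if ip in c["vas"]:
            return name
    return None


def parse_log_line(line):
    """Parse the constructed 'key=value' log format into (client, va, qname)."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return fields["client"], fields["va"], fields["qname"]


def cross_campus_queries(lines, campuses):
    """Conditional (c): queries whose client and VA sit in different campuses.

    Each hit is (client_ip, client_campus, va_ip, va_campus, qname). A non-empty
    result is the situation the answer describes as breaking the two-site option.
    """
    hits = []
    for line in lines:
        client, va, qname = parse_log_line(line)
        client_campus = campus_of_client(client, campuses)
        va_campus = campus_of_va(va, campuses)
        if client_campus and va_campus and client_campus != va_campus:
            hits.append((client, client_campus, va, va_campus, qname))
    return hits


if __name__ == "__main__":
    print("overlapping subnets:", overlapping_subnets(CAMPUSES))
    for hit in cross_campus_queries(SAMPLE_LOG, CAMPUSES):
        print("cross-campus query:", hit)
```

Run against real data, an empty result from both checks supports the two-site option; any cross-campus hits mean clients' DNS server assignment (DHCP scopes, static configs) should be corrected first, or the single-site option considered, before splitting the deployment.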
