Showing results for 
Search instead for 
Did you mean: 

Cisco Umbrella in Cisco Wireless Lan Controller




The concept of DNS Proxy ( similar to DHCP proxy )
has been given the term , as Cisco Umbrella , which has Cloud DNS servers. So, to the wireless clients, the WLC appears as the DNS server.

Unlike DHCP proxy, this concept of DNS proxy also refers to the 'P'rofiles and 'P'olicies .
'P'rofiles identify the wireless clients ( via their registered WLCs) . These profiles can be mapped to either WLAN, AP group or incorporated into local policy.
'P'olicies identify the rules which get applied to the wireless clients.

So, we can say the following:
- there is a one to one mapping between these profiles and policies.
- for each profile, there is a policy.
- we can tie/bind a profile to a policy.

Both, profiles and polices are configured in the WLC, which are referred to by the Cisco Umbrella DNS Servers.

Now, if we refer to a policy, then it can be represented by ;
- a locally configured policy in the WLC. // if we want to identify all the wireless clients , based on their role.
- an AP Group in the WLC // if we want to identify all the wireless clients who connect to all the APs of a given APGroup.
- a WLAN in the WLC. // if we want to identify all the wireless clients who connect to a given WLAN

Therefore, a given Umbrella Profile (configured in WLC) can be mapped to either WLAN, AP group or incorporated into local policy

The policy-priority-order (starting from highest) is: Local Policy > AP Group > WLAN.

To configure policy via :
- local local policy, please refer to
- APGroup or WLAN , please refer to

Traffic-flow in brief:
Before any web request, goes the DNS request for name resolution, so that ip can be retrieved , to which web request needs to be sent.
On behalf of the DNS server, the WLC intercepts DNS request from the client, and sends the DNS request to DNS Servers in the Cloud:, .
These DNS Servers in the Cloud:, (Cisco Umbrella Cloud DNS servers), do the following:
- resolve the DNS query
- enforce the preconfigured security filtering rules,
( first-off the identification is done , and then based on their identity, will be found , for them, some pre-configured filtering rules, they are enforced )

if identity is successful, is returned resolved ip address of the FQDN, which was asked to-be-resolved by the WLC.
else blocked page is sent to the WLC.

Whatever is received by the WLC, the WLC forwards it back to the wireless clients.

Significance of the Registration Process:
WLC is registered with Cisco Umbrella Cloud DNS servers, over a secure HTTPS tunnel . (This is one-time process; doesn't need to be done , everytime)
For the WLC's registration, we go to the Cisco Umbrella Cloud DNS servers's dashboard , and retrieve the API-Token, and paste it in the WLC.
[ Note : API-Token identifies the WLC to the Cloud, and which defines the behind-the-scenes communication flow between WLC and Cloud ]

Once, we get that API-Token, we apply that Token on the WLC, which ends up getting the WLC registered to the Cisco Umbrella Cloud DNS servers account.

Once the WLC gets registerted to Cisco Umbrella Cloud DNS serversy, we create Cisco Umbrella Cloud DNS servers Profile/s on WLC.
Once configured, these profiles automatically get pushed to the Cisco Umbrella Cloud DNS servers Cloud DNS servers, as Identitiers for the WLC.
Once these identifiers are received by the Cisco Umbrella Cloud DNS servers, then :
whenever these Cisco Umbrella Cloud servers get Wireless client's traffic flow, then based on identification of the WLCs, the pre-configured polices for those identitified WLCs, get enforced to that wireless client's traffic flow !


This is how it goes:
a - A wireless client sends a DNS request to WLC.
b - WLC snoops the DNS packet and tags it with an identifier/Cisco Umbrella Profile.
(As discussed already, an Umbrella-Profile is the identity of the packet which also resides on Cisco Umbrella)
c - This E-DNS packet is redirected to the Cisco Umbrella cloud server for name resolution
d - Cisco Umbrella DNS Server enforce a policy on those packets, depending on the identity , and apply category-based-filtering-rules, to ensure organization compliance .
e - As result of the name resolution to the FQDN, Wireless client either gets resovled IP address or a blocked page.


1. Create a user account at Cisco Umbrella Cloud.
2. Enable WLC to communicate with Cisco Umbrella Cloud DNS Servers.
(after these two steps, WLC registers to the cloud account over a secure HTTPS tunnel)
3. Configure profiles/identities on WLC.



CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards