The concept of DNS Proxy (similar to DHCP proxy)
------------------------------------------------
This concept goes by the name Cisco Umbrella, which provides cloud DNS servers. To the wireless clients, the WLC appears as the DNS server.
Unlike DHCP proxy, this concept of DNS proxy also involves 'P'rofiles and 'P'olicies. Profiles identify the wireless clients (via their registered WLCs). These profiles can be mapped to a WLAN, to an AP group, or incorporated into a local policy. Policies define the rules that get applied to the wireless clients.
So, we can say the following:
- there is a one-to-one mapping between these profiles and policies;
- for each profile, there is a policy;
- we can tie/bind a profile to a policy.
Both profiles and policies are configured on the WLC, and they are referred to by the Cisco Umbrella DNS servers.
Now, if we refer to a policy, it can be represented by:
- a locally configured policy on the WLC, if we want to identify all the wireless clients based on their role;
- an AP group on the WLC, if we want to identify all the wireless clients that connect to the APs of a given AP group;
- a WLAN on the WLC, if we want to identify all the wireless clients that connect to a given WLAN.
Therefore, a given Umbrella profile (configured on the WLC) can be mapped to a WLAN, to an AP group, or incorporated into a local policy.
The policy priority order (starting from the highest) is: Local Policy > AP Group > WLAN.
Traffic-flow in brief:
----------------------
Before any web request, a DNS request is sent for name resolution, so that the IP address to which the web request needs to be sent can be retrieved. On behalf of the DNS server, the WLC intercepts the DNS request from the client and sends it to the DNS servers in the cloud: 188.8.131.52, 184.108.40.206. These DNS servers in the cloud (220.127.116.11, 18.104.22.168, the Cisco Umbrella cloud DNS servers) do the following:
- resolve the DNS query;
- enforce the preconfigured security filtering rules (first the identification is done, then, based on that identity, the preconfigured filtering rules for that identity are looked up and enforced).
If the identity check succeeds, the resolved IP address of the FQDN that the WLC asked to be resolved is returned; otherwise, a blocked page is sent to the WLC.
Whatever the WLC receives, it forwards back to the wireless client.
Significance of the Registration Process:
-----------------------------------------
The WLC is registered with the Cisco Umbrella cloud DNS servers over a secure HTTPS tunnel. (This is a one-time process; it doesn't need to be repeated every time.) For the WLC's registration, we go to the Cisco Umbrella dashboard, retrieve the API token, and paste it into the WLC. [Note: the API token identifies the WLC to the cloud and defines the behind-the-scenes communication flow between the WLC and the cloud.]
Once we have that API token, we apply it on the WLC, which gets the WLC registered to the Cisco Umbrella account.
Once the WLC is registered to Cisco Umbrella, we create Cisco Umbrella profile(s) on the WLC. Once configured, these profiles are automatically pushed to the Cisco Umbrella cloud DNS servers as identifiers for the WLC. Once these identifiers are received by Cisco Umbrella, then whenever the Umbrella cloud servers receive a wireless client's traffic, the WLC is identified and the preconfigured policies for that identified WLC are enforced on that client's traffic!
This is how it goes:
--------------------
a - A wireless client sends a DNS request to the WLC.
b - The WLC snoops the DNS packet and tags it with an identifier (Cisco Umbrella profile). (As discussed already, an Umbrella profile is the identity of the packet, which also resides on Cisco Umbrella.)
c - This EDNS packet is redirected to the Cisco Umbrella cloud server for name resolution.
d - The Cisco Umbrella DNS server enforces a policy on those packets, depending on the identity, and applies category-based filtering rules to ensure organizational compliance.
e - As a result of the name resolution of the FQDN, the wireless client gets either the resolved IP address or a blocked page.
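To make steps b and d concrete, here is an added example (not Cisco's code and not from the original post) that builds a DNS query carrying an identifier in an EDNS(0) OPT record, the way the WLC tags a snooped query, and then extracts that identifier the way a resolver would before looking up the matching policy. The option code, the profile name and the transaction ID are constructed placeholders; the real Umbrella option code is not given on the page.

```python
import struct

# Placeholder EDNS(0) option code (local-use range); the real Umbrella code is not on the page.
PROFILE_OPTION_CODE = 65001
OPT_TYPE = 41  # EDNS(0) OPT pseudo-RR type, per RFC 6891

def encode_name(fqdn):
    """Encode an FQDN in DNS wire format (length-prefixed labels, root terminator)."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_tagged_query(fqdn, profile_id, txid=0x1234):
    """Build an A query for fqdn; when profile_id is not None, append an OPT RR
    carrying it as an EDNS option, mimicking the WLC tagging step (b)."""
    arcount = 0 if profile_id is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(fqdn) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    if profile_id is None:
        return header + question
    opt_data = struct.pack("!HH", PROFILE_OPTION_CODE, len(profile_id)) + profile_id
    # OPT RR: root name, TYPE 41, UDP payload size in the CLASS field, TTL 0, RDLENGTH
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt_data)) + opt_data
    return header + question + opt_rr

def decode_name(buf, off):
    """Decode an uncompressed wire-format name starting at off; return (name, new_off)."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels), off

def extract_profile_id(packet):
    """Resolver side of step (d): return (qname, profile_id), profile_id None if untagged."""
    _txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    off += 4  # skip QTYPE and QCLASS
    for _ in range(ar):
        _, off = decode_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10]); off += 10
        rdata = packet[off:off + rdlen]; off += rdlen
        if rtype != OPT_TYPE:
            continue
        p = 0
        while p + 4 <= len(rdata):  # walk the option list: code, length, data
            code, ln = struct.unpack("!HH", rdata[p:p + 4]); p += 4
            if code == PROFILE_OPTION_CODE:
                return qname, rdata[p:p + ln]
            p += ln
    return qname, None
```

An untagged query parses to a profile of None, which is the case a resolver must treat as "no identity, apply the default policy" rather than as an error.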
1. Create a user account at Cisco Umbrella Cloud.
2. Enable the WLC to communicate with the Cisco Umbrella cloud DNS servers. (After these two steps, the WLC registers to the cloud account over a secure HTTPS tunnel.)
3. Configure profiles/identities on the WLC.