Blocking or throttling iOS 8 updates (crosspost)

Today (9/17/14) brings iOS 8 which many of us saw cripple our networks during the rollout of iOS 7.

Since that time, there are new features that can help you handle this traffic.

With AOS 6.4+ and any 7 series controller with DPI enabled (under global firewall settings), you can block or throttle iOS update traffic at the global level or by user-role.

Here are some examples:

BLOCK - USER-ROLE

Create a new ACL (like below) and apply it to a user-role(s). Also, make sure DPI is enabled for the user-role.

[Image: ios-deny.PNG]

[Image: DENY-STUDENT.PNG]

BLOCK - GLOBALLY

Under Security > Firewall Policies, find the "global-sacl" ACL.

[Image: IOS-UPDATES-GLOBAL.PNG]

THROTTLE - USER-ROLE

(Make sure you have a bandwidth contract defined - Advanced Services > Stateful Firewall > Bandwidth Contracts. You can also create one from the drop down.)

[Image: STUDENT-THROTTLE.png]

[Image: role-contracts.PNG]

THROTTLE - GLOBALLY

This must be done at the CLI level:

(config) # dpi global-bandwidth-contract app ios-ota-update downstream mbits 1
(config) # dpi global-bandwidth-contract app ios-ota-update upstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update downstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update upstream mbits 1

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Re: Blocking or throttling iOS 8 updates (crosspost)

Very nice Tim.

Cheers
James

@whereisjrw
ACCX #540 | ACMX #353 | ACDX #216
Mobility First Expert #11

Re: Blocking or throttling iOS 8 updates (crosspost)

Very nice

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
Re: Blocking or throttling iOS 8 updates (crosspost)

What if we are not on version 6.4?

Re: Blocking or throttling iOS 8 updates (crosspost)

Do you have a DPI firewall on your internet connection? We are blocking it there (well, throttling)...

Re: Blocking or throttling iOS 8 updates (crosspost)
You need AOS 6.4 and 7 series controllers.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Re: Blocking or throttling iOS 8 updates (crosspost)

Hey Tim,

It's a moot point as soon as I move over to the new controllers we just picked up, but any clue if this feature does in fact work on 3600 model controllers? I saw support listed for it on Aruba's website, and went in at the GUI level and added all the bandwidth contracts there on a per-role basis. The only feature that didn't seem to work was enabling DPI at the controller level.

I didn't have time to see if the packet shaping took effect or not, but our WAN didn't max out, which was all we were concerned about.

-Patrick

Re: Blocking or throttling iOS 8 updates (crosspost)
You can configure it on legacy controllers but it will not actually enforce it unless the traffic is terminating on a 7 series controller.

This allows you to use a legacy 3 series controller as a master with 7 series locals.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480