Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Blocking or Throttling iOS 8 updates

Today (9/17/14) brings iOS 8, which many of us saw cripple our networks during the rollout of iOS 7.

Since that time, there are new features that can help you handle this traffic.

With AOS 6.4+ and any 7 series controller with DPI enabled (under global firewall settings), you can block or throttle iOS update traffic at the global level or by user-role.

Here are some examples:

BLOCK - USER-ROLE

Create a new ACL (like below) and apply it to a user-role(s). Also, make sure DPI is enabled for the user-role.

[Image: ios-deny.PNG]

[Image: DENY-STUDENT.PNG]

BLOCK - GLOBALLY

Under Security > Firewall Policies, find the "global-sacl" ACL.

[Image: IOS-UPDATES-GLOBAL.PNG]

THROTTLE - USER-ROLE

(Make sure you have a bandwidth contract defined - Advanced Services > Stateful Firewall > Bandwidth Contracts. You can also create one from the drop down.)

[Image: STUDENT-THROTTLE.png]

[Image: role-contracts.PNG]

THROTTLE - GLOBALLY

This must be done at the CLI level:

(config) # dpi global-bandwidth-contract app ios-ota-update downstream mbits 1
(config) # dpi global-bandwidth-contract app ios-ota-update upstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update downstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update upstream mbits 1

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎08-25-2009

Re: Blocking or Throttling iOS 8 updates

Is there any chance we have similar capabilities or options in 6.3 without a 7 series controller?

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Blocking or Throttling iOS 8 updates

No, there is not. The legacy hardware does not support deep packet inspection.

Normally you could go in and block certain DNS names and IP ranges but there are so many CDNs in use that this is not feasible.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Chief Airhead
Posts: 1,122
Registered: ‎07-13-2010

Re: Blocking or Throttling iOS 8 updates

What if we prioritized instead of throttled this traffic? Get it off the network as soon as possible.
Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Blocking or Throttling iOS 8 updates

I don't think many organizations have the internet pipe to be able to make non-business traffic a priority.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Chief Airhead
Posts: 1,122
Registered: ‎07-13-2010

Re: Blocking or Throttling iOS 8 updates

Gotcha. Solving the WAN bottleneck.
Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Blocking or Throttling iOS 8 updates

Right. Some organizations don't have any device near the internet border that can throttle or block with this granularity.

Also, I've always had the mindset of blocking the traffic closest to the source. Why let it go all the way through your core network just to be blocked or choked at the internet edge?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480