09-16-2014 06:39 PM - edited 09-17-2014 07:18 AM
Today (9/17/14) brings iOS 8, which many of us saw cripple our networks during the rollout of iOS 7.
Since that time, there are new features that can help you handle this traffic.
With AOS 6.4+ and any 7 series controller with DPI enabled (under global firewall settings), you can block or throttle iOS update traffic at the global level or by user-role.
Here are some examples:
BLOCK - USER-ROLE
Create a new ACL (like below) and apply it to a user-role(s). Also, make sure DPI is enabled for the user-role.
BLOCK - GLOBALLY
Under Security > Firewall Policies, find the "global-sacl" ACL.
THROTTLE - USER-ROLE
(Make sure you have a bandwidth contract defined - Advanced Services > Stateful Firewall > Bandwidth Contracts. You can also create one from the drop-down.)
THROTTLE - GLOBALLY
This must be done at the CLI level:
(config) # dpi global-bandwidth-contract app ios-ota-update downstream mbits 1
(config) # dpi global-bandwidth-contract app ios-ota-update upstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update downstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update upstream mbits 1
09-17-2014 09:18 AM
09-22-2014 09:51 AM
Aruba, a Hewlett Packard Enterprise Company
09-22-2014 09:52 AM
09-22-2014 10:11 AM
Right. Some organizations don't have any device near the internet border that can throttle or block with this granularity.
Also, I've always had the mindset of blocking the traffic closest to the source. Why let it go all the way through your core network just to be blocked or choked at the internet edge?