Higher Education

last person joined: 7 days ago 

Got questions on how to enable mobility in education? Submit them here!
Back to discussions
Expand all | Collapse all

Blocking or throttling iOS 8 updates (crosspost)

This thread has been viewed 0 times

  • 1.  Blocking or throttling iOS 8 updates (crosspost)

    EMPLOYEE
    Posted Sep 17, 2014 09:43 AM

    Today (9/17/14) brings iOS 8 which many of us saw cripple our networks during the rollout of iOS 7.

     

    Since that time, there are new features that can help you handle this traffic.

     

    With AOS 6.4+ and any 7 series controller with DPI enabled (under global firewall settings), you can block or throttle iOS update traffic at the global level or by user-role.

     

    Here are some examples:

     

    BLOCK - USER-ROLE

     

    Create a new ACL (like below) and apply it to a user-role(s). Also, make sure DPI is enabled for the user-role.

     

    ios-deny.PNG

     

    DENY-STUDENT.PNG

     

     

     

    BLOCK - GLOBALLY

     

    Under Security > Firewall Policies, find the "global-sacl" ACL.

     

     

    IOS-UPDATES-GLOBAL.PNG

     

     

    THROTTLE - USER-ROLE

    (Make sure you have a bandwidth contract defined - Advanced Services > Stateful Firewall > Bandwidth Contracts. You can also create one from the drop down.)

     

    STUDENT-THROTTLE.png

     

    role-contracts.PNG

     

     

    THROTTLE - GLOBALLY

     

    This must be done at the CLI level

     

    (config) # dpi global-bandwidth-contract app ios-ota-update downstream mbits 1
(config) # dpi global-bandwidth-contract app ios-ota-update upstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update downstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update upstream mbits 1

     



  • 2.  RE: Blocking or throttling iOS 8 updates (crosspost)

    Posted Sep 17, 2014 10:49 AM

    Very nice Tim. 

     

     



  • 3.  RE: Blocking or throttling iOS 8 updates (crosspost)

    Posted Sep 17, 2014 11:00 AM

    Very nice

     



  • 4.  RE: Blocking or throttling iOS 8 updates (crosspost)

    Posted Sep 17, 2014 11:35 AM

    What if we are not on version 6.4?

     

     



  • 5.  RE: Blocking or throttling iOS 8 updates (crosspost)

    Posted Sep 17, 2014 11:36 AM

    Do you have a DPI firewall on your internet connection?  We are blocking it there (well throttling)...



  • 6.  RE: Blocking or throttling iOS 8 updates (crosspost)

    EMPLOYEE
    Posted Sep 17, 2014 11:38 AM
    You need AOS 6.4 and 7 series controllers.


  • 7.  RE: Blocking or throttling iOS 8 updates (crosspost)

    Posted Sep 17, 2014 05:06 PM

    Hey Tim,

     

    It's a moot point as soon as I move over to the new controllers we just picked up, but any clue if this feature does in fact work on 3600 model controllers?  I saw support listed for it on Aruba's website, and went in at the GUI level and added all the bandwidth contracts there on a per role basis.  The only feature that didn't seem to work was enabling DPI at the controller level.  

     

    I didn't have time to see if the packetshaping took effect or not, but our WAN didn't max out, which was all we were concerned about.  

     

    -Patrick



  • 8.  RE: Blocking or throttling iOS 8 updates (crosspost)

    EMPLOYEE
    Posted Sep 17, 2014 05:08 PM
    You can configure it on legacy controllers but it will not actually enforce it unless the traffic is terminating on a 7 series controller.

    This allows you to use a legacy 3 series controller as a master with 7 series locals.