
Cisco Secure Firewall 3105 with FMC - QoS schedule

Tibor M
Level 1

Hi,

On ASA it was possible to create a service policy rule for an interface and apply QoS shaping for download/upload based on a time-of-day schedule. We are using it to limit upload speed for exact subnets so as not to deplete the whole capacity of the line to the WAN (i.e. upload max 50mbps during 8:00 - 22:00, but during 22:00 - 8:00 it could be 200mbps).

I'm looking for a way to do this on an FTD3105 managed by FMC and cannot find anything. It is possible to configure QoS, but it looks like a static setting without any schedule, which is kind of a problem, as it's mandatory for us in order to have a successful migration from ASA to FTD.


To configure QoS on a schedule you will most likely need to do this through Flexconfig.

--
Please remember to select a correct answer and rate helpful posts

But I do not know how. Of course, how to manipulate QoS and schedules in FlexConfig is something that is not officially described.

What you need to do is just add the ASA configuration into the FlexConfig policy and apply it to the FTD.
I can get you a sample config a bit later, if needed, as I am not in front of my PC right now.

--
Please remember to select a correct answer and rate helpful posts

ASA code I have

i.e.

time-range perflab_upload_limit_night_and_weekend
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 6:00
!
time-range perflab_upload_limit_workday
 periodic weekdays 6:00 to 23:59
!
access-list inside_mpc_1 extended permit ip object subnet-10-16-0-0__16-Perflab any4 time-range perflab_upload_limit_night_and_weekend
access-list inside_mpc_2 extended permit ip object subnet-10-16-0-0__16-Perflab any4 time-range perflab_upload_limit_workday
!
class-map inside-class-qos-perflab-limit
  match access-list inside_mpc_2
!
class-map inside-class-qos-perflab-nolimit
  match access-list inside_mpc_1
!
policy-map inside-policy
 class inside-class-qos-perflab-limit
  set connection decrement-ttl
  police input 50000000 1562500
 class inside-class-qos-perflab-nolimit
  police input 200000000 6250000
  set connection decrement-ttl
 class inside-class1
  set connection timeout half-closed 0:05:00 idle 0:30:00
  set connection decrement-ttl
  user-statistics accounting
 class inside-class
  inspect dns
  inspect icmp
  inspect icmp error
  inspect ip-options
  inspect ipsec-pass-thru
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy inside-policy interface inside

But can I modify QoS with Flex so simply, just by replacing the interface name? I'm curious why such a new device as Firepower does not know a stupidly easy thing like time-range ACLs, which have been easily available on old IOS devices for ages. I know time ranges are now available as part of the Access List Policy, but QoS is detached from it and can only be set as static. It looks like Cisco engineers think that QoS cannot change over time.
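Before the time ranges above are carried over into a FlexConfig object, it helps to confirm that the two schedules cover the whole week without gaps and to see where both match at once. The following Python check is an added example, not part of the original posts or of any Cisco tooling; it handles only same-day `periodic` lines and assumes the end minute is inclusive, which should be verified on the target platform.

```python
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"weekdays": DAYS[:5], "weekend": DAYS[5:], "daily": DAYS}

# Time-range definitions copied from the ASA configuration in the post above.
CONFIG = """\
time-range perflab_upload_limit_night_and_weekend
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 6:00
!
time-range perflab_upload_limit_workday
 periodic weekdays 6:00 to 23:59
"""

PERIODIC = re.compile(r"periodic\s+(.+?)\s+(\d{1,2}):(\d{2})\s+to\s+(\d{1,2}):(\d{2})$")

def parse_time_ranges(text):
    """Return {name: set of active minutes-of-week} for same-day periodic lines."""
    ranges, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("time-range "):
            current = ranges.setdefault(line.split()[1], set())
        elif current is not None and (m := PERIODIC.match(line)):
            days = []
            for tok in m.group(1).lower().split():
                days += GROUPS.get(tok, [tok])
            start = int(m.group(2)) * 60 + int(m.group(3))
            end = int(m.group(4)) * 60 + int(m.group(5))
            for day in days:
                base = DAYS.index(day) * 1440
                # Assumption: the end minute is inclusive (active through hh:mm:59).
                current.update(range(base + start, base + end + 1))
    return ranges

def coverage(ranges):
    """Return (gaps, overlaps): minutes of the week matched by no range / by several."""
    counts = [sum(m in s for s in ranges.values()) for m in range(7 * 1440)]
    gaps = [m for m, c in enumerate(counts) if c == 0]
    overlaps = [m for m, c in enumerate(counts) if c > 1]
    return gaps, overlaps

def label(minute):
    return f"{DAYS[minute // 1440]} {minute % 1440 // 60:02d}:{minute % 60:02d}"

if __name__ == "__main__":
    gaps, overlaps = coverage(parse_time_ranges(CONFIG))
    print("gaps:", [label(m) for m in gaps], "overlaps:", [label(m) for m in overlaps])
```

Under the inclusive-end assumption the posted ranges leave no gap and overlap only at 06:00 on weekdays, where both ACLs match and the order of the classes in the policy-map decides which police rate applies.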
