Classification and Marking

The difference between classification and marking is action. Classification tools categorize packets while marking changes packet headers. These tools lay the foundation upon which the rest of QoS is built.

Classification — Performing classification as close to the source as possible is the most efficient use of network resources.

Marking — Marking is performed after classification; how a packet is marked depends upon the layer.

Layer 2 Marking:

  • CoS — Used on ISL or 802.1Q header
  • EXP — MPLS header
  • DE — Frame relay header
  • CLP — ATM cell header

Layer 3 Marking:

  • IP Precedence — RFC 791, first 3 bits of the ToS byte.
  • DSCP IP Header — RFC 2474 and 2475, first 6 bits of the ToS byte.

Layer 2 Class of Service (CoS):

Ethernet frame 802.1Q/P uses the 3 bits from the PRI field, which make up 8 possible values.

CoS   Name                   Application
000   Routine                Best-Effort Data
001   Priority               Medium Priority Data
010   Immediate              High Priority Data
011   Flash                  Call Signaling
100   Flash Override         Video Conferencing
101   Critic/ECP/Critical    Voice Bearer
110   Internetwork Control   Internetwork Control
111   Network Control        Network Control

Frame relay uses the discard eligible (DE) bit to tell a router whether the frame can be dropped: 1 == discard eligible, 0 == should not be dropped.

ATM cells have the cell loss priority (CLP) field: 1 == discard eligible, 0 == should not be discarded.

Layer 2 1/2:
MPLS packets have the EXP field within the MPLS header, which is compatible with the 3-bit PRI/CoS field of the 802.1Q header. The CoS field can be copied into the MPLS EXP field, or a service provider can designate their own EXP value, leaving the customer's marking intact in the IP header field.

Layer 3:
RFC 791 called the 3 most significant bits of the ToS byte the IP Precedence bits. IP Precedence was the predecessor to the Differentiated Services Code Point (DSCP), which uses the 6 most significant bits of the ToS byte to classify traffic. The remaining two bits of the ToS byte are for Explicit Congestion Notification (ECN).

DSCP is backward compatible with IP Precedence but has more options for classification.

Because DiffServ does not signal along the path like IntServ, each hop applies its own behavior based upon the DSCP. These behaviors are called Per-Hop Behaviors (PHBs).

DSCP defines four PHBs:

  • Class selector PHB — The 3 least significant DSCP bits set to 000, provides backward compatibility with ToS based IP Precedence.
  • Default PHB — The 3 most significant bits set to 000, this is best effort or when a packet has not been marked.
  • Assured Forwarding (AF) PHB — Defines four queues with reserved bandwidth for each queue. When congestion occurs for a queue, packets are dropped based on their drop precedence to avoid tail drop. Lower AF drop precedence provides better QoS within each AF class.

              Low Drop Probability    Medium Drop Probability   High Drop Probability
              within Class            within Class              within Class
              Name/Decimal/Binary     Name/Decimal/Binary       Name/Decimal/Binary
    Class 1   AF11 / 10 / 001010      AF12 / 12 / 001100        AF13 / 14 / 001110
    Class 2   AF21 / 18 / 010010      AF22 / 20 / 010100        AF23 / 22 / 010110
    Class 3   AF31 / 26 / 011010      AF32 / 28 / 011100        AF33 / 30 / 011110
    Class 4   AF41 / 34 / 100010      AF42 / 36 / 100100        AF43 / 38 / 100110

  • Expedited Forwarding (EF) PHB — Provides low delay service to packets with the DSCP field set to 101110 or a decimal value of 46.

QoS Service Class

  1. Identify network traffic and its requirements.
  2. Divide traffic into classes.
  3. Define QoS policies for each class.

Cisco recommended mappings between CoS, DSCP and IP precedence markings:

AutoQoS Class               Layer 2 CoS or   DSCP Value   DSCP Value   Code Name
                            IP Precedence    in Decimal   in Binary
Best Effort                 0                0            000000       BE (Best Effort)
Scavenger                   1                8            001000       CS1 (Class Selector 1)
Bulk Data                   1                10           001010       AF11
Network Management          2                16           010000       CS2 (Class Selector 2)
Telephony Signaling         3                26           011010       AF31
Local Mission Critical      3                28           011100       AF32
Streaming Media Traffic     4                32           100000       CS4 (Class Selector 4)
Interactive Video Traffic   4                34           100010       AF41
Interactive Voice Traffic   5                46           101110       EF

Trust Boundaries — The trust boundary is the perimeter where you classify data; QoS markings are not reclassified after that point. The trust boundary should be as close to the source as possible, taking into account the ability of the device.
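An added example, not code from the original post: a Python decoder for the ToS byte layout and PHB codepoints described in the Layer 3 section, followed by a trust-boundary re-marking step. The function names, and the policy of resetting DSCP to 0 on untrusted ports while keeping the ECN bits, are assumptions made for the illustration.

```python
def decode_tos(tos):
    """Split a ToS byte into IP Precedence, DSCP, ECN and the PHB name."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    precedence = tos >> 5          # 3 most significant bits (RFC 791)
    dscp = tos >> 2                # 6 most significant bits (RFC 2474)
    ecn = tos & 0b11               # 2 least significant bits
    cls, low3 = dscp >> 3, dscp & 0b111
    if dscp == 0:
        phb = "BE"                 # default PHB, unmarked traffic
    elif dscp == 46:
        phb = "EF"                 # 101110
    elif low3 == 0:
        phb = f"CS{cls}"           # class selector: low 3 bits are 000
    elif 1 <= cls <= 4 and low3 in (2, 4, 6):
        phb = f"AF{cls}{low3 >> 1}"  # AF class + drop precedence 1..3
    else:
        phb = "unknown"
    return {"precedence": precedence, "dscp": dscp, "ecn": ecn, "phb": phb}


def enforce_trust_boundary(tos, trusted, default_dscp=0):
    """Return the ToS byte to forward from an edge port.

    Assumed policy: markings from trusted ports pass unchanged; on untrusted
    ports the DSCP is overwritten so a host cannot mark itself into a
    priority queue. The ECN bits are preserved in both cases.
    """
    if trusted:
        return tos
    return (default_dscp << 2) | (tos & 0b11)


if __name__ == "__main__":
    # Constructed sample ToS bytes: EF, AF11, CS1, AF32, unmarked.
    for tos in (0xB8, 0x28, 0x20, 0x70, 0x00):
        print(f"{tos:#04x} {tos:08b}", decode_tos(tos))
    # A host on an untrusted port sends EF with ECN set; DSCP is reset.
    print(decode_tos(enforce_trust_boundary(0xB9, trusted=False)))
```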

Network Based Application Recognition (NBAR):
NBAR has some built-in traffic recognition and can expand the number of protocols it recognizes by using Packet Description Language Modules (PDLMs) published by Cisco.
NBAR can be used for:

  • Protocol discovery — Used to learn and report on the types of traffic passing through an interface. NBAR uses subport classification: it looks into the payload of the packet and classifies based on content.
  • Traffic classification — NBAR can use deep packet inspection to classify traffic based on URL, MIME type or hostname.
  • Traffic statistics collection — NBAR reports traffic statistics by protocol as shown below:
    circus-rtr#sh ip nbar protocol-discovery 
                                Input                    Output
                                -----                    ------
       Protocol                 Packet Count             Packet Count
                                Byte Count               Byte Count
                                5min Bit Rate (bps)      5min Bit Rate (bps)
                                5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
       ------------------------ ------------------------ ------------------------------
       secure-http              45804031                 51160464
                                14439692115              45672201126
                                2000                     1000
                                5249000                  2207000
       http                     426396714                578778999
                                54201282821              812650380836
                                2000                     372000
                                4309000                  3087000
       ftp                      689880                   771488
                                467904677                812190544
                                0                        0
                                802000                   1798000
       ssh                      71666                    95757
                                11923882                 103359890
                                0                        0
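An added example, not part of the original post: a Python parser that turns the protocol-discovery table above into per-protocol counters for baselining, and reports protocols whose block is cut short, as the ssh block is in the capture above. The function and field names are assumptions; the sample text is copied from that output.

```python
import re

FIELDS = ("packets", "bytes", "bps_5min", "bps_5min_max")

# Sample copied from the output above; the ssh block is truncated there too.
SAMPLE = """\
circus-rtr#sh ip nbar protocol-discovery
   Protocol                 Packet Count             Packet Count
   ------------------------ ------------------------ ------------------------
   secure-http              45804031                 51160464
                            14439692115              45672201126
                            2000                     1000
                            5249000                  2207000
   ftp                      689880                   771488
                            467904677                812190544
                            0                        0
                            802000                   1798000
   ssh                      71666                    95757
                            11923882                 103359890
                            0                        0
"""


def parse_protocol_discovery(text):
    """Return {protocol: {field: (input, output)}} from the CLI table."""
    stats, current, row = {}, None, 0
    for line in text.splitlines():
        named = re.match(r"\s*([A-Za-z][\w-]*)\s+(\d+)\s+(\d+)\s*$", line)
        cont = re.match(r"\s*(\d+)\s+(\d+)\s*$", line)
        if named:                       # first row of a protocol block
            current, row = named.group(1), 0
            stats[current] = {}
            values = named.group(2, 3)
        elif cont and current is not None and row < len(FIELDS):
            values = cont.group(1, 2)   # continuation row of the same block
        else:
            continue                    # prompt, header and separator lines
        stats[current][FIELDS[row]] = (int(values[0]), int(values[1]))
        row += 1
    return stats


def incomplete(stats):
    """Protocols whose block has fewer than four rows (truncated capture)."""
    return [p for p, s in stats.items() if len(s) < len(FIELDS)]


if __name__ == "__main__":
    parsed = parse_protocol_discovery(SAMPLE)
    print(parsed["secure-http"], incomplete(parsed))
```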

NBAR Limitations:

  • Cannot function on Fast Etherchannel logical interface.
  • Can only handle 24 concurrent URLs, hosts or MIME types.
  • Only analyzes the first 400 bytes of a packet.
  • Only supports CEF.

Commands to implement NBAR:

! Turn on CEF
ip cef
! Load the bittorrent.pdlm from flash:
ip nbar pdlm flash:bittorrent.pdlm
! Match any protocol listed below.
class-map match-any cmap-nbar-drop
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol http url "*cmd.exe*"
 match protocol novadigm
 match protocol bittorrent
! Make a policy map.
policy-map pmap-nbar-drop
 class cmap-nbar-drop
! Drop traffic that matches the class.
  drop
! Apply it to an interface.
interface GigabitEthernet0/1/0
 description LAN Subnet
 ip address
! This command may not be necessary but for ONT testing purposes use it.
 ip nbar protocol-discovery
! Apply the policy map to incoming traffic.
 service-policy input pmap-nbar-drop