Classification and Marking Part 2

  • IP Precedence – Old Way
  • Diffserv Codepoint/DSCP – New Way

Where Should I Mark?

Mark the traffic as close to the source as you possibly can. Cisco refer to as the ‘trust boundary’. Marking will be trusted via the entire network.

Types of Marking

Layer 2

  • Typically stripped at router hops
  • Examples:
  • CoS – 8 Bits
  • Frame Relay DE Bit
  • ATM CLP Bit
  • MPLS EXP Bits

Layer 3

  • Passed through routers
  • Examples:
  • IP Precedence
  • DSCP
  • True end to end QoS

How To Mark

(At Trust Boundary of 1st Router)

1. Create a class map IP_PHONE_AUDIO to match protocol RTP. (Class)

2. Create a policy map called MARK_VOICE, class IP_PHONE_AUDIO, set ip precedence (0-7 value) (5 = critical for voice)

show policy-map to verify

3. Apply policy map to interface (incoming interface from source)

service-policy input MARK_VOICE

This is a complete marking configuration to mark voice as critical.

Marking Values – CoS and IP Precedence

7-Reserved (Routing Protocols, Management Traffic etc… Important for network to be working that voice traffic!)


5-Voice Bearer – (1st value we can use)


3-Call Signalling (RTCP – Call Stats, SIP, SCCP etc…)

2-High Priority Data – Citrix, SNA

1-Medium Priority Data – SQL

0-Best Effort – P2P/HTTP


Now is a packet marked? Details…

IP Precedence – Layer 3 = ToS

CoS – Layer 2 (3 bits only 0-7)

ToS = 1 Byte/8 Bits

IP Precedence marks using 0-7 and only uses 1st 3 bits of packet (4, 2, 1)

DSCP uses all 8 bits, still backwards compatible with IP Precedence.

8 Bits into 3 groups: (Left to right)

  • 3 bits – Major Group
  • 3 bits – Minor Group
  • 2 bits – ECN – Explicit Congestion Notification

set dscp ? (0-63 values)

As only 6 bits are used, we are never going to total more than 64 in binary.

128 64 32 16 8 4 2 1 BOLD = 64

Major Class

0-7 (3 bits) (Allows backward compatibility with IP Precedence)

Minor Class/Drop Preference

DSCP Classes


  • Default = 0
  • AF1 (Assured Forwarding) – IP Precedence 1 – AF11, AF12 and AF13
  • AF2 – IP Precedence 2 – AF21, AF22, and AF23
  • AF3 – IP Precedence 3 – AF31, AF32 and AF33
  • AF4 – IP Precedence 4 – AF41, AF42 and AF43
  • EF (Expedited Forwarding/Ultimate QoS) – IP Precedence 5 (No drop pref)
  • Major Class = Left Hand Number
  • Minor Class = Right Hand Number
  • 2 sets of 3 bits each!

CS Classes

Use DSCP and same flexibility as IP Precedence. No drop classes with other 3 bits.

QoS 642-642 Video Training: Classification and Marking Part 1

QoS 642-642 Video Training: Classification and Marking Part 1

Classification – Inspecting one or more aspects of a packet, to see what that packet is carrying. Example of port number or source IP address. Or possible application details via NBAR.

Marking – Writing information to a packet to identify the classification decision. “Colouring the packet”

Inside a Packet

  • Layer 2 – CoS, ATM, CLP, MPLS, EXP, Frame Relay DE
  • Layer 3 – Source IP/Destination IP – ToS
  • Layer 4 – Source Port/Dest Port
  • Layer 5-7 – NBAR PDLM

NBAR can read into data and recognise the data itself, such as RTP for voice payload.

TRUST Boundary = 1st begin to trust and mark packets.

Cisco general rule of thumb – Mark packets as close to the source as possible.

Cisco IP Phone can mark packet itself, therefore trust boundary is as phone itself.

Once packet is identified as RTP, the packet can then be marked accordingly.

Marking at Layer 3 = ToS

Classification Options

Most common matching options:

  • access-group (Access List name or number)
  • any
  • CoS (Layer 2 Marking – Router can match CoS and then replace with ToS at Layer 3)
  • class-map – Match a class-map based on another class-map!
  • destination-address – MAC Address destination not IP
  • source-address – MAC Address source not IP
  • fr-de – Frame Relay Discard Eligible – ISP can drop packets with this marking.
  • ip – dscp, precedence, RTP. Layer 3 values
  • packet – Layer 3 Packet Length
  • protocol – NBAR/Application Data
  • Specific list of application for Deep Packet Inspection. For example BGP identified by the TCP port.
  • match protocol http >? deep commands to match HTML, hostname, MIME types etc… **JEREMY WOW**
  • Copy file to flash via TFTP and import via ‘ip nbar pdlm PATH TO FILE’
  • NBAR also has packet sniffing capabilities. You can enable NBAR in a passive state so it is just watching packets.
  • Jeremy uses an alias command called ‘traffic’:
  • interface serial 0
  • ip nbar protocol-discovery
  • show ip nbar protocol-discovery bit-rate top-n 5
  • show ip nbar unclassified-port-stats – Applications that NBAR doesn’t have definitions for