What Is QoS Classification and Marking in Networking?

Also known as: QoS Classification and Marking, DSCP, CoS, CCNP ENCOR, Cisco QoS

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security
Quick Definition

QoS Classification and Marking is a way for network devices to look at data packets and decide which ones are more important. The device puts a special tag on important packets, like a sticker, so other devices in the network can treat them with higher priority. This helps make sure time-sensitive traffic, like video calls or voice messages, does not get delayed by less important traffic, like file downloads.

Must Know for Exams

QoS Classification and Marking is a fundamental topic in the Cisco CCNP ENCOR (350-401) exam, as well as in other Cisco professional certifications like CCNA and CCIE. The ENCOR exam blueprint explicitly includes QoS concepts under the “Infrastructure” section, with subtopics covering classification, marking, queuing, and congestion management. Candidates are expected to understand how to configure classification using class maps and how to apply marking using policy maps with the MQC framework.

Exam questions often ask about the difference between classification and marking, or they present a scenario where traffic needs to be prioritized and the candidate must choose the correct DSCP or CoS value. For example, a question might ask which DSCP value is recommended for voice traffic. The correct answer is EF (Expedited Forwarding, value 46).

Another question might ask for the standard DSCP value for video conferencing, which is AF41 (Assured Forwarding class 4, low drop probability). The exam also tests the trust boundary concept. A typical question describes a switch connected to an IP phone and a PC, and the candidate must decide where marking should be performed and whether to trust the markings from the PC or only from the IP phone.

Understanding that marking should be done as close to the source as possible and that untrusted devices should have their markings overwritten is a key exam objective. Additionally, the ENCOR exam may include questions that require comparing DSCP and CoS or understanding how they map to each other on a trunk link carrying voice and data VLANs. Scenario-based questions might show a network diagram with a router connected to the internet via a WAN link, and the candidate must propose a marking policy for VoIP, video, and data traffic, explaining why each marking is chosen.

In some questions, the exam tests the ability to interpret the output of “show policy-map interface” or “show class-map” commands to verify classification matches. There may also be troubleshooting questions where a voice application is performing poorly, and the candidate must identify that classification is not matching the traffic or that marking is not being applied at the ingress. The ENCOR exam is not the only one covering this.

The CCNA exam includes basic QoS concepts, including classification and marking, at a less detailed level. For CCIE candidates, classification and marking are assumed knowledge and are tested in deeper scenarios involving complex MQC policies, hierarchical QoS, and integration with MPLS EXP bits. Candidates who master classification and marking will find it easier to understand subsequent QoS topics like policing, shaping, and queuing.

Since these topics are interconnected, exam questions often require an integrated understanding. For instance, a question might ask how to configure a policy that classifies traffic, marks it, and then applies a queue. Being able to describe the end-to-end flow from classification through marking to queuing is a typical exam expectation.

In summary, classification and marking are not just theoretical concepts; they are directly tested in configuration, verification, and troubleshooting scenarios in the ENCOR exam and beyond.

Simple Meaning

Imagine you are at a busy post office. Every piece of mail is a data packet traveling across the internet. Some mail is urgent, like a passport renewal application, while other mail is just a magazine subscription.

Without any system, all mail gets processed in the order it arrives. That means your urgent passport application might wait behind a stack of catalogs. QoS Classification and Marking is like the post office sorting system.

It looks at each piece of mail and decides what it is. An envelope with a government stamp is classified as important. Then the postal worker marks it with a red “express” sticker.

From that moment on, every sorting machine and delivery truck sees that red sticker and moves that envelope to the front of the line. In networking, classification happens when a router or switch inspects the packet. It looks at information inside the packet, such as the type of application, the source and destination addresses, or the port numbers.

For example, a packet from a voice call application might be recognized as real-time traffic. Marking is when the device changes a field in the packet header to indicate this priority. The most common field used for marking is the Differentiated Services Code Point (DSCP) or the Class of Service (CoS) field.

Once a packet is marked, every other device along the path can quickly see the tag and apply the correct treatment, like putting the packet in a fast lane or giving it extra bandwidth. This whole process is essential because not all data on a network is equally important. A one-second delay in a video stream can ruin a live presentation, while a one-second delay in an email is barely noticeable.

By classifying and marking traffic, network engineers ensure that critical applications perform well even when the network is busy. Think of it as a VIP pass for data packets. Without classification and marking, all packets are treated the same, and important traffic can get stuck behind bulk downloads or background updates.

This is the foundational step for all Quality of Service (QoS) mechanisms in modern networks.

Full Technical Definition

QoS Classification and Marking is the first step in implementing Quality of Service in a network. Classification is the process of identifying and categorizing network traffic based on specific criteria. These criteria can include Layer 2 information such as source or destination MAC addresses, or Layer 3 information like IP source and destination addresses, protocol type, or port numbers, or even deeper inspection of application signatures.

Marking, also known as coloring or tagging, is the act of setting a specific value in the packet header to preserve the classification decision across the network. The two primary marking fields are the DSCP field in the IP header, which is a 6-bit value providing up to 64 traffic classes, and the 802.1p priority field within the 802.1Q VLAN tag, which is a 3-bit CoS value providing 8 classes.

For IPv4, the DSCP field occupies the first six bits of the original ToS byte, and for IPv6, it occupies the Traffic Class byte. In Cisco IOS and IOS-XE, classification is typically configured using class maps in the Modular QoS CLI (MQC) framework.

A class map defines the match criteria, such as matching an access control list (ACL) or a specific DSCP value or an NBAR protocol signature. After traffic is classified into a class, a policy map is created to apply actions, including marking. The set command inside a policy map changes the DSCP, IP precedence, or CoS value.

For example, “set ip dscp ef” marks traffic as Expedited Forwarding, typically used for voice. Marking should be performed as close to the source as possible, ideally on the ingress interface of the first Layer 3 device. This point is called the trust boundary.

Devices further downstream can then base their queuing, policing, and shaping decisions on these markings. Common DSCP values include EF for voice, AF41 for video, AF31 for mission-critical data, and DF (Best Effort) for default traffic. Marking can also be done at Layer 2 using CoS, which maps to DSCP values through a mapping table.

In enterprise networks, classification and marking policies are enforced on switches and routers, often using Cisco AutoQoS for simpler deployments or custom MQC configurations. The IEEE 802.1Q standard for VLAN tagging includes the Priority Code Point field for CoS marking, which is used in trunk links.

MPLS networks also use the Experimental (EXP) bits for QoS marking, which are analogous to the IP DSCP bits. Understanding classification and marking is critical because they form the foundation of any QoS strategy. Without accurate classification and consistent marking, downstream mechanisms like weighted fair queuing and policing cannot function correctly.

In the Cisco CCNP ENCOR exam, candidates must understand the difference between classification and marking, common DSCP and CoS values, the MQC syntax for configuration, and how trust boundaries operate in campus and WAN environments. Network engineers must also be aware of the security implications: if markings from untrusted sources are accepted, spoofed priority markings could lead to denial-of-service attacks, which is why trust boundaries are enforced.
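The bit layout and trust-boundary behaviour described above, as an added example that is not from the original page or from Cisco software: Python that reads CoS and DSCP from an 802.1Q-tagged IPv4 frame and overwrites the markings of an untrusted source, keeping the VLAN ID and the two ECN bits and recomputing the IPv4 header checksum. The sample frames, addresses, VLAN IDs and function names are constructed for illustration, and the per-source trusted flag is an assumption standing in for the switch port's trust setting.

```python
import struct

DSCP_EF, DSCP_DF = 46, 0   # EF (voice) and DF (best effort), as named on the page
IP_OFF = 18                # 6 dst MAC + 6 src MAC + 4-byte 802.1Q tag + 2 EtherType


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over an IPv4 header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(vlan: int, cos: int, dscp: int, ecn: int = 0) -> bytes:
    """Constructed sample: an 802.1Q-tagged IPv4/UDP frame with given markings."""
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 28, 1, 0, 64, 17, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    eth = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
           + struct.pack("!HHH", 0x8100, (cos << 13) | vlan, 0x0800))
    return eth + bytes(ip) + bytes(8)  # 8 zero bytes stand in for a UDP header


def parse_markings(frame: bytes) -> dict:
    """Read the Layer 2 (CoS) and Layer 3 (DSCP) markings from a tagged frame."""
    if len(frame) < IP_OFF + 20:
        raise ValueError("frame too short for 802.1Q + IPv4")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100 or ethertype != 0x0800:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    tos = frame[IP_OFF + 1]
    return {"cos": tci >> 13,      # top 3 bits of the tag: 802.1p priority
            "vlan": tci & 0x0FFF,  # low 12 bits: VLAN ID
            "dscp": tos >> 2,      # first six bits of the ToS byte
            "ecn": tos & 0x03}     # last two bits are ECN, not part of DSCP


def header_checksum_ok(frame: bytes) -> bool:
    """A valid header sums to zero when its checksum field is included."""
    ihl = (frame[IP_OFF] & 0x0F) * 4
    return ipv4_checksum(frame[IP_OFF:IP_OFF + ihl]) == 0


def remark(frame: bytes, dscp: int, cos: int) -> bytes:
    """Overwrite CoS and DSCP, keep VLAN/DEI/ECN, and fix the IPv4 checksum."""
    if not (0 <= dscp <= 63 and 0 <= cos <= 7):
        raise ValueError("DSCP is 6 bits (0-63); CoS is 3 bits (0-7)")
    parse_markings(frame)  # rejects frames that are not tagged IPv4
    buf = bytearray(frame)
    (tci,) = struct.unpack("!H", buf[14:16])
    buf[14:16] = struct.pack("!H", (cos << 13) | (tci & 0x1FFF))
    buf[IP_OFF + 1] = (dscp << 2) | (buf[IP_OFF + 1] & 0x03)
    ihl = (buf[IP_OFF] & 0x0F) * 4
    buf[IP_OFF + 10:IP_OFF + 12] = b"\x00\x00"  # zero the field before summing
    csum = ipv4_checksum(bytes(buf[IP_OFF:IP_OFF + ihl]))
    buf[IP_OFF + 10:IP_OFF + 12] = struct.pack("!H", csum)
    return bytes(buf)


def enforce_trust_boundary(frame: bytes, source_trusted: bool) -> bytes:
    """Trusted source: markings pass unchanged. Untrusted: reset to best effort."""
    if source_trusted:
        return frame
    return remark(frame, DSCP_DF, 0)


if __name__ == "__main__":
    # Constructed scenario: an IP phone and a PC that marks its own traffic EF.
    samples = (("phone", build_frame(110, 5, DSCP_EF), True),
               ("pc", build_frame(10, 5, DSCP_EF, ecn=1), False))
    for name, frame, trusted in samples:
        out = enforce_trust_boundary(frame, trusted)
        print(name, parse_markings(frame), "->", parse_markings(out),
              "checksum ok:", header_checksum_ok(out))
```

Rewriting the ToS byte without updating the header checksum produces a packet that the next IPv4 hop discards, which is why the re-marking step recomputes it.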

Real-Life Example

Think of a busy airport security checkpoint. Every passenger is a data packet arriving at a network device. The airport staff needs to determine which passengers need extra attention.

This is the classification step. A person in a pilot uniform probably needs to get to the cockpit quickly, while a family with strollers might need help with their bags. The security agent at the front of the line looks at each passenger's ticket and ID.

This is like inspecting the packet's headers. Once the agent identifies a pilot, they mark the ticket with a special “lane 1” sticker. That sticker is the marking. Now, as the pilot moves through the airport, every other staff member — the bag scanner, the body scanner, the boarding gate agent — sees that sticker and gives the pilot priority.

The pilot goes to the front of every line. This is exactly how QoS marking works. The first router or switch in the network classifies the packet, marks it with a DSCP value, and all subsequent devices honor that marking.

If a passenger without a sticker tries to sneak into the fast lane, the airport staff can stop them and send them back. In networking, this is called policing. The map of the airport is the network topology.

The stickers are the DSCP or CoS values. The security agents are the ingress switches or routers configured with classification policies. Without classification and marking, every passenger waits in the same long line, and a pilot might miss their flight because they got stuck behind a slow-moving family.

This analogy shows why classification and marking are essential for time-sensitive applications like voice and video, where every millisecond counts.

Why This Term Matters

QoS Classification and Marking matters because it directly impacts the performance and reliability of critical applications in real IT environments. In any modern network, bandwidth is a shared resource. Without classification and marking, all data packets are treated equally.

This is called best effort delivery. During congestion, a router will drop packets arbitrarily, which can cause catastrophic failures for real-time applications. For example, a VoIP call requires low latency and low jitter.

If a large file transfer saturates the link, voice packets could be dropped or delayed, resulting in choppy audio or dropped calls. Classification and marking allow the network to give priority to those voice packets. In a corporate network, video conferencing, virtual desktop sessions, and critical database transactions all rely on consistent network performance.

Without marking, a background software update could consume all available bandwidth, causing a remote employee’s video call to freeze. This leads to productivity loss and user frustration. In cloud infrastructure, QoS classification helps ensure that control plane traffic for services like Kubernetes or AWS Direct Connect is prioritized over bulk data replication.

For security, classification and marking also enable traffic shaping and policing policies that can protect the network from denial-of-service attacks by dropping marked low-priority packets during a flood. Network engineers who understand classification and marking can design networks that deliver predictable performance. They can apply policies in a scalable way by marking at the edge and trusting those marks inside the network core, which simplifies device configurations.

Without this foundational step, any QoS deployment is essentially useless because devices downstream have no way to distinguish important traffic from background noise. For Cisco certification holders, this concept is a core skill. It appears in design discussions, troubleshooting of slow applications, and configuration of WAN optimization tools.

Ultimately, QoS classification and marking is the key that unlocks the ability to prioritize traffic, ensuring that the most critical data always gets through, regardless of network congestion.

How It Appears in Exam Questions

In certification exams like Cisco CCNP ENCOR, questions on QoS Classification and Marking appear in several distinct formats. The most common type is the multiple-choice question that tests theoretical knowledge. For example, a question might ask: “Which DSCP value is recommended for voice traffic?” The options include EF, AF41, AF31, and DF. The correct answer is EF. Another typical question is: “Which layer of the OSI model is used for Class of Service marking?” The answer is Layer 2.

Another question pattern presents a scenario: “A network administrator wants to ensure that video conferencing traffic is given priority over web browsing traffic on a WAN link. What is the first step the administrator must perform?” The correct answer is to classify the traffic based on protocol or port numbers and then mark it with the appropriate DSCP value.

Scenario-based questions often provide a network diagram showing devices and links, along with a description of the traffic types. The candidate must then select the correct marking policy. For example: “An organization has a head office and a branch office connected via a 10 Mbps MPLS link. The network carries VoIP, video conferencing, and critical database replication. The administrator wants to ensure that VoIP traffic is not delayed. Which marking should be applied to VoIP traffic?” The answer is DSCP EF.

There are also command-based questions where the candidate must interpret output. For instance, a question might show the output of “show policy-map interface serial0/0/0” and ask: “Based on the output, which class is not matching any packets?” The candidate must analyze the packet counters for each class to identify a misclassification. Another command-based question might show a class map configuration and ask: “Which traffic will be matched by this class map?” If the class map uses an ACL that permits only HTTP traffic, the candidate must recognize that other traffic types will not be classified.

Troubleshooting questions are also common. A typical troubleshooting scenario might be: “Users report that video calls are experiencing jitter and packet loss. The network already has QoS configured. What could be the issue?” The candidate may need to identify that video traffic is not being correctly classified because the class map does not match the correct ports or DSCP values.

Another troubleshooting angle is the trust boundary: “A switch is connected to an IP phone and a PC. The PC is marking its own traffic with DSCP EF, but the voice quality from the phone is poor. What is the most likely cause?” The answer could be that the switch is trusting the PC’s marking, which overwrites the phone’s marking, or that the switch does not have trust configured on the port.

Architecture design questions are also common, especially in the ENCOR exam. For example: “An enterprise is redesigning its campus network. The network team wants to implement QoS based on application awareness. Which tool can be used for application-level classification?” The answer is NBAR (Network Based Application Recognition).

Some questions combine multiple QoS concepts: “A policy map is applied to an interface in the output direction. The policy includes classification, marking, and shaping. If shaping is not working as expected, what is the first step to troubleshoot?” The candidate must understand that classification must match before any action, including marking and shaping, can take effect.

In all these question patterns, the key is understanding the sequence: classification happens first, then marking, then other QoS actions. Candidates must also know the difference between marking at Layer 2 (CoS) and Layer 3 (DSCP) and when each is appropriate. The exam may include a question where a switch port is configured for voice VLAN and the candidate must choose the correct CoS marking for voice traffic, which is typically CoS 5.

Overall, questions are designed to test not just memorization of DSCP values but the practical application of classification and marking in realistic network scenarios.

Example Scenario

A company with 500 employees uses a unified communications system that includes IP telephony and video conferencing. The network connects a head office and two branch offices over a 50 Mbps leased line. During peak hours, employees frequently report that their video calls freeze and audio quality drops.

The IT team checks the link utilization and finds that it is consistently at 90% due to large file transfers and cloud backups. To resolve this, the network engineer decides to implement QoS Classification and Marking. First, the engineer configures a class map on the head office router to match traffic from the VoIP server and the video conferencing endpoints.

The class map uses a match statement based on the destination port numbers used by the voice and video applications. Next, the engineer creates a policy map that includes two classes: one for voice and one for video. For the voice class, the policy map sets the DSCP value to EF.

For the video class, it sets the DSCP value to AF41. All other traffic is placed into a default class with a best-effort marking of DSCP 0. The policy map is applied to the outbound interface of the router toward the branch offices.

After the configuration is deployed, the engineer uses the command “show policy-map interface” to verify that voice and video packets are being matched and marked correctly. The result is that during peak hours, voice and video packets are now given priority over file transfers. The freeze and audio drop issues disappear.

This scenario shows how classification and marking solve a real-world performance problem by identifying critical traffic and tagging it for preferential treatment.

Common Mistakes

Confusing classification with marking as the same step

Classification is the process of identifying traffic based on criteria like port or protocol. Marking is the separate action of writing a new value into the packet header. They are two distinct operations that often happen together but are not the same.

Remember that classification is looking at the packet to decide what it is, while marking is changing the packet to show that decision. You must classify before you can mark, but you can classify without marking if you only need to count packets.

Applying marking policies on the outbound interface instead of the inbound interface near the source

Marking should be done as close to the source as possible on the ingress interface to ensure all downstream devices can use the marking. Applying marking only on the outbound of a core router may miss traffic entering from other paths and can cause inconsistent behavior.

Configure marking policies on the ingress interfaces of access switches or edge routers where traffic first enters the network. This establishes a trust boundary and ensures all traffic is marked at the edge before traversing the network core.

Using IP precedence (3-bit value) when DSCP (6-bit value) is available and more granular

IP precedence only offers 8 classes, which is insufficient for modern networks with many traffic types like voice, video, multiple data tiers, and network control. DSCP provides 64 classes and is the recommended standard.

Always use DSCP for Layer 3 marking unless there is a specific legacy requirement to use IP precedence. DSCP is backward compatible with IP precedence and provides much finer granularity for classification.

Assuming that trusted markings from end devices are reliable

End devices like PCs can be misconfigured or compromised, and they may mark their own traffic with high priority, causing unfairness or denial of service. Trusting these markings without verification defeats the purpose of QoS.

Configure trust boundaries on network ports. For example, on a switch port connected to an IP phone, trust the CoS marking from the phone but do not trust the PC connected behind it. Overwrite any markings from untrusted devices at the ingress.

Forgetting to apply the policy map to the correct interface and direction

A policy map does nothing until it is attached to an interface. If attached to the wrong direction (e.g., output instead of input) or to the wrong interface, classification and marking will not occur for the intended traffic.

Always verify the interface configuration with “show running-config interface [interface]” or “show policy-map interface [interface]” to ensure the service policy is applied in the correct direction. For marking, the typical direction is input (ingress).

Exam Trap — Don't Get Fooled

In an exam question, you might see a scenario where a switch port is connected to an IP phone, and the PC is connected through the phone. The question asks where to place the trust boundary. Some candidates think the trust boundary should be at the PC, but that is incorrect.

Remember the concept of the trust boundary. The network should trust markings only from devices that the network administrator controls or that are known to mark correctly. In the case of an IP phone, the switch should trust the CoS marking from the phone but overwrite any marking from the PC.

The trust boundary is at the switch port, not at the PC. Configure the switch port with “mls qos trust cos” and use QoS policies to reclassify traffic from the PC if needed.

Commonly Confused With

QoS Classification and Marking vs QoS Policing

Classification and Marking identify and tag traffic, while Policing measures the traffic rate and drops or remarks packets that exceed a configured threshold. Policing uses the markings to decide which packets to drop, but it is a separate function that occurs after marking.

Classification marks a video packet as high priority. Policing then checks if the video stream exceeds 5 Mbps and drops the excess packets, but it uses the marking to decide which packets get dropped first.

QoS Classification and Marking vs QoS Shaping

Shaping delays packets to keep the traffic rate within a configured limit, while marking does not delay packets. Shaping uses buffering to smooth out traffic bursts, whereas marking simply changes a header field. Shaping can be applied to marked traffic to ensure it conforms to a service level agreement.

A shape policy at the branch office delays non-urgent data (marked as best effort) to keep the total traffic below 10 Mbps, while voice packets (marked EF) are sent immediately without delay.

QoS Classification and Marking vs QoS Queuing

Queuing uses the markings to decide which packets get sent first and which get dropped during congestion. Classification and marking happen before packets are placed into queues. Queuing is the mechanism that implements the priority decision based on the markings.

A router has two queues: a priority queue for voice (EF) and a default queue for data (DF). The queuing mechanism looks at the DSCP marking to place packets into the correct queue.

Step-by-Step Breakdown

1. Packet Arrives at Ingress Interface

A data packet arrives at the input interface of a network device such as a switch or router. The device does not yet know anything about the packet’s importance. This is the starting point for QoS Classification and Marking.

2. Classification Based on Match Criteria

The device inspects the packet against the match criteria defined in a class map. This inspection can look at source IP, destination IP, port number, protocol type, or even deeper application signatures using NBAR. For example, a packet with destination port 5060 for SIP voice is classified into the voice class.

3. Assignment to a Traffic Class

Based on the classification, the packet is assigned to a specific traffic class within a policy map. If the packet matches multiple classes, the first matching class in the policy map wins. Traffic that does not match any explicit class falls into the default class.

4. Marking the Packet Header

For each traffic class, the policy map specifies a mark action, such as “set ip dscp ef” for voice. The device writes the new DSCP or CoS value into the packet header. This marking stays with the packet as it travels through the network.

5. Transmission to Egress Interface

After marking, the device forwards the packet to the appropriate egress interface based on its routing or switching table. The packet is now ready for downstream QoS treatments such as policing, shaping, and queuing, all of which use the marking to make decisions.

Practical Mini-Lesson

QoS Classification and Marking is the foundational step for any Quality of Service deployment. As a network professional, you must understand that without accurate classification, all subsequent QoS actions are blind. In practice, classification is done using class maps in the Modular QoS CLI (MQC).

The first step is to define what traffic you want to prioritize. For example, on a Cisco router, you create a class map named VOICE with a match command like “match ip dscp ef” if the traffic is already marked, or “match protocol sip” using NBAR if it is not marked. The second step is to build a policy map that associates each class with specific marking actions.

For example: “policy-map QOS-POLICY class VOICE set ip dscp ef.” The third step is to apply the policy map to the ingress interface, typically with the “service-policy input QOS-POLICY” command. There are several best practices to follow.

Always mark traffic as close to the source as possible. For a VoIP phone, the phone itself marks its own packets with CoS 5 or DSCP EF, and the switch should trust this marking. For a PC behind the phone, the switch should re-mark that traffic to best effort unless the PC is known to be a critical server.

This is called establishing a trust boundary. In a larger enterprise, you may use a Cisco router or switch at the distribution layer to perform classification and marking based on application-level visibility provided by NBAR. NBAR can recognize hundreds of applications, including cloud services like Microsoft Teams or Zoom, and classify them automatically.

This is extremely useful for traffic that uses dynamic ports or encryption, because NBAR can look at the payload to identify the application even when the port number is nonstandard. Another common configuration is to use access control lists (ACLs) for classification. For instance, a standard ACL can match traffic from a specific IP subnet, and an extended ACL can match protocols and ports.

The ACL is then referenced inside the class map. One critical point is to ensure that the classification does not interfere with security policies. ACLs used for QoS classification are separate from ACLs used for security, but they can overlap accidentally, causing unintended drops.

Therefore, always verify with “show access-list” and “show class-map” to confirm correct matches. Monitoring classification and marking is done via commands like “show policy-map interface gigabitethernet0/0/1 input” to see packet counts for each class. If a class shows zero packets, then classification is not matching the intended traffic, and you need to adjust the match criteria.

In some environments, you might also mark traffic using a combination of DSCP and CoS. For example, on a trunk link with voice VLAN, you can set CoS 5 for voice and DSCP EF. Understanding that CoS is a Layer 2 marking and DSCP is Layer 3 is essential because a Layer 3 router will strip the CoS header, so DSCP marking ensures the QoS decision survives across router hops.

In summary, classification and marking is the art of telling your network exactly what kind of traffic is passing through, and then encoding that information in a standard way. The more accurate your classification, the better your network will be at delivering the right quality for each application. As networks evolve with SD-WAN and cloud, classification and marking remain critical because they allow you to apply consistent policies across hybrid environments.

Pro tip: always document your classification policies, including the match criteria and the DSCP or CoS values used, because troubleshooting QoS issues later will depend on knowing exactly what markings were applied.

Memory Tip

Remember “Classify then Color”: Classify the packet into a group, then Color it with a DSCP or CoS value. For voice, think “EF” like “Extra Fast,” and for video, think “AF41” like “Always Forwarding for 4K Video.”

Frequently Asked Questions

What is the difference between DSCP and IP Precedence?

DSCP uses 6 bits in the IP header, providing up to 64 traffic classes, while IP Precedence uses only 3 bits, providing 8 classes. DSCP is the modern standard and is backward compatible with IP Precedence.

Can I classify traffic without marking it?

Yes, you can classify traffic solely for the purpose of counting packets or applying other QoS actions like policing or queuing without changing the packet header. Marking is an optional action that adds a tag for downstream devices.

What is the recommended DSCP value for voice traffic?

The recommended DSCP value for voice traffic is EF (Expedited Forwarding), which has a decimal value of 46. This gives the highest priority to voice packets.

Should I mark traffic at the source device or at the network edge?

Ideally, marking should happen at the source device if it is trusted and capable, but the first Layer 3 network device should be configured as the trust boundary. In practice, marking at the ingress edge switch or router is common and reliable.

How does NBAR help with classification?

NBAR (Network Based Application Recognition) performs deep packet inspection to identify applications beyond port numbers. It allows you to classify traffic based on application signatures, such as Skype for Business or YouTube, even if they use non-standard ports.

What happens if two devices mark the same packet differently?

The last device to mark the packet overwrites the previous marking. If a downstream device is configured to re-mark traffic, the new DSCP value replaces the old one. This is why consistent marking policies are important across the network.

Summary

QoS Classification and Marking is the essential first step in managing network traffic quality. It involves identifying packets based on criteria like port, protocol, or application, and then tagging them with a DSCP or CoS value to indicate their priority. This marking allows downstream network devices to apply appropriate queuing, policing, and shaping policies, ensuring that critical applications such as voice and video receive the bandwidth and low latency they need.

For IT certification exams, especially the Cisco CCNP ENCOR, understanding the difference between classification and marking, knowing the common DSCP and CoS values, and being able to configure and verify these policies using the MQC framework is crucial. Common mistakes include confusing classification with marking, misplacing the trust boundary, and using IP precedence instead of DSCP. By mastering classification and marking, you gain the ability to design networks that deliver consistent, predictable performance even under congestion.

This knowledge is the bedrock of any QoS implementation and is essential for any network professional aspiring to pass Cisco exams and work in enterprise networking.