Imagine trying to deliver a package in a city where every package is treated exactly the same — a wedding cake, a live snake, and a box of feathers all get the same delivery priority. That's a network without QoS marking and classification. On the CCNA 200-301 exam (objective 4.8), you must understand how to identify traffic types and mark them so that the network can treat them differently. In real networks, QoS marking is what makes voice and video work over a congested link; without it, your CEO's Zoom call drops while someone downloads a Linux ISO. This chapter will teach you exactly how marking works at Layer 2 and Layer 3, the different marking fields, and how to configure classification on Cisco IOS.
Think of a busy airport where passengers need to get through security and to their gates. Without any system, everyone queues in one line — business travelers rushing to a meeting, families with strollers, and tourists with no deadline. That's a best-effort network. Now, the airport introduces a priority system: frequent flyers get a special tag on their boarding pass (the marking). At security checkpoints, scanners read that tag and route them to a faster lane (the queuing). At boarding gates, priority tags mean you board first. But the tag itself doesn't speed up the plane — it only tells the airport staff how to treat you. Similarly, QoS marking doesn't create bandwidth; it tells routers how to prioritize packets during congestion. The marking is done by the sending device (like the airline issuing a tag) or by a trusted switch at the entrance (like a check-in kiosk). The network then uses that marking to classify packets into different queues. If a passenger loses their tag (marking is stripped), they're treated as ordinary. If a passenger forges a tag (unauthorized marking), they might get priority but the airline can punish them — on a network, we can police and drop or re-mark unauthorized markings. The key insight: the marking is just a few bits in the packet header; it doesn't guarantee anything by itself, just like a VIP tag doesn't guarantee the plane will leave on time. But combined with proper queuing and scheduling, it makes the whole system efficient.
What is QoS Marking and Classification?
Quality of Service (QoS) marking is the process of setting bits in a packet's header to indicate its traffic class. Classification is the act of identifying packets based on criteria (like source IP, DSCP value, or application) and assigning them to a class. Marking and classification are the foundation of any QoS policy: you can't prioritize what you haven't identified and tagged.
On the CCNA 200-301 exam, you need to know two primary marking fields:
- Layer 2: CoS (Class of Service) — 3 bits in the 802.1Q tag, used in switched networks. Values 0-7 (0 best effort, 5 voice, 7 network control).
- Layer 3: DSCP (Differentiated Services Code Point) — 6 bits in the IP header ToS byte. Values 0-63, but common ones include EF (46) for voice, AF41 (34) for video, and CS0 (0) for best effort.
Also important: IP Precedence (3 bits, values 0-7) is the legacy predecessor to DSCP. Modern networks use DSCP, but you may still see IP Precedence on exam questions.
How Marking Works at the Packet Level
When a packet is created by an application, the operating system may set the DSCP value (e.g., VoIP phones set EF). As the packet traverses the network, switches and routers can read and possibly change the marking. The marking is stored in:
- IP header: ToS byte (DSCP uses 6 bits, ECN uses 2 bits)
- Ethernet header: 802.1Q tag (CoS uses 3 bits)
On a trunk link, both CoS and DSCP can be present. Cisco switches can map between CoS and DSCP using trust boundaries. The trust boundary is the point where the network accepts or overrides the marking. Typically, we trust markings from known devices (like IP phones) and re-mark traffic from untrusted sources (like PCs).
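The bit layout described above, as an added example that is not part of the original chapter: it reads CoS from the 802.1Q tag and DSCP, ECN and IP Precedence from the IPv4 ToS byte. The function names and the sample frames are constructed for illustration (zeroed MACs, no checksum).

```python
import struct

def dscp_name(dscp):
    """Name a 6-bit DSCP value: CSx = 8*x, AFxy = 8*x + 2*y, EF = 46."""
    cls, low = dscp >> 3, dscp & 0x7
    if dscp == 46:
        return "EF"
    if low == 0:
        return "DF" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"
    return f"DSCP{dscp}"

def parse_markings(frame):
    """Read CoS from the 802.1Q tag (if any) and DSCP/ECN from the IPv4 ToS byte."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    cos = vlan = None
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:
        # 802.1Q tag: 16-bit TCI followed by the encapsulated EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos, vlan = tci >> 13, tci & 0x0FFF   # top 3 bits = CoS, low 12 = VLAN ID
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        raise ValueError("not a complete IPv4 packet")
    tos = frame[offset + 1]                   # second byte of the IPv4 header
    dscp = tos >> 2                           # upper 6 bits
    return {"cos": cos, "vlan": vlan, "tos": tos, "dscp": dscp,
            "name": dscp_name(dscp), "ecn": tos & 0x3,  # lower 2 bits
            "precedence": tos >> 5}           # legacy view: upper 3 bits

def build_frame(tos, cos=None, vlan=10):
    """Build a constructed sample frame: zeroed MACs, optional tag, bare IPv4 header."""
    eth = bytes(12)
    if cos is not None:
        eth += struct.pack("!HH", 0x8100, (cos << 13) | vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                     bytes([10, 1, 1, 2]), bytes([10, 1, 1, 1]))
    return eth + ip

if __name__ == "__main__":
    # ToS 184 is the value used with ping later in this chapter (DSCP EF).
    for frame in (build_frame(184, cos=5), build_frame(137), build_frame(0, cos=0)):
        print(parse_markings(frame))
```

The same ToS byte yields both views: 184 decodes to DSCP 46 (EF) and to IP Precedence 5, which is why the two fields are easy to confuse.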
Default Behaviors and Trust
By default, most Cisco switch ports are untrusted — they set the CoS to 0 for all incoming frames. To trust markings, you configure:
interface GigabitEthernet0/1
 mls qos trust cos
Or for DSCP:
interface GigabitEthernet0/1
 mls qos trust dscp
If you trust DSCP, the switch copies the DSCP to the internal QoS tag. If you trust CoS, the switch uses the CoS value.
Classification Using MQC (Modular QoS CLI)
Cisco's standard way to classify and mark traffic is the Modular QoS CLI (MQC). The three steps:
1. Class map — Defines traffic match criteria.
2. Policy map — Defines actions (mark, queue, police) for each class.
3. Service policy — Applies the policy to an interface.
Example: Mark VoIP traffic with DSCP EF:
class-map match-any VOIP
 match ip dscp ef
!
policy-map MARK-VOIP
 class VOIP
  set dscp ef
!
interface GigabitEthernet0/1
 service-policy input MARK-VOIP
Verification Commands
To see the classification and marking configuration:
show class-map
show policy-map
show policy-map interface GigabitEthernet0/1
Example output:
Router# show policy-map interface GigabitEthernet0/1
 GigabitEthernet0/1
  Service-policy input: MARK-VOIP
    Class-map: VOIP (match-any)
      5 packets, 500 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      QoS Set
        dscp ef
          Packets marked 5
Interaction with Queuing and Shaping
Marking alone does nothing; it must be combined with a queuing strategy (like LLQ, CBWFQ) or policing/shaping. The marking determines which queue a packet goes into. For example, a policy that puts DSCP EF into a priority queue:
policy-map QUEUE
 class VOIP
  priority 1000
 class class-default
  fair-queue
!
interface Serial0/0/0
 service-policy output QUEUE
On the CCNA exam, you may be asked to identify the correct marking for a given application. Memorize these:
Voice: EF (DSCP 46) or CoS 5
Video conferencing: AF41 (DSCP 34) or AF42 (36) or AF43 (38)
Streaming video: AF31 (26), AF32 (28), AF33 (30)
Call signaling: CS3 (24) or CoS 3
Best effort: DF (0) or CoS 0
Network control: CS6 (48) or CoS 7
Marking at Layer 2 vs Layer 3
Layer 2 marking (CoS) is only relevant within a switched domain. When a packet leaves a router, the CoS is typically stripped unless you're using 802.1Q trunking. Layer 3 marking (DSCP) survives across routers until the IP header is rewritten. So for end-to-end QoS, DSCP is preferred. However, in a campus network, CoS is often used between switches, and the switch maps CoS to DSCP at the Layer 3 boundary.
Common Pitfalls
Trust boundary not configured: By default, switches overwrite CoS to 0. If you don't configure trust, your markings are lost.
Mismatch between CoS and DSCP: If you map CoS 5 to DSCP 0, voice traffic gets best effort treatment.
Applying policy in wrong direction: Marking should be done as close to the source as possible (input policy). Queuing is done on output.
Forgetting that marking is only as good as the classification: If your class map doesn't match the right traffic, your marking policy is useless.
Identify Trust Boundary
The trust boundary defines which devices are allowed to set QoS markings. In a typical campus, IP phones are trusted, but PCs are not. Configure the switch port connected to an IP phone to trust CoS (because the phone marks voice traffic with CoS 5). For PC ports, do not trust — set CoS to 0. Use the 'mls qos trust cos' command on the switch interface connected to the phone. For the PC, ensure 'mls qos trust' is not configured (default untrusted). This step is critical because if you trust a PC, it could mark its traffic as high priority and starve voice traffic.
Define Class Maps for Traffic Types
Create class maps to identify traffic based on criteria like DSCP, IP precedence, or ACL. Use 'class-map match-any VOICE' and then 'match ip dscp ef'. For video, use 'match ip dscp af41'. For call signaling, use 'match ip dscp cs3'. You can also match on access groups: 'match access-group name VOICE-ACL'. Class maps are used inside policy maps. On the exam, you might be asked to match multiple DSCP values; use 'match-any' if any one condition should trigger the class, or 'match-all' if all conditions must be met.
Create Policy Map with Marking Actions
A policy map associates actions with class maps. For marking, use the 'set' command. Example: 'policy-map MARK' then 'class VOICE' then 'set dscp ef'. You can also set CoS: 'set cos 5'. For the default class (class-default), you can set a default marking like 'set dscp default' (which is 0). Remember that marking is typically done on input (ingress) to the network. Also, you can police and mark down (e.g., set dscp af41 to af43 if traffic exceeds a rate). The policy map can have multiple classes.
Apply Service Policy to Interface
Use 'service-policy input POLICY-NAME' on the interface where traffic enters the network. For marking, it's almost always input. For queuing, it's output. Example: 'interface GigabitEthernet0/1' then 'service-policy input MARK'. Verify with 'show policy-map interface GigabitEthernet0/1'. If you apply it to the wrong direction, the marking will not happen. Also, only one service policy per direction per interface is allowed.
Verify Marking with Show Commands
Use 'show policy-map interface' to see how many packets have been marked. Look for the 'QoS Set' section. Example output: 'dscp ef, packets marked 150'. Also use 'show class-map' to confirm class maps exist. For troubleshooting, 'show mls qos interface <interface>' on a switch shows trust state and CoS/DSCP statistics. On a router, 'show policy-map interface' is your go-to. If no packets are being marked, check if the class map matches correctly (maybe the traffic is not using the expected DSCP).
Test End-to-End with Ping or Traffic Generator
Generate traffic from a source that should be marked. Use 'ping' with ToS byte (e.g., 'ping 10.1.1.1 tos 184' sets DSCP EF). On the destination, capture packets with Wireshark to see the DSCP value. Alternatively, use 'debug ip packet' (carefully) or 'show policy-map interface' to confirm counters increment. In production, use IP SLA or traffic generators. On the exam, you might be given a scenario where marking is not working; check trust boundary first, then class map match criteria, then policy map application direction.
Enterprise Scenario 1: VoIP Deployment
A company deploys Cisco IP phones. The phones mark voice RTP traffic with DSCP EF and signaling with CS3. The switch ports are configured to trust CoS from the phone (via the 'mls qos trust cos' command). The access switch then maps CoS 5 to DSCP EF and CoS 3 to CS3. At the distribution layer, a service policy marks any traffic from untrusted PCs to DSCP 0. This ensures that voice traffic gets priority across the network. Without this marking, during congestion, voice packets would be dropped equally with data, causing jitter and poor call quality.
Enterprise Scenario 2: Data Center Traffic Prioritization
In a data center, storage traffic (iSCSI) and backup traffic compete for bandwidth. The storage team marks iSCSI with DSCP AF41 (34) and backup with AF11 (10). The network team configures a policy that guarantees minimum bandwidth for AF41 and limits AF11 to 1 Gbps. This prevents backups from saturating the link and causing storage timeouts. Misconfiguration could happen if backup traffic is marked higher than storage, causing storage performance degradation.
Enterprise Scenario 3: Internet Edge Marking
At the internet edge, the router marks all inbound traffic based on source IP (e.g., executive VPN traffic gets DSCP AF31, guest traffic gets DF). The ISP may honor these markings (if you pay for QoS) or ignore them. Inside the enterprise, the markings are used to prioritize traffic over the WAN link. If the markings are not applied correctly, critical business traffic might be dropped during congestion. Scale consideration: marking policies should be simple to avoid CPU overload; use hardware offload where possible.
What Happens When Misconfigured?
Trusting too much: A compromised PC can mark its traffic as EF and starve voice queues.
Not trusting enough: Voice traffic from IP phones gets re-marked to best effort, causing poor call quality.
Wrong direction: Applying marking as output instead of input means the packet is already past the marking point; the marking may not take effect or may be overwritten later.
Mismatched mappings: CoS 5 mapped to DSCP 0 on a switch causes voice traffic to be treated as best effort.
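One way to check a configuration for the trust and direction mistakes listed above and under Common Pitfalls, as an added example that is not part of the original chapter. The finding labels, the PHONE_PORTS inventory and the sample configuration are constructed assumptions; the parser relies on IOS-style indentation of sub-commands.

```python
import re

QUEUING = {"priority", "bandwidth", "fair-queue"}   # queuing actions in a policy-map

def audit_qos(config, phone_ports):
    """Return sorted (interface, finding) pairs for trust and direction mistakes."""
    policies, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                     # column-0 command opens a section
            kind, _, name = line.partition(" ")
            current = (kind, name) if kind in ("policy-map", "interface") else None
            if kind == "policy-map":
                policies[name] = {"marks": False, "queues": False}
            elif kind == "interface":
                ifaces[name] = {"trust": None, "applied": []}
        elif current and current[0] == "policy-map":
            word = line.split()[0]
            policies[current[1]]["marks"] |= word == "set"
            policies[current[1]]["queues"] |= word in QUEUING
        elif current:                                # inside an interface section
            if m := re.match(r"mls qos trust (cos|dscp)$", line):
                ifaces[current[1]]["trust"] = m.group(1)
            elif m := re.match(r"service-policy (input|output) (\S+)$", line):
                ifaces[current[1]]["applied"].append(m.groups())
    findings = []
    for name, state in ifaces.items():
        if state["trust"] and name not in phone_ports:
            findings.append((name, "trust-on-non-phone-port"))   # trusting too much
        if name in phone_ports and not state["trust"]:
            findings.append((name, "phone-port-untrusted"))      # not trusting enough
        for direction, policy in state["applied"]:
            p = policies.get(policy, {})
            if p.get("marks") and not p.get("queues") and direction == "output":
                findings.append((name, "marking-on-output"))
            elif p.get("queues") and direction == "input":
                findings.append((name, "queuing-on-input"))
    return sorted(findings)

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
policy-map MARK-VOIP
 class VOIP
  set dscp ef
policy-map QUEUE
 class VOIP
  priority 1000
interface GigabitEthernet0/1
 mls qos trust cos
 service-policy input MARK-VOIP
interface GigabitEthernet0/2
 mls qos trust dscp
interface GigabitEthernet0/3
 service-policy output MARK-VOIP
interface GigabitEthernet0/4
interface Serial0/0/0
 service-policy output QUEUE
"""
PHONE_PORTS = {"GigabitEthernet0/1", "GigabitEthernet0/4"}   # assumed inventory

if __name__ == "__main__":
    for finding in audit_qos(SAMPLE_CONFIG, PHONE_PORTS):
        print(*finding)
```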
What the CCNA 200-301 Tests on QoS Marking and Classification (Objective 4.8)
The exam expects you to:
Identify the appropriate marking for a given application (e.g., voice = EF, video = AF41).
Understand the difference between Layer 2 (CoS) and Layer 3 (DSCP) marking.
Configure class maps and policy maps using MQC to mark traffic.
Interpret 'show policy-map interface' output.
Understand trust boundaries and default switch behavior.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: 'Voice traffic should be marked with DSCP 5.' Why: They confuse CoS (3-bit, 0-7) with DSCP (6-bit, 0-63). DSCP EF is 46, not 5. CoS 5 is for voice at Layer 2. Candidates often mix these up.
2. Wrong: 'Apply the marking policy on the output of the router.' Why: They think marking should happen before leaving the network, but marking should be done as close to the source as possible (ingress). If you mark on output, the packet may have already been queued without the marking.
3. Wrong: 'The default trust state on a switch port trusts CoS.' Why: They assume Cisco wants to trust markings. Actually, default is untrusted for security. Many candidates forget this and get questions wrong about where to configure trust.
4. Wrong: 'DSCP and IP Precedence are the same.' Why: They both use the ToS byte, but DSCP uses 6 bits (64 values) and IP Precedence uses 3 bits (8 values). The exam may ask which is more granular.
Specific Values and Commands to Memorize
DSCP EF = 46, AF41 = 34, AF31 = 26, CS3 = 24, DF = 0.
CoS values: voice = 5, video = 4, signaling = 3, best effort = 0, network control = 7.
Command to trust: 'mls qos trust cos' or 'mls qos trust dscp'.
Default CoS for untrusted port: 0.
Show command: 'show policy-map interface'.
Decision Rule for Scenario Questions
If a question asks: 'Where should marking be applied?' Answer: As close to the source as possible (ingress on the access switch). If the question mentions 'trust boundary,' the answer is typically the access layer switch port connected to the IP phone. For multiple-choice on marking values, eliminate any that do not match the standard (e.g., voice = 5 is CoS, not DSCP).
QoS marking sets bits in packet headers (CoS at Layer 2, DSCP at Layer 3) to indicate traffic priority.
Default switch ports are untrusted; use 'mls qos trust cos' or 'dscp' to trust markings from known devices.
Voice traffic should be marked with DSCP EF (46) or CoS 5; video with AF41 (34); signaling with CS3 (24).
MQC uses class maps to match traffic and policy maps to set marking; apply as service-policy input.
Use 'show policy-map interface' to verify marking counts.
Marking alone does not guarantee priority; it must be paired with queuing (like LLQ) or policing.
DSCP is end-to-end; CoS is only within a switched domain (802.1Q).
These come up on the exam all the time. Here's how to tell them apart.
CoS (Class of Service)
3 bits; values 0-7
Layer 2 marking in 802.1Q tag
Only valid on trunk links
Stripped at Layer 3 boundary
Simpler, less granular
DSCP (Differentiated Services Code Point)
6 bits; values 0-63
Layer 3 marking in IP ToS byte
End-to-end across routers
Survives routing
More granular, standard for modern QoS
Mistake
DSCP and IP Precedence are interchangeable.
Correct
DSCP uses 6 bits (0-63), IP Precedence uses 3 bits (0-7). They are different fields within the same ToS byte. Cisco IOS treats them separately; 'match ip dscp' and 'match ip precedence' are different match criteria.
Candidates see both use the ToS byte and assume they are the same, but they have different bit allocations and values.
Mistake
Applying a marking policy on the output interface is correct.
Correct
Marking should be applied on the input interface (ingress) to the network, as close to the source as possible. Output marking is possible but less common and can cause issues with queuing decisions.
Candidates think marking should happen before the packet leaves the router, but the standard practice is to mark on arrival.
Mistake
A switch port trusts CoS by default.
Correct
By default, Cisco switch ports are untrusted; they set the internal CoS to 0 for all incoming frames. You must explicitly configure 'mls qos trust' to honor incoming markings.
Many assume Cisco devices trust markings for ease of use, but security concerns dictate untrusted default.
Mistake
Setting DSCP EF guarantees bandwidth for voice.
Correct
DSCP EF only marks the packet. To guarantee bandwidth, you must configure a queuing policy (e.g., priority queue) that treats EF packets preferentially. Without queuing, the marking is ignored.
Candidates think marking alone creates priority, but it's just a label; the router must act on it.
Classification is the process of identifying packets based on criteria (e.g., DSCP, ACL, protocol). Marking is the action of setting bits in the packet header (e.g., set DSCP EF). Classification comes before marking; you classify to decide which packets to mark. On Cisco IOS, you use class maps for classification and policy maps for marking. Exam tip: You might be asked to 'classify' traffic — that means identify it, not necessarily mark it.
It depends on the network segment. Within a switched campus network using 802.1Q trunks, CoS is used at Layer 2. For end-to-end QoS across routers, DSCP is better because it survives routing. Often, switches map CoS to DSCP at the distribution layer. On the CCNA exam, know both and when each is appropriate. Typically, you'll see DSCP in routing contexts and CoS in switching contexts.
On a Cisco switch, this command enables trust of the 802.1p CoS value in incoming frames. Without it, the switch overwrites the CoS to 0. When you trust CoS, the switch uses the incoming CoS for internal queuing and can map it to DSCP. This is commonly used on ports connected to IP phones. Exam tip: Remember that default is untrusted.
Yes, you can use an ACL in a class map to match traffic, then mark it in a policy map. For example: 'class-map match-any HTTP' then 'match access-group name HTTP-ACL' then 'policy-map MARK-HTTP' then 'class HTTP' then 'set dscp af11'. This is common for marking based on source/destination IP. The exam may test this combination.
The default DSCP value is 0, also called DF (Default Forwarding) or CS0. All traffic that is not explicitly marked should be treated as best effort. On the exam, if you see 'set dscp default', it sets DSCP to 0.
Use 'show policy-map interface <interface>'. Look for the class and the 'QoS Set' section. It will show the number of packets marked. Example: 'dscp ef, packets marked 500'. If the count is not increasing, check your class map match criteria and the interface direction. Also, use 'show class-map' to verify the class map exists.
The trust boundary is the point in the network where you decide to accept or override QoS markings. Typically, you trust markings from known devices (IP phones, routers) and re-mark traffic from untrusted devices (PCs). It's important for security: if you trust a PC, it could mark its traffic as high priority and starve critical traffic. On the exam, you may be asked where to place the trust boundary — usually at the access layer switch port connected to the phone.