CCNA QoS Architecture Questions

58 questions · QoS Architecture topic · All types, answers revealed

1
MCQ · medium

An enterprise is deploying a leaf-spine architecture in its data center to support high-bandwidth east-west traffic. The design must include QoS to prioritize storage replication traffic (iSCSI) over backup traffic, while ensuring low latency for real-time applications. Where should the architect apply QoS classification and queuing policies in this topology?

A. Apply classification and marking on the leaf switches at ingress, and queuing policies on egress interfaces of both leaf and spine switches.
B. Apply all QoS policies only on the spine switches, since they handle inter-leaf traffic.
C. Configure QoS only on the default gateway router, which is upstream of the leaf-spine fabric.
D. Use a single QoS policy on all interfaces with default settings, relying on hardware buffers.
Answer: A

Ingress classification at the leaf marks traffic; egress queuing on leaf and spine ensures consistent PHB across the fabric.

Why this answer

In a leaf-spine architecture, QoS classification and marking must occur at the ingress of leaf switches (where traffic enters the fabric) to identify iSCSI, backup, and real-time flows. Queuing policies must be applied on egress interfaces of both leaf and spine switches to manage congestion and prioritize latency-sensitive traffic across the entire path, ensuring end-to-end QoS for east-west traffic.

Exam trap

Cisco often tests the misconception that QoS policies should be applied only at the core or spine layer, but the correct approach requires classification at the edge (leaf ingress) and queuing on all egress interfaces to ensure end-to-end treatment across the fabric.

How to eliminate wrong answers

Option B is wrong because applying QoS only on spine switches ignores the need for classification at the network edge (leaf switches) and fails to manage congestion on leaf egress interfaces, where traffic first enters the fabric. Option C is wrong because the default gateway router is upstream of the leaf-spine fabric and does not handle inter-leaf east-west traffic; QoS must be applied within the fabric itself. Option D is wrong because relying on default settings and hardware buffers does not provide the granular classification, marking, and queuing required to differentiate iSCSI, backup, and real-time traffic, leading to potential packet loss and latency issues.

2
Drag & Drop · medium

Drag and drop the steps of WRED configuration for TCP congestion avoidance into the correct order, from first to last.

Why this order

WRED configuration starts by enabling the feature globally, then defining a class map for TCP traffic, creating a policy map with random-detect, applying it to an interface, and verifying the drop thresholds. WRED proactively drops packets to avoid TCP global synchronization.

3
MCQ · hard

An enterprise is deploying a new VoIP system and wants to ensure voice traffic receives priority over data traffic on a WAN link. The engineer configures a class-map to match RTP traffic using the 'match protocol rtp' command. However, the class-map does not match any packets. What is the most likely reason?

A. RTP traffic uses UDP ports, and the class-map must match on the UDP port range instead.
B. The 'match protocol rtp' command requires NBAR to be enabled globally with 'ip nbar protocol-discovery'.
C. The class-map must be configured with 'match any' to capture all traffic.
D. RTP traffic is always marked with DSCP EF, so the class-map should match on DSCP instead.
Answer: B

Correct because NBAR-based matching requires the 'ip nbar protocol-discovery' command to be enabled on the interface for the classification to work.

Why this answer

The 'match protocol rtp' command relies on Network-Based Application Recognition (NBAR) to identify RTP traffic by inspecting packet payloads and using protocol signatures. Without NBAR enabled globally via 'ip nbar protocol-discovery', the class-map cannot match any packets because the router does not have the necessary deep packet inspection capability. Enabling NBAR allows the device to recognize RTP traffic even though it uses dynamic UDP ports.

Exam trap

The trap here is that candidates assume 'match protocol rtp' works out-of-the-box like a simple port match, but Cisco tests the requirement for NBAR to be explicitly enabled for protocol-based matching that relies on deep packet inspection.

How to eliminate wrong answers

Option A is wrong because while RTP does use UDP ports, the 'match protocol rtp' command is designed to match RTP traffic without specifying port ranges, and the issue is not about port matching but about NBAR being disabled. Option C is wrong because 'match any' would match all traffic, defeating the purpose of prioritizing voice over data and not addressing the root cause of the class-map not matching RTP. Option D is wrong because although RTP traffic is often marked with DSCP EF, the class-map is configured to match on protocol, not DSCP; matching on DSCP would be a different approach and does not explain why the 'match protocol rtp' command fails.

4
Matching · medium

Drag and drop each DSCP value on the left to its matching Per-Hop Behavior (PHB) on the right.

EF

AF11

AF21

AF31

AF41

Why these pairings

DSCP 46 maps to EF (Expedited Forwarding), DSCP 10 maps to AF11 (Assured Forwarding class 1 low drop), DSCP 18 maps to AF21 (Assured Forwarding class 2 low drop), DSCP 26 maps to AF31 (Assured Forwarding class 3 low drop), DSCP 34 maps to AF41 (Assured Forwarding class 4 low drop).

5
Multi-Select · hard

Which two statements about Cisco QoS classification and marking are true? (Choose two.)

Select 2 answers
A. A class map can match traffic based on DSCP, CoS, IP precedence, or ACL.
B. Marking should be performed as close to the source as possible, typically at the access layer.
C. Marking can only be applied to Layer 2 frames using CoS bits.
D. Marking is a congestion avoidance mechanism that uses tail drop.
E. A class map is used to apply marking actions to classified traffic.
Answers: A, B

Correct because class maps support multiple match criteria including DSCP, CoS, IP precedence, and ACLs.

Why this answer

Classification identifies traffic based on fields like DSCP, CoS, or IP precedence. Marking sets the DSCP or CoS value for subsequent actions. The 'class-map' command matches traffic, and 'policy-map' applies marking.

Option A is correct because class maps can match on DSCP, CoS, IP precedence, or even ACLs. Option B is correct because marking is typically done at the trust boundary (access layer) to set the initial QoS marking. Option C is incorrect because marking is not limited to Layer 2; Layer 3 DSCP marking is common.

Option D is incorrect because marking does not use tail drop; tail drop is a congestion avoidance mechanism. Option E is incorrect because class maps do not apply actions; policy maps do.

6
Matching · medium

Drag and drop each queuing mechanism on the left to its matching use case on the right.

Strict priority queuing for delay-sensitive traffic

Guarantees minimum bandwidth per class

Strict priority queue with bandwidth guarantees for other classes

Fair queuing based on flow weights

Why these pairings

PQ gives strict priority to one queue, CBWFQ guarantees bandwidth to classes, LLQ combines strict priority with CBWFQ, WFQ provides fair queuing for flows, and CBWFQ is often used for data classes.

7
Drag & Drop · medium

Drag and drop the steps of WRED configuration for TCP congestion avoidance into the correct order, from first to last.

Why this order

First, enable WRED under an interface or policy-map. Then set the minimum and maximum thresholds for each IP precedence or DSCP value. Configure the mark probability denominator.

Apply the policy-map to the interface. Finally, verify WRED operation using show queueing or show policy-map interface.

8
MCQ · easy

An enterprise is deploying QoS across a network that includes both Cisco and non-Cisco devices. The engineer wants to use a marking scheme that is end-to-end and not stripped at Layer 3 boundaries. Which marking field should the engineer use?

A. CoS
B. IP Precedence
C. DSCP
D. MPLS EXP
Answer: C

Correct because DSCP is a Layer 3 field that is preserved across routers and is supported by most vendors.

Why this answer

DSCP (Differentiated Services Code Point) is the correct choice because it is defined in RFC 2474 as a Layer 3 marking field in the IP header. Unlike CoS (Layer 2) or MPLS EXP (which is stripped at MPLS boundaries), DSCP markings are preserved across Layer 3 boundaries (routers) and can be used end-to-end across both Cisco and non-Cisco devices, as long as the intermediate devices trust the DSCP value.

Exam trap

Cisco often tests the distinction between Layer 2 (CoS) and Layer 3 (DSCP) marking, and the trap here is that candidates confuse 'end-to-end' with 'within a single domain,' leading them to choose CoS or MPLS EXP, which are not preserved across Layer 3 boundaries.

How to eliminate wrong answers

Option A is wrong because CoS (Class of Service) is a Layer 2 marking field in the 802.1Q/p header, which is stripped when a frame passes through a Layer 3 boundary (router) and is not preserved across IP networks. Option B is wrong because IP Precedence is a 3-bit field in the IP header that provides only 8 classes, but it is often re-marked or ignored in modern networks; DSCP (6 bits) is the preferred Layer 3 marking for end-to-end QoS and is backward-compatible with IP Precedence. Option D is wrong because MPLS EXP (Experimental bits) is a Layer 2.5 marking field used within an MPLS domain; it is stripped when the MPLS label is removed at the egress LER, so it is not end-to-end across Layer 3 boundaries.

9
MCQ · medium

A network engineer is configuring QoS on a Cisco router to prioritize business-critical applications. The engineer creates a class-map that matches traffic based on the destination IP address and port. However, the class-map does not match the expected traffic. What is the most likely reason?

A. The class-map uses 'match-all' but the engineer intended to use 'match-any'.
B. The access-list used for matching is not applied to the correct interface.
C. The router does not support matching on both IP and port in the same class-map.
D. The class-map must be applied to the interface before it can match traffic.
Answer: A

Correct because if the class-map uses 'match-all', all match conditions must be true; if the traffic matches only one condition, it will not be classified.

Why this answer

Option A is correct because when a class-map uses 'match-all', all match conditions must be true for a packet to be classified. If the engineer intended to match traffic based on either the destination IP address OR the port, using 'match-any' would allow the class-map to match if any single condition is met. The mismatch occurs because the class-map is too restrictive, requiring both conditions to be satisfied simultaneously.

Exam trap

Cisco often tests the subtle difference between 'match-all' (default) and 'match-any' in class-maps, trapping candidates who assume that multiple match conditions automatically use OR logic.

How to eliminate wrong answers

Option B is wrong because the access-list used for matching is referenced inside the class-map, not applied directly to the interface; the class-map itself is applied to the interface via a policy-map, so the access-list does not need separate interface application. Option C is wrong because Cisco routers fully support matching on both IP and port in the same class-map using nested match statements or an extended access-list; there is no inherent limitation. Option D is wrong because a class-map does not need to be applied to an interface to match traffic; it is the policy-map that references the class-map and is applied to the interface, and the class-map itself can be tested independently.

10
Drag & Drop · medium

Drag and drop the steps of DSCP re-marking at enterprise WAN edge into the correct order, from first to last.

Why this order

At the enterprise WAN edge, traffic is first classified based on existing markings or other criteria. Then a policy-map is created to set the new DSCP value. The policy is applied outbound on the WAN interface.

The router re-marks packets as they exit. Finally, the new DSCP value is verified using show commands.

11
MCQ · medium

An enterprise is designing a QoS architecture for its WAN edge routers connecting to multiple service providers. The design must support traffic shaping to avoid packet drops due to provider policers, while also prioritizing real-time traffic. Which approach should the architect use to shape traffic to the contracted CIR while still allowing bursts?

A. Apply a shape average policy on the egress interface of the WAN edge router, setting the CIR and burst parameters to match the provider contract.
B. Use a policer on the ingress interface to drop traffic exceeding the CIR.
C. Configure a shaper on the provider's device instead of the customer router.
D. Set the interface bandwidth to the CIR and rely on FIFO queuing.
Answer: A

Shape average enforces the CIR with bursting, preventing tail drops at the provider's policer.

Why this answer

Option A is correct because 'shape average' on the egress interface allows the router to buffer excess traffic and transmit it at the contracted CIR, while the burst parameters (Bc and Be) enable short-term bursts above CIR to accommodate real-time traffic spikes without drops. This prevents the provider's policer from discarding packets, as the shaper ensures the outbound traffic rate stays within the agreed contract limits.

Exam trap

Cisco often tests the distinction between shaping and policing—the trap here is that candidates may choose policing (Option B) because it seems simpler, but they overlook that shaping buffers bursts to avoid drops, which is essential when the provider enforces a policer downstream.

How to eliminate wrong answers

Option B is wrong because policing on the ingress interface drops or marks traffic exceeding the CIR, which does not prevent packet loss from the provider's egress policer and fails to buffer bursts; it also does not shape traffic to match the contract. Option C is wrong because the provider's device is typically not under the customer's administrative control, and shaping on the provider side would not allow the customer to prioritize their own real-time traffic or manage bursts locally. Option D is wrong because setting interface bandwidth to CIR does not perform shaping—it only influences routing metrics and QoS calculations, and FIFO queuing provides no prioritization for real-time traffic, leading to jitter and potential drops.

12
MCQ · hard

A network engineer is configuring QoS on a Cisco switch to ensure that video traffic (DSCP AF41) is not dropped during congestion. The engineer creates a policy-map that sets the queue-limit for the AF41 class. However, the switch is still dropping video packets. What is the most likely cause?

A. The queue-limit is set too low, causing tail drops.
B. The switch uses a single queue for all traffic unless multiple queues are configured.
C. The video traffic is not being marked with DSCP AF41.
D. The policy-map must be applied to the output direction.
Answer: B

Correct because by default, switches may use a single queue; the engineer must configure multiple queues and assign the class to a specific queue.

Why this answer

By default, Cisco switches use a single queue for all traffic. Creating a policy-map that sets a queue-limit for the AF41 class does not automatically create a separate queue for that class; the switch must have multiple egress queues configured (e.g., via the 'priority-queue out' command or by mapping DSCP values to specific queues). Without multiple queues, all traffic shares the same queue, and setting a queue-limit on a class within a single-queue system does not prevent drops during congestion.

Exam trap

Cisco often tests the misconception that creating a class-map and policy-map with a queue-limit automatically creates a separate queue for that traffic, when in fact the switch must have multiple queues explicitly configured to isolate traffic classes.

How to eliminate wrong answers

Option A is wrong because setting the queue-limit too low could cause tail drops, but the question states the engineer created a queue-limit for the AF41 class, and the core issue is that the switch is not using separate queues for different traffic classes. Option C is wrong because the problem is not about marking; the engineer is configuring QoS for video traffic marked as DSCP AF41, and the drops occur even if the marking is correct, due to the lack of multiple queues. Option D is wrong because the policy-map must be applied in the output direction for egress queuing, but the engineer likely applied it correctly; the real issue is that the switch does not have multiple queues configured to isolate the AF41 traffic.

13
MCQ · easy

Which QoS mechanism is used to prevent congestion by dropping packets before a queue becomes full?

A. Weighted Random Early Detection (WRED)
B. Priority Queuing (PQ)
C. Class-Based Weighted Fair Queuing (CBWFQ)
D. Tail Drop
Answer: A

WRED proactively drops packets to avoid tail drop and global synchronization.

Why this answer

Weighted Random Early Detection (WRED) is a congestion avoidance mechanism that proactively drops packets before a queue becomes full. By monitoring the average queue depth and dropping packets with a probability that increases as the queue depth grows, WRED signals TCP senders to reduce their transmission rate, thereby preventing tail drop and global synchronization. This differs from congestion management mechanisms like PQ or CBWFQ, which only act on packets after the queue is full.

Exam trap

Cisco often tests the distinction between congestion management (queuing/scheduling) and congestion avoidance (drop policy), so the trap here is that candidates confuse mechanisms like CBWFQ or PQ (which manage queues after they form) with WRED (which prevents queues from filling up in the first place).

How to eliminate wrong answers

Option B is wrong because Priority Queuing (PQ) is a congestion management mechanism that services queues in strict priority order, not a congestion avoidance mechanism; it does not drop packets before the queue is full. Option C is wrong because Class-Based Weighted Fair Queuing (CBWFQ) is a scheduling mechanism that allocates bandwidth to classes and queues packets, but it does not proactively drop packets to prevent congestion. Option D is wrong because Tail Drop is a passive congestion management mechanism that drops packets only when the queue is completely full, which can cause global TCP synchronization and does not prevent congestion by dropping packets early.

14
Matching · medium

Drag and drop each CoS value on the left to its matching traffic type on the right.

Best effort data

Voice signaling

Video conferencing

Voice bearer

Internetwork control

Why these pairings

CoS 0 is typically best effort, CoS 3 is voice signaling, CoS 4 is video conferencing, CoS 5 is voice bearer, CoS 6 is internetwork control (e.g., routing protocols).

15
Matching · medium

Drag and drop each QoS model on the left to its matching characteristic on the right.

Uses RSVP to reserve resources per flow

Classifies traffic with DSCP markings

No QoS guarantees

Why these pairings

IntServ uses RSVP for per-flow signaling, DiffServ uses DSCP markings for per-hop behavior, Best Effort provides no guarantees, IntServ is not scalable for large networks, DiffServ offers classification and policing at the edge.

16
Multi-Select · medium

Which two statements about the QoS trust boundary on a Cisco switch are true? (Choose two.)

Select 2 answers
A. By default, a Cisco switch port in access mode trusts the CoS value received from the attached device.
B. On a trunk port, the switch can be configured to trust the CoS value by default.
C. The trust boundary can be extended to the endpoint by configuring the interface with the 'mls qos trust' command.
D. When a Cisco IP Phone is connected, the switch automatically trusts the CoS values from the phone but not from the PC behind the phone.
E. The 'trust device cisco-phone' command enables the switch to trust all CoS values from both the phone and the attached PC.
Answers: B, C

Correct. On trunk ports, the default trust state is to trust the CoS value, as the switch expects the other switch or router to have set the marking appropriately.

Why this answer

The trust boundary defines which device in the network is trusted to mark QoS values. By default, Cisco switches trust the CoS value on trunk ports but do not trust the DSCP value on access ports. The trust boundary can be extended to the endpoint by configuring the switch port as trusted, and the Cisco IP Phone can override the marking from the attached PC.

17
Drag & Drop · medium

Drag and drop the traffic shaping vs policing configuration steps into the correct order, from first to last.

Why this order

First, identify the traffic to be shaped or policed using a class-map. Then configure the policy-map with either shape or police command. Apply the service-policy in the appropriate direction.

For shaping, the router buffers excess traffic; for policing, it drops or re-marks. Finally, verify using show policy-map interface.

18
MCQ · medium

Given the following configuration:

policy-map MARKING_POLICY
 class CRITICAL_DATA
  set dscp af31
 class BULK_DATA
  set dscp af11
 class class-default
  set dscp default

What is the effect of the set dscp default command in the class-default?

A. It sets the DSCP value to 0, which is the default best-effort marking.
B. It sets the DSCP value to the original value of the packet, effectively not changing it.
C. It sets the DSCP value to 46, which is the default for voice.
D. It is invalid because class-default cannot have a set action.
Answer: A

DSCP default is 0, used for best-effort traffic.

Why this answer

The 'set dscp default' command explicitly sets the DSCP field to a value of 0, which corresponds to the default best-effort per-hop behavior (PHB) as defined in RFC 2474. This ensures that any traffic not matching the user-defined classes (CRITICAL_DATA or BULK_DATA) is marked with the lowest priority, which is the standard behavior for class-default in a marking policy.

Exam trap

Cisco often tests the misconception that 'default' means 'leave the original value unchanged' or that it refers to a specific high-priority default like voice, rather than the actual DSCP value of 0 for best-effort traffic.

How to eliminate wrong answers

Option B is wrong because 'set dscp default' does not preserve the original packet value; it overwrites the DSCP field with a fixed value of 0. Option C is wrong because DSCP 46 (EF) is the default for voice traffic, not the 'default' keyword, which maps to DSCP 0. Option D is wrong because class-default can indeed have a set action; it is a valid and common practice to mark all unmatched traffic with a specific DSCP value.

19
MCQ · easy

What is the purpose of the 'police' command in a QoS policy-map?

A. To shape traffic to a specific rate by buffering excess packets.
B. To limit the rate of traffic and take action (drop or remark) on packets that exceed the rate.
C. To prioritize traffic by assigning it to a strict priority queue.
D. To classify traffic based on IP precedence or DSCP values.
Answer: B

Policing enforces a rate limit by dropping or remarking excess traffic.

Why this answer

The 'police' command in a Cisco QoS policy-map implements traffic policing, which enforces a rate limit by measuring traffic flow and taking immediate action—typically dropping or remarking packets—when the traffic exceeds the configured rate. Unlike shaping, policing does not buffer excess traffic; it acts on packets in real time, making it ideal for marking down or discarding non-compliant traffic at the ingress or egress of an interface.

Exam trap

Cisco often tests the distinction between policing and shaping—the trap here is that candidates confuse 'police' with 'shape' because both limit traffic rates, but policing drops/remarks without buffering, while shaping queues and delays excess traffic.

How to eliminate wrong answers

Option A is wrong because shaping (not policing) buffers excess packets to smooth traffic to a specific rate; the 'police' command drops or remarks, not buffers. Option C is wrong because strict priority queuing is configured with the 'priority' command within a class, not with 'police'; policing controls rate, not queue scheduling. Option D is wrong because traffic classification based on IP precedence or DSCP is done with the 'class-map' and 'match' commands, not with the 'police' action; policing is applied after classification.

20
Multi-Select · medium

Which three statements about Cisco QoS policing and shaping are true? (Choose three.)

Select 3 answers
A. Policing can re-mark traffic that exceeds the configured rate to a lower priority.
B. Shaping buffers excess traffic and transmits it later to avoid drops.
C. Both policing and shaping use a token bucket algorithm to measure traffic rates.
D. Policing buffers traffic that exceeds the rate to reduce packet loss.
E. Shaping is typically applied on the ingress interface to control incoming traffic.
Answers: A, B, C

Correct because policing can set a new DSCP or CoS value for out-of-profile traffic.

Why this answer

Policing drops or re-marks traffic exceeding a rate, while shaping buffers excess traffic. Policing is typically applied inbound, shaping outbound. Option A is correct because policing can mark down traffic (e.g., set DSCP to 0) when the rate is exceeded.

Option B is correct because shaping buffers traffic to smooth bursts, reducing drops. Option C is correct because both use a token bucket model to measure conformance. Option D is incorrect because policing does not buffer; it drops or re-marks.

Option E is incorrect because shaping is applied on egress, not ingress.

21
Multi-Select · hard

Which three statements about queuing and congestion avoidance in a QoS architecture are true? (Choose three.)

Select 3 answers
A. Class-Based Weighted Fair Queuing (CBWFQ) assigns a weight to each class and guarantees a minimum bandwidth during congestion.
B. Low Latency Queuing (LLQ) provides a strict priority queue that is serviced before any other queues, which can cause starvation of other queues if not policed.
C. Weighted Random Early Detection (WRED) can be used only with TCP traffic and drops packets randomly based on the average queue depth.
D. Tail drop is a congestion avoidance mechanism that drops packets from the front of the queue when it is full.
E. WRED can be configured per class within a policy map using the 'random-detect' command under the class.
Answers: A, B, E

Correct. CBWFQ allocates bandwidth to each class based on the configured bandwidth or weight, ensuring each class gets its minimum share when the link is congested.

Why this answer

Queuing manages packets when output is congested, using algorithms like CBWFQ and LLQ. Congestion avoidance techniques like WRED proactively drop packets to prevent tail drops. LLQ provides strict priority queuing for delay-sensitive traffic.

WRED can be configured per class in a policy map.

22
Drag & Drop · medium

Drag and drop the steps of LLQ configuration for voice traffic into the correct order, from first to last.

Why this order

LLQ for voice requires first classifying voice traffic, then creating a policy map with a priority queue, applying it to the interface, and verifying the configuration. The priority queue ensures low latency for voice packets.

23
Drag & Drop · medium

Drag and drop the NBAR2 application recognition and classification steps into the correct order, from first to last.

Why this order

NBAR2 configuration begins by enabling the protocol discovery, then creating a class map to match the application, a policy map to mark traffic, applying it to the interface, and verifying the classification. NBAR2 uses deep packet inspection to identify applications.

24
Matching · medium

Drag and drop each CoS value on the left to its matching traffic type on the right.

Voice payload

Video conferencing

Call signaling

Critical data

Best-effort data

Why these pairings

CoS values are used in 802.1Q frames: CoS 5 for voice, CoS 4 for video, CoS 3 for call signaling, CoS 2 for critical data, CoS 0 for best-effort data.

25
Matching · medium

Drag and drop each DSCP value on the left to its matching Per-Hop Behavior (PHB) on the right.

Expedited Forwarding

Assured Forwarding class 4, low drop probability

Class Selector 3

Assured Forwarding class 2, medium drop probability

Best-effort

Why these pairings

DSCP values map to specific PHBs: EF is for expedited forwarding, AF41 is Assured Forwarding class 4 low drop, CS3 is class selector 3, AF21 is Assured Forwarding class 2 medium drop, and BE (0) is best-effort.

26
MCQ · easy

A network engineer is designing a QoS policy for a Cisco router that connects to an MPLS VPN. The service provider expects all traffic to be marked with IP Precedence values. The engineer wants to ensure that voice traffic (DSCP EF) is mapped to IP Precedence 5. What configuration is required on the router to perform this mapping?

A. Configure a policy-map that sets the IP precedence to 5 using 'set ip precedence 5'.
B. Configure a policy-map that sets the DSCP to EF, and the router will automatically set IP precedence to 5.
C. Use the 'qos map dscp-ip-precedence' command to create a mapping table.
D. The router will automatically map DSCP EF to IP precedence 5 without any configuration.
Answer: A

Correct because setting IP precedence directly achieves the required marking without needing to map from DSCP.

Why this answer

Option A is correct because the 'set ip precedence 5' command in a policy-map explicitly marks the IP Precedence field to 5, which corresponds to the same value as DSCP EF (46) in the IP header. This ensures that voice traffic is marked with IP Precedence 5 as required by the service provider, regardless of any existing DSCP markings.

Exam trap

Cisco often tests the misconception that DSCP and IP Precedence are automatically synchronized or that a single command like 'set dscp ef' will implicitly set the IP Precedence field, when in fact they are independent markings that require separate configuration.

How to eliminate wrong answers

Option B is wrong because setting DSCP to EF does not automatically set IP Precedence to 5; the router treats DSCP and IP Precedence as separate fields, and explicit configuration is needed to map between them. Option C is wrong because 'qos map dscp-ip-precedence' is not a valid Cisco IOS command; such mappings are typically done via policy-map actions. Option D is wrong because the router does not automatically map DSCP EF to IP Precedence 5; without explicit configuration, the IP Precedence field remains unchanged or is set based on default behavior, which may not meet the service provider's requirement.

27
MCQmedium

A network engineer is configuring QoS on a Cisco Catalyst 9300 switch to prioritize voice traffic. The switch has multiple access ports connected to IP phones and PCs. The engineer applies a policy-map that matches DSCP EF and sets the CoS to 5. However, after testing, the voice packets are not being marked correctly. What is the most likely cause?

A.The policy-map is not applied to the correct interface direction.
B.The switch does not support DSCP-to-CoS mapping.
C.The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.
D.The IP phone is not sending packets with DSCP EF.
AnswerC

Correct because by default, Cisco switches do not trust incoming QoS markings; the trust command must be configured to accept the marking from the IP phone.

Why this answer

On Cisco Catalyst switches like the 9300, QoS marking policies applied via a policy-map only re-mark packets if the interface port is configured to trust a specific marking. Without the 'mls qos trust dscp' command, the switch defaults to an untrusted state and may ignore or overwrite the DSCP-to-CoS mapping set by the policy-map. Option C is correct because the missing trust command prevents the policy-map from correctly applying the CoS 5 marking to voice packets.

Exam trap

Cisco often tests the trust boundary concept, where candidates assume a policy-map alone is sufficient to re-mark packets, but the missing 'mls qos trust' command is the hidden prerequisite that causes the marking to fail.

How to eliminate wrong answers

Option A is wrong because the policy-map direction (input vs. output) is not the core issue here; the problem is that the switch does not trust the incoming DSCP marking, so even if applied in the correct direction, the marking will not be honored. Option B is wrong because the Catalyst 9300 fully supports DSCP-to-CoS mapping via the 'mls qos map dscp-cos' command and the policy-map can perform this mapping when trust is enabled. Option D is wrong because the question states the engineer is matching DSCP EF, implying the IP phone is sending DSCP EF; the failure is in the switch's handling of that marking, not in the phone's transmission.

28
Multi-Selecthard

Which three statements about Cisco QoS queuing and scheduling are true? (Choose three.)

Select 3 answers
A.Strict priority queuing ensures that voice traffic is always sent before other traffic.
B.Weighted Round Robin (WRR) is used to service non-priority queues in a round-robin fashion based on configured weights.
C.On Cisco Catalyst switches, the default queue (queue 1) is typically used for best-effort traffic.
D.Tail drop is a scheduling algorithm that determines which queue to service next.
E.Queuing and scheduling are performed on the ingress interface before routing decisions.
AnswersA, B, C

Correct because strict priority queue guarantees low latency for delay-sensitive traffic like voice.

Why this answer

Queuing manages packets when output is congested, and scheduling determines the order of transmission. Cisco uses multiple queues (e.g., 4 queues on Catalyst switches) with strict priority or weighted round-robin (WRR). Option A is correct because the strict priority queue (PQ) ensures low latency for voice. Option B is correct because WRR (or shaped round robin) is used for non-priority queues. Option C is correct because the default queue is usually queue 1 (or the best-effort queue). Option D is incorrect because tail drop is a congestion avoidance mechanism applied to a queue, not a scheduling method. Option E is incorrect because scheduling occurs on the egress interface, not ingress.

29
MCQhard

A network team is designing QoS for a multi-tenant data center using leaf-spine architecture. Each tenant requires guaranteed bandwidth for their mission-critical applications, while best-effort traffic must not interfere. The design must use hierarchical queuing to enforce per-tenant fairness. Which queuing mechanism should the architect implement on the leaf switches?

A.Implement hierarchical QoS (HQoS) with a parent policy shaping per-tenant traffic and a child policy applying class-based weighted fair queuing (CBWFQ) for each tenant's applications.
B.Use a single level of CBWFQ on all interfaces, classifying traffic by tenant using VLANs.
C.Apply strict priority queuing for all mission-critical traffic across all tenants.
D.Configure separate physical interfaces for each tenant and apply independent QoS policies.
AnswerA

HQoS provides per-tenant shaping and per-class queuing, meeting the requirements for fairness and isolation.

Why this answer

Hierarchical QoS (HQoS) is the correct choice because it allows the architect to enforce per-tenant bandwidth guarantees using a parent policy (shaping) while applying class-based weighted fair queuing (CBWFQ) in a child policy to prioritize each tenant's mission-critical applications. This two-level structure ensures that best-effort traffic from one tenant cannot starve another tenant's guaranteed traffic, meeting the multi-tenant fairness requirement.

Exam trap

Cisco often tests the misconception that a single level of CBWFQ or strict priority queuing can achieve per-tenant fairness, but without hierarchical shaping, one tenant's bursty traffic can consume all available bandwidth, breaking the isolation required in multi-tenant environments.

How to eliminate wrong answers

Option B is wrong because a single level of CBWFQ on all interfaces, classifying by VLAN, cannot enforce per-tenant fairness; it would treat all traffic from different tenants equally within the same queue, allowing one tenant's best-effort traffic to interfere with another tenant's critical traffic. Option C is wrong because strict priority queuing for all mission-critical traffic across all tenants would allow a single tenant's high-priority traffic to monopolize bandwidth, starving other tenants' critical applications and violating per-tenant fairness. Option D is wrong because configuring separate physical interfaces for each tenant is not scalable in a leaf-spine architecture and does not inherently provide hierarchical queuing or per-tenant fairness; it would require excessive port consumption and does not address intra-tenant application differentiation.

30
Drag & Dropmedium

Drag and drop the NBAR2 application recognition and classification steps into the correct order, from first to last.

Why this order

First, enable NBAR2 on the interface using 'ip nbar protocol-discovery'. Then create a class-map to match the application using 'match protocol'. Next, create a policy-map to mark or apply QoS actions. Apply the policy-map to the interface. Finally, verify NBAR2 statistics using 'show ip nbar protocol-discovery'.

31
MCQmedium

A company is implementing QoS on its campus network. The network engineer configures a policy-map that sets the CoS value for voice traffic to 5 on a switch interface. However, when the traffic reaches the router, the CoS marking is lost. What is the most likely reason?

A.The router does not trust the CoS marking and re-marks it to 0.
B.CoS is a Layer 2 marking and is not carried across a Layer 3 hop; the router must map CoS to DSCP.
C.The switch must be configured to set DSCP instead of CoS.
D.The router must have 'mls qos trust cos' configured on the interface.
AnswerB

Correct because CoS is part of the 802.1Q header, which is stripped when the packet is routed; the router needs to map CoS to DSCP to preserve the priority.

Why this answer

CoS (Class of Service) is a Layer 2 marking field in the 802.1Q VLAN tag, which is stripped when a frame passes through a Layer 3 device (router). Since the router operates at Layer 3, it does not preserve the CoS value; instead, the router must map the CoS to a DSCP (Differentiated Services Code Point) value at Layer 3 to maintain QoS across the routed hop. Option B correctly identifies this fundamental Layer 2 vs. Layer 3 boundary issue.

Exam trap

The trap here is that candidates assume CoS is preserved across routers because they see 'trust cos' on switches, but Cisco tests the understanding that CoS is a Layer 2-only marking that disappears at a Layer 3 boundary, requiring DSCP for inter-VLAN or routed QoS.

How to eliminate wrong answers

Option A is wrong because the router does not automatically 'trust' or 're-mark' CoS to 0; CoS is simply not present in the IP packet after the Layer 2 header is removed, so no re-marking occurs. Option C is wrong because setting DSCP instead of CoS on the switch would not solve the problem—the issue is that CoS is lost at the Layer 3 boundary, and DSCP must be used on the router, but the switch can set both CoS and DSCP; the root cause is the Layer 2/3 demarcation. Option D is wrong because 'mls qos trust cos' is a Catalyst switch command (not a router command) that tells the switch to trust the CoS value on ingress; it does not apply to routers and would not preserve CoS across a Layer 3 hop.

32
MCQmedium

Consider the following configuration:

class-map match-any VOICE
 match ip dscp ef
class-map match-any VIDEO
 match ip dscp af41
 match ip dscp af42

What is the effect of the match-any keyword in these class-maps?

A.A packet must match all specified DSCP values to be classified into the class.
B.A packet matching either DSCP EF or AF41 will be classified into both classes.
C.A packet matching any one of the specified DSCP values is classified into that class.
D.The match-any keyword is invalid for DSCP matching; only match-all is supported.
AnswerC

match-any means logical OR of the match conditions.

Why this answer

The `match-any` keyword in a Cisco class-map means that a packet needs to match only one of the listed match criteria to be classified into that class. In the VIDEO class-map, a packet matching either DSCP AF41 or AF42 will be classified as VIDEO. This is the default behavior for class-maps when no keyword is specified, but explicitly using `match-any` reinforces that logical OR operation is applied.

Exam trap

Cisco often tests the confusion between `match-any` (logical OR) and `match-all` (logical AND), expecting candidates to mistakenly think that `match-any` requires all conditions or that it causes a packet to be placed into multiple classes simultaneously.

How to eliminate wrong answers

Option A is wrong because `match-any` uses logical OR, not AND; a packet does not need to match all specified DSCP values. Option B is wrong because a packet matching DSCP EF would be classified only into the VOICE class, not both classes, as class-maps are evaluated independently and a single packet can match multiple class-maps but the keyword does not cause cross-classification. Option D is wrong because `match-any` is perfectly valid for DSCP matching; Cisco IOS supports both `match-any` and `match-all` keywords in class-map definitions.

33
MCQmedium

An architect is designing a QoS policy for a campus LAN that must support real-time voice and video traffic alongside mission-critical data. The design must use the DiffServ model with consistent per-hop behavior across all switches. Which approach should the architect choose to ensure that voice traffic receives priority queuing while video traffic is guaranteed bandwidth without starving other classes?

A.Use the MQC framework to classify traffic based on DSCP markings, apply a priority queue for EF traffic, and allocate a minimum bandwidth guarantee for AF41 traffic.
B.Implement a single FIFO queue on all interfaces and rely on the default CoS-to-queue mapping to prioritize voice.
C.Configure strict priority queuing for all traffic marked with DSCP values greater than 0.
D.Use the IntServ model with RSVP to reserve bandwidth for each voice and video flow.
AnswerA

This correctly implements DiffServ with consistent PHB: priority for voice (EF) and bandwidth guarantee for video (AF41) using MQC.

Why this answer

Option A is correct because it uses the Modular QoS CLI (MQC) framework to classify traffic by DSCP markings, which aligns with the DiffServ model's per-hop behavior consistency. By applying a strict priority queue for EF (Expedited Forwarding, DSCP 46) traffic, voice gets low-latency treatment, while a minimum bandwidth guarantee for AF41 (Assured Forwarding, DSCP 34) ensures video traffic receives a guaranteed share without starving other classes, as AF uses weighted fair queuing with bandwidth allocation.

Exam trap

Cisco often tests the misconception that strict priority queuing can be applied broadly to multiple traffic classes without starvation risks, but the trap here is that only EF (voice) should use priority queuing, while AF (video) requires a bandwidth guarantee to avoid starving other classes.

How to eliminate wrong answers

Option B is wrong because a single FIFO queue cannot provide differentiated treatment; it treats all traffic equally, causing voice and video to suffer jitter and delay, and default CoS-to-queue mappings are not sufficient for consistent per-hop behavior across switches. Option C is wrong because strict priority queuing for all traffic with DSCP > 0 would place multiple classes (e.g., AF, CS) into the priority queue, leading to starvation of lower-priority traffic and potential queue overflow for voice. Option D is wrong because the IntServ model with RSVP is not designed for campus LANs with DiffServ; it requires per-flow state and signaling, which does not scale and violates the requirement for consistent per-hop behavior across all switches.

34
Drag & Dropmedium

Drag and drop the steps of LLQ configuration for voice traffic into the correct order, from first to last.

Why this order

First, classify voice traffic using a class-map matching DSCP EF. Then create a policy-map and assign the class to priority (LLQ). Optionally configure a bandwidth guarantee for other classes. Apply the service-policy on the WAN interface. Finally, verify the LLQ operation using 'show policy-map interface'.

35
Matchingmedium

Drag and drop each MQC component on the left to its matching role on the right.

Concepts
Matches

Defines traffic classification criteria

Defines QoS actions to apply

Applies the policy-map to an interface

Why these pairings

class-map defines traffic classification criteria, policy-map defines the QoS actions to apply, service-policy applies the policy-map to an interface, class-map uses match statements, policy-map uses class statements.

36
MCQmedium

Examine the following configuration:

policy-map SHAPE_POLICY
 class class-default
  shape average 10000000
  service-policy INNER_POLICY

What is the purpose of the nested service-policy (service-policy INNER_POLICY) under the shape command?

A.It applies the INNER_POLICY to traffic after shaping, allowing per-class queuing within the shaped rate.
B.It applies the INNER_POLICY to traffic before shaping, which is not supported.
C.It is used to shape traffic twice, first at 10 Mbps and then again based on INNER_POLICY.
D.This configuration is invalid because service-policy cannot be nested under shape.
AnswerA

Hierarchical QoS: the inner policy manages queues within the shaped pipe.

Why this answer

The correct answer is A because the nested service-policy under the shape command applies the INNER_POLICY to traffic after it has been shaped to 10 Mbps. This allows per-class queuing and scheduling within the shaped rate, enabling finer QoS control such as bandwidth allocation or priority queuing for specific traffic classes while ensuring the overall output does not exceed the shaped rate.

Exam trap

Cisco often tests the concept that a nested service-policy under shape applies after shaping, not before, and that it is a valid method for hierarchical QoS, leading candidates to incorrectly assume it is unsupported or that it shapes traffic twice.

How to eliminate wrong answers

Option B is wrong because the nested service-policy under shape is applied after shaping, not before; applying a policy before shaping would require a different configuration (e.g., a parent policy with a service-policy before the shape command). Option C is wrong because the configuration does not shape traffic twice; the shape command defines the shaping rate, and the nested policy manages queuing within that rate, not additional shaping. Option D is wrong because nesting a service-policy under shape is a valid and supported Cisco IOS QoS feature, commonly used for hierarchical QoS (HQoS).

37
MCQmedium

Consider the following configuration snippet:

policy-map QOS_POLICY
 class VOICE
  priority percent 30
 class VIDEO
  bandwidth percent 20
  queue-limit 50 packets
 class class-default
  fair-queue
  queue-limit 100 packets

What is the effect of this configuration?

A.The VOICE class traffic is always sent before other classes, but if it exceeds 30% of the interface bandwidth, excess traffic is dropped.
B.The VOICE class traffic is always sent before other classes, and excess traffic beyond 30% is queued in the default class.
C.The VIDEO class traffic is treated with strict priority after the VOICE class.
D.The class-default uses Weighted Fair Queuing with a maximum queue size of 100 packets, and all classes share the remaining bandwidth equally.
AnswerA

Priority queuing sends traffic first; the percent 30 sets a policer that drops excess traffic beyond 30%.

Why this answer

The 'priority percent 30' command under the VOICE class enables strict priority queuing, meaning VOICE traffic is always transmitted before any other class. However, the priority queue is policed at 30% of the interface bandwidth; any traffic exceeding this rate is dropped, not queued. This is a fundamental behavior of the priority command in Cisco IOS — excess priority traffic is dropped to prevent starvation of other queues.

Exam trap

Cisco often tests the misconception that excess priority traffic is re-queued into the default class or another queue, when in fact it is always dropped to enforce the bandwidth limit and protect other traffic classes.

How to eliminate wrong answers

Option B is wrong because excess priority traffic beyond the configured percentage is dropped, not re-queued into the default class; the priority command does not allow excess traffic to fall back to another queue. Option C is wrong because the VIDEO class uses bandwidth percent 20, which is a non-priority queue (class-based weighted fair queuing), not strict priority; only the VOICE class has strict priority. Option D is wrong because the class-default uses fair-queue, but the remaining bandwidth is not shared equally among all classes — the VIDEO class has a guaranteed 20%, and the remaining bandwidth after VOICE and VIDEO is shared among the default class flows via fair-queuing, not equally across all classes.

38
Drag & Dropmedium

Drag and drop the steps of DSCP re-marking at enterprise WAN edge into the correct order, from first to last.

Why this order

DSCP re-marking at the WAN edge begins by identifying the trust boundary, then classifying traffic based on existing markings, applying a policy map to re-mark DSCP values, and finally applying the service policy to the interface. This ensures consistent QoS treatment across the WAN.

39
Drag & Dropmedium

Drag and drop the steps of the QoS trust boundary configuration process into the correct order, from first to last.

Why this order

The trust boundary process starts by enabling trust on the interface, then optionally setting a default CoS/DSCP for untrusted traffic, and finally applying a service policy to enforce policing or marking. Verification ensures the trust boundary is correctly applied.

40
MCQhard

A network engineer is troubleshooting voice quality issues on a WAN link. The engineer notices that voice packets are being dropped during congestion. The QoS policy uses LLQ for voice traffic, but the priority queue is not providing the expected bandwidth. What is the most likely cause?

A.The priority queue is not configured with a bandwidth statement.
B.The priority queue has a built-in policer that drops traffic exceeding the configured bandwidth.
C.The class-map is not matching voice traffic correctly.
D.The router is using FIFO queuing instead of LLQ.
AnswerB

Correct because LLQ uses a policer to limit the priority queue; if voice traffic exceeds the configured bandwidth, it is dropped.

Why this answer

The priority queue in LLQ uses a built-in policer that drops traffic exceeding the configured bandwidth. When congestion occurs, the policer enforces the bandwidth limit by dropping excess packets, which explains why voice packets are being dropped despite the priority queue being active. This is a fundamental behavior of LLQ to prevent the priority queue from starving other queues.

Exam trap

Cisco often tests the misconception that the priority queue provides unlimited bandwidth during congestion, when in fact LLQ uses a policer to enforce the configured bandwidth limit, causing drops for excess traffic.

How to eliminate wrong answers

Option A is wrong because the priority queue in LLQ does not require a bandwidth statement; it uses the 'priority' command which implicitly sets the bandwidth and enables the policer. Option C is wrong because if the class-map were not matching voice traffic correctly, the voice packets would not be placed into the priority queue at all, leading to different symptoms such as no prioritization rather than drops during congestion. Option D is wrong because if the router were using FIFO queuing, there would be no priority queue mechanism, and voice packets would experience general congestion drops without any bandwidth guarantee, not the specific behavior of the priority policer.

41
Multi-Selecthard

Which three statements about classification and marking in a QoS architecture are true? (Choose three.)

Select 3 answers
A.Classification can be based on the source IP address, destination port, or protocol type using an access control list.
B.Marking at Layer 3 uses the DSCP field, which provides 64 possible values, while IP Precedence provides only 8.
C.The MPLS EXP field is used to mark packets only at the ingress of an MPLS network and is never changed within the core.
D.Marking should be performed as close to the source as possible to ensure consistent treatment across the network.
E.NBAR (Network Based Application Recognition) can classify traffic by inspecting the payload up to Layer 7.
AnswersA, B, D

Correct. ACLs are a common method to classify traffic based on Layer 3 and Layer 4 information such as IP addresses, ports, and protocols.

Why this answer

Classification identifies traffic based on criteria like ACLs or NBAR, while marking sets QoS fields. Marking can be done at multiple layers (Layer 2 CoS, Layer 3 DSCP/IP Precedence) and should be performed as close to the source as possible. DSCP is preferred over IP Precedence due to its finer granularity. MPLS EXP is used in MPLS networks.

42
MCQeasy

What is the default CoS-to-queue mapping on a Cisco switch that supports QoS?

A.CoS 0-1 to queue 1, CoS 2-3 to queue 2, CoS 4-5 to queue 3, CoS 6-7 to queue 4
B.CoS 0-2 to queue 1, CoS 3-5 to queue 2, CoS 6-7 to queue 3
C.CoS 0 to queue 1, CoS 1 to queue 2, CoS 2 to queue 3, CoS 3 to queue 4
D.All CoS values are mapped to a single queue by default.
AnswerA

This is the default mapping for many Cisco switches.

Why this answer

On Cisco switches that support QoS, the default Class of Service (CoS) to queue mapping distributes CoS values across four egress queues. CoS 0 and 1 are mapped to queue 1 (best effort), CoS 2 and 3 to queue 2, CoS 4 and 5 to queue 3, and CoS 6 and 7 to queue 4 (highest priority). This mapping is defined by the default trust state and is used to prioritize traffic based on the 802.1p priority bits in the VLAN tag.

Exam trap

Cisco often tests the default CoS-to-queue mapping as a memorization point, and the trap here is that candidates confuse the default mapping with a custom or logical grouping, such as assuming CoS 5 is always in the highest queue or that each CoS gets its own queue.

How to eliminate wrong answers

Option B is wrong because it maps CoS 0-2 to queue 1, CoS 3-5 to queue 2, and CoS 6-7 to queue 3, which is a three-queue mapping that does not match the standard four-queue default on Cisco switches. Option C is wrong because it assigns each CoS value (0, 1, 2, 3) to a separate queue, which is not the default; the default groups CoS values into pairs per queue. Option D is wrong because Cisco switches do not map all CoS values to a single queue by default; they use multiple queues to provide differentiated QoS based on CoS markings.

43
MCQmedium

Consider the following configuration:

policy-map QUEUE_POLICY
 class VOICE
  priority level 1
  police cir 1000000
 class VIDEO
  priority level 2
  police cir 2000000
 class class-default
  fair-queue

What is the effect of using priority level 1 and priority level 2?

A.VOICE traffic (level 1) is always sent before VIDEO traffic (level 2), and both are policed.
B.VOICE and VIDEO traffic are treated equally and share the priority bandwidth.
C.VIDEO traffic (level 2) is sent before VOICE traffic (level 1) because it has a higher police rate.
D.This configuration is invalid because only one priority level is allowed.
AnswerA

Priority levels allow multiple strict priority queues with a hierarchy.

Why this answer

The 'priority level' command under a class in a policy-map allows multiple priority queues with different levels. Level 1 is the highest priority, so VOICE traffic (level 1) is always scheduled before VIDEO traffic (level 2). Both classes are also subject to policing, which enforces a maximum rate (CIR) and drops or remarks excess traffic. This ensures low-latency treatment for VOICE while still providing priority queuing for VIDEO, but with a lower scheduling preference.

Exam trap

The trap here is that candidates often assume only one priority queue is allowed per policy-map, but Cisco tests the 'priority level' feature which permits multiple priority queues with hierarchical strict scheduling.

How to eliminate wrong answers

Option B is wrong because VOICE and VIDEO are not treated equally; priority level 1 (VOICE) is strictly scheduled before priority level 2 (VIDEO), creating a hierarchical priority structure. Option C is wrong because a higher police rate does not affect scheduling priority; priority level determines scheduling order, not the policing rate. Option D is wrong because the configuration is valid; Cisco IOS supports multiple priority levels (up to 16 in some platforms) using the 'priority level' command, allowing differentiated priority queuing.

44
Drag & Dropmedium

Drag and drop the steps of the DiffServ traffic classification and marking pipeline into the correct order, from first to last.

Why this order

In the DiffServ QoS pipeline, traffic must first be classified using class maps, then marked with a policy map, and finally applied to an interface using a service policy. The order ensures that packets are identified, marked, and then enforced on the egress interface.

45
Drag & Dropmedium

Drag and drop the steps of the QoS shaping and policing configuration sequence into the correct order, from first to last.

Why this order

Shaping and policing require first defining traffic classes, then configuring the shaping/policing actions in a policy map, applying the policy to an interface, and finally adjusting parameters based on monitoring. This order ensures proper traffic control.

46
Multi-Selectmedium

Which two statements about the Cisco QoS trust boundary are true? (Choose two.)

Select 2 answers
A.The trust boundary can be set at the access layer switch port connected to an IP phone.
B.The 'mls qos trust cos' command configures the interface to trust the Layer 2 CoS value.
C.By default, all Cisco switch interfaces trust the incoming CoS or DSCP marking.
D.The trust boundary is always located at the distribution layer switch.
E.When a PC is connected to a switch port, the switch automatically trusts the DSCP value from the PC.
AnswersA, B

Correct because the trust boundary is typically configured at the access layer, and can be extended to the IP phone to mark traffic from the PC.

Why this answer

The trust boundary defines where the device accepts or overwrites Layer 2 CoS or Layer 3 DSCP markings. By default, Cisco switches trust the CoS value on trunk ports and set DSCP to 0 on access ports. The 'mls qos trust cos' command forces the switch to trust CoS, and 'mls qos trust dscp' forces trust of DSCP. The trust boundary can be extended to an IP phone, which then re-marks traffic from the PC. Option C is incorrect because trust is not automatically applied to all interfaces; it must be configured. Option D is incorrect because the trust boundary is at the access layer, not the core. Option E is incorrect because the switch does not automatically trust DSCP from a PC; it typically sets it to 0 unless configured otherwise.

47
MCQmedium

A company is virtualizing its network functions using NFV on a KVM-based hypervisor. The design must ensure that the virtual router (CSR1000v) can handle high-throughput traffic with minimal latency. Which architectural consideration is most critical for achieving this goal?

A.Pin the vCPU of the CSR1000v to dedicated physical cores and ensure the VM memory is allocated from the same NUMA node.
B.Use a Type 2 hypervisor to allow the VNF to share resources with other VMs more efficiently.
C.Enable overcommitment of CPU resources to maximize the number of VNFs per host.
D.Place the CSR1000v on a VMware ESXi host instead of KVM for better performance.
AnswerA

CPU pinning and NUMA locality reduce latency and improve performance by avoiding cross-NUMA memory access.

Why this answer

Pinning vCPUs to dedicated physical cores and allocating memory from the same NUMA node eliminates cross-NUMA memory access and CPU scheduling contention, which are critical for reducing latency and maximizing throughput in a data-plane-intensive VNF like the CSR1000v. This ensures that the VM's memory accesses are local to the NUMA node where its vCPUs run, avoiding the performance penalty of remote memory access over the QPI/UPI interconnect.

Exam trap

Cisco often tests the misconception that simply using a Type 1 hypervisor or avoiding overcommitment is sufficient, but the trap here is that candidates overlook the critical impact of NUMA locality and vCPU pinning on latency-sensitive VNFs, assuming that any virtualization optimization will suffice.

How to eliminate wrong answers

Option B is wrong because a Type 2 hypervisor (hosted on an OS) introduces additional overhead and is less performant for high-throughput NFV workloads compared to a Type 1 hypervisor like KVM, which runs directly on hardware. Option C is wrong because CPU overcommitment allows multiple vCPUs to share physical cores, which can cause resource contention and increased latency, directly undermining the goal of minimal latency for the CSR1000v. Option D is wrong because the question specifically states the design uses KVM, and while ESXi can be performant, the architectural consideration for achieving minimal latency on KVM is NUMA-aware pinning, not switching hypervisors; the correct answer addresses the universal principle of NUMA locality regardless of hypervisor.

48
Drag & Drop · medium

Drag and drop the traffic shaping vs. policing configuration steps into the correct order, from first to last.

Why this order

Traffic shaping and policing require first defining a class map for traffic identification, then creating a policy map with either shape or police actions, applying the policy to an interface, and finally verifying the configuration. Shaping buffers excess traffic while policing drops or re-marks it.

49
MCQ · hard

An architect is designing a QoS policy for a Cisco SD-Access fabric. The policy must prioritize voice traffic from wireless clients connected to fabric-enabled access points over other traffic types. The design should use the fabric's built-in capabilities to simplify deployment. Which approach should the architect take?

A. Use Cisco TrustSec to assign an SGT to voice traffic based on ISE authentication, then apply a QoS policy on the fabric edge node that matches the SGT and provides priority queuing.
B. Configure QoS policies on the wireless LAN controller (WLC) only, marking voice traffic with DSCP EF, and rely on the fabric to preserve the marking.
C. Implement a centralized QoS policy on the fabric border node that matches the source IP addresses of voice devices.
D. Use VXLAN network identifiers (VNIs) to classify voice traffic and apply QoS on the control plane node.
Answer: A

This uses the fabric's native policy capabilities (TrustSec) to classify voice traffic by SGT, enabling consistent QoS without complex ACLs.

Why this answer

Option A is correct because Cisco SD-Access uses TrustSec to propagate Security Group Tags (SGTs) from ISE to the fabric edge nodes. By matching the SGT assigned to voice traffic (e.g., via ISE profiling and authentication), the fabric edge node can apply a QoS policy that places that traffic into a priority queue. This leverages the fabric's built-in SGT-based policy enforcement, simplifying deployment without requiring per-device ACLs or complex marking configurations.

Exam trap

Cisco often tests the misconception that QoS marking alone (e.g., DSCP EF) is sufficient in SD-Access, when in fact the fabric requires explicit policy enforcement at the edge node, and SGT-based classification is the recommended method for scalable, identity-aware QoS.

How to eliminate wrong answers

Option B is wrong because relying solely on the WLC to mark voice traffic with DSCP EF does not guarantee that the fabric will preserve the marking end-to-end; the fabric edge node must still apply a local QoS policy to honor the DSCP value, and the WLC-only approach ignores the fabric's ability to use SGTs for simplified, scalable policy. Option C is wrong because matching source IP addresses on the fabric border node is not scalable for voice traffic from many wireless clients, and the border node is not the optimal location for per-flow QoS classification in SD-Access; classification should occur at the fabric edge where traffic enters the fabric. Option D is wrong because VXLAN network identifiers (VNIs) are used for Layer 2 and Layer 3 segmentation, not for QoS classification; applying QoS on the control plane node is incorrect as the control plane handles overlay routing and database functions, not data-plane packet forwarding or queuing.

50
Matching · medium

Drag and drop each MQC component on the left to its matching role on the right.

Concepts
Matches

Defines traffic classification using match statements

Defines QoS actions (e.g., bandwidth, priority) for each class

Applies a policy-map to an interface (input or output)

Why these pairings

class-map defines traffic classification criteria, policy-map defines the QoS actions to apply, service-policy applies the policy-map to an interface, class-map uses match statements, and policy-map uses class statements.

51
MCQ · medium

A network architect is designing QoS for a Cisco SD-WAN deployment that uses a mix of MPLS and broadband Internet transports. The design must ensure that interactive video traffic is not delayed by large file transfers, even when the Internet link experiences congestion. Which SD-WAN policy type should the architect use to enforce this behavior?

A. Configure a localized QoS policy on the WAN edge routers that matches video traffic and applies a priority queue.
B. Use a centralized data policy to steer video traffic to the MPLS link only.
C. Implement a centralized application-aware routing policy to prefer the MPLS link for video.
D. Configure a VPN membership policy to isolate video traffic in a separate VPN.
Answer: A

Localized policies are applied per device and can prioritize video over bulk traffic on each link.

Why this answer

Option A is correct because a localized QoS policy on the WAN edge router can classify interactive video traffic and place it into a priority queue, ensuring low-latency treatment even when the Internet link is congested. This policy operates locally on the router, directly controlling queuing and scheduling behavior on the specific interface, which is essential for protecting real-time traffic from bulk file transfers.

Exam trap

Cisco often tests the distinction between traffic-steering policies (centralized data or app-aware routing) and local queuing mechanisms (QoS policies), leading candidates to mistakenly choose a path-selection solution when the question explicitly asks about preventing delay on a congested link.

How to eliminate wrong answers

Option B is wrong because a centralized data policy steers traffic based on routing decisions but does not provide per-hop queuing or congestion management; it cannot guarantee that video traffic is not delayed by file transfers on the same link. Option C is wrong because an application-aware routing policy selects the best path (e.g., MPLS) but does not enforce local queuing behavior; if the Internet link is the only available path or is chosen, video traffic can still be delayed without a priority queue. Option D is wrong because a VPN membership policy isolates traffic into separate logical networks but does not affect queuing or scheduling on the physical interface; congestion on the Internet link would still affect all traffic in that VPN.

52
MCQ · medium

Given the following configuration:

interface GigabitEthernet0/1
 service-policy output QOS_POLICY

Which statement is true about applying a service-policy in the output direction?

A. The policy-map is applied to traffic exiting the interface, allowing queuing and scheduling decisions.
B. The policy-map is applied to traffic entering the interface, performing classification and marking.
C. The policy-map can only be applied if the interface is in a shutdown state.
D. The policy-map must contain a class-default with a shape command to be valid.
Answer: A

Output service-policy controls how traffic is queued and transmitted out of the interface.

Why this answer

When a service-policy is applied in the output direction, the policy-map inspects and acts on packets as they leave the interface. This allows the policy to perform queuing and scheduling decisions (e.g., CBWFQ, LLQ, shaping) on outbound traffic, which is the correct behavior for managing bandwidth and latency on egress.

Exam trap

Cisco often tests the distinction between input and output service-policies, where candidates mistakenly assume that output policies are used for marking or classification, when in fact those actions are typically performed on ingress.

How to eliminate wrong answers

Option B is wrong because applying a service-policy in the output direction does not affect traffic entering the interface; input direction (service-policy input) is used for classification and marking on ingress. Option C is wrong because a service-policy can be applied to an interface regardless of its operational state; it does not require the interface to be in a shutdown state. Option D is wrong because a policy-map applied in the output direction does not require a class-default with a shape command; shaping is optional, and the policy can contain other actions like bandwidth, priority, or queue-limit without a shape statement.

53
MCQ · hard

A network engineer is implementing QoS on a Cisco router that connects to a service provider. The provider uses MPLS and expects the MPLS EXP bits to be set for voice traffic. The engineer configures a policy-map that sets the MPLS EXP to 5. However, the provider reports that the EXP bits are not being set. What is the most likely reason?

A. The policy-map is applied to the incoming interface, but MPLS EXP marking must be done on the outgoing interface.
B. The router does not support setting MPLS EXP bits.
C. The MPLS EXP bits are set automatically based on the IP precedence.
D. The policy-map must use 'set mpls experimental imposition 5' instead of 'set mpls experimental 5'.
Answer: A

Correct because the MPLS label is added when the packet is forwarded; the marking must be applied on the outgoing interface to set the EXP bits on the label.

Why this answer

The most likely reason is that the policy-map is applied to the incoming interface, but MPLS EXP marking must be applied on the outgoing interface. MPLS EXP bits are set at the imposition (ingress) of the MPLS label stack, which occurs when the packet is forwarded out of an interface that has MPLS enabled. If the policy-map is applied inbound, it marks the IP packet before MPLS encapsulation, and the EXP bits are not set on the MPLS label.

The correct approach is to apply the policy-map outbound on the interface facing the service provider, so that the 'set mpls experimental' command marks the EXP bits on the imposed label.

Exam trap

Cisco often tests the concept that MPLS EXP marking must be applied on the outgoing interface (where MPLS encapsulation occurs), not on the incoming interface, leading candidates to incorrectly assume that inbound marking is sufficient.

How to eliminate wrong answers

Option B is wrong because modern Cisco routers that support MPLS (e.g., ISR, ASR series) fully support setting MPLS EXP bits via policy-maps; this is a standard QoS feature. Option C is wrong because MPLS EXP bits are not automatically set based on IP precedence; they must be explicitly configured using a policy-map or can be copied from IP precedence if the 'mpls ip' command with 'mpls experimental' is configured, but this is not automatic and requires specific configuration. Option D is wrong because 'set mpls experimental 5' is the correct command for marking the EXP bits on the imposed label; 'set mpls experimental imposition 5' is not a valid Cisco IOS command.

54
MCQ · medium

A company is deploying a new campus network with a hierarchical design (core, distribution, access). The QoS design must ensure that voice traffic is prioritized end-to-end, and that marking is trusted only on access ports connected to IP phones. Which architectural approach should the architect take for classification and marking?

A. Configure the access switches to trust DSCP on ports connected to IP phones, and apply queuing policies on distribution and core switches that match the trusted markings.
B. Remark all traffic to a single DSCP value at the access layer and apply priority queuing at the core.
C. Apply QoS policies only at the core layer, ignoring markings from the access layer.
D. Use the distribution layer to reclassify traffic based on source MAC addresses of IP phones.
Answer: A

Trusting DSCP on IP phone ports preserves the correct markings; queuing at higher layers ensures consistent treatment.

Why this answer

Option A is correct because it aligns with the Cisco QoS trust boundary model for campus networks. IP phones are trusted endpoints that mark voice traffic with the correct DSCP values (e.g., EF for voice, AF41 for video). By configuring the access switch port to trust DSCP from the IP phone, the marking is preserved end-to-end.

Distribution and core switches then apply queuing policies (e.g., LLQ) based on these trusted markings, ensuring voice traffic receives priority treatment across the entire network.

Exam trap

Cisco often tests the concept that the trust boundary must be set at the access layer, not at the distribution or core, and that trusting DSCP from IP phones is the correct method, while remarking all traffic to a single value or ignoring markings entirely are common misconceptions that break end-to-end QoS.

How to eliminate wrong answers

Option B is wrong because remarking all traffic to a single DSCP value at the access layer eliminates any differentiation between voice, video, and data, defeating the purpose of QoS and causing all traffic to be treated equally, which would starve voice of priority. Option C is wrong because applying QoS policies only at the core layer ignores the need to establish a trust boundary at the access layer; without trusting or marking at the edge, the core has no reliable markings to act upon, and the access layer may re-mark or drop priority packets. Option D is wrong because reclassifying traffic based on source MAC addresses at the distribution layer is inefficient and unscalable; classification should occur as close to the source as possible (at the access layer), and MAC-based classification does not leverage the standard DSCP markings that IP phones already set.

55
Matching · medium

Drag and drop each QoS model on the left to its matching characteristic on the right.

Concepts
Matches

Uses RSVP to signal per-flow reservations

Classifies traffic using DSCP markings

No guarantees for delivery or delay

Why these pairings

IntServ uses RSVP for per-flow signaling, DiffServ uses DSCP marking for per-hop behavior, Best Effort provides no guarantees, IntServ requires state in routers, and DiffServ scales well for large networks.

56
MCQ · medium

A network team is designing QoS for a Cisco SD-WAN fabric connecting multiple branch offices to a central data center. The design must ensure that VoIP traffic from branch sites receives priority treatment across the WAN overlay, regardless of the underlying transport (MPLS, Internet, LTE). Which architectural component should the team configure to enforce consistent QoS policies across all WAN edges?

A. Configure a centralized QoS policy on vManage that matches VoIP DSCP markings and applies priority queuing on all WAN edge routers.
B. Define a localized QoS policy on each branch router using MQC, matching the same DSCP values.
C. Use the vSmart controller to apply QoS policy only on the MPLS transport, leaving Internet and LTE unmanaged.
D. Implement QoS using RSVP across the overlay tunnels.
Answer: A

Centralized policies are pushed from vManage to all edges, providing uniform QoS across the fabric.

Why this answer

Option A is correct because vManage serves as the centralized SD-WAN management plane, allowing administrators to define a single QoS policy that matches VoIP DSCP markings (e.g., EF for expedited forwarding) and applies priority queuing across all WAN edge routers. This ensures consistent treatment of VoIP traffic over any transport (MPLS, Internet, LTE) by pushing the policy to all vEdge/cEdge devices via the vSmart controller, leveraging the SD-WAN overlay's ability to enforce QoS independently of the underlying physical transport.

Exam trap

Cisco often tests the misconception that QoS policies must be configured locally on each router (Option B) or that RSVP is required for guaranteed service in SD-WAN, but the key is that SD-WAN centralizes QoS management via vManage and vSmart to ensure consistency across all transports.

How to eliminate wrong answers

Option B is wrong because defining a localized QoS policy on each branch router using MQC (Modular QoS CLI) is operationally inefficient and error-prone in a large SD-WAN deployment; it lacks centralized management and consistency, and does not leverage the SD-WAN fabric's ability to enforce policies across all transports uniformly. Option C is wrong because using the vSmart controller to apply QoS policy only on MPLS transport violates the design requirement of treating VoIP traffic consistently across all transports (MPLS, Internet, LTE); this approach would leave Internet and LTE links unmanaged, causing potential degradation of VoIP over those transports. Option D is wrong because RSVP (Resource Reservation Protocol) is a per-flow signaling protocol designed for IntServ (Integrated Services) QoS, which does not scale well in an SD-WAN overlay environment and is not used for enforcing consistent QoS policies across WAN edges; SD-WAN relies on DiffServ (Differentiated Services) markings and centralized policy, not RSVP.

57
Multi-Select · medium

Which two statements about policing and shaping in a QoS architecture are true? (Choose two.)

Select 2 answers
A. Policing can be configured on both ingress and egress interfaces, while shaping is only supported on egress interfaces.
B. Shaping uses a token bucket algorithm to meter traffic and drops packets that exceed the configured rate.
C. Policing introduces variable delay because it buffers excess traffic before forwarding.
D. Both policing and shaping can re-mark packets that conform to the configured rate.
E. The 'shape average' command configures shaping to use the average rate over time, while 'shape peak' allows bursts above the average.
Answers: A, E

Correct. Policing can be applied inbound or outbound on Cisco routers and switches, whereas shaping is typically applied only on outbound interfaces because it buffers packets.

Why this answer

Policing drops or re-marks traffic exceeding a rate, while shaping buffers excess traffic to smooth bursts. Policing is applied inbound or outbound, shaping is typically outbound. Policing does not introduce delay, shaping does.

Both can use token bucket algorithms.

58
Matching · medium

Drag and drop each queuing mechanism on the left to its matching use case on the right.

Concepts
Matches

Strict priority for delay-sensitive traffic

Guaranteed bandwidth for defined classes

Strict priority queue with CBWFQ for voice/video

Fair queuing for all flows

Why these pairings

PQ provides strict priority for delay-sensitive traffic, CBWFQ guarantees bandwidth for defined classes, LLQ combines strict priority with CBWFQ for real-time traffic, WFQ provides fair queuing for all flows, CBWFQ is used for data traffic requiring bandwidth guarantees.
