Traffic Classification and Marking on Cisco IOS

In this article I will show how to mark IP packets to prioritize multimedia and critical applications following a QoS policy that will be later enforced inside the ISP cloud.

1. The QoS service offered by the ISP allows for control of how traffic is prioritized and bandwidth is reserved, with three queues available as shown in the figure below.

As shown in the figure, 30% of the bandwidth is reserved for multimedia applications such as VoIP, whose packets are marked with the DSCP value of EF. Other 50% of the bandwidth is reserved for critical applications, whose packets are marked with the DSCP value of AF1. The remaining 20% of the bandwidth will fall in the best effort queue (BE), used by the normal applications.

If no multimedia or critical applications are using the link, the BE queue can use up to 100% of the bandwidth. The same happens with the AF1 queue: it is allowed to use up to 100% of the bandwidth if the other queues are empty.

2. Thus, before sending the packets to the ISP router, the packets must be remarked with the EF value for VoIP 1) and with AF11 for critical applications. Other traffic that are not being remarked will be forwarded to the normal data queue, with best effort processing.

3. The first step towards traffic remarking will be defining the ACL for traffic classification. In this case, the IP address of the critical application server is, port 443. Thus, we will create an ACL that matches any traffic that is destined to that server:

access-list 100 permit tcp any host eq 443

In this article we are using ACLs to mark only the critical data, given that the VoIP traffic is already marked with the according DSCP value by the IP phones involved in the phone call, so another ACL is not required.

A common issue with traffic marking by the originating device is that the access switch must trust the markings sent by the phone. So, make sure your switch port is configured to trust DSCP markings done by your IP phones and other unified communications endpoints.

4. Configure a class-map using the defined ACLs.

class-map match-all Priority_Application
 match access-group 100

5. Configure the policy-map and inform the class and the value to remark the packets (af11).

policy-map Mark_PriorityTraffic
 class Priority_Application
  set dscp af11

6. Apply the defined policy-map to the port where the ISP router is connected.

interface GigabitEthernet0/0
 service-policy output Mark_PriorityTraffic

7. To verify the results, use the command:

show policy-map interface

References   [ + ]


Leave a Reply

Your email address will not be published. Required fields are marked *