Classification and Marking (Classification, Marking, and NBAR)

With QoS, you intend to provide different treatments to different classes of network traffic. Therefore, it is necessary to define traffic classes by identifying and grouping network traffic. Classification does just that; it is the process or mechanism that identifies traffic and categorizes it into classes. This categorization is done using traffic descriptors. Common traffic descriptors are any of the following:

■ Ingress (or incoming) interface

■ CoS value on ISL or 802.1p frame

■ Source or destination IP address

■ IP precedence or DSCP value on the IP Packet header

■ MPLS EXP value on the MPLS header

■ Application type

In the past, you performed classification without marking. As a result, each QoS mechanism at each device had to classify before it could provide unique treatments to each class of traffic. For example, to perform priority queuing, you must classify the traffic using access lists so that you can assign different traffic classes to various queues (high, medium, normal, or low). On the same device or another, to perform queuing, shaping, policing, fragmentation, RTP header compression, and so on, you must perform classification again so that different classes of traffic are treated differently. Repeated classification in that fashion, using access-lists for example, is inefficient. Today, after you perform the first-time classification, mark (or color) the packets. This way, the following devices on the traffic path can provide differentiated service to packets based on packet markings (colors): after the first-time classification is performed at the edge (which is mostly based on deep packet inspection) and the packet is marked, only a simple and efficient classification based on the packet marking is performed inside the network.

Classification has traditionally been done with access lists (standard or extended), but today the Cisco IOS command class-map is the common classification tool. class-map is a component of the Cisco IOS modular QoS command-line interface (MQC). The match statement within a class map can refer to a traffic descriptor, an access list, or an NBAR protocol. NBAR is a classification tool that will be discussed in this topic. Please note that class-map does not eliminate usage of other tools such as access lists. It simply makes the job of classification more sophisticated and powerful. For example, you can define a traffic class based on multiple conditions, one of which may be matching an access-list.

It is best to perform the initial classification (and marking) task as close to the source of traffic as possible. The network edge device such as the IP phone, and the access layer switch would be the preferable locations for traffic classification and marking.

Marking is the process of tagging or coloring traffic based on its category. Traffic is marked after you classify it. What is marked depends on whether you want to mark the Layer 2 frame or cell or the Layer 3 packet. Commonly used Layer 2 markers are CoS (on ISL or 802.1Q header), EXP (on MPLS header, which is in between layers 2 and 3), DE (on Frame Relay header), and CLP (on ATM cell header). Commonly used Layer 3 markers are IP precedence or DSCP (on IP header).

Layer 2 QoS: CoS on 802.1Q/P Ethernet Frame

The IEEE defined the 802.1Q frame for the purpose of implementing trunks between LAN devices. The 4-byte 802.1Q header field that is inserted after the source MAC address on the Ethernet header has a VLAN ID field for trunking purposes. A three-bit user priority field (PRI) is available also and is called CoS (802.1p). CoS is used for QoS purposes; it can have one of eight possible values, as shown in Table 3-2.

Table 3-2 CoS Bits and Their Corresponding Decimal Values and Definitions

CoS (bits)

CoS (in Decimal)






Best-Effort Data




Medium Priority Data




High Priority Data




Call Signaling




Video Conferencing




Voice Bearer





(inter-network control)




Reserved (network control)

Figure 3-1 shows the 4-byte 802.1Q field that is inserted into the Ethernet header after the source MAC address. In a network with IP Telephony deployed, workstations connect to the IP phone Ethernet jack (marked PC), and the IP phone connects to the access layer switch (marked Switch).

The IP phone sends 802.1Q/P frames to the workgroup switch. The frames leaving the IP phone toward the workgroup (access) switch have the voice VLAN number in the VLAN ID field, and their priority (CoS) field is usually set to 5 (decimal), which is equal to 101 binary, interpreted as critical or voice bearer.

Figure 3-1 802.1Q/P Field

802.1Q/P Field

Layer 2 QoS: DE and CLP on Frame Relay and ATM (Cells)

Frame Relay and ATM QoS standards were defined and used (by ITU-T and FRF) before Internet Engineering Task Force (IETF) QoS standards were introduced and standardized. In Frame Relay, for instance, the forward explicit congestion notification (FECN), backward explicit congestion notification (BECN), and discard eligible (DE) fields in the frame header have been used to perform congestion notification and drop preference notification. Neither Frame Relay frames nor ATM cells have a field comparable to the 3-bit CoS field previously discussed on 802.1P frames. A Frame Relay frame has a 1-bit DE, and an ATM cell has a 1-bit cell loss priority (CLP) field that essentially informs the transit switches whether the data unit is not (DE or CLP equal 0) or whether it is (DE or CLP equal 1) a good candidate for dropping, should the need for dropping arise. Figure 3-2 displays the position of the DE field in the Frame Relay frame header.

Figure 3-2 DE Field on Frame Relay Frame Header

DE Field on Frame Relay Frame Header

Layer 2 1/2 QoS: MPLS EXP Field

MPLS packets are IP packets that have one or more 4-byte MPLS headers added. The IP packet with its added MPLS header is encapsulated in a Layer 2 protocol data unit (PDU) such as Ethernet before it is transmitted. Therefore, the MPLS header is often called the SHIM or layer 2 1/2 header. Figure 3-3 displays an MPLS-IP packet encapsulated in an Ethernet frame. The EXP (experimental) field within the MPLS header is used for QoS purposes. The EXP field was designed as a 3-bit field to be compatible with the 3-bit IP precedence field on the IP header and the 3-bit PRI (CoS) field in the 802.1Q header.

Figure 3-3 EXP Field in the MPLS Header

EXP Field in the MPLS Header

By default, as an IP packet enters an MPLS network, the edge router copies the three most significant bits of the type of service (ToS) byte of the IP header to the EXP field of the MPLS header. The three most significant bits of the ToS byte on the IP header are called the IP precedence bits. The ToS byte of the IP header is now called the DiffServ field; the six most significant bits of the DiffServ field are called the DSCP.

Instead of allowing the EXP field of MPLS to be automatically copied from IP precedence, the administrator of the MPLS edge router can configure the edge router to set the EXP to a desired value. This way, the customer of an MPLS service provider can set the IP precedence or DSCP field to a value he wants, and the MPLS provider can set the EXP value on the MPLS header to a value that the service provider finds appropriate, without interfering with the customer IP header values and settings.

Next post:

Previous post: