In this lesson, we’ll take a look at marking packets. Marking means that we set the TOS (Type of Service) byte with an IP Precedence value or DSCP value. If you have no idea what precedence or DSCP is about, then you should read my IP Precedence and DSCP value lesson first. I’m also going to assume that you understand what classification is. If you don’t…read my classification lesson first.
Marking on a Cisco catalyst switch is a bit different than on a router. If you want to know how to configure marking on your Cisco switch, then look at this lesson.
Having said that, let’s take a look at the configuration!
Configuration
I will use three routers to demonstrate marking, connected like this:

I will send some traffic from R1 to R3, and we will use R2 to mark our traffic. I use static routes on R1 and R3 to make all networks reachable. We’ll keep it simple and start by marking telnet traffic.
Let’s create an access-list for classification:
R2(config)#ip access-list extended TELNET-TRAFFIC
R2(config-ext-nacl)#permit tcp any any eq telnet
Now, we need to add the access-list to a class-map:
R2(config)#class-map TELNET-TRAFFIC
R2(config-cmap)#match access-group name TELNET-TRAFFIC
And we’ll add the class-map to a policy-map:
R2(config)#policy-map MARKING
R2(config-pmap)#class TELNET-TRAFFIC
R2(config-pmap-c)#set ?
atm-clp Set ATM CLP bit to 1
cos Set IEEE 802.1Q/ISL class of service/user priority
cos-inner Set Inner CoS
discard-class Discard behavior identifier
dscp Set DSCP in IP(v4) and IPv6 packets
fr-de Set FR DE bit to 1
ip Set IP specific values
mpls Set MPLS specific values
precedence Set precedence in IP(v4) and IPv6 packets
qos-group Set QoS Group
vlan-inner Set Inner Vlan
There are quite some options for the set command. When it comes to IP packets, we’ll use the precedence or DSCP values. Let’s start with precedence:
R2(config-pmap-c)#set precedence ?
<0-7> Precedence value
cos Set packet precedence from L2 COS
critical Set packets with critical precedence (5)
flash Set packets with flash precedence (3)
flash-override Set packets with flash override precedence (4)
immediate Set packets with immediate precedence (2)
internet Set packets with internetwork control precedence (6)
network Set packets with network control precedence (7)
priority Set packets with priority precedence (1)
qos-group Set packet precedence from QoS Group.
routine Set packets with routine precedence (0)
For this example, it doesn’t matter much what we pick. Let’s go for IP precedence 7 (network):
R2(config-pmap-c)#set precedence network
Last but not least, we have to activate the policy-map:
R2(config)#interface FastEthernet 0/0
R2(config-if)#service-policy input MARKING
That’s all there is to it. Let’s see if it works….I’ll telnet from R1 to R3:
R1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
Now look at R2:
R2#show policy-map interface FastEthernet 0/0
FastEthernet0/0
Service-policy input: MARKING
Class-map: TELNET-TRAFFIC (match-all)
10 packets, 609 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name TELNET-TRAFFIC
QoS Set
precedence 7
Packets marked 10
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
That’s looking good! Ten packets have been marked with precedence 7. That’s not too bad, right?
Let’s see if we can also mark some packets with a DSCP value, let’s mark some HTTP traffic:
R2(config)#ip access-list extended HTTP-TRAFFIC
R2(config-ext-nacl)#permit tcp any any eq 80
Create a class-map:
R2(config)#class-map HTTP-TRAFFIC
R2(config-cmap)#match access-group name HTTP-TRAFFIC
And we’ll add it to the policy-map:
R2(config)#policy-map MARKING
R2(config-pmap)#class HTTP-TRAFFIC
R2(config-pmap-c)#set dscp ?
<0-63> Differentiated services codepoint value
af11 Match packets with AF11 dscp (001010)
af12 Match packets with AF12 dscp (001100)
af13 Match packets with AF13 dscp (001110)
af21 Match packets with AF21 dscp (010010)
af22 Match packets with AF22 dscp (010100)
af23 Match packets with AF23 dscp (010110)
af31 Match packets with AF31 dscp (011010)
af32 Match packets with AF32 dscp (011100)
af33 Match packets with AF33 dscp (011110)
af41 Match packets with AF41 dscp (100010)
af42 Match packets with AF42 dscp (100100)
af43 Match packets with AF43 dscp (100110)
cos Set packet DSCP from L2 COS
cs1 Match packets with CS1(precedence 1) dscp (001000)
cs2 Match packets with CS2(precedence 2) dscp (010000)
cs3 Match packets with CS3(precedence 3) dscp (011000)
cs4 Match packets with CS4(precedence 4) dscp (100000)
cs5 Match packets with CS5(precedence 5) dscp (101000)
cs6 Match packets with CS6(precedence 6) dscp (110000)
cs7 Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
qos-group Set packet dscp from QoS Group.
Let’s pick something…..AF12 will do:
R2(config-pmap-c)#set dscp af12
Let’s generate some traffic:
R3(config)#ip http server
R1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... Open
And check out the policy-map:
R2#show policy-map interface FastEthernet 0/0
FastEthernet0/0
Service-policy input: MARKING
Class-map: TELNET-TRAFFIC (match-all)
10 packets, 609 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name TELNET-TRAFFIC
QoS Set
precedence 7
Packets marked 10
Class-map: HTTP-TRAFFIC (match-all)
3 packets, 180 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name HTTP-TRAFFIC
QoS Set
dscp af12
Packets marked 3
Class-map: class-default (match-any)
99 packets, 5940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
That’s all there is to it…
There is one thing left I’d like to share with you. Some network devices like switches or wireless controllers sometimes re-mark traffic; this can be a pain, and it’s something you might want to check. On a Cisco IOS router, it’s simple to do this…just create a policy-map and some class-maps that match your precedence or DSCP values. This allows you to quickly check if you are receiving (correctly) marked packets or not. Here’s what I usually do:
R3(config)#class-map AF12
R3(config-cmap)#match dscp af12
R3(config)#class-map PREC7
R3(config-cmap)#match precedence 7
R3(config)#policy-map COUNTER
R3(config-pmap)#class AF12
R3(config-pmap-c)#exit
R3(config-pmap)#class PREC7
R3(config-pmap-c)#exit
R3(config)#interface FastEthernet 0/0
R3(config-if)#service-policy input COUNTER
I created two class-maps that match on DSCP AF12 or precedence 7 marked packets. Take a look below:
R3#show policy-map interface FastEthernet 0/0
FastEthernet0/0
Service-policy input: COUNTER
Class-map: AF12 (match-all)
4 packets, 240 bytes
5 minute offered rate 0 bps
Match: dscp af12 (12)
Class-map: PREC7 (match-all)
12 packets, 729 bytes
5 minute offered rate 0 bps
Match: precedence 7
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
This proves that R3 is receiving our marked packets. In this scenario, it’s not a surprise, but when you do have network devices that mess with your markings, this can be a relief to see.