QoS Marking on Cisco IOS Router – Network Professional Member Site

In this lesson, we’ll take a look at marking packets. Marking means that we set the TOS (Type of Service) byte with an IP Precedence value or DSCP value. If you have no idea what precedence or DSCP is about, then you should read my IP Precedence and DSCP value lesson first. I’m also going to assume that you understand what classification is. If you don’t…read my classification lesson first.

Marking on a Cisco catalyst switch is a bit different than on a router. If you want to know how to configure marking on your Cisco switch, then look at this lesson.

Having said that, let’s take a look at the configuration!

Configuration

I will use three routers to demonstrate marking, connected like this:

I will send some traffic from R1 to R3, and we will use R2 to mark our traffic. I use static routes on R1 and R3 to make all networks reachable. We’ll keep it simple and start by marking telnet traffic.

Let’s create an access-list for classification:

R2(config)#ip access-list extended TELNET-TRAFFIC
R2(config-ext-nacl)#permit tcp any any eq telnet

Now, we need to add the access-list to a class-map:

R2(config)#class-map TELNET-TRAFFIC
R2(config-cmap)#match access-group name TELNET-TRAFFIC

And we’ll add the class-map to a policy-map:

R2(config)#policy-map MARKING
R2(config-pmap)#class TELNET-TRAFFIC
R2(config-pmap-c)#set ?
  atm-clp        Set ATM CLP bit to 1
  cos            Set IEEE 802.1Q/ISL class of service/user priority
  cos-inner      Set Inner CoS
  discard-class  Discard behavior identifier
  dscp           Set DSCP in IP(v4) and IPv6 packets
  fr-de          Set FR DE bit to 1
  ip             Set IP specific values
  mpls           Set MPLS specific values
  precedence     Set precedence in IP(v4) and IPv6 packets
  qos-group      Set QoS Group
  vlan-inner     Set Inner Vlan

There are quite some options for the set command. When it comes to IP packets, we’ll use the precedence or DSCP values. Let’s start with precedence:

R2(config-pmap-c)#set precedence ?
  <0-7>           Precedence value
  cos             Set packet precedence from L2 COS
  critical        Set packets with critical precedence (5)
  flash           Set packets with flash precedence (3)
  flash-override  Set packets with flash override precedence (4)
  immediate       Set packets with immediate precedence (2)
  internet        Set packets with internetwork control precedence (6)
  network         Set packets with network control precedence (7)
  priority        Set packets with priority precedence (1)
  qos-group       Set packet precedence from QoS Group.
  routine         Set packets with routine precedence (0)

For this example, it doesn’t matter much what we pick. Let’s go for IP precedence 7 (network):

R2(config-pmap-c)#set precedence network

Last but not least, we have to activate the policy-map:

R2(config)#interface FastEthernet 0/0
R2(config-if)#service-policy input MARKING

That’s all there is to it. Let’s see if it works….I’ll telnet from R1 to R3:

R1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open

Now look at R2:

R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0

  Service-policy input: MARKING

    Class-map: TELNET-TRAFFIC (match-all)
      10 packets, 609 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TELNET-TRAFFIC
      QoS Set
        precedence 7
          Packets marked 10

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

That’s looking good! Ten packets have been marked with precedence 7. That’s not too bad, right?

Let’s see if we can also mark some packets with a DSCP value, let’s mark some HTTP traffic:

R2(config)#ip access-list extended HTTP-TRAFFIC
R2(config-ext-nacl)#permit tcp any any eq 80

Create a class-map:

R2(config)#class-map HTTP-TRAFFIC
R2(config-cmap)#match access-group name HTTP-TRAFFIC

And we’ll add it to the policy-map:

R2(config)#policy-map MARKING
R2(config-pmap)#class HTTP-TRAFFIC
R2(config-pmap-c)#set dscp ?
  <0-63>     Differentiated services codepoint value
  af11       Match packets with AF11 dscp (001010)
  af12       Match packets with AF12 dscp (001100)
  af13       Match packets with AF13 dscp (001110)
  af21       Match packets with AF21 dscp (010010)
  af22       Match packets with AF22 dscp (010100)
  af23       Match packets with AF23 dscp (010110)
  af31       Match packets with AF31 dscp (011010)
  af32       Match packets with AF32 dscp (011100)
  af33       Match packets with AF33 dscp (011110)
  af41       Match packets with AF41 dscp (100010)
  af42       Match packets with AF42 dscp (100100)
  af43       Match packets with AF43 dscp (100110)
  cos        Set packet DSCP from L2 COS
  cs1        Match packets with CS1(precedence 1) dscp (001000)
  cs2        Match packets with CS2(precedence 2) dscp (010000)
  cs3        Match packets with CS3(precedence 3) dscp (011000)
  cs4        Match packets with CS4(precedence 4) dscp (100000)
  cs5        Match packets with CS5(precedence 5) dscp (101000)
  cs6        Match packets with CS6(precedence 6) dscp (110000)
  cs7        Match packets with CS7(precedence 7) dscp (111000)
  default    Match packets with default dscp (000000)
  ef         Match packets with EF dscp (101110)
  qos-group  Set packet dscp from QoS Group.

Let’s pick something…..AF12 will do:

R2(config-pmap-c)#set dscp af12

Let’s generate some traffic:

R3(config)#ip http server

R1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... Open

And check out the policy-map:

R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0

  Service-policy input: MARKING

    Class-map: TELNET-TRAFFIC (match-all)
      10 packets, 609 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TELNET-TRAFFIC
      QoS Set
        precedence 7
          Packets marked 10

    Class-map: HTTP-TRAFFIC (match-all)
      3 packets, 180 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name HTTP-TRAFFIC
      QoS Set
        dscp af12
          Packets marked 3

    Class-map: class-default (match-any)
      99 packets, 5940 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

That’s all there is to it…

There is one thing left I’d like to share with you. Some network devices like switches or wireless controllers sometimes re-mark traffic; this can be a pain, and it’s something you might want to check. On a Cisco IOS router, it’s simple to do this…just create a policy-map and some class-maps that match your precedence or DSCP values. This allows you to quickly check if you are receiving (correctly) marked packets or not. Here’s what I usually do:

R3(config)#class-map AF12
R3(config-cmap)#match dscp af12

R3(config)#class-map PREC7
R3(config-cmap)#match precedence 7

R3(config)#policy-map COUNTER
R3(config-pmap)#class AF12
R3(config-pmap-c)#exit
R3(config-pmap)#class PREC7
R3(config-pmap-c)#exit

R3(config)#interface FastEthernet 0/0
R3(config-if)#service-policy input COUNTER

I created two class-maps that match on DSCP AF12 or precedence 7 marked packets. Take a look below:

R3#show policy-map interface FastEthernet 0/0
 FastEthernet0/0

  Service-policy input: COUNTER

    Class-map: AF12 (match-all)
      4 packets, 240 bytes
      5 minute offered rate 0 bps
      Match:  dscp af12 (12)

    Class-map: PREC7 (match-all)
      12 packets, 729 bytes
      5 minute offered rate 0 bps
      Match:  precedence 7

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

This proves that R3 is receiving our marked packets. In this scenario, it’s not a surprise, but when you do have network devices that mess with your markings, this can be a relief to see.