QoS
What It Is
Quality of Service is how a network decides which packets get preferred treatment when there is contention. QoS does not create bandwidth. It classifies traffic, marks traffic, queues traffic, drops traffic earlier or later, shapes traffic to a rate, or polices traffic to a ceiling.
Modern QoS is usually DiffServ: packets carry DSCP markings, each device applies local policy, and the design depends on a clear trust boundary. The useful question is not "is QoS enabled?" The useful question is "what happens when this interface is congested?"
QoS Models
| Model | Meaning | Modern Use |
|---|---|---|
| Best effort | No explicit preferential treatment | Default Internet and many LANs |
| IntServ | RSVP reserves resources per flow | Niche and provider-specific |
| DiffServ | Mark packets and apply per-hop behavior | Most enterprise, campus, WAN, and Wi-Fi QoS |
Modern note: QoS only matters at congestion points. A perfect policy on an uncongested link does not change forwarding behavior.
Core Workflow
| Step | Question | Examples |
|---|---|---|
| Classify | What traffic is this? | Voice RTP, video, control, backup, default |
| Mark | What label should it carry? | DSCP EF, AF31, CS6, default |
| Trust | Should inbound markings be kept? | Phone port, AP uplink, WAN edge |
| Queue | How should congestion be handled? | Priority queue, bandwidth class, default queue |
| Shape | Should egress be smoothed to a rate? | Provider handoff, cloud tunnel, subrate circuit |
| Police | Should excess be dropped or remarked? | Guest, scavenger, contract limit |
| Verify | Are counters moving under load? | Class counters, drops, queue depth |
Markings
| Marking | Field | Size | Where Seen |
|---|---|---|---|
| DSCP | IP DS field | 6 bits | IPv4 and IPv6 |
| ECN | IP DS field | 2 bits | Congestion notification |
| IP Precedence | Legacy IP TOS | 3 bits | Older designs and compatibility |
| CoS/PCP | 802.1Q VLAN tag | 3 bits | Ethernet trunks |
| MPLS TC | MPLS label stack | 3 bits | MPLS networks |
| WMM UP | 802.11 user priority | 3 bits | Wi-Fi QoS |
Watch out: DSCP can be rewritten at phones, switches, firewalls, WAN edges, SD-WAN edges, VPN gateways, and cloud handoffs. Verify markings where traffic enters and exits each domain.
Common DSCP Values
| Name | Decimal | Typical Use | Notes |
|---|---|---|---|
| CS7 | 56 | Network control, rarely user traffic | Protect carefully |
| CS6 | 48 | Routing and network control | Common for routing protocols |
| EF | 46 | Voice bearer RTP | Low delay, low jitter |
| CS5 | 40 | Broadcast video or selected real-time media | Validate local standard |
| AF41/42/43 | 34/36/38 | Interactive video | Higher drop preference as number rises |
| CS4 | 32 | Real-time interactive | Often used for conferencing |
| AF31/32/33 | 26/28/30 | Signaling or transactional apps | Depends on design |
| CS3 | 24 | Signaling | Common voice/video signaling class |
| AF21/22/23 | 18/20/22 | Low-latency data | Business app class in some models |
| CS2 | 16 | Operations, management, OAM | Site-specific |
| AF11/12/13 | 10/12/14 | Bulk or assured data | Lower priority than business critical |
| CS1 | 8 | Scavenger or low priority | Backups, updates, guest throttling |
| BE | 0 | Default forwarding | Normal traffic |
Design note: Do not build too many classes. Three to six well-understood classes are usually easier to operate than a complex matrix nobody trusts.
Per-Hop Behaviors
| PHB | Meaning | Common Use |
|---|---|---|
| Default Forwarding | Normal best-effort treatment | Most traffic |
| Class Selector | Backward-compatible class values | Control, management, broad classes |
| Assured Forwarding | Four classes with three drop preferences each | Data classes with WRED |
| Expedited Forwarding | Low-loss, low-latency, low-jitter treatment | Voice bearer and strict priority traffic |
Watch out: EF should be protected with admission control, policing, or a bounded priority queue. An unlimited priority queue can starve other traffic.
Queuing And Congestion
| Mechanism | Purpose | Notes |
|---|---|---|
| FIFO | Single queue | Simple, no traffic differentiation |
| Priority queue | Serve delay-sensitive traffic first | Must be bounded |
| CBWFQ | Allocate bandwidth by class | Common MQC model |
| LLQ | Priority queue inside class-based policy | Common for voice |
| Tail drop | Drop when queue is full | Simple but can synchronize TCP flows |
| RED/WRED | Drop earlier before queue fills | Useful for TCP classes, not for voice |
Shaping Vs Policing
| Tool | Behavior | Use |
|---|---|---|
| Shaping | Buffers excess and sends later | Egress to subrate WAN, provider handoff, tunnel |
| Policing | Drops or remarks excess | Ingress limits, contract enforcement, guest control |
| Remarking | Changes DSCP/CoS | Reset untrusted markings or enforce policy |
Modern note: Shape toward the slower downstream rate you control. Police traffic you do not trust or cannot buffer.
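The difference between the two tools shows up when the same burst goes through each. This is an added example, not from the original page or from Cisco; it reuses the 20 Mb/s rate from the guest policer shown later, while the 6000-byte burst size, the queue limits and the packet trace are assumptions constructed for illustration.

```python
# Added example: one constructed burst through a policer and through a shaper.
def refill(tokens, burst, dt_us, rate_bps):
    """Token bucket refill in bytes over dt_us microseconds, capped at burst."""
    return min(burst, tokens + dt_us * rate_bps / 8_000_000)

def police(packets, rate_bps, burst):
    """Single-rate policer: transmit if tokens cover the packet, else drop."""
    tokens, last, sent, dropped = burst, 0, [], []
    for t_us, size in packets:
        tokens, last = refill(tokens, burst, t_us - last, rate_bps), t_us
        if tokens >= size:
            tokens -= size
            sent.append((t_us, size))
        else:
            dropped.append((t_us, size))
    return sent, dropped

def shape(packets, rate_bps, burst, queue_limit):
    """Shaper: a non-conforming packet waits for tokens; a full queue tail-drops.

    Returns (departures, dropped); departures are (depart_time_us, size).
    Assumes every packet is no larger than the burst size.
    """
    tokens, clock, departures, dropped = burst, 0, [], []
    for t_us, size in packets:
        # Packets accepted earlier that have not departed yet occupy the queue.
        waiting = sum(1 for depart, _ in departures if depart > t_us)
        if waiting >= queue_limit:
            dropped.append((t_us, size))
            continue
        start = max(t_us, clock)            # FIFO behind earlier packets
        tokens = refill(tokens, burst, start - clock, rate_bps)
        wait = max(0.0, (size - tokens) * 8_000_000 / rate_bps)
        tokens = max(0.0, tokens - size)    # bucket is empty after a wait
        clock = start + wait
        departures.append((clock, size))
    return departures, dropped

# Constructed input: 20 x 1500-byte packets back to back at 100 Mb/s (120 us apart).
BURST = [(i * 120, 1500) for i in range(20)]
RATE, BC = 20_000_000, 6000   # 20 Mb/s as in GUEST-LIMIT; 6000-byte burst is assumed

if __name__ == "__main__":
    print("policer sent/dropped:", [len(x) for x in police(BURST, RATE, BC)])
    for limit in (64, 4):
        out, lost = shape(BURST, RATE, BC, queue_limit=limit)
        print(f"shaper limit={limit}: sent={len(out)} dropped={len(lost)} "
              f"last departure={out[-1][0]} us")
```

With a deep queue the shaper delivers every packet but the last one leaves 9600 µs after the burst began; the policer forwards 7 of 20 with no added delay, and a shaper with a short queue ends up dropping too.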
Wi-Fi QoS
| WMM Access Category | Typical Traffic | Notes |
|---|---|---|
| Voice | Voice RTP | Highest contention priority |
| Video | Interactive video | Higher than best effort |
| Best effort | Normal traffic | Default class |
| Background | Bulk and low priority | Lowest contention priority |
Wi-Fi QoS is contention-based. WMM changes airtime access behavior, but it does not guarantee bandwidth for a client with poor signal, high retries, or a crowded channel.
Trust Boundaries
| Edge | Usual Policy |
|---|---|
| User access port | Do not trust by default |
| IP phone plus PC port | Trust phone markings, not the attached PC |
| AP uplink | Trust if WLAN policy and controller markings are controlled |
| Server access | Trust only if host policy is managed |
| WAN edge | Remark to provider contract |
| Internet edge | Expect markings to be reset or ignored |
| VPN tunnel | Decide whether to copy, preserve, or remark DSCP |
Watch out: Encrypted traffic can hide application identity. If classification depends on payload inspection, test what still works after TLS, QUIC, IPsec, or SD-WAN encapsulation.
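An added example (not from the original page) for the trust-boundary table and the earlier note about verifying markings where traffic enters and exits each domain: it decodes the DS byte seen for one flow at successive capture points, reports where DSCP was rewritten, and flags a non-default marking that crossed an untrusted edge unchanged. The capture-point names, the `trusted` flag and the sample DS bytes are constructed for illustration.

```python
# Added example: audit one flow's DS byte along a path.
# CSx = 8x, AFxy = 8x + 2y, EF = 46, matching the DSCP table above.
DSCP_NAMES = {0: "BE", 46: "EF"}
DSCP_NAMES.update({8 * c: f"CS{c}" for c in range(1, 8)})
DSCP_NAMES.update({8 * c + 2 * d: f"AF{c}{d}"
                   for c in range(1, 5) for d in range(1, 4)})

def decode_ds(ds_byte):
    """Split the IPv4 ToS / IPv6 Traffic Class byte into (dscp, ecn)."""
    if not 0 <= ds_byte <= 0xFF:
        raise ValueError(f"DS byte out of range: {ds_byte}")
    return ds_byte >> 2, ds_byte & 0b11

def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")

def audit_path(hops):
    """hops: ordered (capture_point, ds_byte, trusted) tuples for one flow.

    'trusted' says whether markings received at that point may be kept.
    Findings: ("rewrite", a, b, old, new) when DSCP differs between two
    points; ("untrusted-kept", a, b, name) when a non-default marking from
    an untrusted point reaches the next point unchanged.
    ECN-only changes (for example ECT(0) -> CE) are not rewrites.
    """
    findings = []
    for (a, byte_a, trusted), (b, byte_b, _) in zip(hops, hops[1:]):
        old, new = decode_ds(byte_a)[0], decode_ds(byte_b)[0]
        if old != new:
            findings.append(("rewrite", a, b, dscp_name(old), dscp_name(new)))
        elif old != 0 and not trusted:
            findings.append(("untrusted-kept", a, b, dscp_name(old)))
    return findings

# Constructed sample: a PC on a user access port marks its own traffic EF (0xB8).
PC_FLOW = [
    ("pc-access-port", 0xB8, False),   # untrusted edge
    ("distribution", 0xB8, True),      # EF survived the access port
    ("wan-edge", 0xB8, True),
    ("provider-handoff", 0x00, True),  # reset to BE at the handoff
]
# Constructed sample: AF11 flow that picks up an ECN CE mark (0x2A -> 0x2B).
BULK_FLOW = [("server-port", 0x2A, True), ("wan-edge", 0x2B, True)]

if __name__ == "__main__":
    for finding in audit_path(PC_FLOW) + audit_path(BULK_FLOW):
        print(finding)
```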
Cisco IOS/IOS-XE Examples
Classify and mark:
```
class-map match-any VOICE-RTP
 match dscp ef
!
class-map match-any SIGNALING
 match dscp cs3 af31
!
policy-map MARK-EDGE
 class VOICE-RTP
  set dscp ef
 class SIGNALING
  set dscp cs3
 class class-default
  set dscp default
```
WAN egress with LLQ and shaping:
```
policy-map WAN-CHILD
 class VOICE-RTP
  priority percent 10
 class SIGNALING
  bandwidth percent 5
 class class-default
  bandwidth remaining percent 85
  random-detect dscp-based
!
policy-map WAN-PARENT
 class class-default
  shape average 90000000
  service-policy WAN-CHILD
!
interface GigabitEthernet0/0
 description 100M provider handoff, shape below line rate
 service-policy output WAN-PARENT
```
Police an untrusted class:
```
class-map match-any GUEST
 match access-group name GUEST-SUBNETS
!
policy-map GUEST-LIMIT
 class GUEST
  police 20000000 conform-action transmit exceed-action drop
```
Notes:
- MQC syntax and supported actions vary by platform, ASIC, interface type, and software release.
- Test with real traffic and congestion. A policy can parse correctly and still do nothing useful.
- Keep provider QoS contracts, DSCP rewrite rules, and tunnel behavior in the design notes.
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Voice still choppy | Drops, jitter, WAN shaping, Wi-Fi retries | QoS not at the real bottleneck |
| Class counters stay zero | Match statement, DSCP value, direction | Traffic not classified |
| Everything hits default | Trust boundary or remarking | Markings reset before policy |
| Provider ignores classes | Contract and handoff markings | DSCP not mapped into provider QoS |
| Priority queue drops | Offered voice load, codec count, admission | Priority class overloaded |
| Bulk traffic hurts apps | Default queue, no scavenger class | No congestion separation |
| VPN traffic misclassified | DSCP copy mode, tunnel header | Inner markings hidden or not copied |
Commands
```
show policy-map interface
show policy-map interface GigabitEthernet0/0 output
show class-map
show policy-map
show platform hardware qfp active feature qos interface GigabitEthernet0/0
show mls qos interface
show interfaces counters errors
```
Expected clues:
- Packets and bytes increment in the intended classes.
- Drops occur in expected queues during congestion, not randomly everywhere.
- Shaper rate matches the provider or downstream bottleneck.
- Priority queue is bounded and not constantly dropping.
- DSCP values are preserved or rewritten exactly where intended.
Watch Out
- Do not trust endpoint markings just because they exist.
- Do not mark everything important as EF.
- Do not enable QoS and skip congestion testing.
- Do not forget Wi-Fi airtime, retries, and roaming when troubleshooting voice.
- Do not ignore tunnel overhead when shaping IPsec, GRE, VXLAN, or SD-WAN.
- Do not assume a cloud or Internet provider honors DSCP.