Classification and Marking (Classification, Marking, and

NBAR)
With QoS, you intend to provide different treatments to different
classes of network traffic. Therefore, it is necessary to define traffic
classes by identifying and grouping network traffic. Classification does
just that; it is the process or mechanism that identifies traffic and
categorizes it into classes. This categorization is done using traffic
descriptors. Common traffic descriptors are any of the following:

Ingress (or incoming) interface

CoS value on ISL or 802.1p frame
Source or destination IP address
IP precedence or DSCP value on the IP Packet header
MPLS EXP value on the MPLS header
Application type

In the past, you performed classification without marking. As a

result, each QoS mechanism at each device had to classify before it
could provide unique treatments to each class of traffic. For example,
to perform priority queuing, you must classify the traffic using access
lists so that you can assign different traffic classes to various queues
(high, medium, normal, or low). On the same device or another, to
perform queuing, shaping, policing, fragmentation, RTP header
compression, and so on, you must perform classification again so that
different classes of traffic are treated differently. Repeated
classification in that fashion, using access-lists for example, is
inefficient. Today, after you perform the first-time classification, mark
(or color) the packets. This way, the following devices on the traffic
path can provide differentiated service to packets based on packet
markings (colors): after the first-time classification is performed at the
edge (which is mostly based on deep packet inspection) and the
packet is marked, only a simple and efficient classification based on
the packet marking is performed inside the network.
Classification has traditionally been done with access lists
(standard or extended), but today the Cisco IOS command class-map
is the common classification tool. class-map is a component of the
Cisco IOS modular QoS command-line interface (MQC). The match
statement within a class map can refer to a traffic descriptor, an
access list, or an NBAR protocol. NBAR is a classification tool that will
be discussed in this topic. Please note that class-map does not
eliminate usage of other tools such as access lists. It simply makes
the job of classification more sophisticated and powerful. For
example, you can define a traffic class based on multiple conditions,
one of which may be matching an access-list.
It is best to perform the initial classification (and marking) task as
close to the source of traffic as possible. The network edge device

such as the IP phone, and the access layer switch would be the
preferable locations for traffic classification and marking.
Marking is the process of tagging or coloring traffic based on its
category. Traffic is marked after you classify it. What is marked
depends on whether you want to mark the Layer 2 frame or cell or the
Layer 3 packet. Commonly used Layer 2 markers are CoS (on ISL or
802.1Q header), EXP (on MPLS header, which is in between layers 2
and 3), DE (on Frame Relay header), and CLP (on ATM cell header).
Commonly used Layer 3 markers are IP precedence or DSCP (on IP
header).
Layer 2 QoS: CoS on 802.1Q/P Ethernet Frame
The IEEE defined the 802.1Q frame for the purpose of
implementing trunks between LAN devices. The 4-byte 802.1Q header
field that is inserted after the source MAC address on the Ethernet
header has a VLAN ID field for trunking purposes. A three-bit user
priority field (PRI) is available also and is called CoS (802.1p). CoS is
used for QoS purposes; it can have one of eight possible values, as
shown in Table 3-2.
Table 3-2 CoS Bits and Their Corresponding Decimal Values
and Definitions

Figure 3-1 shows the 4-byte 802.1Q field that is inserted into the
Ethernet header after the source MAC address. In a network with IP
Telephony deployed, workstations connect to the IP phone Ethernet
jack (marked PC), and the IP phone connects to the access layer
switch (marked Switch).
The IP phone sends 802.1Q/P frames to the workgroup switch.
The frames leaving the IP phone toward the workgroup (access)
switch have the voice VLAN number in the VLAN ID field, and their
priority (CoS) field is usually set to 5 (decimal), which is equal to 101
binary, interpreted as critical or voice bearer.
Figure 3-1 802.1Q/P Field

Layer 2 QoS: DE and CLP on Frame Relay and ATM (Cells)

Frame Relay and ATM QoS standards were defined and used (by
ITU-T and FRF) before Internet Engineering Task Force (IETF) QoS
standards were introduced and standardized. In Frame Relay, for
instance, the forward explicit congestion notification (FECN),
backward explicit congestion notification (BECN), and discard eligible
(DE) fields in the frame header have been used to perform congestion
notification and drop preference notification. Neither Frame Relay
frames nor ATM cells have a field comparable to the 3-bit CoS field
previously discussed on 802.1P frames. A Frame Relay frame has a 1bit DE, and an ATM cell has a 1-bit cell loss priority (CLP) field that
essentially informs the transit switches whether the data unit is not
(DE or CLP equal 0) or whether it is (DE or CLP equal 1) a good
candidate for dropping, should the need for dropping arise. Figure 3-2
displays the position of the DE field in the Frame Relay frame header.
Figure 3-2 DE Field on Frame Relay Frame Header

Layer 2 1/2 QoS: MPLS EXP Field

MPLS packets are IP packets that have one or more 4-byte MPLS
headers added. The IP packet with its added MPLS header is
encapsulated in a Layer 2 protocol data unit (PDU) such as Ethernet
before it is transmitted. Therefore, the MPLS header is often called the
SHIM or layer 2 1/2 header. Figure 3-3 displays an MPLS-IP packet
encapsulated in an Ethernet frame. The EXP (experimental) field
within the MPLS header is used for QoS purposes. The EXP field was
designed as a 3-bit field to be compatible with the 3-bit IP precedence
field on the IP header and the 3-bit PRI (CoS) field in the 802.1Q
header.
Figure 3-3 EXP Field in the MPLS Header

By default, as an IP packet enters an MPLS network, the edge router

copies the three most significant bits of the type of service (ToS) byte
of the IP header to the EXP field of the MPLS header. The three most
significant bits of the ToS byte on the IP header are called the IP
precedence bits. The ToS byte of the IP header is now called the
DiffServ field; the six most significant bits of the DiffServ field are
called the DSCP.

Instead of allowing the EXP field of MPLS to be automatically

copied from IP precedence, the administrator of the MPLS edge router
can configure the edge router to set the EXP to a desired value. This
way, the customer of an MPLS service provider can set the IP
precedence or DSCP field to a value he wants, and the MPLS provider
can set the EXP value on the MPLS header to a value that the service
provider finds appropriate, without interfering with the customer IP
header values and settings.