CCNA QoS: DSCP, PHB, Trust Boundaries & Queuing Explained

Quality of Service (QoS) is how networks prioritize traffic to ensure time-sensitive applications like voice and video receive the bandwidth and low latency they need, even when the network is congested. The CCNA 200-301 exam tests QoS models (best-effort, IntServ, DiffServ), DSCP markings, per-hop behavior, trust boundaries, and queuing mechanisms. This guide covers each concept with the clarity you need for both the exam and real network deployments.

Why QoS is needed

Without QoS, a network treats all packets identically — a large file transfer competes equally with a VoIP call. When a link is congested, the router drops or delays packets based solely on arrival order (tail drop). For bulk data this is fine — TCP retransmits. For voice, a 150 ms one-way delay budget means a dropped or late packet is simply gone; the conversation degrades.

QoS solves this by classifying traffic, marking it with a priority indicator, and then treating high-priority traffic preferentially at each network device — providing more bandwidth, lower queuing delay, and earlier service.

The three QoS models:

  • Best-effort: no QoS; all packets are treated equally.
  • IntServ (Integrated Services): RSVP signals per-flow reservations end-to-end; complex, doesn't scale.
  • DiffServ (Differentiated Services): traffic is marked with DSCP per class at the network edge; each device applies PHB based on the marking; scalable and the dominant model in use today.

Classification and marking: DSCP and CoS

Before a packet can be prioritized, it must be classified — identified as voice, video, signaling, or data — and marked with a value that downstream devices can read.

DSCP (Differentiated Services Code Point) is the 6-bit field in the IP header's ToS byte used to mark packets in DiffServ. DSCP values range 0–63. Key values: CS0 (0) = best-effort, AF11-AF43 = Assured Forwarding classes, EF (46) = Expedited Forwarding for voice, CS6 (48) = network control traffic.

Expedited Forwarding (EF, DSCP 46) is the marking for VoIP RTP streams. It guarantees the lowest latency and jitter treatment at each hop. Assured Forwarding (AF) classes provide guaranteed minimum bandwidth with drop precedence — AF41 is higher priority than AF43 within the same class.

CoS (Class of Service) is the 3-bit field in an 802.1Q VLAN tag used to mark Layer 2 Ethernet frames. CoS 5 = voice, CoS 3 = call signaling, CoS 0 = best-effort. CoS is only preserved when a trunk carries the VLAN tag; it's lost when frames are forwarded over access ports or Layer 3 hops. DSCP persists across Layer 3 boundaries.

Trust boundaries

A trust boundary is the point in the network where QoS markings from upstream devices are either trusted or re-marked. Devices inside the trust boundary have their DSCP/CoS markings honored by downstream network devices. Devices outside have their markings ignored or overwritten.

The Cisco best-practice trust boundary: trust the IP phone's DSCP markings but not the PC connected through the phone. The switch port connected to a Cisco IP phone can be configured to trust CoS from the phone but re-mark (or ignore) CoS from the PC. This prevents users from marking their own traffic as EF to gain priority.

On access layer switches, apply `mls qos trust dscp` to ports connecting to phones and servers that are authorized to mark traffic. On ports connecting to untrusted endpoints (user PCs), the switch re-marks all traffic to CS0 (DSCP 0) regardless of what the PC sends.

The trust boundary design matters because every device in the QoS path applies its PHB based on the DSCP marking. If a PC marks all its traffic as EF, it would receive voice-class treatment throughout the network — defeating the purpose of QoS entirely.
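
The re-marking behaviour described in this section, as an added Python example (not part of the original guide and not switch code): it extracts DSCP from the ToS byte, re-marks untrusted ports to CS0, and reports which ports tried to claim a priority class. The port names, the `TRUSTED_PORTS` set and the sample packets are constructed for illustration.

```python
# Added example: models the access-switch trust boundary; not vendor code.
DSCP_NAMES = {0: "CS0", 10: "AF11", 18: "AF21", 24: "CS3", 26: "AF31",
              34: "AF41", 46: "EF", 48: "CS6"}  # values from this guide's table

# Hypothetical port facing an IP phone or authorized server.
TRUSTED_PORTS = {"Gi1/0/1"}

def dscp_from_tos(tos):
    """DSCP is the upper 6 bits of the ToS byte; the lower 2 bits are ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    return tos >> 2

def af_to_dscp(af_class, drop_precedence):
    """AFxy maps to DSCP 8x + 2y (AF41 -> 34)."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF classes are 1-4, drop precedence 1-3")
    return 8 * af_class + 2 * drop_precedence

def apply_trust_boundary(port, tos):
    """Return (egress_tos, finding). Untrusted ports are re-marked to CS0."""
    dscp = dscp_from_tos(tos)
    if port in TRUSTED_PORTS or dscp == 0:
        return tos, None
    name = DSCP_NAMES.get(dscp, "unnamed")
    finding = f"{port}: untrusted port sent {name} (DSCP {dscp}), re-marked to CS0"
    return tos & 0x03, finding  # clear the DSCP bits, keep the ECN bits

def audit(packets):
    """Run every (port, tos) pair through the boundary; collect findings."""
    findings = []
    for port, tos in packets:
        _, finding = apply_trust_boundary(port, tos)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample: (ingress port, ToS byte as seen on the wire).
SAMPLE = [
    ("Gi1/0/1", 0xB8),  # phone port, EF: trusted, left alone
    ("Gi1/0/2", 0xB8),  # PC port claiming EF
    ("Gi1/0/2", 0x00),  # PC port, best-effort
    ("Gi1/0/3", 0xC1),  # PC port claiming CS6, ECN bits set
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Findings from untrusted ports are worth logging: a PC that keeps sending EF or CS6 is either misconfigured or attempting to claim priority it is not entitled to.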

Per-Hop Behavior (PHB) and queuing

Per-Hop Behavior (PHB) is the forwarding treatment applied to a traffic class at each router or switch based on its DSCP marking. The key PHBs defined in DiffServ: Default PHB (CS0) = best-effort FIFO. Expedited Forwarding PHB (EF) = low latency, low jitter, low loss; served before all other queues. Assured Forwarding PHB (AF) = guaranteed minimum bandwidth with configurable drop precedence.

Queuing mechanisms implement PHB in hardware. FIFO (First In, First Out) is the default — no prioritization. Priority Queuing (PQ) has four queues (High, Medium, Normal, Low); the high-priority queue is always serviced first, risking starvation of lower queues. Weighted Fair Queuing (WFQ) divides bandwidth proportionally among flows. Class-Based WFQ (CBWFQ) extends WFQ with configurable bandwidth guarantees per traffic class. Low Latency Queuing (LLQ) adds a strict priority queue to CBWFQ — voice goes to the strict priority queue for guaranteed service while other classes share CBWFQ guarantees.

LLQ is the recommended queuing mechanism for networks carrying voice. The strict priority queue (SPQ) serves voice traffic before anything else, ensuring the sub-10 ms one-way queuing delay that VoIP requires.

Policing and shaping

Policing and shaping both enforce a traffic rate limit, but they handle excess traffic differently.

Policing drops (or re-marks) packets that exceed the configured rate immediately. It's applied at ingress (incoming) to limit traffic entering the network. Policing is abrupt — it causes TCP retransmissions and can cause audio/video glitches if applied to real-time traffic. ISPs use policing at their edge to enforce customer rate limits.

Shaping buffers excess packets and transmits them when the rate falls below the limit, smoothing out bursts. Shaping is applied at egress (outgoing) and is more TCP-friendly because it delays rather than drops. The trade-off: shaping introduces latency (buffering delay) and requires memory for the buffer queue.

For CCNA: policing = drop excess (ingress, no buffering). Shaping = delay excess (egress, buffering). Use policing to limit inbound traffic; use shaping to smooth outbound traffic to match a downstream rate limit.
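
The difference between the two mechanisms, as an added Python example (not part of the original guide): a token-bucket policer and a token-bucket shaper are run over the same constructed burst. The rate, bucket depth and packet list are assumptions chosen so the arithmetic is easy to follow.

```python
# Added example: token-bucket policer and shaper on the same constructed burst.
RATE = 1000    # bytes per second (assumed contract rate)
BURST = 1000   # bucket depth in bytes (assumed)

def police(packets, rate=RATE, burst=BURST):
    """Policer: forward a packet if the bucket holds enough tokens, else drop it."""
    tokens, last, verdicts = burst, 0.0, []
    for arrival, size in packets:
        # Refill for the time elapsed since the previous arrival, capped at burst.
        tokens = min(burst, tokens + (arrival - last) * rate)
        last = arrival
        if size <= tokens:
            tokens -= size
            verdicts.append("sent")
        else:
            verdicts.append("dropped")  # no buffering: excess is discarded at once
    return verdicts

def shape(packets, rate=RATE, burst=BURST):
    """Shaper: hold each packet until enough tokens exist; return departure times."""
    tokens, last, departures = burst, 0.0, []
    for arrival, size in packets:
        if size > burst:
            raise ValueError("packet larger than bucket depth can never conform")
        now = max(arrival, last)  # FIFO: cannot leave before the previous packet
        tokens = min(burst, tokens + (now - last) * rate)
        if size > tokens:
            now += (size - tokens) / rate  # buffering delay until tokens suffice
            tokens = size
        tokens -= size
        last = now
        departures.append(now)
    return departures

def max_delay(packets, departures):
    """Worst-case buffering delay the shaper added, in seconds."""
    return max(dep - arr for (arr, _), dep in zip(packets, departures))

# Constructed burst: four 500-byte packets at t=0, one more at t=2 s.
BURST_SAMPLE = [(0.0, 500), (0.0, 500), (0.0, 500), (0.0, 500), (2.0, 500)]

if __name__ == "__main__":
    print("policer:", police(BURST_SAMPLE))
    print("shaper departures:", shape(BURST_SAMPLE))
```

On this burst the policer discards two of the five packets, while the shaper delivers all five and delays the last packet of the burst by one second.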

Key DSCP markings

| Marking | DSCP value | PHB | Traffic type |
|---|---|---|---|
| CS0 / Default | 0 | Best-effort | General data |
| AF11 | 10 | Assured Forwarding | Bulk data, low priority |
| AF21 | 18 | Assured Forwarding | Data, medium priority |
| AF31 | 26 | Assured Forwarding | Call signaling (some deployments) |
| AF41 | 34 | Assured Forwarding | Interactive video (high) |
| CS3 | 24 | Class Selector | Call signaling (Cisco recommendation) |
| EF | 46 | Expedited Forwarding | VoIP RTP (voice bearer) |
| CS6 | 48 | Class Selector | Network control (OSPF, BGP) |

Key exam facts — CCNA

  • DiffServ uses DSCP marking + PHB at each hop — scalable, dominant QoS model
  • EF (DSCP 46): Expedited Forwarding — voice RTP, lowest latency/jitter treatment
  • Trust boundary: honor DSCP from phones/servers, re-mark from user PCs to CS0
  • LLQ = CBWFQ + strict priority queue — recommended for voice
  • Policing: drops excess (ingress, no buffering). Shaping: delays excess (egress, buffering)
  • CoS = Layer 2 (802.1Q tag, 3-bit). DSCP = Layer 3 (IP header, 6-bit) — DSCP survives L3 hops

Common exam traps

QoS creates more bandwidth

QoS does not increase available bandwidth — it prioritizes existing bandwidth. High-priority traffic gets served first; low-priority traffic waits or is dropped. QoS only matters when a link is congested.

Shaping and policing both drop excess traffic

Policing drops (or re-marks) excess packets immediately. Shaping buffers excess packets and transmits them later, smoothing the traffic rate without dropping. Shaping is gentler on TCP; policing enforces a strict hard limit.

CoS and DSCP markings are preserved throughout the network automatically

CoS is a Layer 2 field in the 802.1Q tag — it's removed when a frame is forwarded out an access port. DSCP persists across Layer 3 boundaries, but devices can re-mark it. Trust boundary configuration ensures markings are preserved where appropriate.

Practice questions — QoS Fundamentals

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. A VoIP RTP stream should be marked with which DSCP value to receive the lowest latency treatment at every hop?

A. CS0 (DSCP 0)
B. AF41 (DSCP 34)
C. EF (DSCP 46)
D. CS6 (DSCP 48)

Explanation: EF (Expedited Forwarding, DSCP 46) is defined for traffic requiring the lowest latency, jitter, and loss — specifically VoIP RTP streams. Each router applies the Expedited Forwarding PHB, serving EF-marked traffic from a strict priority queue before all other traffic.

Q2. A switch port connects to a user PC. Which QoS action should the switch take on traffic from this PC?

A. Trust the PC's DSCP markings
B. Re-mark all traffic to EF for best service
C. Re-mark all traffic to CS0 (DSCP 0) — ignore the PC's markings
D. Apply CoS 5 to all PC traffic

Explanation: User PCs should not be trusted to self-mark QoS — a user could mark all traffic as EF to receive voice priority. The trust boundary policy re-marks (or ignores) traffic from user PCs to CS0 (best-effort). Only authorized devices like IP phones and servers are trusted.

Q3. Which queuing mechanism combines a strict priority queue for voice with bandwidth-guaranteed queues for other traffic classes?

A. FIFO
B. Priority Queuing (PQ)
C. Class-Based WFQ (CBWFQ)
D. Low Latency Queuing (LLQ)

Explanation: LLQ (Low Latency Queuing) adds a strict priority queue to CBWFQ. Voice traffic goes into the strict priority queue for guaranteed low-latency service. Other traffic classes receive minimum bandwidth guarantees via CBWFQ. LLQ is the recommended queuing mechanism for voice networks.

Q4. An ISP enforces a customer's 100 Mbps rate limit by dropping packets that exceed this rate. Which QoS mechanism is the ISP using?

A. Traffic shaping
B. Traffic policing
C. WRED
D. LLQ

Explanation: Traffic policing drops (or re-marks) packets that exceed the configured rate, applied at ingress. ISPs use policing to enforce customer rate limits. Traffic shaping buffers excess packets rather than dropping them, smoothing the rate — used when TCP-friendly behavior is preferred.

Q5. Which field carries QoS markings that survive Layer 3 routing across the network?

A. 802.1Q CoS (3-bit)
B. Ethernet preamble
C. DSCP in the IP header (6-bit)
D. TCP port number

Explanation: DSCP is in the IP header's ToS byte and survives Layer 3 hops — it's preserved in the IP packet as it's routed from device to device. CoS is a Layer 2 field in the 802.1Q VLAN tag and is stripped when frames are forwarded on access ports or across Layer 3 boundaries.

Frequently asked questions — QoS Fundamentals

What is the difference between IntServ and DiffServ QoS models?

IntServ (Integrated Services) reserves bandwidth per flow using RSVP signaling — every device along the path must process and maintain per-flow state. It's fine-grained but doesn't scale to large networks. DiffServ marks packets with DSCP at the edge and applies PHB (per-hop behavior) at each device based on the marking — no per-flow state required. DiffServ scales to the internet and is the dominant model.

What is a trust boundary and where should it be placed?

A trust boundary is where the network decides to honor or ignore upstream QoS markings. Cisco best practice: place the trust boundary at the first network device the endpoint connects to (the access layer switch). Trust markings from authorized devices (IP phones, servers). Re-mark traffic from user PCs to CS0 (best-effort) to prevent users from self-assigning high priority.

What is the difference between traffic policing and traffic shaping?

Policing drops (or re-marks) packets that exceed the rate limit immediately — applied at ingress, no buffering required, can cause TCP retransmissions. Shaping buffers excess packets and transmits them when rate drops below the limit — applied at egress, smoother for TCP, introduces buffering latency. Use policing for hard enforcement; shaping for smooth rate limiting.

Why is EF (DSCP 46) used for voice and what does it guarantee?

EF (Expedited Forwarding) defines a PHB that provides low delay, low jitter, and low packet loss — exactly what VoIP requires. EF-marked packets are served from a strict priority queue at each hop, ahead of all other traffic. The CCNA target for voice: one-way delay < 150 ms, jitter < 30 ms, packet loss < 1%.

What is WRED and when is it used?

WRED (Weighted Random Early Detection) proactively drops lower-priority packets before a queue fills completely. As queue depth grows, WRED starts randomly dropping lower-DSCP packets, which signals TCP senders to slow down before a full congestion event occurs. WRED is applied to AF-class traffic where some drop is acceptable, preventing the tail drop of a full queue from affecting all flows simultaneously.
