QoS Components for CCNP ENCOR: How I Think About Cisco QoS in Real Enterprises
1. Introduction: What QoS Is and Is Not
QoS—what is it, really? Not a bandwidth machine. Not a miracle switch. When I teach it, I begin there, because that one correction prevents a great deal of pain later on. QoS does not create bandwidth; it manages contention for the bandwidth already available. And for CCNP 350-401 ENCOR, that distinction matters more than people first realize, because many “QoS fixed it” stories are actually stories about bad marking, no trust boundary, the wrong interface direction, or forgetting to shape to the true bottleneck.
More precisely: classification, marking, trust enforcement, and policing can be active all the time, while scheduling, queueing, and drop behavior become most visible when contention appears. Egress queues exist whether or not a link is busy (yes, even when traffic is calm), but QoS treatment becomes obvious only when multiple classes compete for limited transmission opportunity.
And in enterprise networks? That distinction is everything. Voice bearer traffic is exquisitely sensitive to delay, jitter, and loss; signaling is less fragile than RTP bearer traffic, though it still benefits from low loss and reasonable delay; interactive video wants predictable throughput and low jitter; business applications such as ERP or important SaaS flows need consistency; guest traffic, backups, and bulk transfers should be the first to yield when the link tightens. That, in the end, is QoS’s real job: to produce predictable behavior at the congestion point you actually control.
Can QoS fix congestion everywhere? No. It cannot directly repair congestion in an unmanaged provider cloud, the public internet, or a remote domain that ignores your markings. You can control treatment where your policy is applied—there and only there. Beyond that, you need preserved markings, compatible policy, and often a service agreement.
2. QoS Service Models: Best Effort, IntServ, and DiffServ — and why DiffServ is the one you’ll actually see in most enterprise networks
Best effort is basically the default way IP traffic gets handled: everything’s treated the same, there’s no reservation, and nobody’s getting special treatment just because the packet is important. IntServ, on the other hand, leans on RSVP-style signaling and keeps state for each individual flow so it can reserve resources ahead of time. Is it theoretical? No. Is it common in enterprise campus and WAN designs? Also no—because maintaining per-flow state simply does not scale cleanly. DiffServ is the model to anchor on for ENCOR: traffic is classified into behavior aggregates, marked with DSCP values, and treated according to a per-hop behavior, or PHB.
Why DiffServ? Because it scales. Devices do not track every flow individually; they act on classes. The default PHB is best effort. EF, or Expedited Forwarding, is associated with low-delay treatment and is commonly used for voice bearer. AF, or Assured Forwarding, defines classes with drop precedence. And here is where candidates often slip: AF21 and AF31 are not interchangeable labels for “important traffic.” They are different AF classes with different drop precedence semantics.
DSCP uses six bits in the IP DS field, while the other two bits are reserved for ECN. CoS is a Layer 2 802.1p priority value, and it lives in the PCP bits of an 802.1Q tag. CoS matters only on tagged Ethernet frames. At Layer 2/Layer 3 boundaries, CoS-to-DSCP and DSCP-to-CoS mappings may be required to preserve intent—because otherwise, the meaning can drift away, quietly.
| Model | Mechanism | Why It Matters |
|---|---|---|
| Best Effort | No differentiation | Default network behavior |
| IntServ | RSVP, per-flow reservation/state | Precise but operationally heavy |
| DiffServ | Classify, mark, apply PHB by class | Scalable enterprise QoS model |
3. Core QoS Components
Classification identifies traffic. Marking labels it. Queuing decides who goes next. Congestion avoidance decides when some traffic should be dropped early. Policing enforces a rate by dropping or remarking excess. Shaping buffers excess and releases it at a controlled rate. Simple words; critical distinctions. Exam-critical, in fact.
How is traffic classified? By ACLs, existing DSCP or CoS values, NBAR2 application signatures, VLAN or interface context, and sometimes protocol metadata. NBAR2 is useful, yes—but support and protocol recognition depth depend on the platform and software, and encryption can reduce visibility. If traffic is inside IPsec or another overlay, classification may need to happen before encapsulation (which, of course, is where the visibility still exists).
Marking is usually DSCP at Layer 3 and CoS at Layer 2. But marking alone does nothing unless downstream devices trust and honor it. In campus designs, that usually means remarking or resetting untrusted edge traffic and preserving valid markings from trusted devices such as IP phones. Legacy IP precedence still appears in theory discussions (because old habits die slowly), but DSCP is the modern focus.
Queuing is primarily an egress function because packets wait to be transmitted out an interface. FIFO is simple. Classic WFQ mattered historically on slower links and software-forwarding platforms. For modern Cisco enterprise study, focus on CBWFQ and LLQ. CBWFQ gives classes bandwidth guarantees under congestion. LLQ adds a strict priority queue for delay-sensitive traffic, typically voice bearer. On Cisco, that priority treatment is bounded; the priority class is effectively rate-limited so it cannot starve every other traffic class forever. That nuance matters. priority percent 20 does not mean voice always gets 20%; it means the priority class can transmit preferentially up to that configured allowance under congestion, subject to platform behavior.
Congestion avoidance is not the same thing as queuing. Tail drop simply drops packets when the queue is full. WRED starts dropping earlier, usually based on thresholds and probability, to signal TCP senders before the queue completely fills. That makes WRED much more relevant to TCP-based classes than to voice. In many modern enterprise designs, WRED is not emphasized for small low-latency classes and may be platform-specific—or omitted entirely.
Policing and shaping are often confused, so let’s separate them cleanly. Policing is commonly supported on ingress and, on many platforms, also on egress. It uses token-bucket logic with concepts such as CIR, Bc, and sometimes Be. Conforming traffic is transmitted; exceeding or violating traffic is dropped or remarked depending on policy. Shaping is typically egress-only because it buffers traffic before sending it. It also uses token-bucket concepts, but instead of discarding excess immediately, it delays it to conform to the target rate. That is why shaping is common at WAN edges and policing is common for abuse control, guest traffic, or strict caps.
Link-efficiency features such as compression, fragmentation, and LFI are mostly legacy or low-speed-link topics now. They still matter conceptually for exam prep because they address serialization delay, but they are far less common on modern Ethernet WAN links. Compression is also less attractive today because much traffic is already compressed and CPU cost can outweigh benefit. Useful to know; not usually the centerpiece.
4. DSCP, CoS, and Common Enterprise Markings
Here is the compact reference every ENCOR candidate should know cold. DSCP is the value that tells the network how DiffServ should treat that packet in the IP header. CoS is the 3-bit 802.1p priority field you’ll see in a tagged Ethernet frame. At trust boundaries, switches and routers may map one to the other.
| Marking | Value | Typical Use |
|---|---|---|
| BE | DSCP 0 | Default traffic |
| CS1 | DSCP 8 | Scavenger, backup, guest bulk |
| AF21 | DSCP 18 | Lower-priority assured data class |
| CS3 | DSCP 24 | Call signaling/control |
| AF31 | DSCP 26 | Business-critical data |
| AF41 | DSCP 34 | Interactive video |
| EF | DSCP 46 | Voice bearer |
AF values deserve one extra sentence. The first digit indicates the AF class, and the second digit indicates drop precedence. So AF31 and AF33 are in the same AF class but with different drop preference under congestion. That is different from class selector values such as CS3.
5. How Cisco MQC Implements QoS
MQC is the framework that makes Cisco QoS readable: class-map defines the match, policy-map defines the action, and service-policy attaches the policy to an interface and direction. In practice, ingress policies are often used for classification, marking, and policing. Egress policies are where queuing and shaping usually live.
Here is a cleaner branch WAN example with hierarchical QoS. The parent shapes to the actual controllable bottleneck rate; the child allocates treatment within that shaped rate.
class-map match-any VOICE match dscp ef class-map match-any SIGNALING match dscp cs3 class-map match-any VIDEO match dscp af41 class-map match-any CRITICAL-DATA match dscp af31 class-map match-any SCAVENGER match dscp cs1 policy-map CHILD-QOS class VOICE priority percent 15 class SIGNALING bandwidth percent 5 class VIDEO bandwidth percent 20 class CRITICAL-DATA bandwidth percent 25 class SCAVENGER bandwidth percent 5 class class-default bandwidth percent 30 policy-map PARENT-SHAPE class class-default shape average 20000000 service-policy CHILD-QOS interface GigabitEthernet0/0/0 service-policy output PARENT-SHAPE
If the parent shaper is 20 Mb/s, the child percentages are calculated within that shaped rate, not the physical interface speed. So a 15 percent LLQ allowance is based on 20 Mb/s. Foundational HQoS point. Common exam trap. Easy to miss if you rush.
If you need to cap guest or backup traffic, teach that separately with policing instead of mixing contradictory signals into the main policy:
policy-map GUEST-POLICE class class-default police cir 2000000 bc 62500 conform-action transmit exceed-action drop
That is easier to read: one policy schedules, another policy caps. It also reinforces the difference between shaping and policing—buffering versus dropping, in plain terms.
6. Trust Boundaries and End-to-End Design
A trust boundary is where you decide whether an incoming marking is valid. In Cisco campus designs, a classic example is trusting the IP phone but not the attached PC. The exact implementation depends on platform and features; on Catalyst switches you may see device-aware trust behavior, AutoQoS, or explicit trust configuration. The idea stays the same: accept markings from known voice devices, remark untrusted endpoint traffic at the edge, and preserve valid markings through the rest of the domain.
Be precise about CoS here. A PC plugged into a normal access port usually isn’t sending tagged Ethernet frames with 802.1Q CoS the way an IP phone or a trunk link would. That’s why I think of CoS as a Layer 2, tagged-domain concept, while DSCP is the Layer 3 marking that tends to survive routed hops much better.
Wireless is a lot more nuanced than a lot of people expect, honestly. DSCP is commonly mapped to WMM access categories, but controller/AP policy, SSID QoS settings, and platform behavior may preserve, rewrite, or normalize markings. Validate it. Do not assume wired markings automatically emerge unchanged over WLAN.
Provider and overlay boundaries matter too. MPLS, GRE, DMVPN, IPsec, and SD-WAN designs may preserve DSCP, copy it to an outer header, or remark it depending on configuration and platform. If traffic is encrypted, deep classification methods may lose visibility unless classification occurs pre-encapsulation. That’s why QoS can’t be treated like a one-interface checkbox; it’s really an end-to-end design with several translation points along the way.
7. Platform and Hardware Caveats
One of the most important real-world corrections is this: similar MQC syntax does not guarantee identical forwarding behavior. Catalyst switches often implement QoS in ASIC hardware with platform-specific queue counts, buffer models, trust defaults, and counter visibility. ISR and ASR routers may use different forwarding architectures and expose different verification commands. So learn the concepts—but always verify platform support and hardware behavior for the exact model and software release in use.
This matters for ENCOR because the exam expects conceptual understanding, not memorization of one universal queue architecture. And in production, that matters because a policy that behaves one way on a router can show totally different counters or queue details on a campus switch.
8. Verification and Troubleshooting — where the theory finally meets the real network
Honestly, verification is where real QoS work actually starts. Begin with the basics: Is the policy attached to the correct interface and direction? Are packets matching the intended class? Are markings present at the point where classification occurs? Are drops happening in a queue or in a policer? Different failure signatures. Different fixes.
show policy-map interface <int> is usually the first stop. If a voice class shows matched packets and low or no drops, classification is probably correct. If voice is marked EF on the endpoint but the WAN edge shows zero packets in the VOICE class, check trust and remarking upstream. If the class matches but shows priority drops, you may have overfilled the LLQ with too much traffic or over-marked endpoints into EF. If class-default shows queue drops instead of policer drops, the issue is congestion and queue pressure. If a policer shows exceed drops, the cap itself is the cause.
Platform-specific commands vary. On some IOS XE router platforms, hardware-level QoS commands or forwarding-plane counters can help. On Catalyst, queue and drop visibility depends heavily on model. Treat those commands as examples, not universal expectations.
My workflow is simple:
- Confirm service-policy attachment and direction.
- Verify class matches and packet counters.
- If you need to confirm DSCP or CoS preservation, use packet captures, switch port mirroring, or platform counters—whatever gives you the clearest view of what’s really happening.
- Separate queue drops from policer drops.
- Validate parent shaping rate against the real bottleneck or provider policer.
- Consider platform limits, tunnel behavior, and provider remarking.
Common scenario: voice is EF at the phone, but the WAN edge sees BE. Possible causes include the switch not trusting the phone, remarking at distribution, wireless remap, tunnel copy behavior, or provider rewrite. Another common scenario: “QoS is not working” on a lightly used link. That may simply mean there is no contention, so scheduling differences are not visible yet. Nothing is broken; nothing is under pressure.
9. Design Anti-Patterns and Practical Guidance
The worst QoS designs are usually not too simple; they are too ambitious. Trusting all endpoint markings is an anti-pattern. Putting too many applications in LLQ is an anti-pattern. Failing to shape to the actual provider bottleneck is an anti-pattern. Assuming DSCP survives every hop is an anti-pattern. Building twelve classes nobody can troubleshoot at 2 a.m. is, yes, an anti-pattern too.
A practical branch pattern is straightforward: trust and mark correctly at the access edge, preserve markings through campus, shape at the WAN edge to the actual controllable rate, put voice bearer only in LLQ, protect signaling and interactive video with CBWFQ, give business-critical data an assured class, and push guest or backup traffic into CS1 or a low-priority bucket. If you need a strict cap, police that class explicitly.
Remember one more limitation: QoS helps at the congestion point you control. If the provider is policing below your interface speed and you do not shape below that threshold, the provider’s drop behavior may dominate your carefully built policy.
10. ENCOR Must-Know Distinctions and Exam Tips
For the exam, know these cleanly: classification identifies; marking labels. Queuing schedules transmission; congestion avoidance drops early to influence queue behavior. Policing drops or remarks excess; shaping buffers excess and smooths it. LLQ is strict priority with a bounded allowance; CBWFQ gives bandwidth by class. CoS is Layer 2 in a tagged frame; DSCP is Layer 3 in the IP header. Trust boundaries decide whether markings are believed.
Also know where QoS is commonly applied in practice: access edge for trust and marking, WAN edge for shaping and queuing, and egress as the main place where congestion becomes visible. Be ready for scenario questions where the right answer is not “increase bandwidth” but “fix classification,” “move the trust boundary,” “shape to the provider rate,” or “stop overusing LLQ.”
What to memorize: common DSCP values, the role of each QoS component, and the MQC object model. What to understand: why shaping is used on WAN egress, why endpoint trust is dangerous, why WRED is mainly for TCP classes, and why similar syntax can behave differently across Catalyst, ISR, and ASR platforms.
11. Conclusion
QoS is an end-to-end system of classification, marking, trust, queuing, congestion management, policing, and shaping. DiffServ is the enterprise model that matters most for ENCOR, and MQC is the Cisco framework used to implement it. Keep the mental model clean: QoS does not create bandwidth, it does not fix congestion outside your control, and it does not work if traffic is misclassified or markings are lost.
If you can explain the components, place the trust boundary correctly, build a simple parent/child WAN policy, and verify behavior with counters instead of hope, you are in good shape—for the exam, yes, but also for the field.