QoS fundamentals — making bandwidth feel infinite
Bandwidth isn't infinite. When traffic exceeds the link capacity, some packets must wait (queue), be shaped (delayed), or be policed (dropped). QoS (Quality of Service) is the toolkit for deciding which packets get what treatment. Real-time traffic (voice, video) is sensitive to that treatment; bulk transfers tolerate delay; everyone wants the network to "feel fast."
The QoS workflow
- Classify — identify what kind of traffic a packet is (voice, video, web, file copy).
- Mark — write a tag into the packet header so downstream devices don't have to re-classify.
- Queue — sort marked traffic into multiple per-interface queues with different scheduling priorities.
- Shape / Police — control the rate of a traffic class either by delaying excess (shaping) or dropping it (policing).
Marking — DSCP and CoS
| Field | Lives in | Bits | Used at |
|---|---|---|---|
| DSCP (Differentiated Services Code Point) | IP header (ToS byte) | 6 | L3 — end-to-end across routers |
| IPP (IP Precedence) | IP header (ToS byte) | 3 | Legacy — first 3 bits of DSCP |
| CoS / 802.1p | 802.1Q VLAN tag | 3 | L2 — only on tagged trunks |
| MPLS EXP / TC | MPLS label | 3 | Within an MPLS network |

Common DSCP code points to memorize:
| Name | DSCP | Use |
|---|---|---|
| EF (Expedited Forwarding) | 46 | Voice |
| AF41 / AF42 / AF43 | 34 / 36 / 38 | Video, mission-critical |
| AF31..AF33 | 26 / 28 / 30 | Streaming, transactional |
| AF21..AF23 | 18 / 20 / 22 | Bulk OK class |
| AF11..AF13 | 10 / 12 / 14 | Background |
| CS5 / CS6 / CS7 | 40 / 48 / 56 | Network control, routing |
| Default (BE) | 0 | Best effort — everything not classified |

Queuing — multiple lines at the cashier
Each interface has multiple queues. The scheduler picks which queue to serve next.
| Strategy | What |
|---|---|
| FIFO | One queue. First in, first out. No QoS at all. |
| PQ (Priority Queuing) | Strict priority — high-priority queue serviced 100% until empty, then next class. Risk of starvation. |
| CBWFQ (Class-Based Weighted Fair Queuing) | Each class gets a guaranteed % of bandwidth. No starvation. |
| LLQ (Low-Latency Queuing) | CBWFQ + one strict-priority queue with a policed cap — best of both. Standard for voice. |

For voice: LLQ with the voice class capped at 33% (or whatever your design allows) and policed so it can't starve everyone else.
Shaping vs policing
| | Shaping | Policing |
|---|---|---|
| When over rate | Buffer the excess and send later | Drop (or remark) the excess |
| Effect on TCP | Smooths — gentle | Causes retransmits — harsh |
| Where used | Egress, often on customer-facing links | Ingress, often on provider-facing |
| Memory cost | High (needs buffers) | Low |

A customer who paid for 10 Mbps gets a 10 Mbps shaped egress so they always see ≤10 Mbps. The provider also polices the customer at 10 Mbps ingress in case they exceed it.
Trust boundaries
A packet arrives with a DSCP marking. Do you trust it? An end-user device that marks its own traffic EF (voice priority) shouldn't be trusted — they'll abuse it. Trust boundary: the point at which you start respecting incoming markings. Typically:
- Access ports from end users: untrusted. The switch re-marks everything to a default (often DSCP 0).
- Access ports from IP phones (after CDP/LLDP verification): trusted for voice DSCP.
- Inter-switch trunks and uplinks: trusted (you control those devices).
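
The trust-boundary rules above, as an added example (not part of the original lesson): a Python sketch that re-marks the DSCP bits of the IPv4 ToS byte according to the ingress port role. The role names, the `phone_verified` flag, and the choice to leave the two ECN bits untouched are assumptions of this sketch.

```python
# Added example: trust-boundary re-marking of the IPv4 ToS (DS) byte.
# Role names and phone_verified are hypothetical, not from any vendor API.
EF = 46  # Expedited Forwarding (voice)

def dscp_name(dscp: int) -> str:
    """Decode a 6-bit DSCP value into its conventional name."""
    if dscp == EF:
        return "EF"
    if dscp == 0:
        return "BE"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{cls}"              # class selector: 8 * class
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"    # AFxy: 8 * x + 2 * y
    return f"DSCP{dscp}"               # no standard name

def apply_trust_boundary(role: str, tos: int, phone_verified: bool = False) -> int:
    """Return the ToS byte after ingress re-marking for the given port role."""
    dscp, ecn = tos >> 2, tos & 0b11   # DSCP = top 6 bits, ECN = bottom 2
    if role == "trunk":
        trusted = True                 # inter-switch link you control
    elif role == "phone":
        # Trusted for voice only, and only after CDP/LLDP verification.
        trusted = phone_verified and dscp == EF
    elif role == "user":
        trusted = False                # end-user access port
    else:
        raise ValueError(f"unknown port role: {role}")
    return ((dscp if trusted else 0) << 2) | ecn  # ECN left untouched (assumption)

def audit(samples):
    """Describe what the boundary does to each (role, tos, verified) sample."""
    rows = []
    for role, tos, verified in samples:
        out = apply_trust_boundary(role, tos, verified)
        rows.append((role, dscp_name(tos >> 2), dscp_name(out >> 2)))
    return rows

# Constructed sample traffic: (port role, ToS byte, phone verified?)
SAMPLES = [
    ("user", 0xB8, False),   # PC self-marking EF
    ("phone", 0xB8, True),   # verified phone sending voice
    ("phone", 0x88, True),   # verified phone sending AF41
    ("trunk", 0x88, False),  # uplink carrying AF41
]

if __name__ == "__main__":
    for role, before, after in audit(SAMPLES):
        print(f"{role:5} {before:>4} -> {after}")
```

The verified phone's AF41 packet is reset to best effort because the phone port is trusted for the voice marking only, which is the distinction the list above draws between phone ports and trunks.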
Simple LLQ config
What to remember
- QoS workflow: classify → mark → queue → shape/police.
- DSCP is the universal L3 mark. EF = voice, AF classes for everything else.
- LLQ is the standard scheduler for voice+everything-else.
- Shaping delays, policing drops. Shape egress, police ingress.
- Define a trust boundary so end users can't paint their packets as priority traffic.