The Three Things People Call "QoS"

Quality of Service is one of those terms that gets used to mean several different things at once. Someone says "we need to add QoS" and they might mean mark the voice traffic, police the guest WiFi, or shape the WAN link to fit an SLA. These are different operations with different effects, and applying the wrong one solves nothing.

The three core mechanisms are marking, policing, and shaping. They're related but distinct, and each has a specific place in a QoS design.

Marking: Classification Is Everything

Before you can treat traffic differently, you have to identify it. Marking assigns a value, usually a DSCP (Differentiated Services Code Point) value, to packets so that every device in the network knows how to treat them.

DSCP is a 6-bit field in the IP header. The most common values you'll see:

  • EF (Expedited Forwarding / DSCP 46): Voice and real-time traffic. Lowest latency, lowest jitter, lowest drop probability.
  • AF41 (Assured Forwarding / DSCP 34): Interactive video. High priority, some drop tolerance.
  • CS3 (DSCP 24): Call signaling.
  • Default (DSCP 0): Best effort. No guarantees.

Marking should happen at the network edge, as close to the source as possible. If you let endpoints mark their own traffic and trust those markings throughout the network, users will mark everything as high priority and you've gained nothing. Trust boundaries exist for this reason.

! Cisco IOS-XE: Mark voice traffic with DSCP EF
class-map match-any VOICE-TRAFFIC
 match protocol rtp audio
!
policy-map MARK-VOICE
 class VOICE-TRAFFIC
  set dscp ef
!

Policing: The Hard Limit

Policing enforces a rate limit by dropping or re-marking packets that exceed the configured rate. It's immediate: there's no buffering, no delay. If a traffic flow exceeds the policed rate, the excess packets are dropped right there.

This makes policing appropriate for enforcing contracts at network edges. Your ISP polices your traffic at the ingress: if you send more than your contracted rate, they drop the excess. You use policing to enforce limits on traffic coming into your network from untrusted sources, or to rate-limit specific flows that might otherwise consume too much bandwidth.

The impact on the user experience is harsh. Drops cause retransmissions for TCP traffic (which compounds the problem), and for real-time traffic like voice, dropped packets are simply gone: there's no retransmission mechanism. That's why you don't police voice traffic; you shape it or prioritize it.

! Police guest WiFi to 10Mbps; drop anything over
policy-map POLICE-GUEST
 class class-default
  police rate 10000000 bps
   conform-action transmit
   exceed-action drop

Shaping: The Soft Limit

Shaping also enforces a rate limit, but instead of dropping excess traffic, it buffers it and transmits it later. The effect is that the average throughput is limited to the shaped rate, but individual packets aren't dropped; they're just delayed.

Shaping is used at the WAN edge, typically to match your outbound rate to your actual contracted speed. If your router can physically send 1Gbps but your WAN circuit is 100Mbps, without shaping your router will burst to 1Gbps, the provider will drop the excess at their edge, and TCP will back off (slowly, inefficiently). With shaping, you rate-limit locally to 100Mbps, the traffic stays in your buffer, TCP behaves better, and you get more predictable throughput.

The tradeoff is latency. Buffering adds delay. For real-time traffic (voice, video), too much shaping buffer causes quality problems. You need to tune the buffer and make sure real-time traffic is prioritized out of the queue before the delay-tolerant traffic.

! Shape WAN traffic to 100Mbps to match circuit speed
policy-map SHAPE-WAN
 class class-default
  shape average 100000000
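
The difference between the hard and soft limit is easiest to see by feeding the same burst to both. The following is an added example, not part of the original article and not vendor code: a small token-bucket policer and a queueing shaper run over a constructed burst of 1 Gbps traffic offered to a 100 Mbps contract. The function names, the 15,000-byte bucket depth, and the 30,000-byte queue limit are assumptions chosen for illustration.

```python
# Added illustration: policer vs shaper on the same constructed burst.
# Times are microseconds, sizes are bytes; all inputs below are constructed.

def police(packets, rate_bps, burst_bytes):
    """Token-bucket policer: conforming packets pass, excess is dropped."""
    tokens, last = float(burst_bytes), 0
    sent, dropped = [], []
    for t_us, size in packets:
        # Refill for the elapsed time, capped at the bucket depth.
        tokens = min(burst_bytes, tokens + (t_us - last) * rate_bps / 8e6)
        last = t_us
        if tokens >= size:
            tokens -= size
            sent.append(t_us)
        else:
            dropped.append(t_us)
    return sent, dropped

def shape(packets, rate_bps, queue_limit_bytes=None):
    """Shaper: excess waits in a queue and leaves at rate_bps.
    Returns (delays_us of transmitted packets, tail-dropped arrival times)."""
    free_at = 0.0  # time at which the link finishes the previous packet
    delays, dropped = [], []
    for t_us, size in packets:
        start = max(t_us, free_at)
        backlog = (start - t_us) * rate_bps / 8e6  # bytes queued ahead
        if queue_limit_bytes is not None and backlog + size > queue_limit_bytes:
            dropped.append(t_us)  # buffer full: tail drop
            continue
        free_at = start + size * 8e6 / rate_bps
        delays.append(free_at - t_us)
    return delays, dropped

# 100 x 1500-byte packets back to back at 1 Gbps (one every 12 us),
# offered to a 100 Mbps contract.
BURST = [(12 * i, 1500) for i in range(100)]
RATE = 100_000_000

def compare():
    sent, p_drop = police(BURST, RATE, burst_bytes=15_000)
    delays, s_drop = shape(BURST, RATE)
    b_delays, b_drop = shape(BURST, RATE, queue_limit_bytes=30_000)
    return {"policed_sent": len(sent), "policed_dropped": len(p_drop),
            "shaped_dropped": len(s_drop), "shaped_max_delay_us": max(delays),
            "bounded_dropped": len(b_drop), "bounded_max_delay_us": max(b_delays)}

if __name__ == "__main__":
    print(compare())
```

The policer drops most of the burst with no added delay; the unbounded shaper drops nothing but the last packet waits almost 11 ms; the bounded queue caps the delay and drops what does not fit, which is the buffer-tuning tradeoff described above.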

Putting It Together: A Typical WAN QoS Design

In a typical enterprise WAN deployment:

  1. Mark at the edge: classify traffic as it enters the network and apply DSCP values
  2. Shape outbound at the WAN interface: match the shaping rate to your contracted bandwidth
  3. Within the shaped queue, prioritize with queuing: voice gets strict priority, interactive video gets guaranteed bandwidth, everything else is best effort
  4. Police untrusted ingress: if you're accepting traffic from untrusted sources (guest traffic, unmanaged devices), police it at ingress before it enters your QoS domain

This ordering matters. You mark first. You shape at WAN egress. You police at ingress from untrusted sources. Applying these in the wrong order, or applying policing where you need shaping, is where most QoS problems come from.