DSCP (Differentiated Services Code Point) is the 6-bit Layer 3 marking that tells every router in a path how to treat a given packet. It lives in the IP header (the same byte that used to hold IP Precedence in the original IPv4 spec) and is the dominant QoS marking standard in modern enterprise and service-provider networks. If you have ever set set dscp ef in a Cisco policy-map and wondered what that 6-bit value actually does on the wire, this is the byte-level reference.
This article walks through the history (TOS to IP Precedence to DSCP), the byte format, the standardized PHB (Per-Hop Behavior) values, the DSCP-to-CoS-to-MPLS-EXP mapping, and the trust-boundary discipline that makes DSCP-based QoS work in production. If you are studying for CCNP, designing a QoS rollout, or troubleshooting why your voice traffic is not getting priority, this is the foundation.
From TOS to IP Precedence to DSCP
The byte at offset 1 in the IPv4 header has been called several things across the protocol's history:
| Era | Name | Format | Standard |
|---|---|---|---|
| 1981 | Type of Service (ToS) | 3-bit precedence + 4-bit ToS + 1 unused | RFC 791 |
| 1992 | Same byte; renamed to TOS field | 3-bit IP Precedence + 4-bit TOS bits + 1 unused | RFC 1349 |
| 1998 | DiffServ field (DSCP + ECN) | 6-bit DSCP + 2-bit ECN | RFC 2474, RFC 3168 |
The 1998 redefinition was the important one. The IETF realized the original 8 IP Precedence values were too coarse, and the 4 ToS bits were essentially unused. They redefined the same byte to carry 6 bits of DSCP plus 2 bits of ECN (Explicit Congestion Notification). The 6 DSCP bits give 64 possible values - enough to express granular per-class behavior across diverse service classes.
In IPv6, the same field exists as the 8-bit Traffic Class field with the same DSCP/ECN split. End-to-end QoS works identically across IPv4 and IPv6.
The Byte Format
+---+---+---+---+---+---+---+---+
| DSCP | ECN |
| 6 bits | 2bits|
+---+---+---+---+---+---+---+---+
| C | C | C | D | D | D | E | E |
+---+---+---+---+---+---+---+---+
Class Selector + Drop Precedence + ECN
The 6 DSCP bits split conceptually into two parts:
- Class Selector (CS): bits 7-5 (3 bits) - which class of service. Maps directly to the legacy IP Precedence values; setting bits 4-3 to zero gives a backwards-compatible CS value.
- Drop Precedence: bits 4-3 (2 bits) - within a class, which packets get dropped first under congestion.
- Bit 2 reserved (always 0 in current PHBs).
The ECN bits (bits 1-0) are not part of QoS classification; they let routers signal congestion to TCP endpoints without dropping packets.
Per-Hop Behaviors (PHBs): The Standardized DSCP Values
The IETF standardized a set of PHBs that map to specific DSCP values. Every QoS-aware device should treat traffic with these markings consistently. Three PHB families exist:
Default (Best Effort)
| Name | DSCP (binary) | DSCP (decimal) | Use |
|---|---|---|---|
| BE / Default | 000000 | 0 | No QoS preference; default for unmarked traffic |
Class Selector (CS) - Backwards Compatible with IP Precedence
| Name | DSCP (binary) | DSCP (decimal) | Old IP Prec | Use |
|---|---|---|---|---|
| CS0 | 000000 | 0 | 0 (Routine) | Default; same as BE |
| CS1 | 001000 | 8 | 1 (Priority) | Scavenger / lower than best-effort |
| CS2 | 010000 | 16 | 2 (Immediate) | Network management (OAM) |
| CS3 | 011000 | 24 | 3 (Flash) | Signaling (SIP, H.323) |
| CS4 | 100000 | 32 | 4 (Flash Override) | Real-time interactive (gaming) |
| CS5 | 101000 | 40 | 5 (Critical) | Broadcast video |
| CS6 | 110000 | 48 | 6 (Internetwork Control) | Routing protocols (OSPF, BGP, EIGRP) |
| CS7 | 111000 | 56 | 7 (Network Control) | Network control plane |
CS6 is what most routing protocols mark themselves with by default. show ip ospf neighbor and equivalent: under the hood, OSPF Hellos carry DSCP CS6 (48). This is why a misconfigured QoS policy that drops CS6 traffic causes routing protocols to flap.
Assured Forwarding (AF) - For Bandwidth-Guaranteed Classes
AF defines four classes (AF1-AF4), each with three drop precedence levels:
| Class | Low Drop | Med Drop | High Drop | Typical use |
|---|---|---|---|---|
| AF1 | AF11 (10) | AF12 (12) | AF13 (14) | Bulk data (email, file transfer) |
| AF2 | AF21 (18) | AF22 (20) | AF23 (22) | Transactional / business apps |
| AF3 | AF31 (26) | AF32 (28) | AF33 (30) | Multimedia streaming (one-way) |
| AF4 | AF41 (34) | AF42 (36) | AF43 (38) | Video conferencing (two-way) |
The naming is logical: AFxy where x is class and y is drop precedence (1=low/most likely to be kept, 3=high/most likely to be dropped). Within a class, all three drop precedence levels share queueing; under congestion, the higher drop-precedence packets are discarded first.
Drop precedence pairs naturally with WRED (Weighted Random Early Detection): set thresholds so AF13 packets get dropped earlier than AF11 in the same class.
Expedited Forwarding (EF) - For Voice and Strict-Priority
| Name | DSCP (binary) | DSCP (decimal) | Use |
|---|---|---|---|
| EF | 101110 | 46 | Voice (VoIP RTP); strict priority queueing |
EF is the priority class. Traffic marked EF goes to the LLQ priority queue at every congested egress and is served before everything else. Use EF only for traffic that genuinely needs sub-millisecond latency variance: VoIP RTP voice payload, possibly real-time control loops.
Because the priority queue is served first, you must police EF at the policy level - if voice traffic explodes (a misbehaving SIP gateway, a DDoS, a misconfiguration), unbounded EF would starve everything else. Cisco's LLQ has a built-in policer for the priority class.
Cisco's Mapping: DSCP to CoS to MPLS EXP
Inside a heterogeneous network, the same flow may be tagged with DSCP at Layer 3, CoS at Layer 2, and MPLS EXP at the MPLS service provider boundary. Cisco maintains default mappings between these markings, which you can override via QoS maps.
| DSCP class | DSCP decimal | Default CoS | MPLS EXP |
|---|---|---|---|
| EF | 46 | 5 | 5 |
| CS5 | 40 | 5 | 5 |
| AF41 | 34 | 4 | 4 |
| AF31 | 26 | 3 | 3 |
| CS3 | 24 | 3 | 3 |
| AF21 | 18 | 2 | 2 |
| AF11 | 10 | 1 | 1 |
| CS1 | 8 | 1 | 1 |
| BE | 0 | 0 | 0 |
The default DSCP-to-CoS mapping is the top 3 bits of the DSCP value (bits 7-5). EF (101110) becomes CoS 5 (101). AF41 (100010) becomes CoS 4 (100). This is the Class Selector value of the DSCP.
In switched Layer 2 segments where the 802.1Q tag exists, CoS is what gets honored. Packets crossing a Layer 3 routing hop lose their CoS (the 802.1Q tag is stripped) but retain DSCP (it lives in the IP header). The standard Cisco pattern: trust DSCP at the Layer 3 boundary, derive CoS from DSCP automatically. See 802.1Q VLAN Tag Explained for where CoS lives in the frame.
Setting DSCP on Cisco IOS XE
The MQC pattern for marking traffic with DSCP:
! Classify traffic
class-map match-any VOICE-RTP
match protocol rtp audio
class-map match-any VIDEO
match protocol rtp video
class-map match-any TRANSACTIONAL
match access-group name SALESFORCE-ACL
! Mark traffic
policy-map MARK-INGRESS
class VOICE-RTP
set dscp ef
class VIDEO
set dscp af41
class TRANSACTIONAL
set dscp af21
class class-default
set dscp default
! Apply at ingress
interface GigabitEthernet0/0/1
service-policy input MARK-INGRESSVerify with:
Router# show policy-map interface GigabitEthernet0/0/1
Router# show class-map VOICE-RTPThe full MQC walkthrough is in (article forthcoming).
DSCP and Trust Boundaries
The temptation to trust incoming DSCP markings from end hosts is the single most common QoS configuration mistake. Hosts can mark every packet as DSCP EF and starve the legitimate voice traffic. Always re-mark or re-validate at access ports.
The Cisco default for access ports is "untrusted" - incoming DSCP is rewritten to 0 (BE) unless you explicitly trust the device. Common patterns:
| Source | Trust setting |
|---|---|
| Generic PC | No trust; mark everything to BE |
| Cisco IP phone (in voice VLAN) | Trust DSCP/CoS for voice VLAN; mark data VLAN to BE |
| Trusted application server | Trust DSCP set by the application |
| Inter-switch trunk | Trust DSCP and CoS |
| WAN edge inbound from ISP | Re-mark or zero (the ISP's DSCP is not your DSCP) |
Implementation on the access port:
! Trust the IP phone but not the PC
interface GigabitEthernet1/0/5
switchport mode access
switchport access vlan 10
switchport voice vlan 20
mls qos trust device cisco-phone ! Conditional trust
spanning-tree portfast
spanning-tree bpduguard enableCisco's "conditional trust" automatically detects whether a Cisco IP phone is connected (via CDP) and trusts only when the phone is present. If the phone is unplugged, trust drops automatically.
DSCP in IPv6
IPv6 carries DSCP in the 8-bit Traffic Class field (top 6 bits = DSCP, bottom 2 = ECN), exactly like IPv4. All the standardized PHBs and DSCP values work identically. set dscp ef in a Cisco policy-map applies to both IPv4 and IPv6 traffic that matches the class, and the marking is preserved end-to-end.
IP Precedence: When You Still See It
IP Precedence is the legacy 3-bit predecessor of DSCP. Cisco still supports it for backwards compatibility, and you may see it in older configurations. Mapping:
| IP Precedence | Name | Equivalent DSCP CS |
|---|---|---|
| 0 | Routine | CS0 |
| 1 | Priority | CS1 |
| 2 | Immediate | CS2 |
| 3 | Flash | CS3 |
| 4 | Flash Override | CS4 |
| 5 | Critical | CS5 |
| 6 | Internetwork Control | CS6 |
| 7 | Network Control | CS7 |
For new configurations, always use DSCP. IP Precedence has 8 values; DSCP has 64. There is no functional reason to limit yourself to the legacy field.
Summary
DSCP is the 6-bit Layer 3 marking that drives modern QoS. It lives in the IP header (top 6 bits of the ToS / Traffic Class byte), supports 64 values, and is end-to-end across IPv4 and IPv6. The standardized PHBs (CS, AF, EF) cover every common use case; the AF family adds drop precedence within a class for graceful WRED-driven degradation under congestion.
Master the standardized values (EF=46 for voice, AF41=34 for video conferencing, CS5=40 for streaming video, AF21=18 for transactional, BE=0 for everything else), the Cisco mapping to CoS and MPLS EXP, and the trust-boundary discipline that prevents end hosts from gaming the marking. Bookmark this article alongside the QoS cluster pillar as your byte-level DSCP reference.