Blog Viewer

Expert Advice: What are the different packet classification methods? Which method is recommended for complex and large networks?

By tmoovana posted 05-02-2016 13:08



The following article was created from our online Tech Cafe event with Miguel Barreiros on QoS-enabled Networks.


What are different packet classification methods? Which method is recommended for complex and large networks?


There are two types of packet classification methods. They are behavior aggregate (BA) classification and multi-field (MF) classification.


Behavior Aggregate Classifiers

The behavior aggregate (BA) classifier maps a quality of service (QoS) value in the packet header to a forwarding class and loss priority. The BA classification is comparatively simpler and easier to implement. You can define a “core-ba-classifier”, and then replicate it across the network facing ports. This way, it is simple and easy to maintain.

For more information about BA, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.


Multifield Classifiers

Multifield classification (MF) uses a standard stateless firewall filter to set the forwarding class or PLP for packets entering or exiting the interface based on multiple fields in the IP packet. You can configure an MF classifier that specifies match conditions based on CoS values (such as DSCP value, IP precedence value, MPLS EXP bits, or IEEE 802.1p bits), other packet values (such as IP address fields, the IP protocol type field, or the port number in the UDP or TCP pseudoheader field), or a combination of these.

For example, if you want to map a TCP destination port X to a class of service Z, then you also need to specify rules to state what is not TCP or what is TCP but not destination port X. However, sometimes you might have to review the packet header when the packet marking is insufficient. For example, in the case of VOIP devices that send all traffic with the same marking, you want to separate control packets from data packets.


When packet marking itself is not reliable, MF is the recommended option. For more information, see Multifield Classification.


Sample Scenario

Typically, BA is used at core facing ports (any port that does not face a CPE), where packets are trusted and looks at the packet marking to map to a class of service. If packets enter the network from the CPE that is not trusted, the markings use the rewrite rules in the egress from the device where they are received to the next network device that will receive them.

At customer facing ports, you can use BA or MF or a combination of both. MF is applied after BA so that you can do the first round of classification using BA and then fine tune with MF when required.


For example:


  1. DSCP A – COS 1 (applied using BA)
  2. DSCP B – COS 2 (applied using BA)
  3. DSCP B + TCP port X – COS 3, all others don’t touch it (packet arriving with DSCP B and this header are assigned to COS 3. For all others, COS assignment is unaffected, which means BA output is not changed.)

Now coming back to trust borders, you cannot completely trust the traffic markings and headers you receive.


There are several sub scenarios to this:


  1. Only one class of service is defined. This is easy and you need just one MF filter that states “then COS A”.
  2. Several classes of service are defined. If there is a rate per COS specified, then use MF. This needs just one term per COS with a policer attached to it.

In large scale deployments, several classes of service are available. Depending on the classes of service defined, the network customer is instructed about the DSCP markings that the CPE needs to use when sending traffic into the network, and that it should be enforced through policing at ingress. It is still possible that packet markings can be wrong, so they need to be rewritten before sending the traffic upstream. This ensures that the packet marking is trustable and the next network device is not fooled by wrong packet markings.