How to configure QoS trust boundary on Cisco Switches

When we configure QoS on our Cisco switches we need to think about our trust boundary. Simply
said, this basically means: on which device are we going to trust the marking of the packets and
Ethernet frames entering our network? If you are using IP phones you can use those for marking
and configure the switch to trust the traffic from the IP phone. If you don’t have any IP phones or
you don’t trust them, we can configure the switch to do marking as well. In this lesson I’ll show you
how to do both! First let me show you the different QoS trust boundaries:

In the picture above the trust boundary is at the Cisco IP phone, this means that we won’t remark
any packets or Ethernet frames anymore at the access layer switch. The IP phone will mark all
traffic. Note that the computer is outside of the QoS trust boundary. This means that we don’t trust
the marking of the computer. We can remark all its traffic on the IP phone if we want. Let’s take a
look at another picture:

In the picture above we don’t trust whatever marking the IP phone sends to the access layer switch.
This means we’ll do classification and marking on the access layer switches. I have one more
example for you…

Above you can see that we don’t trust anything before the distribution layer switches. This is
something you won’t see very often but it’s possible if you don’t trust your access layer switches.
Maybe someone else does management for the access layer switches and you want to prevent
them from sending packets or Ethernet frames that are already marked towards your distribution layer switches.

Let’s take a look at a switch to see how we can configure this trust boundary. I have a Cisco Catalyst
3560 that I will use for these examples. Before you do anything with QoS, don’t forget to enable it
globally on your switch first:

3560Switch(config)#mls qos

Something you need to be aware of is that as soon as you enable QoS on your switch it will erase
the marking of all packets that are received! If you don’t want this to happen you can use the
following command:

3560Switch(config)#no mls qos rewrite ip dscp


Let’s continue by looking at the first command. We can take a look at the QoS settings for the
interface with the show mls qos interface command. This will show you if you trust the marking of
your packets or frames:

3560Switch#show mls qos interface fastEthernet 0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Above you can see that we don’t trust anything at the moment. This is the default on Cisco
switches. We can trust packets based on the DSCP value, frames on the CoS value or we can trust
the IP phone. Here are some examples:

3560Switch(config-if)#mls qos trust cos

Just type mls qos trust cos to ensure the interface trusts the CoS value of all frames entering this
interface. Let’s verify our configuration:

3560Switch#show mls qos interface fastEthernet 0/1
FastEthernet0/1
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

By default your switch will overwrite the DSCP value of the packet inside your frame according to
the cos-to-dscp map. If you don’t want this you can use the following command:

3560Switch(config-if)#mls qos trust cos pass-through

The keyword pass-through will ensure that your switch won’t overwrite the DSCP value. Besides
the CoS value we can also trust the DSCP value:

3560Switch(config-if)#mls qos trust dscp

With the command above the switch will not trust the CoS value but the DSCP value of the packets arriving
at the interface. Here’s what it will look like:

3560Switch#show mls qos interface fastEthernet 0/1
FastEthernet0/1
trust state: trust dscp
trust mode: trust dscp
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Trusting the CoS or DSCP value on the interface will set your trust boundary at the switch level.
What if we want to set our trust boundary at the Cisco IP phone? We need another command for
that!

3560Switch(config-if)#mls qos trust device cisco-phone

Use the mls qos trust device cisco-phone command to tell your switch to trust all CoS values that
it receives from the Cisco IP phone:

3560Switch#show mls qos interface FastEthernet0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone

Maybe you are wondering how the switch knows the difference between a Cisco IP phone and
another vendor’s phone? CDP (Cisco Discovery Protocol) is used for this. Now we trust the CoS value of the
Cisco IP phone but what about the computer behind it? We have to do something about it…here’s
one way to deal with it:

3560Switch(config-if)#switchport priority extend cos

The command above will overwrite the CoS value of all Ethernet frames received from the
computer that is behind the IP phone. You’ll have to set a CoS value yourself. Of course we can also
trust the computer, there’s another command for that:

3560Switch(config-if)#switchport priority extend trust

This will trust all the CoS values on the Ethernet frames that we receive from the computer.
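The show mls qos interface output above is the place to verify where your trust boundary really is. As an added example (not code from the lesson or from Cisco), here is a small Python audit script that parses that output format and flags ports that trust CoS or DSCP unconditionally, i.e. ports where anything you plug in can set its own marking. The sample output and the phone_ports list are constructed for this example; the lesson's own output shows "trust state: not trusted" on a cisco-phone port until CDP has detected the phone, which the script treats as conditional trust.

```python
"""Audit QoS trust settings parsed from 'show mls qos interface' output.

Added example, not from the NetworkLessons.com lesson or Cisco: it parses the
field layout shown in the lesson and reports each port's effective trust boundary.
SAMPLE_OUTPUT below is constructed for this example.
"""
import re

# Constructed sample: three interfaces in the field layout the lesson shows.
SAMPLE_OUTPUT = """\
FastEthernet0/1
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
FastEthernet0/2
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
FastEthernet0/3
trust state: not trusted
trust mode: not trusted
COS override: ena
default COS: 4
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
"""

IFACE_RE = re.compile(r"^[A-Za-z]+Ethernet\d+/\d+(?:/\d+)?$")
FIELD_RE = re.compile(
    r"^(trust state|trust mode|COS override|default COS|DSCP Mutation Map|Trust device):\s*(.*)$"
)


def parse_mls_qos_interfaces(text):
    """Return {interface: {field: value}} for every interface block in the output."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IFACE_RE.match(line):
            current = line
            interfaces[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip()
    return interfaces


def audit_trust_boundary(interfaces, phone_ports=()):
    """Classify each port's trust boundary.

    phone_ports: ports where an IP phone is expected (an assumption the operator
    supplies, e.g. from the voice VLAN design). Any other unconditionally trusted
    port is flagged for review because the attached device controls its own marking.
    """
    findings = {}
    for name, f in interfaces.items():
        state = f.get("trust state", "")
        device = f.get("Trust device", "none")
        if device == "cisco-phone":
            # Trust only takes effect once CDP identifies a Cisco phone on the port.
            findings[name] = "conditional (trusts CoS only after CDP detects a Cisco phone)"
        elif state.startswith("trust"):
            if name in phone_ports:
                findings[name] = "trusted (expected phone port)"
            else:
                findings[name] = "REVIEW: unconditional %s with no trust device" % state
        else:
            findings[name] = "untrusted (switch marks; default CoS %s, override %s)" % (
                f.get("default COS"), f.get("COS override"))
    return findings


if __name__ == "__main__":
    for port, verdict in audit_trust_boundary(parse_mls_qos_interfaces(SAMPLE_OUTPUT)).items():
        print(port, "->", verdict)
```

On a real switch you would feed the script the output of show mls qos interface (without an interface argument it lists every port) and compare the REVIEW lines against your intended trust boundary.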

The commands above will let you trust traffic but if we don’t trust anything we can also decide to
mark or remark packets and Ethernet frames on the switch. This is quite easy to do with the
following command:

3560Switch(config-if)#mls qos cos 4

Just type mls qos cos to set a CoS value yourself. In the example above I will set a CoS value of 4 to
all untagged frames. Any frame that is already tagged will not be remarked with this command.

3560Switch#show mls qos interface FastEthernet0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 4
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Above you can see that the default CoS will be 4 but override (remarking) is disabled. Marking
Ethernet frames with this command is useful when you have a computer or server that is unable to
mark its own traffic. In case the Ethernet frame already has a CoS value but we want to remark it,
we’ll have to do this:

3560Switch(config-if)#mls qos cos override

Use the keyword override to tell the switch to remark all traffic. If you receive Ethernet frames that
already have a CoS value then they will be remarked with whatever CoS value you configured. Let’s
verify it:

3560Switch#show mls qos interface FastEthernet 0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
COS override: ena
default COS: 4
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Override (remarking) has been enabled. As a result all tagged and untagged Ethernet frames will
have a CoS value of 4. That’s all there is to trusting the CoS, DSCP or Cisco IP phone and (re)marking
your traffic. If this lesson was useful to you please leave a comment!
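To tie the trust, pass-through, default CoS and override commands of this lesson together, here is an added Python model (not Cisco code and not from the lesson) of what a port does to the CoS and DSCP of an incoming frame under each setting. It encodes the behaviour the lesson describes (untrusted ports erase the DSCP once mls qos is enabled unless no mls qos rewrite ip dscp is set, mls qos cos applies only to untagged frames unless override is used) plus the platform's default cos-to-dscp map (CoS x 8) and dscp-to-cos map (DSCP / 8). The Port and Frame classes and their field names are this example's own.

```python
"""Model of Catalyst 3560 ingress CoS/DSCP handling under the lesson's trust settings.

Added example, not Cisco code and not from the lesson. Assumptions:
  - default cos-to-dscp map is CoS*8 (0,8,16,...,56) and dscp-to-cos is DSCP//8;
  - an untrusted port with mls qos enabled sets DSCP to 0 unless
    'no mls qos rewrite ip dscp' is configured (as the lesson states);
  - Port/Frame and their field names are invented for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}        # 0,8,16,...,56
DEFAULT_DSCP_TO_COS = {dscp: dscp // 8 for dscp in range(64)}   # 0-7 -> 0, 8-15 -> 1, ...


@dataclass
class Port:
    trust: str = "none"          # "none" | "cos" | "dscp"   (mls qos trust ...)
    pass_through: bool = False   # mls qos trust cos pass-through
    default_cos: int = 0         # mls qos cos <n>
    cos_override: bool = False   # mls qos cos override
    rewrite_dscp: bool = True    # False after global 'no mls qos rewrite ip dscp'


@dataclass
class Frame:
    cos: Optional[int]   # None means the frame is untagged
    dscp: int            # DSCP of the IP packet carried in the frame


def classify(port: Port, frame: Frame) -> Tuple[int, int]:
    """Return the (cos, dscp) the switch assigns to the frame on ingress."""
    cos = frame.cos
    dscp = frame.dscp
    # The port default CoS applies to untagged frames, or to all frames with override.
    if cos is None or port.cos_override:
        cos = port.default_cos
    if port.trust == "cos":
        # Trusted CoS drives the DSCP through the cos-to-dscp map unless pass-through.
        if not port.pass_through:
            dscp = DEFAULT_COS_TO_DSCP[cos]
    elif port.trust == "dscp":
        # Trusted DSCP is kept and drives the CoS through the dscp-to-cos map.
        dscp = frame.dscp
        cos = DEFAULT_DSCP_TO_COS[dscp]
    else:
        # Untrusted port: the switch erases the DSCP unless rewriting is disabled.
        if port.rewrite_dscp:
            dscp = 0
    return cos, dscp


if __name__ == "__main__":
    # Constructed scenarios mirroring the lesson: a voice frame (CoS 5, DSCP 46)
    # and an untagged PC frame arriving on differently configured ports.
    voice = Frame(cos=5, dscp=46)
    pc = Frame(cos=None, dscp=46)
    for label, port in [("trust cos", Port(trust="cos")),
                        ("trust cos pass-through", Port(trust="cos", pass_through=True)),
                        ("trust dscp", Port(trust="dscp")),
                        ("untrusted, mls qos cos 4", Port(default_cos=4)),
                        ("untrusted, cos 4 override", Port(default_cos=4, cos_override=True)),
                        ("untrusted, no rewrite", Port(rewrite_dscp=False))]:
        print(f"{label:28s} voice -> {classify(port, voice)}  pc -> {classify(port, pc)}")
```

Running it shows, for instance, that the voice frame keeps DSCP 46 only on a trust dscp port, a pass-through port, or an untrusted port with rewriting disabled; on a plain trust cos port the DSCP becomes 40 (CoS 5 x 8), which is exactly the remarking Rene warns about in the forum replies below.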

Forum: How to configure QoS trust boundary on Cisco Switches

This topic contains 39 replies, has 16 voices, and was last updated by Rene Molenaar 2 weeks, 5 days ago.

June 17, 2013 at 01:47 #15591

Vin
Hi,
Nice explanation.

We have a setup where a video device is connected to a switch (no QoS) and marking is done in the
router as AF41.
Here, the packet will be marked as Default when it goes from switch to router. The router will mark
the packet as AF41. When there is a reply packet from the router it will be AF41 and it sends it to the
switch as well.

Switch sends a packet to router: Default
Router sends a reply packet to switch: AF41

With the same setup, when we have QoS enabled globally in the switch:

Packet from switch to router: Default
Reply packet from router to switch: Default marking.

Which scenario would you suggest?

June 19, 2013 at 15:30 #15592

Rene Molenaar
Keymaster
Hi Vin,

It depends on your network, if you don’t do any queuing on the switch then it’s fine to mark on the
router. If you implement queuing on the switch(es) then I would also mark there.

Keep in mind that enabling QoS globally on the switches will impact your marking. Catalyst IOS
switches will remark traffic according to the CoS-to-DSCP or DSCP-to-CoS map.
Rene

February 5, 2014 at 11:49 #15593

Nusret
Thank you very much for the lesson!
BTW, is it possible to remark the priority of only the frames that belong to particular VLANs while keeping
the others without remarking?

March 10, 2014 at 14:10 #15594

Rene Molenaar
Keymaster
You are welcome and yes you can do that.

June 20, 2014 at 16:36 #15595

John
Very nice lesson!

Do you have any recommendations on using an Asterisk based phone system with current Cisco
3560s? All the SWs are set with QoS for the current Cisco phone system. Will the markings be the
same?

June 25, 2014 at 07:51 #15596

Rene Molenaar
Keymaster
Thanks John!

I’m not sure if Asterisk sends any DSCP values by default but I believe you can configure them in
the sip.conf file like this:

tos_sip=cs3 ; Sets TOS for SIP packets.
tos_audio=ef ; Sets TOS for RTP audio packets.
tos_video=af41 ; Sets TOS for RTP video packets.
tos_text=af41 ; Sets TOS for RTP text packets.

Using CS3 for SIP and EF for RTP audio is common but make sure your phones use the same
marking.

October 12, 2015 at 12:45 #18233


Mohammad Taslim M
Participant
Hi Rene,

Thank you for the explanations. I’m very new to QoS. So, it becomes very hard for me to read
through the lesson. Is there any way to produce some videos on this topic (like the ones we did for
other lessons)?

Thank you

BR
Taslim

October 13, 2015 at 18:49 #18838

Rene Molenaar
Keymaster
Hi Taslim,

For sure, QoS is a difficult topic. In the next few weeks I plan to add more material and I will also
add videos for the remaining topics.

Rene

December 22, 2015 at 01:19 #20422

Joey B
Participant
Rene,

What about trusting DSCP values on the uplink to a router from a switch. Would the router
interface use the command “mls qos trust dscp” to trust ingress traffic from the distribution
switch, which connects downstream to an access switch? (distribution switch trusts DSCP from
access switch).

Joey

December 22, 2015 at 09:19 #20425


Rene Molenaar
Keymaster
Hi Joey,

You don’t have to do anything on the router, it will just forward these marked IP packets, unlike the
switches which want to rewrite everything. No need to trust it.

Rene

January 14, 2016 at 07:58 #20923

Chad B
Participant
Hi Rene,

Thank you for the explanations. Can you please add more explanation about how the DSCP
Mutation Map works? I have two questions about this topic.

Question 1:

3560Switch(config-if)#mls qos cos 4

This command is to set the CoS value of untagged frames. Do untagged frames mean voice
frames?

Question 2:

3560Switch(config-if)#mls qos cos override

and

3560Switch#show mls qos interface FastEthernet 0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
COS override
default COS: 4
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

All tagged and untagged frames are marked as CoS 4.

My question is: how do we mark tagged frames with a different CoS marking than untagged frames?

Thanks

Chad

January 14, 2016 at 13:25 #20930

Rene Molenaar
Keymaster
Hi Chad,

The “mls qos cos” command will set a COS value when there is no current marking. It will be
applied to all frames with no marking…doesn’t matter if it carries voice tra c or something else.
When the frame is already marked then this command won’t do anything.

When you set “mls qos cos override” then the switch will overwrite the current marking. In my
example, it will set the COS value to 4…marked and unmarked frames.

If you want to “untag” frames then you could use “mls cos 0” together with “mls qos cos override”.
This will mark everything to 0.

Hope this helps.

Rene

February 15, 2016 at 19:58 #22152

Tamas S
Participant
Hi Rene,

If I set “mls qos trust device-phone” and nothing else, does the switch trust all traffic from the PC
which is connected to the phone as well?

How does the Cisco Phone handle the PC tra c in default mode?

February 16, 2016 at 00:20 #22154

Andrew P
Moderator
Tamas,
“mls qos trust device cisco-phone” will not result in traffic sent by the PC attached to
the phone being trusted. You need to follow it up with
(config-if)#switchport priority extend trust

By default, when traffic is sent by a PC attached to the phone, the switch port will reset this to
the default CoS value (usually zero, unless you have configured it otherwise). By the way, if you
aren’t running CDP on the switch, this will also happen, even if you have configured the first two
commands I mentioned. The reason is that the switch depends on CDP to identify the Cisco phone
properly.

–Andrew

February 16, 2016 at 12:15 #22159

Tamas S
Participant
Thanks Andrew, just to complete the picture for me:

So I suppose “switchport priority extend trust” is only active with “mls qos trust device cisco-phone”,
right?

If the PC were attached to the port directly, its CoS/DSCP marking would be set to 0 (unless set
differently). Correct?

Unless I would set “mls qos trust cos/dscp”. But then I wouldn’t even need the whole Cisco phone
trust stuff, as every packet would be trusted.

Thanks for the clarification!

How to configure QoS trust boundary on Cisco Switches, written by Rene Molenaar. Average rating 4.6/5 (17 user ratings).
© 2013 - 2016 NetworkLessons.com