When we configure QoS on our Cisco switches we need to think about our trust boundary. Simply
said this basically means on which device are we going to trust the marking of the packets and
Ethernet frames entering our network. If you are using IP phones you can use those for marking
and configure the switch to trust the traffic from the IP phone. If you don’t have any IP phones or
you don’t trust them, we can configure the switch to do marking as well. In this lesson I’ll show you
how to do both! First let me show you the different QoS trust boundaries:
In the picture above the trust boundary is at the Cisco IP phone, this means that we won’t remark
any packets or Ethernet frames anymore at the access layer switch. The IP phone will mark all
traffic. Note that the computer is outside of the QoS trust boundary. This means that we don’t trust
the marking of the computer. We can remark all its traffic on the IP phone if we want. Let’s take a
look at another picture:
In the picture above we don’t trust whatever marking the IP phone sends to the access layer switch.
This means we’ll do classification and marking on the access layer switches. I have one more
example for you…
Above you can see that we don’t trust anything before the distribution layer switches. This is
something you won’t see very often but it’s possible if you don’t trust your access layer switches.
Maybe someone else does management for the access layer switches and you want to prevent
them from sending packets or Ethernet frames that are marked towards your distribution layer switches.
Let’s take a look at a switch to see how we can configure this trust boundary. I have a Cisco Catalyst
3560 that I will use for these examples. Before you do anything with QoS, don’t forget to enable it
globally on your switch first:
3560Switch(config)#mls qos
Something you need to be aware of is that as soon as you enable QoS on your switch it will erase
the marking of all packets that are received! If you don’t want this to happen you can use the
following command:
Above you can see that we don’t trust anything at the moment. This is the default on Cisco
switches. We can trust packets based on the DSCP value, frames on the CoS value or we can trust
the IP phone. Here are some examples:
Just type mls qos trust cos to ensure the interface trusts the CoS value of all frames entering this
interface. Let’s verify our configuration:
By default your switch will overwrite the DSCP value of the packet inside your frame according to
the cos-to-dscp map. If you don’t want this you can use the following command:
The keyword pass-through will ensure that your switch won’t overwrite the DSCP value. Besides
the CoS value we can also trust the DSCP value:
Using the command above it will not trust the CoS value but the DSCP value of the packets arriving
at the interface. Here’s what it will look like:
3560Switch#show mls qos interface fastEthernet 0/1
FastEthernet0/1
trust state: trust dscp
trust mode: trust dscp
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
Trusting the CoS or DSCP value on the interface will set your trust boundary at the switch level.
What if we want to set our trust boundary at the Cisco IP phone? We need another command for
that!
Use the mls qos trust device cisco-phone command to tell your switch to trust all CoS values that
it receives from the Cisco IP phone:
Maybe you are wondering how the switch knows the difference between a Cisco IP phone and
another vendor? CDP (Cisco Discovery Protocol) is used for this. Now we trust the CoS value of the
Cisco IP phone but what about the computer behind it? We have to do something about it…here’s
one way to deal with it:
The command above will overwrite the CoS value of all Ethernet frames received from the
computer that is behind the IP phone. You’ll have to set a CoS value yourself. Of course we can also
trust the computer, there’s another command for that:
This will trust all the CoS values on the Ethernet frames that we receive from the computer.
The commands above will let you trust traffic but if we don’t trust anything we can also decide to
mark or remark packets and Ethernet frames on the switch. This is quite easy to do with the
following command:
3560Switch(config-if)#mls qos cos 4
Just type mls qos cos to set a CoS value yourself. In the example above I will set a CoS value of 4 to
all untagged frames. Any frame that is already tagged will not be remarked with this command.
Above you can see that the default CoS will be 4 but override (remarking) is disabled. Marking
Ethernet frames with this command is useful when you have a computer or server that is unable to
mark its own traffic. In case the Ethernet frame already has a CoS value but we want to remark it,
we’ll have to do this:
Use the keyword override to tell the switch to remark all traffic. If you receive Ethernet frames that
already have a CoS value then they will be remarked with whatever CoS value you configured. Let’s
verify it:
Override (remarking) has been enabled. As a result all tagged and untagged Ethernet frames will
have a CoS value of 4. That’s all there is to trusting the CoS, DSCP or Cisco IP phone and (re)marking
your traffic. If this lesson was useful to you please leave a comment!
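An added example (not part of the original lesson): a small Python audit that reads IOS-style interface stanzas and reports where each port's trust boundary sits, using the commands covered above. The sample configuration, the state names and the REVIEW rule are assumptions made for this example.

```python
# Constructed sample config for this example (not taken from the lesson).
SAMPLE_CONFIG = """\
mls qos
interface FastEthernet0/1
 mls qos trust dscp
interface FastEthernet0/2
 mls qos trust cos
 mls qos trust device cisco-phone
 switchport priority extend trust
interface FastEthernet0/3
 mls qos trust cos
 mls qos trust device cisco-phone
interface FastEthernet0/4
 mls qos cos 4
 mls qos cos override
"""
REVIEW = ("port", "pc-behind-phone")  # assumed rule: an end host picks its own priority

def parse_ports(config):
    """Return (qos_enabled, {interface: [sub-commands]}) from IOS-style text."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return "mls qos" in config.splitlines(), ports

def trust_boundary(cmds):
    """Name where the trust boundary sits for one port."""
    if "mls qos cos override" in cmds:
        return "switch-remarks"   # every frame gets the port's default CoS
    if "mls qos trust device cisco-phone" in cmds:  # conditional on CDP seeing a Cisco phone
        extended = "switchport priority extend trust" in cmds  # PC's CoS trusted too
        return "pc-behind-phone" if extended else "phone"
    if "mls qos trust cos" in cmds or "mls qos trust dscp" in cmds:
        return "port"             # markings from any attached device
    return "untrusted"            # switch default

def audit(config):
    """Map each interface to its trust boundary, or 'qos-disabled'."""
    enabled, ports = parse_ports(config)
    return {p: trust_boundary(c) if enabled else "qos-disabled" for p, c in ports.items()}

if __name__ == "__main__":
    for port, state in audit(SAMPLE_CONFIG).items():
        print(f"{port:18} {state:16} {'REVIEW' if state in REVIEW else 'ok'}")
```

Uplinks toward other switches legitimately use the "port" state, so the REVIEW flag is meant for ports that face end hosts.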
This topic contains 39 replies, has 16 voices, and was last updated by Rene Molenaar 2 weeks, 5
days ago.
Vin
Hi,
Nice explanation
We have a setup that a video device is connected to a switch (no qos) and marking done in the
router AF41.
Here, the packet will be marked as Default when it goes from switch to router. Router will mark
the packet as AF41. When there is a reply packet from the Router it will be AF41 and it sends it to
Switch as well.
Rene Molenaar
Keymaster
Hi Vin,
It depends on your network, if you don’t do any queuing on the switch then it’s fine to mark on the
router. If you implement queuing on the switch(es) then I would also mark there.
Keep in mind that enabling QoS globally on the switches will impact your marking. Catalyst IOS
switches will remark traffic according to the Cos-to-DSCP or DSCP-to-Cos map.
Rene
Nusret
Thank you very much for the lesson!
BTW, is it possible to remark priority of only frames that belong to particular VLANs while keeping
others without remarking?
Rene Molenaar
Keymaster
You are welcome and yes you can do that.
John
Very nice lesson!
Do you have any recommendations on using an Asterisk based phone system with current Cisco
3560’s. All the SWs are all set with QoS for the current Cisco phone system. Will the markings be the
same?
Rene Molenaar
Keymaster
Thanks John!
I’m not sure if Asterisk sends any DSCP values by default but I believe you can configure them in
the sip.conf file like this:
Using CS3 for SIP and EF for RTP audio is common but make sure your phones use the same
marking.
Thank you for the explanations. I’m very new to QoS. So, it becomes very hard for me to read
through the lesson. Is there any way to produce some videos on this topic ( like the one we did for
other lessons)
Thank you
BR
Taslim
Rene Molenaar
Keymaster
Hi Taslim,
For sure, QoS is a difficult topic. In the next few weeks I plan to add more material and I will also
add videos for the remaining topics.
Rene
Joey B
Participant
Rene,
What about trusting DSCP values on the uplink to a router from a switch. Would the router
interface use the command “mls qos trust dscp” to trust ingress traffic from the distribution
switch, which connects downstream to an Access switch? (distribution switch trusts dscp from
access switch).
Joey
mls qos trust dscp” to trust ingress traffic from the switch?
You don’t have to do anything on the router, it will just forward these marked IP packets unlike the
switches who want to rewrite everything. No need to trust it.
Rene
Chad B
Participant
Hi Rene,
Thank you for the explanations, Can you please add more explanation about how the DSCP
Mutation Map works, I have two questions about this topic.
Question 1:
this command is to set up the COS value to Untagged frames. Does Untagged frames mean Voice
Frames ?
Question 2:
and
My question is how do we mark tagged frames with different COS marking to untagged frames
Thanks
Chad
January 14, 2016 at 13:25 #20930 Reply
Rene Molenaar
Keymaster
Hi Chad,
The “mls qos cos” command will set a COS value when there is no current marking. It will be
applied to all frames with no marking…doesn’t matter if it carries voice traffic or something else.
When the frame is already marked then this command won’t do anything.
When you set “mls qos cos override” then the switch will overwrite the current marking. In my
example, it will set the COS value to 4…marked and unmarked frames.
If you want to “untag” frames then you could use “mls cos 0” together with “mls qos cos override”.
This will mark everything to 0.
Rene
Tamas S
Participant
Hi Rene,
if I set “mls qos trust device-phone” and nothing else. Does the switch trust all traffic from PC,
which is connected to Phone as well?
How does the Cisco Phone handle the PC traffic in default mode?
Andrew P
Moderator
Tamas,
“mls qos trust device cisco-phone” will not result in traffic being trusted sent by the PC attached to
the phone. You need to follow it up with
(config-if)#switchport priority extend trust
By default, when traffic is sent by a PC attached to the phone, the switchport port will reset this to
the default CoS value (usually zero, unless you have configured it otherwise). By the way, if you
aren’t running CDP on the switch, this will also happen, even if you have configured the first two
commands I mentioned. The reason is that the switch depends on CDP to identify the Cisco-phone
properly.
–Andrew
February 16, 2016 at 12:15 #22159 Reply
Tamas S
Participant
Thanks Andrew, – just to complete the picture for me:
So I suppose “switchport priority extend trust” is only active with “mls qos trust device cisco-phone”,
right?
If the pc would be attached to the port directly, its COS/DSCP marking would be set to 0 (unless set
differently). Correct?
Unless I would set “mls qos trust cos/dscp”. But then I even wouldn’t need the whole cisco phone
trust stuff. As every packet would be trusted.
About NetworkLessons.com
Hello There! I'm René Molenaar (CCIE #41726), Your Personal Instructor of
Networklessons.com. I'd like to teach you everything about Cisco, Wireless and
Security. I am here to Help You Master Networking!
How to configure QoS trust boundary on Cisco Switches written by Rene Molenaar average rating 4.6/5 - 17 user
ratings
© 2013 - 2016 NetworkLessons.com 7656