When configuring QoS on our Cisco switches we need to think about our trust boundary. Simply said, this means deciding on which device we are going to trust the marking of the packets and Ethernet frames entering our network. If you are using IP phones, you can use those for marking and configure the switch to trust the traffic from the IP phone. If you don’t have any IP phones or don’t trust them, we can also configure the switch to do the marking. In this lesson, I’ll show you how to do both! First, let me show you the different QoS trust boundaries:
In the picture above the trust boundary is at the Cisco IP phone, this means that we won’t remark any packets or Ethernet frames anymore at the access layer switch. The IP phone will mark all traffic. Note that the computer is outside of the QoS trust boundary. This means that we don’t trust the marking of the computer. We can remark all its traffic on the IP phone if we want. Let’s take a look at another picture:
In the picture above, we don’t trust whatever marking the IP phone sends to the access layer switch. This means we’ll do classification and marking on the access layer switches. I have one more example for you…
Above you can see that we don’t trust anything before the distribution layer switches. This is something you won’t see very often, but it’s possible if you don’t trust your access layer switches. Maybe someone else does the management for the access layer switches and you want to prevent them from sending marked packets or Ethernet frames towards your distribution layer switches.
Let’s take a look at a switch to see how we can configure this trust boundary. I have a Cisco Catalyst 3560 that I will use for these examples. Before you do anything with QoS, don’t forget to enable it globally on your switch first:
3560Switch(config)#mls qos
Something you need to be aware of is that as soon as you enable QoS on your switch, it will erase the marking of all packets that are received! If you don’t want this to happen, you can use the following command:
3560Switch(config)#no mls qos rewrite ip dscp
Let’s continue by looking at the first command. We can take a look at the QoS settings for the interface with the show mls qos interface command. This will show you whether the switch trusts the marking of your packets or frames:
3560Switch#show mls qos interface fastEthernet 0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
Above you can see that we don’t trust anything at the moment. This is the default on Cisco switches. We can trust packets based on the DSCP value, frames based on the CoS value, or we can trust the IP phone. Here are some examples:
3560Switch(config-if)#mls qos trust cos
Just type mls qos trust cos to ensure the interface trusts the CoS value of all frames entering this interface. Let’s verify our configuration:
3560Switch#show mls qos interface fastEthernet 0/1
FastEthernet0/1
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
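On a switch with more than a handful of ports it is worth checking the trust boundary programmatically rather than reading show mls qos interface port by port, since a single PC-facing port left on trust dscp moves the boundary without anyone noticing. The script below is an added example and not part of the lesson: it parses constructed sample output in the multi-line form the switch prints, compares each port’s trust state with a hypothetical policy dictionary (the port roles in EXPECTED_TRUST are assumptions), and reports every port that deviates or has no policy entry at all.

```python
import re

# Constructed sample output in the multi-line form the switch prints
# (the lesson shows the same fields flattened onto one line).
SAMPLE_OUTPUT = """\
FastEthernet0/1
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
FastEthernet0/2
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
FastEthernet0/3
trust state: trust dscp
trust mode: trust dscp
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
GigabitEthernet0/1
trust state: trust dscp
trust mode: trust dscp
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
"""

# Hypothetical trust-boundary policy (assumed port roles, not from the lesson):
# the phone port may trust CoS, PC ports sit outside the boundary.
EXPECTED_TRUST = {
    "FastEthernet0/1": "trust cos",     # IP phone port
    "FastEthernet0/2": "not trusted",   # PC port
    "FastEthernet0/3": "not trusted",   # PC port, someone enabled trust dscp
}

# An interface header line is just the interface name, e.g. FastEthernet0/1
INTERFACE_RE = re.compile(r"^\S*Ethernet\d+(?:/\d+)+$")


def parse_mls_qos_interfaces(text):
    """Return {interface: {field: value}} from 'show mls qos interface' output."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if INTERFACE_RE.match(line):
            current = line
            result[current] = {}
        elif ":" in line and current is not None:
            key, value = line.split(":", 1)
            result[current][key.strip().lower()] = value.strip()
    return result


def audit_trust_boundary(text, expected):
    """List (interface, expected, actual) for every port that deviates from policy.

    Ports present in the output but absent from the policy are reported with
    expected '<no policy>' so an uplink or spare port is never silently skipped.
    """
    parsed = parse_mls_qos_interfaces(text)
    findings = []
    for intf, want in expected.items():
        actual = parsed.get(intf, {}).get("trust state", "<missing>")
        if actual != want:
            findings.append((intf, want, actual))
    for intf, fields in parsed.items():
        if intf not in expected:
            findings.append((intf, "<no policy>", fields.get("trust state", "<missing>")))
    return findings


if __name__ == "__main__":
    for intf, want, actual in audit_trust_boundary(SAMPLE_OUTPUT, EXPECTED_TRUST):
        print(f"{intf}: expected '{want}', found '{actual}'")
```

In practice you would feed it the saved output of show mls qos interface for the whole switch and keep the policy dictionary next to your port descriptions; anything the audit prints is a port where the trust boundary is not where the design says it is.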
By default, your switch will overwrite the DSCP value of the packet inside your frame according to the cos-to-dscp map. If you don’t want this, you can use the following command:
3560Switch(config-if)#mls qos trust cos pass-through
The keyword pass-through ensures that your switch won’t overwrite the DSCP value. Besides the CoS value, we can also trust the DSCP value:
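What each trust setting does to the markings of a frame is easy to get wrong, so here is a small Python model of the ingress behaviour described above. It is an added example, not Cisco code: an untrusted port with mls qos enabled resets CoS and DSCP to the port default unless no mls qos rewrite ip dscp is configured, mls qos trust cos rewrites the DSCP from the CoS-to-DSCP map unless pass-through (or the global no-rewrite command) is set, and mls qos trust dscp keeps the DSCP and derives the CoS from the DSCP-to-CoS map. The map values are the Catalyst defaults; the function names, the assumption that the port default CoS is 0, and the omission of policy maps and mutation maps are simplifications of my own.

```python
# Default Catalyst CoS-to-DSCP map (CoS 0..7 -> DSCP). These are the platform
# defaults; verify yours with "show mls qos maps cos-dscp".
COS_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 48, 7: 56}

# Named DSCP values used in the demonstration below.
EF = 46     # voice bearer traffic
AF41 = 34   # video traffic
DEFAULT_COS = 0  # assumed port default (mls qos cos 0)


def dscp_to_cos(dscp):
    """Default DSCP-to-CoS map: CoS n covers DSCP 8n..8n+7."""
    return dscp // 8


def ingress_marking(cos, dscp, trust="none", pass_through=False, rewrite_dscp=True):
    """Return (cos, dscp) carried by a frame after ingress on a port with mls qos on.

    trust: "none" (the default), "cos" (mls qos trust cos) or "dscp" (mls qos trust dscp)
    pass_through: mls qos trust cos pass-through on the interface
    rewrite_dscp: False when 'no mls qos rewrite ip dscp' is configured globally
    Simplified model: assumes port default CoS 0, no policy maps, no mutation maps.
    """
    if trust == "cos":
        new_cos = cos
        # The internal DSCP comes from the CoS-to-DSCP map and is normally written
        # into the IP header; pass-through or the global no-rewrite keep the header.
        new_dscp = dscp if (pass_through or not rewrite_dscp) else COS_TO_DSCP[cos]
    elif trust == "dscp":
        new_dscp = dscp
        new_cos = dscp_to_cos(dscp)
    elif trust == "none":
        # Untrusted port: the marking falls back to the port default (0). With
        # 'no mls qos rewrite ip dscp' the IP header keeps its DSCP, although the
        # switch still treats the packet as DSCP 0 internally for queuing.
        new_cos = DEFAULT_COS
        new_dscp = dscp if not rewrite_dscp else COS_TO_DSCP[DEFAULT_COS]
    else:
        raise ValueError(f"unknown trust setting: {trust}")
    return new_cos, new_dscp


def af41_on_untrusted_port():
    """A router-marked AF41 packet entering a switch with mls qos enabled.

    Returns the DSCP it carries onward when the router-facing port is left
    untrusted, and when that port is configured with mls qos trust dscp.
    """
    _, dscp_untrusted = ingress_marking(0, AF41, trust="none")
    _, dscp_trusted = ingress_marking(0, AF41, trust="dscp")
    return dscp_untrusted, dscp_trusted


if __name__ == "__main__":
    cases = [
        ("trust cos, EF packet with CoS 5", (5, EF, "cos", False, True)),
        ("trust cos pass-through", (5, EF, "cos", True, True)),
        ("untrusted, AF41 packet", (0, AF41, "none", False, True)),
        ("untrusted, no mls qos rewrite ip dscp", (0, AF41, "none", False, False)),
        ("trust dscp, AF41 packet", (0, AF41, "dscp", False, True)),
    ]
    for label, (cos, dscp, trust, pt, rw) in cases:
        print(f"{label:40s} -> cos={cos}, dscp={dscp} becomes", ingress_marking(cos, dscp, trust, pt, rw))
```

The untrusted case is the one that surprises people: a packet the router carefully marked AF41 leaves the switch as DSCP 0 the moment mls qos is enabled, unless the port is trusted or DSCP rewriting is disabled globally.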
Hi,
Nice explanation
We have a setup where a video device is connected to a switch (no QoS) and marking is done in the router (AF41).
Here, the packet will be marked as Default when it goes from switch to router. The router will mark the packet as AF41. When there is a reply packet from the router it will be AF41 and it sends it to the switch as well.
Switch sends a packet to router: Default
Router sends a reply packet to switch: AF41
With the same setup, when we enable QoS globally in the switch:
Packet from switch to router: Default
Reply packet from router to switch: Def
Hi Vin,
It depends on your network. If you don’t do any queuing on the switch then it’s fine to mark on the router. If you implement queuing on the switch(es) then I would also mark there.
Keep in mind that enabling QoS globally on the switches will impact your marking. Catalyst IOS switches will remark traffic according to the CoS-to-DSCP or DSCP-to-CoS map.
Rene
Thank you very much for the lesson!
BTW, is it possible to remark the priority of only those frames that belong to particular VLANs while keeping the others without remarking?
You are welcome and yes you can do that.
Very nice lesson!
Do you have any recommendations on using an Asterisk based phone system with current Cisco 3560’s? All the SWs are set with QoS for the current Cisco phone system. Will the markings be the same?