How to configure QoS trust boundary on Cisco Switches

When we configure QoS on our Cisco switches we need to think about our trust boundary. Simply said this basically means on which device are we going to trust the marking of the packets and Ethernet frames entering our network. If you are using IP phones you can use those for marking and configure the switch to trust the traffic from the IP phone. If you don’t have any IP phones or you don’t trust them, we can configure the switch to do marking as well. In this lesson I’ll show you how to do both! First let me show you the different QoS trust boundaries:

Trust Boundary Phone

In the picture above the trust boundary is at the Cisco IP phone, this means that we won’t remark any packets or Ethernet frames anymore at the access layer switch. The IP phone will mark all traffic. Note that the computer is outside of the QoS trust boundary. This means that we don’t trust the marking of the computer. We can remark all its traffic on the IP phone if we want. Let’s take a look at another picture:

Trust Boundary Access Switch

In the picture above we don’t trust whatever marking the IP phone sends to the access layer switch. This means we’ll do classification and marking on the access layer switches. I have one more example for you…

Trust Boundary Distribution Layer

Above you can see that we don’t trust anything before the distribution layer switches. This is something you won’t see very often but it’s possible if you don’t trust your access layer switches. Maybe someone else does management for the access layer switches and you want to prevent them to send packets or Ethernet frames that are marked towards your distribution layer switches.

Let’s take a look at a switch to see how we can configure this trust boundary. I have a Cisco Catalyst 3560 that I will use for these examples. Before you do anything with QoS, don’t forget to enable it globally on your switch first:

3560Switch(config)#mls qos

Something you need to be aware of is that as soon as you enable QoS on your switch it will erase the marking of all packets that are received! If you don’t want this to happen you can use the following command:

3560Switch(config)#no mls qos rewrite ip dscp

Let’s continue by looking at the the first command. We can take a look at the QoS settings for the interface with the show mls qos interface command. This will show you if you trust the marking of your packets or frames:

3560Switch#show mls qos interface fastEthernet 0/1
 FastEthernet0/1
 trust state: not trusted
 trust mode: not trusted
 COS override: dis
 default COS: 0
 DSCP Mutation Map: Default DSCP Mutation Map
 Trust device: none

Above you can see that we don’t trust anything at the moment. This is the default on Cisco switches.  We can trust packets based on the DSCP value, frames on the CoS value or we can trust the IP phone. Here are some examples:

3560Switch(config-if)#mls qos trust cos

Just type mls qos trust cos to ensure the interface trusts the CoS value of all frames entering this interface. Let’s verify our configuration:

3560Switch#show mls qos interface fastEthernet 0/1
 FastEthernet0/1
 trust state: trust cos
 trust mode: trust cos
 COS override: dis
 default COS: 0
 DSCP Mutation Map: Default DSCP Mutation Map
 Trust device: none

By default your switch will overwrite the DSCP value of the packet inside your frame according to the cos-to-dscp map. If you don’t want this you can use the following command:

3560Switch(config-if)#mls qos trust cos pass-through 

The keyword pass-through will ensure that your switch won’t overwrite the DSCP value. Besides the CoS value we can also trust the DSCP value:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

515 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Jose,
    Great to hear–we are thrilled to have you aboard! I hope you will learn a lot.

    --Andrew

  2. Hi Rohini,

    For any non-Cisco phones, you can use mls qos trust cos to use the CoS marking that the phone sends.

    You also might want to look at LLDP, it’s an alternative to CDP which is supported by a couple of vendors.

    Rene

  3. Steve,
    MLS QOS is an older platform method of QOS implementation. In your case, your 3850 switch is much newer, and uses the “modular quality of service command line interface (MQC)” architecture instead of the MLS one.

    This basically means that implementing QoS on your newer switch is pretty much just like implementing QoS on a router. In retrospect, it was kind of dumb for Cisco to have different syntax for a router vs a switch.

    You might want to check out the network lesson on QoS Marking to get started. There are quite a few network lessons on QoS here.

    ... Continue reading in our forum

  4. Hi Rene/ Andrew,

    I have Cisco 7600 router, i try to mark the incoming traffic with DSCP63, the packet looks mark with DSCp63 when show policy map interface.

    But when the traffic forward out the port with policy map, i match the ip with dscp 63, seem it can’t match anything.

    Can you please advise.

    Thanks

    Davis

  5. sorry Dordrecht not Denmark I guess that’s in the Netherlands. Now that I am doing networking I will be taking my first trip out of the USA and I will have to travel to all these branch offices all over Europe. Norway, France, Itally, Netherlands and more so that’s going to be a big experience to me as well as I basically was just a country boy from the US that’s never really been anywhere lol. My world geography knowledge is crappy I am going to have to get better at it.

56 more replies! Ask a question or join the discussion by visiting our Community Forum