Cisco Phone Not Trusted


I have been investigating issues where certain phones' traffic is not passing QoS parameters across the LAN. I started walking back through the network and got all the way to the access switch, where I did a "show mls qos inter fa XX" and found the following.


trust state: not trusted
trust mode: trust cos
trust enabled flag: dis
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based

This port appears in "show cdp nei"

SEP0019E7290456 Fas 3/0/22 46 H P IP Phone 7Port 1

Here is the configuration on the port:

interface FastEthernet3/0/22
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 no mdix auto
 spanning-tree portfast


I have been going through the switch line by line and I have not found anything that would indicate why 90% of the ports on the switch are in a not trusted state, but 10% are.

Here is the output of the "show mls qos" command

QoS is enabled
QoS ip packet dscp rewrite is enabled

Can anyone offer any assistance before I open a TAC case?

smahbub Wed, 07/25/2007 - 07:09

According to the configuration which you have provided, a Cisco phone is trusted because of the command "mls qos trust device cisco-phone".

shikamarunara Wed, 07/25/2007 - 07:46

The syntax of "mls qos trust device cisco-phone" refers to the packet classification the phone does for voice and the data packets it passes through for any PC connected to it. If you have LAN QOS implemented in the network, this should be one of a few commands on each switchport that a phone is connected to.


AJAZ NAWAZ Wed, 07/25/2007 - 12:06


"I have been going through the switch line by line and I have not found anything that would indicate why 90% of the ports on the switch are in a not trusted state, but 10% are."


Are all the ports that are connected to phones configured in exactly the same way and with identical configuration?

If the answer is yes there are two things you can do, or perhaps three.

1) Reset a phone to see if it makes a difference

2) Reload the switch - see if it fixes

3) If after completing the above mentioned and most obvious actions - raise a TAC case, it definitely sounds like a SW related defect.

By the way what version of code do you have loaded on the Cisco switch that is connected to the phones...?


I did get a resolution to this. Cisco told me to reboot the switch and it fixed it.

Unfortunately it happens again. It appears to be a degradation in the state of the ports. We are now seeing this on connections to routers, gateways, servers, and phones. This is causing a big issue because no matter what I do there is no way to get the trust state back without taking an outage on the switch during a reboot.

I am going to get a TAC case opened again and see if there are any more resolutions to this now. I have been working with my consulting group to find a published bug or a software upgrade solution, but nothing yet.

Aaron Dhiman Thu, 12/13/2007 - 09:35

Why do you have "trust cos" and "trust device"? Also, what does "sh cdp neigh" show?

joeharb Thu, 12/13/2007 - 09:38

we have mls qos trust device cisco-phone

have tried mls qos trust cos and dscp

show cdp neighbors shows the phone on port.


Aaron Dhiman Thu, 12/13/2007 - 16:44

Have you tried to configure a port in "trunk" mode? Also, what is the switch model?

MARTIN STREULE Thu, 12/13/2007 - 13:49

This turns on trust:

mls qos trust cos

This actually turns off trust if there is no IP phone (hence "conditional trust"):

mls qos trust device cisco-phone

This command itself never turns on trust.

There is a lot of documentation, but actually it's not really good...

Even in the newest BCMSN book there are wrong examples...

..and then there is the SW...

I know of issues with ATAs. ATAs will end up in the Voice VLAN, but are not trusted if there is the "mls qos trust device cisco-phone".

Probably this issue is also there with other phone types.

Do you have this problem only with some phone types?
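
Added example, not from any poster or from Cisco: a Python check that models the conditional-trust behaviour described in the post above and flags ports whose reported trust state disagrees with it, such as a port where CDP sees a phone but the state is still "not trusted". The sample text is constructed, and the interface-name line before each per-port block is an assumption about the multi-port output.

```python
import re

# Constructed sample in the thread's output format (assumption: each per-port
# block is preceded by a line naming the interface).
QOS_OUTPUT = """FastEthernet3/0/22
trust state: not trusted
trust mode: trust cos
Trust device: cisco-phone
FastEthernet3/0/23
trust state: not trusted
trust mode: trust cos
Trust device: cisco-phone
"""
CDP_OUTPUT = "SEP001122334455 Fas 3/0/22 146 H P IP Phone Port 1\n"

def short_name(name):
    """'FastEthernet3/0/22' and 'Fas 3/0/22' both become 'fa3/0/22'."""
    m = re.match(r"([A-Za-z]+)\s*(\d[\d/]*)$", name.strip())
    return (m.group(1)[:2] + m.group(2)).lower() if m else None

def parse_qos(text):
    ports, cur = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and cur:
            ports[cur][key.strip().lower()] = value.strip()
        elif short_name(line):
            cur = short_name(line)
            ports[cur] = {}
    return ports

def phone_ports(cdp_text):
    """Local ports where CDP lists a neighbor with the P (phone) capability."""
    rx = re.compile(r"\S+\s+([A-Za-z]+ \d[\d/]*)\s+\d+\s+((?:[A-Za-z] )+)")
    hits = (rx.match(line) for line in cdp_text.splitlines())
    return {short_name(m.group(1)) for m in hits if m and "P" in m.group(2).split()}

def expected_state(port, has_phone):
    # Conditional trust: the trust mode applies only while the trust device is seen.
    if port.get("trust device", "none") == "cisco-phone" and not has_phone:
        return "not trusted"
    return port.get("trust mode", "not trusted")

def audit(qos_text, cdp_text):
    phones = phone_ports(cdp_text)
    report = {}
    for name, port in parse_qos(qos_text).items():
        want = expected_state(port, name in phones)
        report[name] = "ok" if port.get("trust state") == want else f"mismatch: expected {want}"
    return report
```

A "mismatch" on a port where CDP shows the phone is the symptom the original poster describes; a port with no phone that reports "not trusted" is the conditional trust working as intended.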



joeharb Fri, 12/14/2007 - 05:53

Odd thing...take out the mls qos trust device command and now it appears to be working: The original problem was that I wasn't seeing any matches on the policy map on the I am:

Customer_Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
SEP000D65C2DC7A Fas 0/11 128 H P Cisco SystPort 1
SEP000D65C2CFA2 Fas 0/4 170 H P Cisco SystPort 1
SEP000D65BC9575 Fas 0/5 166 H P Cisco SystPort 1
SEP000D65C2E06B Fas 0/8 131 H P Cisco SystPort 1
SEP000D65E61447 Fas 0/7 173 H P Cisco SystPort 1
SEP000D65E61449 Fas 0/10 164 H P Cisco SystPort 1
Customer_RoutFas 0/1 121 R 1760 Fas 0/0

Customer_Switch#show run
Customer_Switch#show running-config int fas 0/11
Building configuration...

Current configuration : 215 bytes

interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 210
 switchport mode trunk
 switchport voice vlan 192
 no ip address
 mls qos trust dscp
 spanning-tree portfast

Customer_Switch#sho mls qo
Customer_Switch#sho mls qos int
Customer_Switch#sho mls qos interface fas
Customer_Switch#sho mls qos interface fastEthernet 0/11

trust state: trust dscp
trust mode: trust dscp
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
trust device: none

Service-policy output: outgoing

Class-map: Voicertp (match-all)
269381 packets, 19284602 bytes
30 second offered rate 27000 bps, drop rate 0 bps
Match: ip dscp ef

Strict Priority
Output Queue: Conversation 264
Bandwidth 384 (kbps) Burst 9600 (Bytes)
(pkts matched/bytes matched) 615/42932
(total drops/bytes drops) 0/0

Class-map: Voicesignal (match-any)
7242 packets, 398049 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs3
7242 packets, 398049 bytes
30 second rate 0 bps

Output Queue: Conversation 265
Bandwidth 70 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 30/1668
(depth/total drops/no-buffer drops) 0/0/0

