I was told that routers automatically trust DSCP markings on inbound packets, while switches do not.
Thusly, on Catalyst switches you must explicitly enter the trust dscp command on every switch interface where you want to trust DSCP (or CoS), while on routers, you do not have to do this.
Is this true? My belief is, for security reasons, that you must enter this command on every trusted interface on both Cisco switches AND routers.
A router will not re-write DSCP markings unless configured to do so with a policy map. So in that sense routers trust DSCP, but there is no explicit trust DSCP command like switches use.
What effect the DSCP markings have on router egress traffic will depend upon the queuing method applied to the interfaces. WFQ (fair queue) or CBWFQ (class-based weighted fair queue), depending on specific configuration, may use DSCP to determine what happens when congestion occurs.
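The two behaviours discussed in this thread, shown side by side as an added configuration example (not from either poster). It assumes a Catalyst platform that uses the `mls qos` command set and a router using IOS MQC; the interface numbers, descriptions and the policy-map name `UNTRUSTED-EDGE-IN` are constructed for illustration.

```cisco
! ---------------------------------------------------------------
! Catalyst switch (assumed: a platform using the "mls qos" syntax)
! ---------------------------------------------------------------
! Enable QoS globally. On these platforms a port with no trust
! statement is then untrusted and inbound markings are not honoured.
mls qos
!
interface GigabitEthernet0/1
 description Link to a device whose markings are trusted (constructed)
 ! Explicit per-interface trust, as described in the question
 mls qos trust dscp
!
interface GigabitEthernet0/2
 description Access port, left untrusted (constructed)
 ! No trust command: DSCP set by the attached host is not trusted
!
! ---------------------------------------------------------------
! Router (IOS MQC)
! ---------------------------------------------------------------
! There is no trust command. Inbound DSCP is left as received
! unless a policy map rewrites it, so the trust boundary has to be
! enforced with an input service policy on untrusted interfaces.
policy-map UNTRUSTED-EDGE-IN
 class class-default
  ! Reset whatever the sender marked to best effort (DSCP 0)
  set dscp default
!
interface GigabitEthernet0/0
 description Untrusted-facing interface (constructed)
 service-policy input UNTRUSTED-EDGE-IN
!
interface GigabitEthernet0/1
 description Interface toward trusted QoS domain (constructed)
 ! No input policy: received DSCP passes through unchanged
```

On the router, `show policy-map interface GigabitEthernet0/0` displays the counters for the input policy, which confirms that packets are matching the class that re-marks them.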