03-23-2008 08:16 AM - edited 03-05-2019 09:55 PM
Hi,
What is the difference between these 2 configurations:
interface FastEthernet0/1
...
switchport priority extend cos 1
mls qos trust device cisco-phone
mls qos trust cos
....
interface FastEthernet0/2
...
switchport priority extend cos 1
mls qos trust device cisco-phone
....
Is "mls qos trust cos" necessary when I use "mls qos trust device cisco-phone"? I saw those two commands together in many configurations.
Does the "mls qos trust cos" command configured on Fa0/1 create an insecure scenario if a user connects his PC bypassing the IPPhone?
Could you confirm that "switchport priority extend cos 1" command is useful only when you have to remark the frame on the IPPhone, before it reaches the switch?
I don't have an IPphone, so I can't test this scenario.
Comments/considerations and links are welcome!
Refer to:
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 12.1(22)EA2
Catalyst 2950 and Catalyst 2955 Switch Command Reference, 12.1(22)EA5
03-23-2008 04:08 PM
Hi
The 3 commands are doing 3 separate things and so are necessary for different reasons.
1) mls qos trust cos. This is telling the switch to trust any CoS markings that are in the 802.1q vlan tag because the phone will be prioritising voice packets. Without this command then the CoS settings from the phone will be ignored.
2) mls qos trust device cisco-phone. This is not about trusting the CoS markings that are received on the port. It is about making sure that the device connected to the port is a Cisco IP phone. If it isn't a Cisco IP phone, identified by using CDP, then this command disables the "mls qos trust cos" setting. Obviously with non Cisco IP phones this command is useless.
3) The "mls qos trust device cisco-phone" command stops a user connecting a PC directly into the switch port and setting their own CoS settings.
The "switchport priority extend cos 1" command is there to prevent a user setting their own CoS settings on the PC when the PC is still connected to the IP phone rather than directly into the switch port.
The other way to approach all this is not to trust CoS settings and mark them yourself on the switch. We do this where I work but then we don't use Cisco IP phones.
HTH
Jon
03-24-2008 09:09 AM
Hi Jon,
Thanks for your reply.
I agree, but I'm still confused about point 2.
What happens if "mls qos trust device cisco-phone" is applied on an interface without "mls qos trust cos"? You are saying that "mls qos trust device cisco-phone" is useless if used without "mls qos trust cos".
Below is the "show mls qos int fa0/1" output with both commands (1) and without "mls qos trust cos" (2):
(1)
#do sh mls qos int fa0/1
FastEthernet0/1
trust state: not trusted
trust mode: trust cos<========
COS override: dis
default COS: 0
pass-through: none
trust device: cisco-phone
(2)
#sh mls qos int fa0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted<=========
COS override: dis
default COS: 0
pass-through: none
trust device: cisco-phone
Bye
Marco
03-24-2008 10:29 AM
Marco
Yes, I believe that without the "mls qos trust cos" statement the "mls qos trust device cisco-phone" is not doing anything, and if you look at (2) it is showing that there is no trust on that port, which means all packets will be marked to the default CoS of 0.
From the link
"With the trusted setting, you also can use the trusted boundary feature..." ie. "mls qos trust device cisco-phone" is really only meaningful if you are trusting the CoS settings in the first place.
Jon
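An added example, not part of the original thread or of Cisco's documentation: a small Python audit that sorts interfaces by the combinations of "mls qos trust cos" and "mls qos trust device cisco-phone" discussed above. The sample configuration, function names and status labels are constructed for illustration, and the meaning given to each combination follows the replies in this thread.

```python
import re

# Constructed sample config: Fa0/1 and Fa0/2 mirror the two ports in the
# question; Fa0/3 trusts CoS with no trusted-boundary check; Fa0/4 has no QoS.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport priority extend cos 1
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface FastEthernet0/2
 switchport priority extend cos 1
 mls qos trust device cisco-phone
!
interface FastEthernet0/3
 mls qos trust cos
!
interface FastEthernet0/4
 switchport mode access
"""

def parse_interfaces(config_text):
    """Return {interface name: [commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.match(r"^interface\s+(\S+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif not raw.startswith((" ", "\t")):
            current = None  # "!" or a global command ends the interface block
        elif current is not None and line:
            current.append(" ".join(line.split()))  # normalise whitespace
    return interfaces

def classify(commands):
    """Label one port by its trust / trusted-boundary combination."""
    trust_cos = "mls qos trust cos" in commands
    boundary = "mls qos trust device cisco-phone" in commands
    if trust_cos and boundary:
        return "cos-trusted-behind-phone-check"   # trust applies only if CDP sees a phone
    if trust_cos:
        return "cos-trusted-from-any-device"      # a directly attached PC can set its own CoS
    if boundary:
        return "phone-check-without-trust"        # port stays untrusted, as in output (2)
    return "untrusted"

def audit(config_text):
    return {name: classify(cmds) for name, cmds in parse_interfaces(config_text).items()}
```

Ports reported as "cos-trusted-from-any-device" are the ones to review first, since nothing on them ties the CoS trust to a detected phone.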