QoS on 2950. Trusted Boundary w/wo IPphone/Commands behaviour

Marcofbbr · ‎03-23-2008

Hi,

what is the difference between these 2 configurations:

interface FastEthernet0/1

...

switchport priority extend cos 1

mls qos trust device cisco-phone

mls qos trust cos

....

interface FastEthernet0/2

...

switchport priority extend cos 1

mls qos trust device cisco-phone

....

Is "mls qos trust cos" necessary when I use "mls qos trust device cisco-phone"?I saw those two commands together in many configurations.

Does "mls qos trust cos" command configured on Fa0/1 create an unsecure scenario if a user connect his PC bypassing the IPPhone?

Could you confirm that "switchport priority extend cos 1" command is useful only when you have to remark the frame on the IPPhone, before it reaches the switch?

I don't have an IPphone, so I can't test this scenario.

Comments/considerations and links are Welcome!

Refer to:

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 12.1(22)EA2

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea2/configuration/guide/swqos.html#wp1093778

Catalyst 2950 and Catalyst 2955 Switch Command Reference, 12.1(22)EA5

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea5/command/reference/cli1.html#wp1949190

Jon Marshall · ‎03-23-2008

Hi

The 3 commands are doing 3 separate things and so are necessary for different reasons.

1) mls qos trust cos. This is telling the switch to trust any CoS markings that are in the 802.1q vlan tag because the phone will be prioritising voice packets. Without this command then the CoS settings from the phone will be ignored.

2) mls qos trust device cisco-phone. This is not about trusting the CoS markings that are received on the port. It is about making sure that the device connected to the port is a Cisco IP phone. If it isn't a Cisco IP phone, identfied by using CDP, then this command disable the "mls qos trust cos" setting. Obviously with non Cisco IP phones this command is useless.

3) The "mls qos trust device cisco-phone" command stops a user connecting a PC directly into the switch port and setting their own CoS settings.

The "switchport priority extend cos 1" command is there to prevent a user setting their own CoS settings on the PC when the PC is still connected to the IP phone rather than directly into the switch port.

The other way to approach all this is not to trust CoS settings and mark them yourself on the switch. We do this where i work but then we don't use Cisco IP phones.

HTH

Jon

Marcofbbr · ‎03-24-2008

HI Jon,

Thanks for your reply.

I agree, but I'm still confused about point 2.

What happens if "mls qos trust device cisco-phone" is appliend on interfase without "mls qos trust cos". You are saying that "mls qos trust device cisco-phone" is useless if used without "mls qos trust cos".

Below, is the "show mls qos int fa0/1" with both commands(1) and without "mls qos trust cos"(2):

(1)

#do sh mls qos int fa0/1

FastEthernet0/1

trust state: not trusted

trust mode: trust cos<========

COS override: dis

default COS: 0

pass-through: none

trust device: cisco-phone

(2)

#sh mls qos int fa0/1

FastEthernet0/1

trust state: not trusted

trust mode: not trusted<=========

COS override: dis

default COS: 0

pass-through: none

trust device: cisco-phone

Bye

Marco

Jon Marshall · ‎03-24-2008

Marco

Yes, i believe that without "mls qos trust cos" statement then the "mls qos trust device cisco-phone" is not doing anything and if you look at (2) it is showing that there is no trust on that port which means all packets will be marked to default CoS of 0.

From the link

"With the trusted setting, you also can use the trusted boundary feature..." ie. "mls qos trust device cisco-phone" is really only meaningful if you are trusting the CoS settings in the first place.

Jon