COS trust

Unanswered Question
Jul 29th, 2008
User Badges:


When you use "mls qos trust device cisco-phone" command in switch interface, will it effectively perform two functions:

1. Trust COS settings coming from the Phone and perform cos-dscp mapping accordingly (based on COS=5) or do you additionally need "mls qos trust cos" command?

2. Untrust DSCP coming from Pc connected to the back of IP Phone like if "switchport priority extend cos 0" command was also entered (when it is not)?

So in summary when you enter both commands:

mls qos trust device cisco-phone

mls qos trust cos

are you effectively trusting COS only when IP Phone is connected and not trusting it otherwise and also when IP Phone IS connected you still set COS=0/DSCP=0 for PC traffic?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Ayodeji Okanlawon Wed, 07/30/2008 - 01:18
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP,

    2017 IP Telephony


With the mls qos trust device cisco-phone

You tell the switch to extend trust to ip phone devices. Hence all the DSCP markings received from the IP phones are trusted.

While anything received from any other device such as the PC is not.

With the mls qos trust cos or mls qos trust dscp, Trust is extended to any device connected to that interface of the switch. So if you connect a PC to that interface whatever DSCP/COS the PC passes is trusted.

The mls qos trust cos is usually used between the trunk ports between an access layer switch and a distribution layer switch so as to trust the dscp or Cos received by from the distribution layer switch. If oyu used this command on a port connecting to a pc all its dcscp/cos markings will be trusted!

So in summary

1. mls qos trust device cisco-phone trusts dscp markings received form ip phones

2. Untrusts any dscp received form any other device even if the switchport priority extend cos 0 is not ocnfigured.

The switchport priority extend cos 0 is used to change the dscp received from the pc to a value configurted. with 0 all dscp received form the pc will be remarked to 0. Though this is only required as an additional measure.

dknov Wed, 07/30/2008 - 09:11
User Badges:


Thank you for your reply. When mls qos trust device cisco-phone command is used is switchport priority extend cos 0 implied, or in other words with using mls qos trust device cisco-phone automatically untrust values coming from PC attached to the IP Phone on the port you configure this command?

Observing the behavior it would appear that mls qos trust device cisco-phone command sets the port to conditional trust ONLY in case IP Phone is detected with CDP, but WHAT to trust is not set, so using just this command seems pointless if you do not configure "mls qos trust X" as well. If you don't configure "mls qos trust X" trust state still shows untrusted even when the IP Phone detected and mls qos trust device cisco-phone command is used and it changes ONLY when you add "mls qos trust X" to the interface config.

It would appear to achieve a real prioritization you need both commands on the interface. What do you think?

And if so, my question is what happens to the traffic coming from PC as far as trust is concerned when both of those commands are configured?



Ayodeji Okanlawon Wed, 07/30/2008 - 14:14
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP,

    2017 IP Telephony


You need to be careful in using the mls qos trust cos command.

Trust boundaries on catalyst switch can based upon cos, dscp or cisco IP phone device.

When a cisco IP phone is connected to a fast ethernet interface if a switch, you need to be able to trust the IP phone without trusting packets received form the attached PC. If you trust cos or dscp on the interface, you are trusting all packets received on that ineterface. If the PC has the capability to mark its traffic, how will the switch know who to trust and who not to trust. Infact with the mls qos trust cos and dscp, the switch willt trust the marked packets from the pc as well...

To trust the markings only from the cisco IP phone use only the mls qos trust device-cisco-phone.

Enabling trust based upon device-cisco-phone tells the switch to detect an attached cisco IP Phone and extend the trust boundary to the cisco IP phone. Voice signalling marked with cos 3 and media cos 5 will be trusted by the switch.

Hope I have answered your questions

MARTIN STREULE Sat, 01/03/2009 - 08:44
User Badges:
  • Silver, 250 points or more

Check this out:

"If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue."

"mls qos trust device cisco-phone" disables trust if no Cisco phone is detected.

You need to enter the "mls qos trust ..." on the interface.

Tip: do a lab and use the "show mls qos interface xxx" command to verify what's happening.




This Discussion