07-29-2008 11:26 PM - edited 03-13-2019 05:31 PM
Hi,
When you use "mls qos trust device cisco-phone" command in switch interface, will it effectively perform two functions:
1. Trust COS settings coming from the Phone and perform cos-dscp mapping accordingly (based on COS=5) or do you additionally need "mls qos trust cos" command?
2. Untrust DSCP coming from Pc connected to the back of IP Phone like if "switchport priority extend cos 0" command was also entered (when it is not)?
So in summary when you enter both commands:
mls qos trust device cisco-phone
mls qos trust cos
are you effectively trusting COS only when IP Phone is connected and not trusting it otherwise and also when IP Phone IS connected you still set COS=0/DSCP=0 for PC traffic?
Thanks,
David
07-30-2008 01:18 AM
David,
With the mls qos trust device cisco-phone, you tell the switch to extend trust to ip phone devices. Hence all the DSCP markings received from the IP phones are trusted.
While anything received from any other device such as the PC is not.
With the mls qos trust cos or mls qos trust dscp, Trust is extended to any device connected to that interface of the switch. So if you connect a PC to that interface whatever DSCP/COS the PC passes is trusted.
The mls qos trust cos is usually used between the trunk ports between an access layer switch and a distribution layer switch so as to trust the dscp or Cos received from the distribution layer switch. If you used this command on a port connecting to a pc all its dscp/cos markings will be trusted!
So in summary
1. mls qos trust device cisco-phone trusts dscp markings received from ip phones
2. Untrusts any dscp received from any other device even if the switchport priority extend cos 0 is not configured.
The switchport priority extend cos 0 is used to change the dscp received from the pc to a value configured. With 0 all dscp received from the pc will be remarked to 0. Though this is only required as an additional measure.
07-30-2008 09:11 AM
Hi,
Thank you for your reply. When mls qos trust device cisco-phone command is used, is switchport priority extend cos 0 implied, or in other words does using mls qos trust device cisco-phone automatically untrust values coming from PC attached to the IP Phone on the port you configure this command?
Observing the behavior it would appear that mls qos trust device cisco-phone command sets the port to conditional trust ONLY in case IP Phone is detected with CDP, but WHAT to trust is not set, so using just this command seems pointless if you do not configure "mls qos trust X" as well. If you don't configure "mls qos trust X" trust state still shows untrusted even when the IP Phone detected and mls qos trust device cisco-phone command is used and it changes ONLY when you add "mls qos trust X" to the interface config.
It would appear to achieve a real prioritization you need both commands on the interface. What do you think?
And if so, my question is what happens to the traffic coming from PC as far as trust is concerned when both of those commands are configured?
Thanks,
David
07-30-2008 02:14 PM
David,
You need to be careful in using the mls qos trust cos command.
Trust boundaries on catalyst switch can be based upon cos, dscp or cisco IP phone device.
When a cisco IP phone is connected to a fast ethernet interface of a switch, you need to be able to trust the IP phone without trusting packets received from the attached PC. If you trust cos or dscp on the interface, you are trusting all packets received on that interface. If the PC has the capability to mark its traffic, how will the switch know who to trust and who not to trust? In fact with the mls qos trust cos and dscp, the switch will trust the marked packets from the pc as well...
To trust the markings only from the cisco IP phone use only the mls qos trust device cisco-phone.
Enabling trust based upon device-cisco-phone tells the switch to detect an attached cisco IP Phone and extend the trust boundary to the cisco IP phone. Voice signalling marked with cos 3 and media cos 5 will be trusted by the switch.
Hope I have answered your questions
01-03-2009 08:44 AM
Check this out:
"If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue."
"mls qos trust device cisco-phone" disables trust if no Cisco phone is detected.
You need to enter the "mls qos trust ..." on the interface.
Tip: do a lab and use the "show mls qos interface xxx" command to verify what's happening.
Cheers,
Martin
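An added example, not code from any poster in this thread or from Cisco: a short Python audit that sorts the interface stanzas of a saved running-config by the command combinations debated above. The sample config, the interface names and the label strings are constructed for illustration, and treating "switchport mode trunk" as the marker of a switch-to-switch uplink is an assumption.

```python
import re

# Constructed sample running-config; interface names are made up for this example.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface FastEthernet0/2
 switchport mode access
 mls qos trust cos
!
interface FastEthernet0/3
 switchport mode access
 mls qos trust device cisco-phone
!
interface GigabitEthernet0/1
 switchport mode trunk
 mls qos trust dscp
!
"""

def classify_trust(config_text):
    """Map each interface to a (hypothetical) label for its trust configuration."""
    findings = {}
    for stanza in re.split(r"^(?=interface )", config_text, flags=re.M):
        lines = [line.strip() for line in stanza.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name, cmds = lines[0].split(None, 1)[1], set(lines[1:])
        # Conditional trust: only applies while CDP detects a Cisco phone.
        conditional = "mls qos trust device cisco-phone" in cmds
        # What to trust: "mls qos trust cos" or "mls qos trust dscp".
        trust_state = any(re.fullmatch(r"mls qos trust (cos|dscp)", c) for c in cmds)
        # Assumption: "switchport mode trunk" marks a switch-to-switch uplink.
        trunk = "switchport mode trunk" in cmds
        if conditional and trust_state:
            findings[name] = "conditional-trust"
        elif conditional:
            findings[name] = "phone-detect-only"
        elif trust_state:
            findings[name] = "always-trust-uplink" if trunk else "always-trust-access"
        else:
            findings[name] = "untrusted"
    return findings

if __name__ == "__main__":
    for intf, label in classify_trust(SAMPLE_CONFIG).items():
        print(f"{intf}: {label}")
```

The labels describe the configuration text only; the "show mls qos interface" command from the tip above reports the trust state the switch actually applied.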