Conditional Trust Policies

Unanswered Question
Jul 30th, 2008
I'm looking to deploy conditional QoS on access switches to enable users to move around without the administrative overhead of changing the port trust dependent upon the device. However, I want to make sure that any compromised or misconfigured devices don't have the potential to impact other users. Therefore, I've added a service policy to set the DSCP values and police the traffic as required. This means that the voice and data VLANs can be controlled and marked as required. My question is: what happens if the device connected to the port isn't a trusted device, is the same service policy still applied to the interface? What I'm concerned about is if the device is untrusted but has a softphone client, then I want to ensure that this traffic has its DSCP set correctly. I'm guessing that I'd need to specify the data VLAN subnet and UDP VoIP ports in an ACL to match the correct traffic, as opposed to just the voice VLAN subnet and UDP VoIP ports in an ACL if an IP Phone was connected and trusted? Any thoughts appreciated.

Thanks in advance

mchin345 Tue, 08/05/2008 - 14:13

The command "mls qos trust device cisco-phone" is the simplest method to implement a "conditional-trust" policy. It is supported on several other Cisco platforms.
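As an added illustration (not configuration from the thread or from Cisco), here is the layout the question describes on a Catalyst 3560/3750-class switch: conditional trust for an attached Cisco phone, plus an input service policy whose ACLs classify softphone RTP from the data VLAN subnet and phone RTP from the voice VLAN subnet, so those flows are marked and rate-limited by the switch regardless of what the host itself marks. The VLAN numbers, subnets, RTP port range and policer rates are assumed placeholders and must be replaced with site values.

```cisco
! Assumed addressing: data VLAN 20 = 10.1.20.0/24, voice VLAN 120 = 10.1.120.0/24
mls qos
!
! Softphone media sent by PCs on the data VLAN (assumed RTP port range)
ip access-list extended SOFTPHONE-RTP
 permit udp 10.1.20.0 0.0.0.255 any range 16384 32767
!
! Media sent by IP phones on the voice VLAN
ip access-list extended PHONE-RTP
 permit udp 10.1.120.0 0.0.0.255 any range 16384 32767
!
class-map match-all SOFTPHONE-VOICE
 match access-group name SOFTPHONE-RTP
class-map match-all PHONE-VOICE
 match access-group name PHONE-RTP
!
! Both classes are marked EF and policed per port; traffic above the
! assumed 128 kbps rate is remarked (via the policed-dscp map) rather than
! being allowed to flood the priority queue from a misbehaving host
policy-map ACCESS-EDGE
 class PHONE-VOICE
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class SOFTPHONE-VOICE
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
!
! Out-of-contract EF (46) is marked down to best effort (0)
mls qos map policed-dscp 46 to 0
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 ! Port CoS is trusted only while a Cisco phone is detected via CDP
 mls qos trust device cisco-phone
 mls qos trust cos
 service-policy input ACCESS-EDGE
```

The trust state governs whether the markings a device sends are honoured; the ACL-matched classes set and police the marking themselves, so a softphone on an untrusted port still gets EF only within the policed rate, which is the containment the question is after.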