show mls qos int fa0/1 command

Answered Question
Jan 4th, 2009

hi everybody!

I have a few questions about the command:

switch# show mls qos int fastethernet 0/1
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
trust device: none

1) Trust state: trust cos. Is it because of the command mls qos trust cos?

2) Trust mode: trust cos. Is it because of the command mls qos trust cos?

3) Trust enabled: ena. Which command causes this?

4) Trust device: none

What does it show? When could trust device show "cisco-phone"?

--------------------------------------

thanks a lot!

Correct Answer
Jon Marshall Sun, 01/04/2009 - 12:20

Sarah

I keep promising to fire up my switches so I just did. On a 3550 there is no "trust flag" field, but here is the output.

mls qos enabled globally but no trust enabled on interface
==========================================================

SW1#sh run int fa0/5
Building configuration...

Current configuration : 107 bytes
!
interface FastEthernet0/5
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
end

SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Configure fa0/5 to trust cos
===========================

SW1(config)#int fa0/5
SW1(config-if)#mls qos trust cos

SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Then tell the interface to trust a Cisco phone
==============================================

SW1(config-if)#mls qos trust device cisco-phone

SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone

Jon

sarahr202 Sun, 01/04/2009 - 13:31

Thanks a lot Jon! You just saved me a headache. My book, of which I am not a great fan, shows the output of the command but did not go into any details.

Towards the end of your post, let me quote:

SW1(config-if)#mls qos trust device cisco-phone

SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone

-------------------------------------

Trust state was trust cos before, but after you configured the switch to trust cisco phone, I find trust state: not trusted

What happened here?

thanks a lot!

Correct Answer
Jon Marshall Sun, 01/04/2009 - 15:25

Sarah

"Trust state was trust cos before, but after you configured the switch to trust cisco phone, I find trust state: not trusted. What happened here?"

You are going to make a very good network person :-)

From the 3550 configuration doc -

The trusted boundary feature prevents security problems if users disconnect their PCs from networked Cisco IP phones and connect them to the switch port to take advantage of trusted CoS or DSCP settings. You must globally enable the Cisco Discovery Protocol (CDP) on the switch and on the port connected to the IP phone. If the telephone is not detected, trusted boundary disables the trusted setting on the switch or routed port (sets the trust state to not trusted) and prevents misuse of a high-priority queue.

Unfortunately I don't have a Cisco phone handy, so it will mark it as untrusted, but if we plugged a Cisco phone in then CDP should detect it and change the state to trusted.

Jon

sarahr202 Sun, 01/04/2009 - 17:32

I am going to focus on two things.

trust state: not trusted

trust device: cisco-phone

1) trust device: cisco-phone indicates the port is configured with "mls qos trust device cisco-phone", right or wrong?

2) trust state: not trusted indicates that the device plugged in is not the cisco-phone, thus trust state: not trusted, right or wrong?

thanks a lot Jon and have a good night!

Correct Answer
Jon Marshall Mon, 01/05/2009 - 02:55

Sarah

1) Yes

2) Yes. When you use the "mls qos trust cos" command you are basically unconditionally trusting whatever CoS values are received in packets on that port.

When you use the "mls qos trust device cisco-phone" you are setting up a conditional trust, i.e. the condition being that there must be a Cisco IP Phone connected into that port for the switch to trust the CoS markings.

This is to stop someone unplugging the phone, connecting their PC directly to the port and then setting CoS/DSCP markings in the packets to get preferential treatment.

Jon
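As an added example that is not part of the thread: a small Python audit script that parses `show mls qos interface` blocks in the 3550 layout Jon posted and classifies each port as untrusted, unconditionally trusted (trust cos with Trust device: none) or conditionally trusted with or without a phone detected, so the distinction drawn in the two answers above can be checked across a whole switch rather than one port at a time. The sample input is constructed from the three fa0/5 outputs in the thread; the interface names FastEthernet0/6 and 0/7, the category names, and the assumption that other platforms only add extra "key: value" lines are all assumptions of the example.

```python
"""Parse `show mls qos interface` output and classify each port's trust setup.

Added example, not code from the thread. The field layout follows the 3550
output posted above; any extra "key: value" lines other platforms print are
read into the field map and otherwise ignored (an assumption).
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the three fa0/5 outputs in the thread.
# fa0/6 and fa0/7 are invented names used to show all three situations at once.
SAMPLE_OUTPUT = """\
FastEthernet0/5
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
FastEthernet0/6
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
FastEthernet0/7
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
"""

# An interface header is a bare name such as FastEthernet0/5 or
# GigabitEthernet1/0/1; every other line of the block is "key: value".
INTERFACE_RE = re.compile(r"^[A-Za-z-]+\d+(?:/\d+)*$")


@dataclass
class PortTrust:
    name: str
    trust_state: str   # what the port is doing right now
    trust_mode: str    # what "mls qos trust ..." configured
    trust_device: str  # "none", or "cisco-phone" for conditional trust


def _to_port(name: str, fields: dict[str, str]) -> PortTrust:
    return PortTrust(
        name=name,
        trust_state=fields.get("trust state", "not trusted"),
        trust_mode=fields.get("trust mode", "not trusted"),
        trust_device=fields.get("trust device", "none"),
    )


def parse_mls_qos(text: str) -> list[PortTrust]:
    """Split the command output into one PortTrust per interface block."""
    ports: list[PortTrust] = []
    name = None
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if INTERFACE_RE.match(line):
            if name is not None:
                ports.append(_to_port(name, fields))
            name, fields = line, {}
        elif ":" in line:
            # Split on the first colon only; keys are compared case-insensitively
            # because the output mixes "trust state" and "Trust device".
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip().lower()
    if name is not None:
        ports.append(_to_port(name, fields))
    return ports


def classify(port: PortTrust) -> str:
    """Map the three fields onto the situations discussed in the thread."""
    if port.trust_mode == "not trusted":
        return "untrusted"                   # incoming markings are overwritten
    if port.trust_device == "none":
        return "unconditional"               # any attached device's CoS is honoured
    if port.trust_state == "not trusted":
        return "conditional-no-phone"        # boundary enforced: CDP saw no phone
    return "conditional-phone-detected"      # phone detected, configured trust active


def audit(text: str) -> dict[str, str]:
    return {p.name: classify(p) for p in parse_mls_qos(text)}


def unconditional_ports(text: str) -> list[str]:
    """Ports a reviewer should question: trusting CoS with no trusted boundary."""
    return [n for n, c in audit(text).items() if c == "unconditional"]


if __name__ == "__main__":
    for port, state in audit(SAMPLE_OUTPUT).items():
        print(f"{port:20s} {state}")
    print("review:", unconditional_ports(SAMPLE_OUTPUT))
```

Run it against the saved output of `show mls qos interface` for every port; the "unconditional" list is where a PC plugged straight into the jack would have its CoS honoured, which is exactly the case the trusted boundary feature is meant to close.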

Posted January 4, 2009 at 11:56 AM