show mls qos int f0/1 command

sarahr202

Hi everybody!

I have a few questions about the command:

switch# show mls qos int fastethernet 0/1

trust state: trust cos

trust mode: trust cos

trust enabled flag: ena

trust device: none

1) Trust state: trust cos. Is it because of the command mls qos trust cos?

2) Trust mode: trust cos. Is it because of the command mls qos trust cos?

3) Trust enabled: ena. Which command causes this?

4) Trust device: none

What does it show? When could trust device show "cisco-phone"?

--------------------------------------

Thanks a lot!

Jon Marshall

Sarah

I keep promising to fire up my switches so I just did. On a 3550 there is no "trust flag" field but here is the output

mls qos enabled globally but no trust enabled on interface

==========================================================

SW1#sh run int fa0/5

Building configuration...

Current configuration : 107 bytes

!

interface FastEthernet0/5

switchport access vlan 2

switchport mode access

spanning-tree portfast

end

SW1#sh mls qos int fa0/5

FastEthernet0/5

trust state: not trusted

trust mode: not trusted

COS override: dis

default COS: 0

DSCP Mutation Map: Default DSCP Mutation Map

Trust device: none

Configure fa0/5 to trust cos

===========================

SW1(config)#int fa0/5

SW1(config-if)#mls qos trust cos

SW1#sh mls qos int fa0/5

FastEthernet0/5

trust state: trust cos

trust mode: trust cos

COS override: dis

default COS: 0

DSCP Mutation Map: Default DSCP Mutation Map

Trust device: none

Then tell interface to trust a cisco phone

==========================================

SW1(config-if)#mls qos trust device cisco-phone

SW1#sh mls qos int fa0/5

FastEthernet0/5

trust state: not trusted

trust mode: trust cos

COS override: dis

default COS: 0

DSCP Mutation Map: Default DSCP Mutation Map

Trust device: cisco-phone

Jon

Thanks a lot, Jon! You just saved me a headache. My book, of which I am not a great fan, shows the output of the command but did not go into any details.

Towards the end of your post, let me quote:

SW1(config-if)#mls qos trust device cisco-phone

SW1#sh mls qos int fa0/5

FastEthernet0/5

trust state: not trusted

trust mode: trust cos

COS override: dis

default COS: 0

DSCP Mutation Map: Default DSCP Mutation Map

Trust device: cisco-phone

-------------------------------------

Trust state was trust cos before, but after you configured the switch to trust cisco phone, I find trust state: not trusted.

What happened here?

Thanks a lot!

Sarah

"Trust state was trust cos before, but after you configured the switch to trust cisco phone, I find trust state: not trusted.

What happened here?"

You are going to make a very good network person :-)

From the 3550 configuration doc -

The trusted boundary feature prevents security problems if users disconnect their PCs from networked Cisco IP phones and connect them to the switch port to take advantage of trusted CoS or DSCP settings. You must globally enable the Cisco Discovery Protocol (CDP) on the switch and on the port connected to the IP phone. If the telephone is not detected, trusted boundary disables the trusted setting on the switch or routed port (sets the trust state to not trusted) and prevents misuse of a high-priority queue.

Unfortunately I don't have a Cisco phone handy so it will mark it as untrusted, but if we plugged a Cisco phone in then CDP should detect it and change the state to trusted.

Jon

I am going to focus on two things.

trust state: not trusted

trust device: cisco-phone

1) trust device: cisco-phone indicates the port is configured with "mls qos trust device cisco-phone", right or wrong?

2) trust state: not trusted indicates that the device plugged in is not the cisco-phone, thus trust state: not trusted, right or wrong?

Thanks a lot, Jon, and have a good night!

Sarah

1) Yes

2) Yes. When you use the "mls qos trust cos" command you are basically unconditionally trusting whatever CoS values are received in packets on that port.

When you use the "mls qos trust device cisco-phone" you are setting up a conditional trust, i.e. the condition being that there must be a Cisco IP Phone connected into that port for the switch to trust the CoS markings.

This is to stop someone unplugging the phone, connecting their PC directly to the port and then setting CoS/DSCP markings in the packets to get preferential treatment.

Jon
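
The distinction drawn in this thread between unconditional trust (`mls qos trust cos` with `Trust device: none`) and conditional trust (`mls qos trust device cisco-phone`) can be checked across many ports by parsing saved `show mls qos interface` output. The following is an added example, not part of the original thread: the function names, verdict labels and sample text are constructed, and the "conditional-active" case assumes the output Jon describes once CDP detects a phone.

```python
import re

# Constructed sample (not captured from a device): three ports in the states
# discussed in the thread, trimmed to the trust fields.
SAMPLE = """\
FastEthernet0/4
trust state: not trusted
trust mode: not trusted
Trust device: none
FastEthernet0/5
trust state: trust cos
trust mode: trust cos
Trust device: none
FastEthernet0/6
trust state: not trusted
trust mode: trust cos
Trust device: cisco-phone
"""

IFACE_RE = re.compile(r"^(?:Fast|Gigabit|TenGigabit)Ethernet\d\S*$")

def parse_mls_qos(text):
    """Return {interface: {field: value}}; field names are lower-cased."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if IFACE_RE.match(line):
            current = ports.setdefault(line, {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return ports

def classify(fields):
    """Map one port's trust fields to the cases explained in the thread."""
    mode = fields.get("trust mode", "not trusted")
    state = fields.get("trust state", "not trusted")
    device = fields.get("trust device", "none")
    if mode == "not trusted":
        return "untrusted"
    if device == "none":
        return "unconditional"          # markings accepted from any host
    if state == "not trusted":
        return "conditional-inactive"   # trusted boundary, no phone detected
    return "conditional-active"         # assumed output once CDP sees a phone

def audit(text):
    return {port: classify(f) for port, f in parse_mls_qos(text).items()}

if __name__ == "__main__":
    for port, verdict in audit(SAMPLE).items():
        print(f"{port}: {verdict}")
```

Ports reported as "unconditional" are the ones where a directly connected PC's CoS markings would be honoured, so on user-facing access ports they are the candidates for adding the trusted boundary.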
