01-04-2009 11:56 AM - edited 03-04-2019 03:19 AM
Hi everybody!
I have a few questions about the command:
switch# show mls qos int fastethernet 0/1
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
trust device: none
1) trust state: trust cos - is it because of the command mls qos trust cos?
2) trust mode: trust cos - is it because of the command mls qos trust cos?
3) trust enabled flag: ena - which command causes this?
4) trust device: none
What does it show? When could trust device show "cisco-phone"?
--------------------------------------
thanks a lot!
01-04-2009 12:20 PM
Sarah
I keep promising to fire up my switches, so I just did. On a 3550 there is no "trust flag" field, but here is the output.
mls qos enabled globally but no trust enabled on interface
==========================================================
SW1#sh run int fa0/5
Building configuration...
Current configuration : 107 bytes
!
interface FastEthernet0/5
switchport access vlan 2
switchport mode access
spanning-tree portfast
end
SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
Configure fa0/5 to trust cos
===========================
SW1(config)#int fa0/5
SW1(config-if)#mls qos trust cos
SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
Then tell interface to trust a cisco phone
==========================================
SW1(config-if)#mls qos trust device cisco-phone
SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
Jon
01-04-2009 01:31 PM
Thanks a lot Jon! You just saved me a headache. My book, of which I am not a great fan, shows the output of the command but did not go into any details.
Towards the end of your post, let me quote:
SW1(config-if)#mls qos trust device cisco-phone
SW1#sh mls qos int fa0/5
FastEthernet0/5
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
-------------------------------------
Trust state was trust cos before, but after you configured the switch to trust the Cisco phone, I find trust state: not trusted.
What happened here?
thanks a lot!
01-04-2009 03:25 PM
Sarah
"Trust state was trust cos before, but after you configured the switch to trust the Cisco phone, I find trust state: not trusted.
What happened here?"
You are going to make a very good network person :-)
From the 3550 configuration doc -
The trusted boundary feature prevents security problems if users disconnect their PCs from networked Cisco IP phones and connect them to the switch port to take advantage of trusted CoS or DSCP settings. You must globally enable the Cisco Discovery Protocol (CDP) on the switch and on the port connected to the IP phone. If the telephone is not detected, trusted boundary disables the trusted setting on the switch or routed port (sets the trust state to not trusted) and prevents misuse of a high-priority queue.
Unfortunately I don't have a Cisco phone handy, so it will mark it as untrusted, but if we plugged a Cisco phone in then CDP should detect it and change the state to trusted.
Jon
01-04-2009 05:32 PM
I am going to focus on two things.
trust state: not trusted
trust device: cisco-phone
1) trust device: cisco-phone indicates the port is configured with "mls qos trust device cisco-phone", right or wrong?
2) trust state: not trusted indicates that the device plugged in is not a cisco-phone, thus trust state: not trusted, right or wrong?
thanks a lot Jon and have a good night!
01-05-2009 02:55 AM
Sarah
1) Yes
2) Yes. When you use the "mls qos trust cos" command you are basically unconditionally trusting whatever CoS values are received in packets on that port.
When you use "mls qos trust device cisco-phone" you are setting up a conditional trust, i.e. the condition being that there must be a Cisco IP Phone connected to that port for the switch to trust the CoS markings.
This is to stop someone unplugging the phone, connecting their PC directly to the port and then setting CoS/DSCP markings in the packets to get preferential treatment.
Jon
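The distinction Jon draws between unconditional trust (trust cos with no trust device) and conditional trust (trust device cisco-phone, with trust state flipping to not trusted when CDP sees no phone) is exactly what an audit of "show mls qos interface" output should surface. The following script is an added example, not code from the thread or from Cisco; the sample output is constructed in the shape of the 3550 output quoted above, and the field names it keys on (trust state, trust mode, Trust device) are the ones shown in that output.

```python
# Constructed sample of "show mls qos interface" output, modelled on the
# 3550 output quoted in the thread (not captured from a real switch).
SAMPLE_OUTPUT = """\
FastEthernet0/5
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
FastEthernet0/6
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
"""

def parse_mls_qos(text):
    """Split the output into one dict of lowercase field -> value per interface."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if ":" not in line:            # interface name lines carry no colon
            current = interfaces.setdefault(line.strip(), {})
        elif current is not None:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return interfaces

def classify(fields):
    """Describe a port's trust posture from its trust mode, state and device."""
    mode = fields.get("trust mode", "")
    state = fields.get("trust state", "")
    device = fields.get("trust device", "none")
    if mode == "not trusted":
        return "untrusted"
    if device == "none":
        return "unconditional trust"   # any host on the port can set CoS and be believed
    if state == "not trusted":
        return "conditional trust, no phone detected"
    return "conditional trust, phone detected"

def audit(text):
    """Map each interface name to its trust posture; flag 'unconditional trust' in review."""
    return {name: classify(f) for name, f in parse_mls_qos(text).items()}
```

Running audit() over a full "show mls qos interface" dump lists every access port whose CoS markings are trusted regardless of what is plugged in, which is the case the trusted boundary feature is meant to close.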