Trust Boundaries

Jan 29th, 2009

Hi all,

Can you please help me clear this up?

I am confused about DSCP trust boundaries. I understand that CoS is Layer 2 and it is stripped off at the router.

But what about DSCP? The IP portion of the packet is not stripped, so why would there be a need to trust DSCP?

Is the DSCP cleared at the switch if DSCP is not trusted? i.e. a phone marks a packet with EF. What happens to that marking with a) mls qos trust dscp and b) not trusted.

Thanks for your help,

Nicholas Matthews Thu, 01/29/2009 - 22:51


If you have mls qos enabled on the switch, every port is untrusted by default.

If you have mls qos enabled on the switch, and you have 'mls qos trust dscp', then all values are trusted.

So in essence, mls qos + mls qos trust dscp is the same thing as not having mls qos enabled at all.
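
Added example, not part of the thread or of either poster's configuration: the two port states discussed above shown side by side, plus a conditionally trusted phone port, which goes beyond what the thread covers. It assumes a Catalyst switch that uses the `mls qos` command set (3560/3750 class); the interface numbers and the voice VLAN are constructed.

```ios
! Assumption: Catalyst 3560/3750-class switch. Interface numbers and
! VLAN 110 are constructed for illustration.
!
! Enable QoS globally. From this point every port is untrusted
! unless it carries an explicit trust statement.
mls qos
!
! Port 1: no trust statement, so the port is untrusted.
! Ingress traffic is classified as best effort: CoS and DSCP are
! rewritten to 0, so an EF marking set by the endpoint does not
! survive past this port.
interface GigabitEthernet0/1
 description untrusted access port
 switchport mode access
!
! Port 2: DSCP trusted unconditionally.
! The ingress DSCP is kept and used to select the queue, so any
! device plugged in here can mark its own traffic EF.
interface GigabitEthernet0/2
 description DSCP trusted (suitable for uplinks to managed devices)
 switchport mode access
 mls qos trust dscp
!
! Port 3: conditional trust (not discussed in the thread).
! The trust setting takes effect only while CDP detects a Cisco IP
! phone on the port; otherwise the port behaves as untrusted.
interface GigabitEthernet0/3
 description phone port, trust only when a phone is detected
 switchport mode access
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust cos
!
! Verification from privileged EXEC:
!   show mls qos
!   show mls qos interface GigabitEthernet0/1
!   show mls qos interface GigabitEthernet0/3
```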



avillalva Sun, 02/01/2009 - 15:41

Thanks Nick,

What do trust and untrust mean for a physical packet? i.e. if mls qos is enabled and my port is untrusted, does that mean any DSCP values set by an end node are cleared? An example would be an IP phone attached to an untrusted port. The phone sets the DSCP to EF; once the packet traverses the switch, will the DSCP be reset to 00?


