I need to set access ports on a 4500 Sup 6E as untrusted. They trust dscp by default and the config guide appears to say ports can only be set as untrusted if the "trusted boundary" feature is enabled, see below. I presume that this means apply the command "qos trust device cisco-phone" If I configure the command on a disconnected port the port goes into the untrusted state. However most of the ports have phones attached so if I confgure this command on a connected port it detects the phone and sets the port to trust, not what I want. QoS is globally enabled on the 4500 with Sup6E by default and all ports trust by default.
Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
Configuring QoS on Supervisor Engine 6-E
The MQC model does not support the trust feature, which is available in the switch qos model on Supervisor Engines II-Plus through V-10GE. In the MQC model supported on the Supervisor Engine 6-E, the incoming traffic is considered trusted by default. Only when the
trusted boundary feature is enabled on an interface can the port enter untrusted mode. In this mode, the switch marks the DSCP value of an IP packet and the CoS value of the VLAN tag on the Ethernet frame as “0”.
Device is running ip base 12.2 (53)SG1, line card is WS-X4548-GB-RJ45V.
I have a marking policy map applied on the ports to set dscp values but do not want to trust received markings from the phones. Any ideas?
I think the only way is to use 'trust boundary'. As you already found out, a port with trust phone will become "untrusted" when phone is not attached.
As I already mentioned, you can alway use policy-map to remark the DSCP/COS. The policy-map has higher priority, it can overwrite packet's DSCP/COS value even port is in trust state.