Interface trust boundary on 4500 Sup 6E

Answered Question
Sep 8th, 2010

Hi there

I need to set access ports on a 4500 Sup 6E as untrusted. They trust DSCP by default and the config guide appears to say ports can only be set as untrusted if the "trusted boundary" feature is enabled, see below. I presume that this means apply the command "qos trust device cisco-phone". If I configure the command on a disconnected port the port goes into the untrusted state. However most of the ports have phones attached, so if I configure this command on a connected port it detects the phone and sets the port to trust, not what I want. QoS is globally enabled on the 4500 with Sup6E by default and all ports trust by default.


Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
Release 12.2(53)SG

Configuring QoS on Supervisor Engine 6-E

The MQC model does not support the trust feature, which is available in the switch qos model on Supervisor Engines II-Plus through V-10GE. In the MQC model supported on the Supervisor Engine 6-E, the incoming traffic is considered trusted by default. Only when the trusted boundary feature is enabled on an interface can the port enter untrusted mode. In this mode, the switch marks the DSCP value of an IP packet and the CoS value of the VLAN tag on the Ethernet frame as "0".

Device is running ip base 12.2 (53)SG1, line card is WS-X4548-GB-RJ45V.

I have a marking policy map applied on the ports to set dscp values but do not want to trust received markings from the phones. Any ideas?

Thanks

Lei Tian Wed, 09/08/2010 - 09:23

Hi,

Can you 'set ip dscp 0' for untrust traffic?

Regards,

Lei Tian

Service Delivery Wed, 09/08/2010 - 10:01

Hi there

On closer inspection of the policy map, class default is configured to "set dscp default". Will this set DSCP to 0 for all unmatched traffic? I am not currently able to do proper testing of packets across these ports.

class class-default
  set dscp default

I do also need to set the port operational state to untrusted, as the trust boundary must be at the access layer, not at the end device.

Many thanks for your response

Lei Tian Wed, 09/08/2010 - 12:45

Yes, set dscp default will set the DSCP to the interface default value, which is 0 by default.

If the 4500 is positioned at the access layer and you don't want to trust the incoming packets, you can classify/mark the packets based on the traffic type. If the 4500 is positioned at the dist/core layer, then you can just trust the marking. As you said, classification and marking should be done at the access layer.

Regards,

Lei Tian

Service Delivery Thu, 09/09/2010 - 03:57

Hi there

Thanks for replying. If the current config is marking unmatched packets as dscp 0 then it's doing what's required I guess.

Any ideas what to configure to literally make the port untrusted so when you do "sh qos int gx/x" the Operational Port State shows as untrusted?

Regards

ED

Correct Answer
Lei Tian Thu, 09/09/2010 - 20:11

Hi ED,

I think the only way is to use 'trust boundary'. As you already found out, a port with trust phone will become "untrusted" when a phone is not attached.

As I already mentioned, you can always use a policy-map to remark the DSCP/CoS. The policy-map has higher priority; it can overwrite the packet's DSCP/CoS value even when the port is in the trust state.

Regards,

Lei Tian
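One way to lay out the approach Lei Tian describes (trust boundary on the port, plus a policy-map that classifies by traffic type and remarks everything else to DSCP 0) is shown below. This is an added example, not configuration from the thread or from Cisco's documentation; the ACL name, class-map name, policy-map name, interface and VLAN numbers are assumptions, and the RTP port range is the common Cisco IP phone default rather than anything stated on the page.

```cisco
! Added example: Sup 6E access port with a Cisco phone attached.
! Names, VLANs and the interface are placeholders.
!
! Classify voice by traffic type instead of trusting the phone's own markings.
! (Assumed ACL name VOICE-RTP; port range is the usual Cisco phone RTP range.)
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
class-map match-any VOICE
 match access-group name VOICE-RTP
!
! Anything not explicitly classified is rewritten to DSCP 0, which is the
! class-default behaviour already present in the thread's policy.
policy-map ACCESS-MARK
 class VOICE
  set dscp ef
 class class-default
  set dscp default
!
interface GigabitEthernet1/1
 switchport access vlan 10
 switchport voice vlan 100
 ! Trust boundary from the thread: the port is untrusted unless a phone is detected.
 qos trust device cisco-phone
 ! The ingress policy-map takes precedence over the port trust state,
 ! so received DSCP/CoS values are overwritten either way.
 service-policy input ACCESS-MARK
!
! Verification (commands referenced in the thread and standard IOS show commands):
! show qos interface GigabitEthernet1/1
! show policy-map interface GigabitEthernet1/1
```

With this in place, the Operational Port State may still read trusted while a phone is connected, but the policy-map decides what marking leaves the port: packets matching VOICE get EF, everything else gets DSCP 0 regardless of what the attached device sent. Check the class counters under `show policy-map interface` to confirm that non-voice traffic is actually hitting class-default.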
