mls qos trust with service-policy

Unanswered Question
Oct 3rd, 2010

If I need to police the RTP packet via the MQC as follows:

    class-map rtp
     match ip dscp ef
    policy-map rtp
     class rtp
      police 64000 8000

Then, under interface mode, we will apply the service policy, but at the same time I need to use "mls qos trust cos", like the following:

    int fax/y
     mls qos trust cos
     service-policy input rtp

Now, the command "mls qos trust cos" will remark the DSCP value to zero. Does this mean that my class-map will not match the traffic which is marked with DSCP EF?

Steven Holl Mon, 10/04/2010 - 08:26


First, you want to avoid policing RTP traffic.  When that size is exceeded, it will hard drop traffic.  Since RTP is UDP, that traffic will never come back and doesn't recover like TCP traffic.

The only times I feel it's acceptable to have RTP through a policer are:

* If you need to limit a link speed (parent class) and the device can only police, but can't shape.  Shaping is always preferred for the parent class when applicable, though.

* If you are applying a policed limit that exceeds the maximum bandwidth intended for this device to stream for audio, to prevent DoS, flooding, etc. via RTP.

Looking at your config, I see you are policing to 64k, which is the max a single endpoint would transmit out (although with overhead on Ethernet, it's more like 80k for g711ulaw).  Make sure this policy only goes on links with a single endpoint.  You wouldn't want to apply this to a trunk, since if you had two calls over the trunk, you'd see ~50% packet loss for each stream.

Trusting COS only works on trunks.  If this is a typical routed interface, you want to trust DSCP.  DSCP won't be touched by a L2 switch.  A L3 switch (if 'mls qos' is enabled) will overwrite the DSCP value to 0 unless you have a trust configured.  If you trust DSCP, the DSCP value will stay maintained.  If you trust COS, it will rewrite the DSCP value to whatever the COS value maps to with the COS-to-DSCP map.

The short answer is that since your class map uses DSCP, if you can trust on DSCP at the switch (mls qos trust dscp), do it.  If it won't let you do that, or you have some requirements to trust COS instead, then trust COS, and make sure that cos 5 maps to DSCP ef (46).
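
The CoS-trust option from the reply above, written out as a configuration sketch (an added example, not posted by anyone in this thread). It assumes a Catalyst switch that uses the `mls qos` command set; `FastEthernet0/1` is a placeholder interface name. The default CoS-to-DSCP map sends CoS 5 to DSCP 40, not 46, which is why the map line is needed when trusting CoS.

```cisco
! Added example; the interface name is a placeholder.
mls qos
!
! Default CoS-to-DSCP map is 0 8 16 24 32 40 48 56, so CoS 5 -> DSCP 40 (cs5).
! Remap CoS 5 to DSCP 46 so the DSCP derived from trusted CoS 5 is ef,
! as the reply recommends.
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
class-map match-all rtp
 match ip dscp ef
!
policy-map rtp
 class rtp
  police 64000 8000
!
interface FastEthernet0/1
 mls qos trust cos
 service-policy input rtp
!
! Verification (exec mode):
!   show mls qos maps cos-dscp
!   show mls qos interface FastEthernet0/1
```
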

Jonathan Major Wed, 04/17/2013 - 18:08

Great reply, this is a super old post but I'd just like to add that 2960's running LAN Base can rewrite, and match on DSCP. As far as policing goes I like to police access ports to 128k (dscp 46) per port to prevent any flooding. Also, I'm not sure if this is best practice or not, but since I'm really only concerned with protecting my priority queue my exceed action isn't set to drop, but rather to remark the dscp value to 0. So it looks like this.

  Policy Map InIn_Users
    Class VOICE
      set dscp ef
      police 128000 24000 exceed-action policed-dscp-transmit
    Class SIGNAL
      set dscp cs3
    Class class-default
      set dscp default

  mls qos map policed-dscp 46 to 0

Just my own thoughts for anyone that cares or stumbles on this later.

