01-17-2007 04:50 PM - last edited on 03-25-2019 07:33 PM by ciscomoderator
Hi, my question is around the trust boundary setup of CatOS.
When you enable QoS globally it sets all ports to untrusted. What I have onsite is Cisco IP phones and Nortel handsets. Both will be plugging into the Cat switch.
I want a universal config that will untrust everything that enters the port but trusts Cisco phones' markings and then marks the traffic from the Nortel handsets to the same markings. Is this possible on the same interface, and if so, what should the config look like?
Thanks in advance.
Paul
01-17-2007 08:54 PM
On Cisco phone ports, configure:
a. The trust state of phones to trust CoS (trust CoS is not supported on some Sup engine/PFC combinations; instead you will have to use a QoS ACL as shown in the example).
b. You can also set detection of cisco-phone on those ports.
c. Also set the port trust extension to the PC port to untrusted.
set qos enable
set port qos 3/1-2 trust-device cisco-ipphone
set port qos 3/1-2 trust-ext untrusted
set qos acl ip TrustCOS trust-cos ip any any
commit qos acl all
set qos acl map TrustCOS 3/1-2
For a Nortel phone, you may configure everything else as shown above except the 'trust-device cisco-ipphone' command.
The above configs only trust the marking of the packets from the phone and zero out the marking of the packets from the PC. If you want to remark it to the same setting, you may have to use a QoS ACL.
set qos acl ip MarkPackets dscp 24 tcp any any eq 2000
commit qos acl all
set qos acl map MarkPackets 3/1-2
The above ACL marks all Skinny packets to DSCP 24 on ports 3/1-2. You can define similar statements for the Nortel phone based on the port they use and apply that to an ACL.
HTH
Sankar.
PS: please remember to rate posts!
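The trust settings in the answer above can be checked per port once they are rolled out across a switch. The following is an added example, not part of the original thread: a Python audit that reads CatOS `set port qos` and `set qos acl` lines in the form shown above and lists ports where a trust ACL is mapped but trust is not tied to `trust-device cisco-ipphone`. The sample config, the port range 3/3-4 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the commands from the answer above, with ports 3/3-4
# added and configured as suggested for Nortel phones (no trust-device).
SAMPLE_CONFIG = """\
set qos enable
set port qos 3/1-2 trust-device cisco-ipphone
set port qos 3/1-4 trust-ext untrusted
set qos acl ip TrustCOS trust-cos ip any any
commit qos acl all
set qos acl map TrustCOS 3/1-4
"""

def expand_ports(spec):
    """Expand a mod/port spec such as '3/1-2,4/5' into ['3/1', '3/2', '4/5']."""
    ports = []
    for part in spec.split(","):
        mod, rng = part.split("/")
        lo, _, hi = rng.partition("-")
        ports += [f"{mod}/{n}" for n in range(int(lo), int(hi or lo) + 1)]
    return ports

def audit(config):
    """Return ({port: settings}, ports whose mapped trust ACL is unconditional)."""
    ports = defaultdict(lambda: {"trust_device": None, "trust_ext": None, "acls": []})
    trust_acls = set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"set port qos (\S+) (trust-device|trust-ext) (\S+)$", line):
            for p in expand_ports(m[1]):
                ports[p][m[2].replace("-", "_")] = m[3]
        elif m := re.match(r"set qos acl ip (\S+) trust-(cos|dscp|ipprec) ", line):
            trust_acls.add(m[1])  # ACL that trusts received markings
        elif m := re.match(r"set qos acl map (\S+) (\S+)$", line):
            for p in expand_ports(m[2]):
                ports[p]["acls"].append(m[1])
    # Flag ports where a trust ACL is mapped without Cisco phone detection.
    unconditional = sorted(
        p for p, s in ports.items()
        if trust_acls & set(s["acls"]) and s["trust_device"] != "cisco-ipphone"
    )
    return dict(ports), unconditional

if __name__ == "__main__":
    settings, flagged = audit(SAMPLE_CONFIG)
    for port in sorted(settings):
        note = "<- trust ACL mapped, no phone detection" if port in flagged else ""
        print(port, settings[port], note)
```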
01-17-2007 10:08 PM
If I put that syntax onto every port and I plug a Cisco phone into the port, it will work as per your description. If I plug a Nortel phone into the same port, what will happen? I am after a universal config so the phone can be plugged in and moved if needed without any changes to the config.
I understand from the config above that any traffic from the Cisco phone will be trusted and any traffic from a PC (either plugged in directly or via the phone) will be marked as 0, but what happens if I plug a Nortel phone into the same port?
Would it be better to set the trust boundary at the port and not trust anything (which is the default once QoS is enabled) and then run the policy maps to classify all voice traffic from Cisco phones (RTP traffic port numbers 16XXX and above) and Nortel phones (RTP traffic port XXXX) with the correct CoS and DSCP values?
This way I can trust DSCP on all links throughout the network, as I know both phone types are covered.
Cheers
Paul
01-18-2007 04:52 PM
What happens if I put this config on all ports and a Nortel phone gets plugged in? Will it mark the Nortel packet CoS to 5 or not?
Paul