I have a 3560 to which I am tasked with attaching Nortel phones. Nortel recommends trusting dscp on the edge ports. I set up a policy map with ACLs to match dscp 46 for the test. I can't get a match. I then set the physical port up to trust dscp.
In both cases I can see that packets marked for dscp 46 hit the ingress side of the port, but on the egress side they exit as dscp=0.
Here is the PBR set up:
ip access-list extended signaling
permit ip any any dscp cs5
ip access-list extended voice
permit ip any any dscp ef
class-map match-any voice
match access-group name voice
class-map match-any signaling
match access-group name signaling
policy-map qos
class voice
trust dscp
class signaling
trust dscp
Why would the switch mark packets as dscp=46, then egress them as dscp=6, if the policy map is attached to the interface, or even if "mls qos trust dscp" is applied directly?