
Trust boundary and DSCP rewrite

Kelvin Willacey
Level 4

I have users with PCs connected to Cisco phones and 'auto qos voip cisco-phone' configured on the access ports. In this case the DSCP values will only be trusted once the phone is detected via CDP. Is there any way to extend the trust to the PC as it will have a video application that is capable of marking traffic? Will I end up having to edit the existing policy map and mark the traffic?

There seem to be quite a few opinions as to what happens if a switch's uplink port is configured to trust DSCP but the switch on the other end is not configured to do so. Will it rewrite the DSCP value or will it leave it be? Can anyone point me to documentation if possible, thanks.

6 Replies

cadet alain
VIP Alumni

Hi,

QoS should be configured end to end, this Cisco guide should answer most of the questions you're asking yourself.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoSDesign.html

Regards

Alain

Don't forget to rate helpful posts.


Thanks. I am still a little confused. Since the PC will not be able to do CoS and the port has 'mls qos trust cos' configured on it as a part of the auto qos configuration, even if I were to extend the trust to the PC it would not do much good, right? The switch is only trusting CoS and the PC is marking with DSCP. Will the DSCP still be trusted by the switch?

Hello

The other switch will only rewrite if QoS is enabled on it and you haven't trusted QoS or disabled DSCP rewrite.

Also, by default, LAN QoS voice for media traffic is marked with a CoS 5 and DSCP EF 46.

On Cisco switches the CoS-to-DSCP marking differs: CoS 5 = 40. So this needs to be changed, unless auto-qos is enabled as you say it is, then this setting is changed automatically.

sh mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 40 48 56

conf t
mls qos map cos-dscp  0  8 16 24 32 46 48 56

sh mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 46 48 56

hope this helps

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Perhaps the easiest method is to just trust DSCP on the user switch's edge port. If the VoIP phone and PC are marking ToS correctly, then you only need to worry about correct QoS treatment for your marked packets.

With regard to your question about one switch that trusts linked to another switch that doesn't trust, results depend on the platform. Most of the Cisco Catalyst switches, default is QoS is disabled, and when QoS is disabled they pass ToS along as is. However, on those same switches, when you enable QoS, they will rewrite ToS to zero unless you configure them otherwise. (NB: the later 4500 Sup7s, I recall, work like a router, i.e. by default they always pass the ToS unless you configure them otherwise.)

Thanks pdriver and Joseph for the input. On the switches I am working with DSCP rewrite seems to be enabled regardless of if qos is enabled based on the output of 'show mls qos', so if qos is enabled on a switch I would either need to disable rewrite or configure trust on the uplink port? And in the case of a switch that does not have qos enabled I would either need to disable rewrite or enable qos and configure trust on the uplink port?

Since auto qos applies 'mls qos trust cos' to the port are you saying I should just remove this and trust DSCP and it won't affect the phones? Does it also mean I would also need to remove 'mls qos trust device cisco-phone' so that the switch will trust the markings from the PC?

I was able to do a lab and got confirmation on the DSCP rewrite. As pdriver and Joseph said, once qos is enabled and there is no trust on the uplink port then the DSCP value gets rewritten to 0, otherwise it gets passed along. I guess I had to see it for myself since DSCP rewrite is enabled even if qos is not.

I don't necessarily want to just trust DSCP on the access ports, even though the likelihood of a malicious user marking their packets to get higher priority is low. Does that leave me with only one option, which is to mark the traffic on ingress on each switchport?
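
The trust-boundary behaviour discussed in this thread, written out as a small model (an added example, not part of any post above and not Cisco code). It assumes the 'mls qos' Catalyst behaviour the posters describe, treats frames from a PC behind the phone as untagged with port default CoS 0, and uses DSCP 34 (AF41) as a constructed marking for the video application.

```python
# Simplified model of ingress marking on an 'mls qos' Catalyst port, following
# the behaviour described in this thread. Names here are hypothetical.
DEFAULT_COS_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]  # default 'sh mls qos maps cos-dscp'
AUTOQOS_COS_DSCP = [0, 8, 16, 24, 32, 46, 48, 56]  # after 'mls qos map cos-dscp ...'

def egress_dscp(pkt_dscp, pkt_cos=None, *, qos_enabled=True, trust=None,
                trust_device_phone=False, phone_detected=False,
                rewrite_enabled=True, cos_dscp=DEFAULT_COS_DSCP, port_default_cos=0):
    """Return the DSCP a packet carries after ingress classification.

    pkt_cos is None for an untagged frame (assumed for a PC behind the phone).
    trust is None (untrusted), "cos" or "dscp".
    """
    if not qos_enabled or not rewrite_enabled:
        return pkt_dscp                  # ToS byte is passed along as is
    # Conditional trust: the trust state applies only once CDP sees a phone.
    if trust_device_phone and not phone_detected:
        trust = None
    if trust == "dscp":
        return pkt_dscp                  # endpoint marking accepted unchanged
    if trust == "cos":
        cos = port_default_cos if pkt_cos is None else pkt_cos
        return cos_dscp[cos]             # DSCP derived from the CoS-to-DSCP map
    return 0                             # QoS on, port untrusted: rewritten to 0

def scenarios():
    EF, AF41 = 46, 34                    # AF41 is a constructed video marking
    phone = dict(trust_device_phone=True, phone_detected=True)
    return {
        "uplink, qos disabled": egress_dscp(EF, qos_enabled=False),
        "uplink, qos enabled, no trust": egress_dscp(EF),
        "uplink, qos enabled, trust dscp": egress_dscp(EF, trust="dscp"),
        "phone voice, trust cos, default map": egress_dscp(EF, 5, trust="cos", **phone),
        "phone voice, trust cos, auto qos map":
            egress_dscp(EF, 5, trust="cos", cos_dscp=AUTOQOS_COS_DSCP, **phone),
        "PC video behind phone, trust cos":
            egress_dscp(AF41, None, trust="cos", cos_dscp=AUTOQOS_COS_DSCP, **phone),
        "PC only, conditional trust, no phone":
            egress_dscp(AF41, trust="dscp", trust_device_phone=True),
    }

if __name__ == "__main__":
    for name, dscp in scenarios().items():
        print(f"{name:40s} -> DSCP {dscp}")
```
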
