Cisco Support Community

Trust/Untrust DSCP value

I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but untrust the PC DSCP value.  How can I trust one thing but not the other?

Any ideas?

I am using a 2960 Cisco switch with IP base IOS.

Thank you

2 REPLIES

Trust/Untrust DSCP value

Hi Peter,

You generally will have

Switch(2960) ->  IP Phone -> PC

Although the perimeter of the trust area is recommended to be the switch itself, you can have a certain level of control on the IP Phone since indeed it is another switch that is trunking back to your Cisco 2960.

Can you control the host off the PC? No way, because you can simulate everything from the PC, and when you do some security studies you will see an incredible amount of attacks using exactly this philosophy: "if I can trust the IP phone I can trust the PC".

HTH

Alessio

Trust/Untrust DSCP value

peter.williams@waiglobal.com wrote:

I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but untrust the PC DSCP value.  How can I trust one thing but not the other?

Any ideas?

I am using a 2960 Cisco switch with IP base IOS.

Thank you

Hello,

Normally you can configure the Cisco IP phone to forward traffic with an IEEE 802.1p priority, and configure the switch to trust or override the traffic priority assigned by an IP phone.

The switch can process data traffic which comes from the device attached to the access port on the IP phone. You can configure the switch ports which send CDP packets that instruct the attached IP phone to configure the mode (trusted or untrusted mode) for the access port on the phone.

In trusted mode, the access port on the IP phone passes the traffic from the PC without any change. In untrusted mode, the access port on the IP phone receives all traffic in IEEE 802.1Q frames which contain a configured Layer 2 CoS value.

When you enable the voice VLAN on the port, all untagged traffic is sent according to default CoS priority. Before you enable voice VLAN, enable the QoS on the switch by issuing the mls qos global configuration command and configure the port's trust state to trust by issuing the mls qos trust cos interface configuration command.


Hope to Help !!

Ganeshh Iyer

Rate if it Helps ...
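The steps described in the reply above, put together as one port configuration; this is an added example and not part of either poster's reply. The interface name and VLAN IDs are placeholders, and the CDP-based settings assume a phone that speaks CDP (a Cisco phone), so whether a Siemens phone honours them is not something the thread states.

```cisco
! Constructed example: GigabitEthernet0/1, VLAN 10 and VLAN 20 are placeholders.
!
! Enable QoS globally before configuring the voice VLAN.
mls qos
!
interface GigabitEthernet0/1
 description IP phone with a PC attached to the phone's access port
 switchport mode access
 ! Untagged PC traffic lands in the data VLAN.
 switchport access vlan 10
 ! Tagged phone traffic is carried in the voice VLAN.
 switchport voice vlan 20
 ! Trust the 802.1p CoS value on frames arriving from the phone.
 mls qos trust cos
 ! Apply that trust only while CDP detects a Cisco phone on the port,
 ! so a PC plugged in directly does not inherit it.
 ! (CDP-dependent: with a non-CDP phone the port stays untrusted.)
 mls qos trust device cisco-phone
 ! Untrusted mode for the phone's access port: via CDP, instruct the
 ! phone to overwrite the priority of PC frames with CoS 0.
 switchport priority extend cos 0
 ! The trusted-mode alternative, which passes PC markings unchanged,
 ! would be: switchport priority extend trust
!
! Verify from privileged EXEC:
!   show mls qos interface GigabitEthernet0/1
!   show interfaces GigabitEthernet0/1 switchport
```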
