Command:

mls qos trust


Mode:

Switch(config-if)#


Syntax:

mls qos trust [cos [pass-through dscp] | device cisco-phone | dscp]
no mls qos trust [cos [pass-through dscp] | device cisco-phone | dscp]

 

Syntax Description:

cos: (Optional) Classify ingress packets with packet CoS values. For untagged packets, the port default CoS value is used.
cos pass-through dscp: (Optional) Configure the interface to classify ingress packets by trusting the CoS value and to send packets without modifying the DSCP value (pass-through mode).
device cisco-phone: (Optional) Classify ingress packets by trusting the value sent from the Cisco IP phone (trusted boundary).
dscp: (Optional) Classify ingress packets with packet DSCP values (most significant 6 bits of the 8-bit service-type field). For non-IP packets, the packet CoS value is set to 0. This keyword is available only if your switch is running the enhanced software image (EI).

 

Command Description:

Use the mls qos trust interface configuration command to configure the port trust state. Ingress traffic can be trusted, and classification is performed by examining the class of service (CoS) or the Differentiated Services Code Point (DSCP) value. Use the no form of this command to return a port to its untrusted state.

Defaults:
The port is not trusted.
Pass-through mode is disabled.
Trusted boundary is disabled.
If no keyword is specified and the switch is running the EI, the default is dscp.

Packets entering a quality of service (QoS) domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the domain. Use this command to specify whether the port is trusted and which fields of the packet to use to classify traffic.

When a port is configured with trust DSCP and the incoming packet is a tagged non-IP packet, the CoS value for the packet is set to 0, and the DSCP-to-CoS map is not applied. For an untagged non-IP packet, the default port CoS value is used.

If DSCP is trusted, the DSCP field of the IP packet is not modified. However, it is still possible that the CoS value of the packet is modified (according to the DSCP-to-CoS map).

If CoS is trusted, the CoS of the packet is not modified, but DSCP can be modified (according to the CoS-to-DSCP map) if it is an IP packet.

To return a port to the untrusted state, use the no mls qos trust interface configuration command.

The trusted boundary feature prevents security problems if users disconnect their PCs from networked Cisco IP phones and connect them directly to the switch port to take advantage of trusted CoS settings. You must enable the Cisco Discovery Protocol (CDP) globally on the switch and on the interface connected to the IP phone. If the phone is not detected, trusted boundary disables the trust setting on the switch port and prevents misuse of a high-priority queue.

If trusted boundary is enabled and the no mls qos trust command is entered, the port returns to the untrusted state and cannot be configured to trust if it is connected to a Cisco IP phone.

To disable trusted boundary, use the no mls qos trust device interface configuration command.
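The following audit sketch is an added example, not part of the original Cisco reference. It scans a saved running-config for ports that trust CoS or DSCP without trusted boundary, and for ports where trusted boundary is set but CDP is off so the phone can never be detected. The sample config, the interface names and the function name audit_trust are constructed for illustration.

```python
import re

# Constructed sample running-config; interface names and layout are illustrative.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 mls qos trust cos
 mls qos trust device cisco-phone
!
interface FastEthernet0/2
 mls qos trust cos pass-through dscp
!
interface FastEthernet0/3
 mls qos trust dscp
 mls qos trust device cisco-phone
 no cdp enable
"""

def audit_trust(config):
    """Return {interface: [findings]} for ports whose trust state needs review."""
    cdp_global, ports, current = True, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # global level: starts or ends an interface block
            m = re.match(r"interface\s+(\S+)", line, re.I)
            current = m.group(1) if m else None
            if current:
                ports[current] = {"trust": None, "boundary": False, "cdp": True}
            cdp_global = cdp_global and line != "no cdp run"
        elif current:
            port = ports[current]
            trust = re.fullmatch(r"mls qos trust(?: (cos|dscp)( .*)?)?", line)
            if line == "mls qos trust device cisco-phone":
                port["boundary"] = True
            elif line == "no cdp enable":
                port["cdp"] = False
            elif trust:  # bare "mls qos trust" defaults to dscp on the EI
                port["trust"] = trust.group(1) or "dscp"
    findings = {}
    for name, p in ports.items():
        notes = []
        if p["trust"] and not p["boundary"]:
            notes.append(f"trusts {p['trust']} without trusted boundary")
        if p["boundary"] and not (cdp_global and p["cdp"]):
            notes.append("trusted boundary set but CDP is disabled")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    print(audit_trust(SAMPLE_CONFIG))
```

Ports inside the QoS domain, such as uplinks to other switches, may be trusted without trusted boundary by design, so treat a finding there as a review item rather than a fault.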

In software releases earlier than Release 12.1(11)EA1, the switch is in pass-through mode. It uses the CoS value of incoming packets without modifying the DSCP value and sends the packets from one of the four egress queues. You cannot enable or disable pass-through mode if your switch is running a software release earlier than Release 12.1(11)EA1.

In Release 12.1(11)EA1 or later, pass-through mode is disabled by default. The switch assigns a CoS value of 0 to all incoming packets without modifying the packets. It offers best-effort service to each packet regardless of the packet contents or size and sends it from a single egress queue.

You can enable pass-through mode on a switch running Release 12.1(11)EA1 or later by using the mls qos trust cos pass-through dscp interface configuration command. To disable pass-through mode, use the no mls qos trust cos pass-through interface configuration command.


Example:

This example shows how to configure a port to be a DSCP-trusted port:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# mls qos trust dscp

This example shows how to specify that the Cisco IP phone is a trusted device:

Switch(config)# interface fastethernet0/1

Switch(config-if)# mls qos trust device cisco-phone

This example shows how to configure the interface to trust the CoS of incoming packets and to send them without modifying the DSCP field:

Switch(config)# interface fastethernet0/1

Switch(config-if)# mls qos trust cos pass-through dscp

You can verify your settings by entering the show mls qos interface privileged EXEC command.


Misconceptions:

In software releases earlier than Release 12.1(11)EA1, the mls qos trust command is available only when the switch is running the EI.


Related Commands:

mls qos cos
mls qos map

© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
