Packets that enter a QoS domain are classified at its edge. Because the packets are classified at the edge, the switch port within the QoS domain can be configured to a trusted state. It is not necessary to classify the packets at every switch within the domain. Use the mls qos trust command to set the trusted state of an interface and to indicate which fields of the packet are used to classify traffic.
When a port is configured with trust DSCP or trust IP precedence and the incoming packet is a non-IP packet, the CoS-to-DSCP map is used to derive the corresponding DSCP value from the CoS value. The CoS can be the packet CoS for trunk ports or the port default CoS for nontrunk ports.
If the DSCP is trusted, the DSCP field of the IP packet is not modified. However, the CoS value of the packet can still be modified (according to the DSCP-to-CoS map).
If the CoS is trusted, the CoS field of the packet is not modified, but the DSCP can be modified (according to the CoS-to-DSCP map) if the packet is an IP packet.
The trusted boundary with Cisco device verification feature, implemented with the device cisco-phone keywords, prevents security problems if users connect a non-phone device to a switch port that is configured to support a Cisco IP phone. You must globally enable CDP on the switch and on the port connected to the IP phone. If a Cisco IP phone is not detected, QoS does not apply any configured nondefault trust setting, which prevents misuse of a high-priority queue.
If you configure the trust setting for DSCP or IP precedence, the DSCP or IP precedence values in the incoming packets are trusted. If you configure the mls qos cos override interface configuration command on the switch port connected to the IP phone, the switch overrides the CoS of the incoming voice and data packets and assigns the default CoS value to them.
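To make the trust states above concrete, the following Python model of the ingress decision is an added illustration, not Cisco code. It assumes the Catalyst default CoS-to-DSCP, DSCP-to-CoS and IP-precedence-to-DSCP maps, and uses a phone_detected flag to stand in for the CDP check behind device cisco-phone.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed Catalyst default maps: CoS c -> DSCP 8*c ; DSCP d -> CoS d // 8 ;
# IP precedence p (top three DSCP bits) -> DSCP 8*p.
COS_TO_DSCP = {c: 8 * c for c in range(8)}
DSCP_TO_COS = {d: d // 8 for d in range(64)}


@dataclass
class Packet:
    is_ip: bool
    cos: Optional[int] = None    # 802.1p CoS; None on an untagged frame
    dscp: Optional[int] = None   # None for a non-IP packet


@dataclass
class PortQoS:
    trust: Optional[str] = None  # None (untrusted), "cos", "dscp", "ip-precedence"
    is_trunk: bool = False
    default_cos: int = 0
    trust_device_cisco_phone: bool = False   # mls qos trust device cisco-phone
    cos_override: bool = False               # mls qos cos override


def classify(pkt: Packet, port: PortQoS, phone_detected: bool = True) -> Tuple[int, int]:
    """Return the (cos, dscp) the switch assigns to the packet at ingress.
    For a non-IP packet the dscp is the internal value; there is no field to rewrite."""
    trust = port.trust
    # Trusted boundary: no Cisco phone seen by CDP -> the nondefault trust
    # setting is not applied and the port behaves as untrusted.
    if port.trust_device_cisco_phone and not phone_detected:
        trust = None
    # CoS used for classification: packet CoS on a trunk, port default CoS otherwise.
    cos = pkt.cos if (port.is_trunk and pkt.cos is not None) else port.default_cos
    # Untrusted port, or cos override: every packet gets the port default CoS.
    if trust is None or port.cos_override:
        cos = port.default_cos
    if trust is None or trust == "cos":
        # CoS kept (trust cos) or forced to default (untrusted); DSCP derived from CoS.
        return cos, COS_TO_DSCP[cos]
    # trust dscp / trust ip-precedence
    if not pkt.is_ip:
        # Non-IP packet: DSCP derived from CoS via the CoS-to-DSCP map.
        return cos, COS_TO_DSCP[cos]
    # IP packet: DSCP (or its precedence bits) is trusted, CoS follows the DSCP-to-CoS map.
    dscp = pkt.dscp if trust == "dscp" else (pkt.dscp & 0b111000)
    return DSCP_TO_COS[dscp], dscp
```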
For an inter-QoS domain boundary, you can configure the port to the DSCP-trusted state and apply the DSCP-to-DSCP-mutation map if the DSCP values are different between the QoS domains.
Classification using a port trust state (for example, mls qos trust [cos | dscp | ip-precedence]) and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.
The following conditions apply to the mls qos trust command running on the Catalyst 6500 series switches or the Cisco 7600 series routers:
- The cos keyword is not supported for pos or atm interface types.
- The trust state does not apply to FlexWAN modules.
- The trust state does not apply to 1q4t LAN ports except for Gigabit Ethernet ports.
- Incoming queue drop thresholds are not implemented when you enter the mls qos trust cos command on 4-port Gigabit Ethernet WAN modules.
Use the set qos-group command to set the trust state on Catalyst 6500 series switch and Cisco 7600 series router Layer 2 WAN interfaces.
The following example shows how to set the trusted state of an interface to IP precedence:
Router(config-if)# mls qos trust ip-precedence
The following example shows how to configure CDP to detect a Cisco IP phone connected to the port:
Router(config-if)# mls qos trust device cisco-phone