Cisco Catalyst 2360 Software Configuration Manual page 411

IOS 12.2(53)EY

Chapter 25
Configuring QoS
Configuring a Trusted Boundary to Ensure Port Security
In a typical network, you connect a device to a switch port, as shown in Figure 25-1 on page 25-5, and
you can cascade other devices that generate data packets. The connected device guarantees the quality
through a shared data link by marking the CoS level of some packets as high priority (CoS = 5) and by
marking other packets as low priority (CoS = 0). Traffic sent from the device to the switch is typically
marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the class
of service (CoS) 3-bit field, which is the priority of the packet.
For many configurations, the traffic sent from the device to the switch should be trusted to ensure that
the traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust
cos interface configuration command, you configure the switch port to which the device is connected to
trust the CoS labels of all traffic received on that port.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a
high-priority queue if a user bypasses the device and connects the PC directly to the switch. Without
trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted
CoS setting). By contrast, trusted boundary uses CDP to detect the presence of other devices on a switch
port. If the device is not detected, the trusted boundary feature disables the trusted setting on the switch
port and prevents misuse of a high-priority queue.
In some situations, you can prevent a PC connected to the device from taking advantage of a
high-priority data queue. You can use the switchport priority extend cos interface configuration
command to configure the device through the switch CLI to override the priority of the traffic received
from the PC.
Beginning in privileged EXEC mode, follow these steps to enable trusted boundary on a port:
Step    Command                                         Purpose
Step 1  configure terminal                              Enter global configuration mode.
Step 2  cdp run                                         Enable CDP globally. By default, CDP is enabled.
Step 3  interface interface-id                          Specify the port connected to a device, and enter interface configuration mode.
                                                        Valid interfaces include physical ports.
Step 4  cdp enable                                      Enable CDP on the port. By default, CDP is enabled.
Step 5  mls qos trust cos                               Configure the switch port to trust the CoS value in traffic received from the device.
                                                        By default, the port is not trusted.
Step 6  switchport priority extend {cos value | trust}  Configure the device through the switch CLI to override the priority of the traffic received from the PC.
Step 7  end                                             Return to privileged EXEC mode.
Step 8  show mls qos interface                          Verify your entries.
Step 9  copy running-config startup-config              (Optional) Save your entries in the configuration file.

To disable the trusted boundary feature, use the no mls qos trust device interface configuration
command.
OL-19808-01
Catalyst 2360 Switch Software Configuration Guide
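
The following audit script is an added example, not part of the Cisco manual. It scans a running configuration for ports that carry mls qos trust cos without a trusted boundary, or whose boundary cannot detect the device because CDP is off. It assumes the boundary appears in the configuration as an mls qos trust device line (the command whose no form the page gives for disabling the feature); the sample configuration, the interface names and the DEVICE-TYPE placeholder are constructed.

```python
import re

# Constructed running-config for illustration; interface names are made up and
# DEVICE-TYPE is a placeholder, since the page does not list the device keyword.
SAMPLE_CONFIG = """\
cdp run
!
interface GigabitEthernet0/1
 switchport priority extend cos 0
 mls qos trust device DEVICE-TYPE
 mls qos trust cos
!
interface GigabitEthernet0/2
 mls qos trust cos
!
interface GigabitEthernet0/3
 no cdp enable
 mls qos trust device DEVICE-TYPE
 mls qos trust cos
"""

def audit_trust(config):
    """Return {interface: finding} for ports whose CoS trust is not bounded."""
    cdp_global = True          # per the page, CDP is enabled by default
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level line ends any interface block
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if current:
                ports[current] = []
            elif line == "no cdp run":
                cdp_global = False
        elif current:
            ports[current].append(line)
    findings = {}
    for name, lines in ports.items():
        boundary = any(l.startswith("mls qos trust device") for l in lines)
        cdp_ok = cdp_global and "no cdp enable" not in lines
        if "mls qos trust cos" in lines and not boundary:
            findings[name] = "CoS trusted with no trusted boundary"
        elif boundary and not cdp_ok:
            findings[name] = "trusted boundary set but CDP is off"
    return findings

if __name__ == "__main__":
    for port, finding in audit_trust(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```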
