Cisco Catalyst 3550 Command Reference Manual page 285

Chapter 2 Catalyst 3550 Switch Cisco IOS Commands
Usage Guidelines Packets entering a quality of service (QoS) domain are classified at the edge of the QoS domain. When
the packets are classified at the edge, the switch port within the QoS domain can be configured to one
of the trusted states because there is no need to classify the packets at every switch within the domain.
Use this command to specify whether the port is trusted and which fields of the packet to use to classify
traffic.
When a port is configured with trust DSCP or trust IP precedence and the incoming packet is a non-IP
packet, the CoS-to-DSCP map derives the corresponding DSCP value from the CoS value. The CoS can
be the packet CoS for trunk ports or the port default CoS for nontrunk ports.
If the DSCP is trusted, the DSCP field of the IP packet is not modified. However, it is still possible that
the CoS value of the packet is modified (according to the CP-to-CoS map) unless the pass-through cos
keyword is specified.
If the CoS is trusted, the CoS field of the packet is not modified, but the DSCP can be modified
(according to the CoS-to-DSCP map) if the packet is an IP packet (unless the pass-through dscp
keyword is specified).
If you configure the mls qos trust [cos pass-through dscp | dscp pass-through cos] interface
configuration command and then configure the mls qos trust [cos | dscp] interface configuration
command, pass-through mode is disabled.
If you configure an interface for DSCP pass-through mode by using the mls qos trust cos pass-through
dscp interface configuration command and apply the DSCP-to-DSCP mutation map to the same
interface, the DSCP value changes according to the mutation map.
The trusted boundary feature prevents security problems if users disconnect their PCs from networked
Cisco IP phones and connect them to the switch port to take advantage of trusted CoS or DSCP settings.
You must globally enable the Cisco Discovery Protocol (CDP) on the switch and on the port connected
to the IP phone. If the telephone is not detected, trusted boundary disables the trusted setting on the
switch or routed port (sets the trust state to not trusted) and prevents misuse of a high-priority queue.
If you configure the trust setting for DSCP or IP precedence, the DSCP or IP precedence values in the
incoming packets are trusted. If you configure the mls qos cos override interface configuration
command on the switch port connected to the IP phone, the switch overrides the CoS of the incoming
voice and data packets and assigns the default CoS value to them.
For an inter-QoS domain boundary, you can configure the port to the DSCP-trusted state and apply the
DSCP-to-DSCP-mutation map if the DSCP values are different between the QoS domains.
A classification that uses a port trust state (for example, mls qos trust [cos | dscp | ip-precedence] and
classification that uses a policy map (for example, service-policy input policy-map-name) are mutually
exclusive. The last setting configured overwrites the previous configuration.
Examples
This example shows how to configure a port as an IP-precedence trusted port:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust ip-precedence
This example shows how to specify that the Cisco IP Phone is a trusted device:
Switch(config)# interface fastethernet0/1
Switch(config-if)# mls qos trust device cisco-phone
You can verify your settings by entering the show mls qos interface privileged EXEC command.
OL-8566-02
Catalyst 3550 Multilayer Switch Command Reference
mls qos trust
2-259