Configuring A Trusted Boundary To Ensure Port Security - Cisco WS-C3560-48PS-S Software Configuration Manual

Configuring Standard QoS

Configuring a Trusted Boundary to Ensure Port Security

In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 28-11 on page 28-31, and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data packets as low priority (CoS = 0). Traffic sent from the telephone to the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the class of service (CoS) 3-bit field, which is the priority of the packet.

For most Cisco IP Phone configurations, the traffic sent from the telephone to the switch should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos interface configuration command, you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port.

With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue. Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the switch.

In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.

Beginning in privileged EXEC mode, follow these steps to enable trusted boundary on a port:

| Step | Command | Purpose |
|------|---------|---------|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | cdp run | Enable CDP globally. By default, CDP is enabled. |
| Step 3 | interface interface-id | Specify the port connected to the Cisco IP Phone, and enter interface configuration mode. Valid interfaces include physical ports. |
| Step 4 | cdp enable | Enable CDP on the port. By default, CDP is enabled. |
| Step 5 | mls qos trust cos | Configure the port to trust the CoS value in traffic received from the Cisco IP Phone. By default, the port is not trusted. |
| Step 6 | mls qos trust device cisco-phone | Specify that the Cisco IP Phone is a trusted device. You cannot enable both trusted boundary and auto-QoS (auto qos voip interface configuration command) at the same time; they are mutually exclusive. |
| Step 7 | end | Return to privileged EXEC mode. |
| Step 8 | show mls qos interface | Verify your entries. |
| Step 9 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

To disable the trusted boundary feature, use the no mls qos trust device interface configuration command.

Catalyst 3560 Switch Software Configuration Guide, Chapter 28: Configuring QoS (78-16156-01)
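
The check below is an added example, not part of the Cisco manual: it scans a saved running-config for ports that trust CoS without the trusted boundary command, and for ports where trusted boundary is configured but CDP is disabled globally or on the port, so the phone can never be detected. The sample configuration, interface names and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the manual); interface names are illustrative.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 mls qos trust cos
!
interface FastEthernet0/2
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface FastEthernet0/3
 no cdp enable
 mls qos trust device cisco-phone
 mls qos trust cos
!
"""

def audit_trusted_boundary(config: str) -> dict:
    """Return {interface: finding} for ports whose CoS trust is not gated on a detected phone."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # CDP is enabled by default, so only an explicit "no cdp run" turns it off globally.
    cdp_global = "no cdp run" not in (ln.strip() for ln in lines)
    ports, current = {}, None
    for ln in lines:
        m = re.match(r"^interface\s+(\S+)", ln)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif ln.startswith(" ") and current is not None:
            current.add(ln.strip())  # indented line belongs to the open interface block
        else:
            current = None  # "!" or a global command ends the interface block
    findings = {}
    for name, cmds in ports.items():
        if "mls qos trust cos" not in cmds:
            continue  # port is untrusted (the default); nothing to gate
        if "mls qos trust device cisco-phone" not in cmds:
            findings[name] = "CoS trusted without trusted boundary"
        elif not cdp_global or "no cdp enable" in cmds:
            findings[name] = "trusted boundary set but CDP is off: phone cannot be detected"
    return findings

if __name__ == "__main__":
    for port, finding in audit_trusted_boundary(SAMPLE_CONFIG).items():
        print(port, "->", finding)
```
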
