How to configure QoS trust boundary on Cisco Switches

This topic is to discuss the following lesson:

Nice explanation

We have a setup that a video device is connected to a switch (no qos) and marking done in the router AF41.
Here , the packet will be marking as Default when it goes from switch to router . Router will mark the packet as AF41. When there is a reply packet from the Router it will be AF41 and it send it to Switch as well.

Switch sends a packet to router : Default
Router sends a reply packet to switch : AF41

With same setup ,When we Qos enabled globally in the switch

Packet from switch to router :Default
Reply packet from Router to Switch :Default marking.

Which Scenario you will suggest.

Hi Vin,

It depends on your network, if you don’t do any queuing on the switch then it’s fine to mark on the router. If you implement on the queuing on the switch(es) then I would also mark there.

Keep in mind that enabling QoS globally on the switches will impact your marking. Catalyst IOS switches will remark traffic according to the Cos-to-DSCP or DSCP-to-Cos map.


Thank you very much for the lesson!
BTW, is it possible to remark priority of only frames that belong to a particular VLANs while keep others without remarking?

You are welcome and yes you can do that.

Very nice lesson!

Do you have any recommendations on using an Askerisk based phone system with current Cisco 3560’s. All the SWs are all set with QoS for the current Cisco phone system. Will the markings be the same?

Thanks John!

I’m not sure if Asterisk sends any DSCP values by default but I believe you can configure them in the sip.conf file like this:

tos_sip=cs3                    ; Sets TOS for SIP packets.
tos_audio=ef                   ; Sets TOS for RTP audio packets.
tos_video=af41                 ; Sets TOS for RTP video packets.
tos_text=af41                  ; Sets TOS for RTP text packets.

Using CS3 for SIP and EF for RTP audio is common but make sure your phones use the same marking.

Hi Rene,

Thank you for the explanations. I’m very new to QoS. So, it becomes very hard for me to read through the lesson. Is there any way to produce some videos on this topic ( like the one we did for other lessons)

Thank you


Hi Taslim,

For sure, QoS is a difficult topic. In the next few weeks I plan to add more material and I will also add videos for the remaining topics.



What about trusting DSCP values on the uplink to a router from a switch. Would the router interface use the command “mls qos trrust dscp” to trust ingress traffic from the distribution switch, which connects downstream to an Access switch? (distribution switch trusts dscp from access switch).





mls qos trust dscp" to trust ingress traffic from the switch?

Hi Joey,

You don’t have to do anything on the router, it will just forward these marked IP packets unlike the switches who want to rewrite everything. No need to trust it.


Hi Rene,

Thank you for the explanations, Can you please add more explanation about how the DSCP Mutation Map works, I have two questions about this topic.

Question 1:

3560Switch(config-if)#mls qos cos 4

this command is to set up the COS value to Untagged frames. Does Untagged frames mean Voice Frames ?

Question 2:

3560Switch(config-if)#mls qos cos override


3560Switch#show mls qos interface FastEthernet 0/1
 trust state: not trusted
 trust mode: not trusted
COS override
 default COS: 4
 DSCP Mutation Map: Default DSCP Mutation Map
 Trust device: none

all tagged and tagged frames are markes and COS 4

My question is how do we mark tagged frames with different COS marking to untagged frames



Hi Chad,

The “mls qos cos” command will set a COS value when there is no current marking. It will be applied to all frames with no marking…doesn’t matter if it carries voice traffic or something else. When the frame is already marked then this command won’t do anything.

When you set “mls qos cos override” then the switch will overwrite the current marking. In my example, it will set the COS value to 4…marked and unmarked frames.

If you want to “untag” frames then you could use “mls cos 0” together with “mls qos cos override”. This will mark everything to 0.

Hope this helps.


Hi Rene,

if I set “mls qos trust device-phone” and nothing else. Does the switch trust all traffic from PC, which is connected to Phone as well?

How does the Cisco Phone handle the PC traffic in default mode?

“mls qos trust device cisco-phone” will not result in traffic being trusted sent by the PC attached to the phone. You need to follow it up with
(config-if)#switchport priority extend trust

By default, when traffic is sent by a PC attached to the phone, the switchport port will reset this to the default CoS value (usually zero, unless you have configured it otherwise). By the way, if you aren’t running CDP on the switch, this will also happen, even if you have configured the first two commands I mentioned. The reason is that the switch depends on CDP to identify the Cisco-phone properly.


Thanks Andrew, - just to complete the picture for me:

So I suppose “switchport priority extend trust” is only active with “mls qos trust device cisco-phone”, right?

If the pc would be attached to the port directly, its COS/DSCP marking would be set to 0 (unless set differently). Correct?

Unless I would set “mls qos trust cos/dscp”. But then I even wouldn’t need the whole cisco phone trust stuff. As every packet would be trusted.

Thanks for clarification!

You are exactly right. If you tell the switch to trust the markings that come in from a cisco-phone, even if you extend the trust to a PC attached to a Cisco phone, the Cisco-phone must be present and detected correctly in order for the markings to be trusted. Otherwise, as you said, all markings would be reset to zero (by default).

Can you explain moore about map dscp to cos and cos to dscp? The SWITCH read packets L3? or read dscp? SW is not an element L2?

Hi Oscar,

That is right. The switch will look at the DSCP field in the IP packet and rewrites the CoS value of the L2 frame (cos-to-dscp map). When you use cos-to-dscp, it’s the other way around…the switch reads the CoS value and rewrites the DSCP value in the IP packet.



Can you elaborate on what is your understanding of “tagged and untagged Ethernet frames will have a CoS value of 4” in the explanation above.

Flavour 1:
If tagged/untagged means p-bit marking (cos), I am not seeing this possible without 802.1q (tagged frames), there fore I would not understand to the meaning of tagged/untagged on the context of cos, as only 802.1q tagged can be classified.

Flavour 2:
If tagged/untagged means in this setence marked/unmarked by the untrusted domain then I would deduce that we are always referencing to 802.1q frames

Flavor 3:
? :slight_smile:

I am only referening to layer 2 classification here.

Is it flavor 1, 2 or a 3rd option that I am not seeing?
Can you please help me here?