How to configure QoS trust boundary on Cisco Switches

Hi Laz,

The statement blow has confused me:

I understand your point about classifying traffic based on cos, because it trusts it, but I found the following in a qos FAQ on Cisco’s website:

Q. What is pass-through mode?
A. In pass-through mode, the switch uses the class of service (CoS) value of incoming packets without a modification of the differentiated services code point (DSCP) value. The frame can pass through the switch with both the incoming CoS and DSCP values intact. When you disable pass-through mode and configure the switch port to trust CoS, the DSCP value is derived from the CoS-to-DSCP map. In this case, the DSCP usually changes as a result. In Cisco IOS Software releases earlier than Cisco IOS Software Release 12.1(11)EA1, this derivation of the DSCP value is on by default and you cannot change it. In Cisco IOS Software Release 12.1(11)EA1 and later, you can configure this with the enablement of pass-through mode on the port.

Here is a sample configuration:

interface fastethernet 0/1
switchport mode access
mls qos trust cos pass-through dscp

which implies that using pass-through means the dscp value will remain unaltered for ingress traffic on that port. But you mentioned egress, which has confused me.

Here’s the link to the doc:

Thanks very much for the help,


Hello Sam

I wasn’t clear in my wording, I apologize. My meaning is that pass-through will not alter the DSCP values as traffic passes through the switch. I should have said, “it will allow packets to egress without modifying the DSCP value”. The Cisco documentation is excactly right, which is what I was trying to (somewhat clumsily :stuck_out_tongue: ) say.

I hope this has been helpful!


1 Like

what’s the difference between cos and DSCP? is cos marking at L2 and DSCP at L3?

Hello Abdulrahman

Fundamentally, you are correct. CoS is a value that exists within the VLAN tag at Layer 2 and is used to prioritize frames that traverse a trunk. Particular frames of specific VLANs are given priorities within that VLAN tag. You can find out more about the contents of the tag at the following lesson:

CoS uses three bits, and can thus have values between 0 and 7.

Now DSCP operates at Layer 3, and is part of the DS field in the IP header. The DS field contains 8 bits and can thus have values between 0 and 255. The values are not simply used in this range, but depending on how they are interpreted, allow you to deliver a more granular and customized prioritization of packets. In addition, unlike CoS which exists only on a particular trunk link, DSCP is something that remains within the packet from end to end, so an IP packet can be prioritized accordingly throughout its journey.

Keep in mind that DSCP values can be changed by network devices along the way, so even if you set these values when you send out the packet, if it traverses a network that you do not administer, those values can be changed.

I hope this has been helpful!


1 Like

I have read conflicting information in regards to congestion with QoS. Seems some think that FIFO is the case when there is no congestion - regardless of qos. The other side of the aisle thinks it ALWAYS is classifying, queuing regardless of congestion (so i guess FIFO in their respective queues during no congestion).

Anyone care to expand on this?

Hello Curtis

We must keep in mind that any QoS mechanisms employed will only kick in when there is congestion. Imagine a GigabitEthernet port on a router or switch receiving traffic at rates well below 1Gbps. As soon as a packet arrives, it is processed and forwarded. The packet never enters any queues. Such packets are served on a first come first serve basis simply because the bandwidth is available to serve it immediately. If you have no packets in queues, QoS mechanisms are not activated, simply because they are unneeded.

Queues will begin to fill up only when traffic arrives on an interface at a rate greater than the speed of the port. Once you have queues that are non-zero in size, only then will QoS mechanisms be applied.

For more info, take a look at this NetworkLessons note on QoS.

I hope this has been helpful!


hello Rene please can you explain to me concretely when do I have to apply this QoS Course module if I am ever called to work for a company, the methodology to adopt is which one, what is it that we apply the most, is it the marking; the classification, in short, I am a little confused by this course, especially since it is vast. I want a tangible example in life, please. can’t find my concern nonsense. I’m getting ready for my CCNP exam, what do I absolutely need to understand in order to be effective in the field?

I am confused by this course, please can you help me understand more explicitly with concrete examples

In order to understand QoS as a whole, you must first understand the need for such a feature. Typically, QoS is necessary in the following scenarios:

  1. When you have services that can be adversely affected by network congestion, such as real-time services including VoIP or videoconferencing
  2. When you are called to rate limit a specific interface (such as your connection to the ISP) you must use either policing or shaping with the appropriate parameters to ensure that your network is performing as expected

QoS must always be applied based on the specifications of what you want to achieve. Once that is clearly defined, you can then use the various mechanisms and features (Layer 2 QoS with CoS, Layer 3 QoS with DSCP, policing, shaping, queuing etc…) to achieve that goal.

For example, the administration of your company may say that they want to ensure that VoIP and videoconferencing traffic should always have priority internally as well as over the Internet, while it is acceptable for web, VoD, and social media traffic can suffer somewhat if the network is congested. You will use the QoS tools available to you to deliver that level of service on your network.

I hope this has been helpful!


thank you very much for the explanation.

1 Like

Dear Mr Rene,

The below lines in lesson Qos Trust boundary in cisco switch

Maybe you wonder how the switch knows the difference between a Cisco IP phone and another vendor. CDP (Cisco Discovery Protocol) is used for this. Now we trust the CoS value of the Cisco IP phone, but what about the computer behind it? We have to do something about it…here’s one way to deal with it:

3560Switch(config-if)#switchport priority extend cos

this command we need to run in every interface of the port

why these commands not running on IOU L2 15.9 ? I cannot find an image for 3560 running these commands. Do u suggest something?

Hello Sulthan

The switchport priority extend cos command is an interface configuration mode command and affects only the interface on which it is applied. You must apply this command on a per interface basis.

I hope this has been helpful!


Hello Konstantinos

The QoS in this lesson is Multilayer Switch QoS or MLS QoS. This has been largely replaced by IOS Modular QoS Command Line Interface (MQC) in newer switches, including the IOU L2 you are using. This has different syntax and has a different application methodology.

Take a look at this post that explains more:

I hope this has been helpful!


gns3 does not support catalyst 35xx series, only iou. i cannot find these commands anywhere, can u provide me an image wth the same commands for gns3?

Hello Konstantinos

the MLS QoS is not available in the IOSv images used by GNS3. From the little research that I did, it is not possible to run an IOS image that supports the MLS commands. Unfortunately, you can only run MQC on GNS3, and it’s not available on Cisco’s CML either.

I hope this has been helpful!


Am I correct in thinking that for CoS value to be passed through multiple switches, they all need incoming traffic interfaces configured as CoS trusted?

Switch3(config-if)#mls qos
Switch3(config-if)#mls qos trust cos

And at least one switch at the front of the line must assign CoS value? If not using Cisco IP Phones.

Switch2(config-if)#mls qos
Switch2(config-if)#mls qos cos 5

Hello Robert

Yes, this is the case. You must also ensure that you have configured trunk links between all the switches in question since the CoS values are actually contained within the 802.1Q tags exchanged by switches. If there is an access port between switches, no tag will be included in the frame.

I hope this has been helpful!


1 Like


I’m confused by the begining of the lesson. We start with:
3560Switch(config)#no mls qos rewrite ip dscp
because the default behavior of a switch is to erase DCSP (meaning setting the DSCP field at 0?)
So we apply this command, and we keep DSCP.

Then we say “By default, your switch will overwrite the DSCP value of the packet inside your frame according to the cos-to-dscp map.”

Does it means we have like a first default behavior that erase DCSP, and a second default behavior that overwite DSCP with CoS value?

Thanks for your help,

Hello David

Here’s a slightly different way of thinking about it. When you issue the mls qos command on a switch, it will, by default, not trust any DSCP or CoS values on packets/frames it receives. It will therefore set the DSCP and CoS values of those packets/frames to zero. Now in order to change this behavior and keep the DSCP values on the packets received, we can issue the global configuration command no mls qos rewrite ip dscp.

Now, the next command that Rene added, and on the interface this time, is mls qos trust cos. This command simply says that we will trust the CoS values on that particular interface. Now switches have a default cos-to-dscp map, where particular CoS values correspond to DSCP values. If no additional commands are issued, then this cos-to-dscp mapping will be applied by default on all traffic on this particular interface. You can exempt traffic from this mapping by issuing the mls trust cos pass-through.

Yes, but the first default behavior pertains to the whole switch globally when the mls qos command is applied, and the second default behavior pertains to a specific interface and only when the mls qos trust cos command is issued on the interface. These are two different scenarios, but they are related. Does that make sense?

I hope this has been helpful!


1 Like