How to configure QoS trust boundary on Cisco Switches

Lessons Discussion
105

Hello David

Here’s a slightly different way of thinking about it. When you issue the mls qos command on a switch, it will, by default, not trust any DSCP or CoS values on packets/frames it receives. It will therefore set the DSCP and CoS values of those packets/frames to zero. Now in order to change this behavior and keep the DSCP values on the packets received, we can issue the global configuration command no mls qos rewrite ip dscp.

Now, the next command that Rene added, and on the interface this time, is mls qos trust cos. This command simply says that we will trust the CoS values on that particular interface. Now switches have a default cos-to-dscp map, where particular CoS values correspond to DSCP values. If no additional commands are issued, then this cos-to-dscp mapping will be applied by default on all traffic on this particular interface. You can exempt traffic from this mapping by issuing the mls trust cos pass-through.

Yes, but the first default behavior pertains to the whole switch globally when the mls qos command is applied, and the second default behavior pertains to a specific interface and only when the mls qos trust cos command is issued on the interface. These are two different scenarios, but they are related. Does that make sense?

I hope this has been helpful!

Laz

1 Like
106

Thanks Laz,

I think it’s clear, let me rephrase it once again to be sure I understood:

If I can trust all interfaces on my switch, then i will use:

3560Switch(config)#mls qos 
3560Switch(config)#no mls qos rewrite ip dscp

In that case The switch will not modify the DSCP field for any frame on any interface.

If I want to erase DSCP on all incoming frames but set DSCP according to cos-to-dscp mapping on Interface Gi0/1, then i will use:

3560Switch(config)#mls qos 
3560Switch(config)#interface Gi0/1
3560Switch(config-if)#mls qos trust cos

If I want to erase DSCP on all incoming frames except on Gi0/2 interface where i will keep the received DSCP value, then i will use:

3560Switch(config)#mls qos 
3560Switch(config)#interface Gi0/2
3560Switch(config-if)#mls qos trust cos pass-through

Thanks for your help;

107

Hello David

Well, not quite. Although they are related, trusting and not modifying DSCP field are two different things. You can instruct a switch to never modify the DSCP field using this command, but that does not mean that a particular interface will trust traffic. This command is simply an exception to the untrusting of traffic. You must individually configure interfaces to trust or untrust, and those characteristics affect not only DSCP, but also CoS values. So you see, you have a more granular control over how traffic is handled.

In this case, you are essentially saying that you only trust CoS values, and yes, by default, all DSCP values will be rewritten using the cos-to-dscp map.

The above commands (assuming you haven’t issued the no mls qos rewrite ip dscp command, will keep the CoS values as they are, but will erase the DSCP values.

I hope this has been helpful!

Laz