2-313
Catalyst 3750 Metro Switch Command Reference
OL-9645-10
Chapter 2 Catalyst 3750 Metro Switch Cisco IOS Commands
mls qos trust
The trusted boundary feature prevents security problems if users disconnect their PCs from networked
Cisco IP phones and connect them to the switch port to take advantage of trusted CoS settings. You must
globally enable the Cisco Discovery Protocol (CDP) on the switch and on the port connected to the Cisco
IP phone. If the phone is not detected, trusted boundary disables the trusted setting on the switch port
and prevents misuse of a high-priority queue. If you configure the trust setting for DSCP or IP
precedence, the DSCP or IP precedence values in the inbound packets are trusted. If you configure the
mls qos cos override interface configuration command on the switch port connected to the Cisco IP
phone, the switch overrides the CoS of the inbound voice and data packets and assigns the default CoS
value to them.
For an inter-QoS domain boundary, you can configure the port to the DSCP-trusted state and apply the
DSCP-to-DSCP-mutation map if the DSCP values are different between the QoS domains.
Classification using a port trust state (for example, mls qos trust [cos | dscp | ip-precedence]) and a
policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one
configured overwrites the previous configuration.
When port trust policies are used with 802.1Q tunneling, all ports sharing the same tunnel VLAN must
be configured with the same trust policy, and the ports involved must use the same DSCP-to-DSCP
mutation map. For more information, see the “mls qos dscp-mutation” section on page 2-281 and the
“mls qos map” section on page 2-285.
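The checks implied by the paragraphs above, as an added Python example that is not part of the Cisco reference: it audits configuration text for ports that trust inbound markings without trusted boundary, trusted-boundary ports where CDP is disabled, and 802.1Q tunnel ports on the same VLAN whose trust policy or DSCP mutation map differ. The sample configuration, interface names and the map name mutA are constructed; the example assumes trusted boundary is enabled with the IOS command mls qos trust device cisco-phone (not spelled out in this excerpt) and that a tunnel port's VLAN is its switchport access vlan.

```python
# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 mls qos trust cos
interface FastEthernet1/0/2
 mls qos trust device cisco-phone
 mls qos trust cos
 no cdp enable
interface FastEthernet1/0/3
 switchport access vlan 100
 switchport mode dot1q-tunnel
 mls qos trust dscp
 mls qos dscp-mutation mutA
interface FastEthernet1/0/4
 switchport access vlan 100
 switchport mode dot1q-tunnel
 mls qos trust cos
"""

def parse_interfaces(config):
    # Returns (global lines, {interface name: [sub-commands]}).
    glob, ports, cur = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None
            glob.append(line.strip())
    return glob, ports

def last_arg(cmds, prefix, default=None):
    return next((c.split()[-1] for c in reversed(cmds) if c.startswith(prefix)), default)

def audit(config):
    glob, ports = parse_interfaces(config)
    findings, tunnels = [], {}
    for name, cmds in ports.items():
        trust = next((k for k in ("cos", "dscp", "ip-precedence") if f"mls qos trust {k}" in cmds), None)
        boundary = "mls qos trust device cisco-phone" in cmds
        if "switchport mode dot1q-tunnel" in cmds:
            vlan = last_arg(cmds, "switchport access vlan ", "1")  # VLAN 1 when unset
            tunnels.setdefault(vlan, set()).add((trust, last_arg(cmds, "mls qos dscp-mutation ")))
        elif trust and not boundary:
            findings.append((name, f"trusts {trust} without trusted boundary"))
        if boundary and ("no cdp run" in glob or "no cdp enable" in cmds):
            findings.append((name, "trusted boundary set but CDP is disabled"))
    findings += [(f"vlan {v}", "tunnel ports differ in trust or mutation map")
                 for v, p in sorted(tunnels.items()) if len(p) > 1]
    return findings
```

A trusted uplink to another switch will also appear under the first finding, so treat that finding as a list of ports to review rather than as errors.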
For 802.1Q tunnels, the switch processes inbound traffic on a standard port according to the trusted
setting applied to this port. The switch configures the inner and outer tags for packets sent over the
enhanced-services (ES) trunk port as follows:
• If no trust state is configured on a standard port, the switch does not copy the inner CoS value to the
outer CoS value.
• If the trust CoS state is configured on a standard port, the switch classifies inbound traffic by using
the packet CoS value. For an untagged packet, the switch uses the CoS value configured on that port.
If no CoS value is configured, the switch uses the default CoS value (0). The switch copies the inner
CoS value to the outer CoS value and sends the packet to an ES port.
• If the trust DSCP state is configured on the standard port, the switch classifies inbound traffic by
using the packet DSCP value if the packet is an IP packet. For a non-IP packet that is tagged, the
switch uses the packet CoS value to generate a DSCP value through the CoS-to-DSCP map. For a
non-IP packet that is untagged, the switch uses the port CoS value to generate the DSCP from the
CoS-to-DSCP map. The switch configures the outer CoS value from the DSCP-to-CoS map, does
not modify the inner CoS value, and sends the packet to an ES port.
For an IP packet, the switch modifies the DSCP value in the packet if there is a DSCP-to-DSCP
mutation map configured on the standard port. The switch uses the mutated DSCP value to configure
the outer CoS value from the DSCP-to-CoS map and sends the packet to an ES port.
• If the trust IP precedence state is configured on the standard port, the switch classifies inbound
traffic by using the packet IP precedence value. For a non-IP packet, the switch uses the packet CoS
value if the packet is tagged. For an untagged packet, the switch uses the port CoS value and then
generates the DSCP value by using the CoS-to-DSCP map. The switch converts the generated DSCP
value from the DSCP-to-CoS map and uses it as the outer CoS value in the packet. The switch does
not modify the inner CoS value in the packet and sends the packet to an ES port.
• If the CoS override state is configured on the standard port, the switch overrides the previously
configured port trust state and applies the CoS value configured on the port to all inbound traffic.
The switch copies the port CoS value to the outer CoS value, does not modify the inner CoS value,
and sends the packet to an ES port.