cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
29134
Views
86
Helpful
10
Replies

Access Switch: Trust CoS or DSCP?

Antonio Knox
Level 7
Level 7

I can't seem to wrap my head around whether to trust DSCP or CoS.....

I would assume to trust CoS (It's at the Access Layer 2, right?), but I've read documents and articles in which DSCP was trusted without much explanation as to why.  It shouldn't mean much, but I have 3560Gs and 3560Xs.

I know this is a noob question, but can someone explain which to trust and why?  I'm not a VoIP guy but I am familiar with the concepts..... just stuck on this part.  I keep coming back to it

*I rate all responses accordingly*

1 Accepted Solution

Accepted Solutions

No - I'm saying if you use COS, you won't trust the PC traffic.

You would use trust DSCP, as that is part of the IP Header and is therefore present on traffic from the PC and the phone.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

10 Replies 10

Chris Deren
Hall of Fame
Hall of Fame

It depend on what kind of interface you are applying the trust command to, if it is uplink interface to a router or a server for example you want to trust DSCP, if this is on a host port and you want to trust the L2 markings from phone for example you would trust COS.

HTH,

Chris

What's the difference between that and trusting the cisco phone (ie mls qos trust device cisco-phone vs mls qos trust cos/dscp)?  I'm curious if that translates to trusting cos or dscp.

The first command ( mls qos trust device cisco-phone ) instructs the switch to trust a cisco ip-phone. The second command ( mls qos trust cos/dscp ) instructs the switch to use 'cos/dscp' as the trust mode.

So if you have a Cisco Phone you'll need both commands.

Let's say you enable both commands and plugged in a non Cisco phone,

It will not pay attention to marking anymore ( Switch will check the device using CDP and will detect it is not a cisco phone and will not trust the marking )

If you want to use non-Cisco phone on the same port , then you can use the "auto qos voip trust" command

Please rate this post if helpful

Thanks

Shamal

They are formulas, we use these on device ports, but set any port that connects to a router or server to trust dscp:

VOIP Device Specifics

When you enter the auto qos voip cisco-phone command on a port at the network edge connected to a Cisco IP Phone, the switch enables the trusted boundary feature. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.

When you enter the auto qos voip cisco-softphone interface configuration command on a port at the network edge that is connected to a device running the Cisco SoftPhone, the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0.

When you enter the auto qos voip trust interface configuration command on a port connected to the network interior, the switch trusts the CoS value for nonrouted ports or the DSCP value for routed ports in ingress packets (the assumption is that traffic has already been classified by other edge devices).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swqos.html#wp1843287

Thanks guys.  +5 to you.  That answered my question but not sure about the OP.

Well... to the OP...

In general these days you would want to trust DSCP rather than COS. COS is present only in trunked links, e.g. those between switches, or between switches and phones.

That means that the packets from a PC will never be trusted if using COS - and with softphones and other media apps (e.g. Jabber/Lync) being kind of popular now that probably isn't good... not to mention any 'normal' business apps that might want prioritising.

Of course, you might want to not trust either on edge ports, and/or configure policy maps to conditionally trust traffic, police the traffic that gets into priority queues, etc etc.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Aaron,

In general these days you would want to trust DSCP rather than COS. COS is present only in trunked links, e.g. those between switches, or between switches and phones.

That means that the packets from a PC will never be trusted if using COS - and with softphones and other media apps (e.g. Jabber/Lync) being kind of popular now that probably isn't good... not to mention any 'normal' business apps that might want prioritising.

So are you saying that if I don't trust CoS markings that softphones and media apps won't be properly prioritized (assuming I didn't have a policy map configured to trust it)?  I want these markings to be trusted if these services require it.  So is the general idea such that people just trust DSCP over CoS because it's the best practice or do they see a real benefit to it?  Seems from your explanation that there is no benefit to trusting DSCP over CoS.  Correct me if I'm off base...

No - I'm saying if you use COS, you won't trust the PC traffic.

You would use trust DSCP, as that is part of the IP Header and is therefore present on traffic from the PC and the phone.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

The basic decision point is 'what markings is the attached device capable of setting' - a PC or a router will not set COS unless you go through much pain and agony, so anywhere a device like that is attached, you HAVE to trust dscp.  If you trust COS, and none is set, then the COS to dscp internal marking will whack your dscp setting, and your traffic will weep away.  Phones and switches will set COS, and it is a fine setting for a basic phone, since it will make sure that phone traffic is proiritized, if you don't have any relevant PC traffic that is associated, and needs proiritizing.  But dscp is fine for phones too.  Switches will preserve the dscp, if nothing is whacked on ingress with a bad trust setting, so their ports can use trust dscp too - unless you have a really crappy switch, that will not look at layer 3 - in which case he will be fine receiving traffic from another switch, because COS will be in the packet, same with phones, but if you attach a router and want to preserve markings, you will have to make a policy on the router to mark packets with a layer 2 header on their way over to the switch, or else all is lost..

To really know what is going on, you should check some ports, to make sure things are working the way you expect.  On the 3560, you can do sh mls qos int x/x stat and see your markings as packets go in and out.  On the newer versions of 4507, things are done with policy maps, more like routers, so you use sh policy-map int x/x.  You should really pull the QoS guide for the exact version of your devices, so you don't miss any subtle differences.