CoS DSCP Trust value and Trust boundary

Meddane (VIP)

I read the following paragraph in a Cisco Press book about the Trust Boundary:

 

To protect against unwanted and unauthorized prioritization of applications, even if the PC sends tagged frames with a specific CoS value, the Cisco IP Phones can zero out this value before sending the frame to the switch. This is the default behavior. Voice frames coming from the IP Phone have a CoS value of 5, and data frames coming from the PC have a CoS value of 0. If the DSCP is set, the IP Phone cannot re-mark the DSCP, and this must be performed at the switching layer.

 

Per my understanding, if, let's say, a PC sends data traffic with an EF marking for malicious purposes, the IP Phone does not reset the DSCP value. So if we trust the DSCP value on the access switch, it is recommended to re-mark the DSCP value of the PC's traffic on the switch. Another option is to trust the CoS value and configure the CoS-to-DSCP mapping on the switch.

 

Is it correct?

1 Reply

Joseph W. Doherty (Hall of Fame)

Well, for starters, generally totally ignore L2 CoS.  Just use L3 ToS.

For the latter, "the book" says, you should "validate" any traffic entering your QoS trust boundary, which often includes access ports.

Years ago, we implemented a policy where, rather than validate that traffic has a proper EF marking, we just policed it at edge ports to allow expected VoIP data rates. I.e., if someone wanted to send FTP marked with EF, that was okay, but they would only obtain 100 Kbps, not the port's gig.
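The three access-port options discussed in this thread (trust CoS with a CoS-to-DSCP map, trust DSCP and let the PC's EF mark through, or trust DSCP but police the EF class as in the reply above) can be checked against each other in a small model. The following is an added illustration, not code from the thread, from the book quoted, or from Cisco. It assumes the phone's default behaviour from the quoted paragraph (PC frames get CoS rewritten to 0, DSCP left alone), Cisco's recommended CoS-to-DSCP map (CoS 5 to DSCP 46; the platform default maps CoS 5 to 40), and a simplified single-token-bucket policer with an assumed 128 kbps rate and 8000-byte burst. The PC's 1500-byte frames, one per millisecond for one second, are constructed sample input. On a real Catalyst switch the policer would be a `police` action in an inbound policy-map on the access port; the numbers here are only there to make the effect concrete.

```python
"""Model of an access-port QoS trust boundary.

Shows what DSCP a PC's self-marked EF traffic ends up with under
'trust cos', 'trust dscp', an untrusted port, and 'trust dscp' plus an
EF policer. Constructed illustration; not any vendor's implementation.
"""
from dataclasses import dataclass

# Cisco's recommended CoS-to-DSCP map (CoS 5 -> DSCP 46 / EF). The platform
# default maps CoS 5 -> 40, so in practice this map is configured explicitly.
COS_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 46, 6: 48, 7: 56}
EF = 46


@dataclass
class Frame:
    src: str    # "phone" or "pc" (the device behind the phone's PC port)
    cos: int    # 802.1p value as sent by the device
    dscp: int   # DSCP in the IP header as sent by the device
    size: int   # bytes, consumed by the policer


def phone_passthrough(frame: Frame) -> Frame:
    """Default IP Phone behaviour from the quoted book paragraph:
    the PC's CoS is zeroed, the DSCP field is not touched."""
    if frame.src == "pc":
        return Frame(frame.src, 0, frame.dscp, frame.size)
    return frame


def ingress_dscp(frame: Frame, trust: str) -> int:
    """Internal DSCP the switch assigns for a given port trust state."""
    if trust == "cos":
        return COS_TO_DSCP[frame.cos]   # PC's CoS is 0 after the phone -> DSCP 0
    if trust == "dscp":
        return frame.dscp               # PC's EF marking survives unchanged
    if trust == "none":
        return 0                        # untrusted port: everything re-marked to BE
    raise ValueError(f"unknown trust state {trust!r}")


class SingleRatePolicer:
    """Single token bucket, exceed-action drop. Time is in whole
    milliseconds and the rate must be a multiple of 8000 bps so the
    refill is exact integer arithmetic (an assumption of this model)."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        if rate_bps % 8000:
            raise ValueError("rate_bps must be a multiple of 8000")
        self.bytes_per_ms = rate_bps // 8000
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def conform(self, size: int, now_ms: int) -> bool:
        refill = (now_ms - self.last_ms) * self.bytes_per_ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def run_edge(frames, trust: str, police_ef_bps=None, burst_bytes=8000):
    """Pass timestamped frames through phone -> access port.

    Returns (bytes passed per internal DSCP, bytes dropped by the policer).
    Only traffic classified as EF after trust is applied is policed."""
    policer = SingleRatePolicer(police_ef_bps, burst_bytes) if police_ef_bps else None
    passed, dropped = {}, 0
    for t_ms, frame in frames:
        frame = phone_passthrough(frame)
        dscp = ingress_dscp(frame, trust)
        if policer and dscp == EF and not policer.conform(frame.size, t_ms):
            dropped += frame.size
            continue
        passed[dscp] = passed.get(dscp, 0) + frame.size
    return passed, dropped


def pc_ef_flood(trust: str, police_ef_bps=None):
    """Constructed scenario: a PC sends 1000 x 1500-byte FTP frames, one per
    millisecond, tagged CoS 5 and marked DSCP EF to jump the voice queue."""
    frames = [(t, Frame("pc", 5, EF, 1500)) for t in range(1000)]
    return run_edge(frames, trust, police_ef_bps)


def phone_voice_dscp(trust: str) -> int:
    """Constructed voice frame straight from the phone (CoS 5, DSCP 46)."""
    return ingress_dscp(phone_passthrough(Frame("phone", 5, EF, 200)), trust)


if __name__ == "__main__":
    for mode, rate in (("cos", None), ("dscp", None), ("none", None), ("dscp", 128000)):
        print(mode, rate, pc_ef_flood(mode, rate))
```

With `trust cos` the PC's EF marking is neutralised by the phone's CoS rewrite plus the map (all 1.5 MB lands in DSCP 0), while the phone's own voice still maps CoS 5 to 46. With `trust dscp` the PC's EF marking goes straight through. Adding the policer keeps `trust dscp` but caps what any EF-marked flow can obtain: burst plus one second of 128 kbps, which in this scenario is 22,500 bytes passed and 1,477,500 bytes dropped, which is the "they only get 100 Kbps, not the port's gig" outcome from the reply.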