07-05-2012 10:49 AM - edited 03-07-2019 07:37 AM
I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but untrust the PC DSCP value. How can I trust one thing but not the other?
Any ideas?
I am using a 2960 Cisco switch with IP base IOS.
Thank you
07-05-2012 10:59 AM
Hi Peter,
You generally will have
Switch(2960) -> IP Phone -> PC
Although the perimeter of the trust area is recommended to be the switch itself, you can have a certain level of control on the IP Phone since indeed it is another switch that is trunking back to your Cisco 2960.
Can you control the host off the PC? No way, because you can simulate everything from the PC, and when you do some security studies you will see an incredible amount of attacks using exactly this philosophy: "if I can trust the IP phone I can trust the PC".
HTH
Alessio
07-06-2012 12:30 AM
peter.williams@waiglobal.com wrote:
I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but untrust the PC DSCP value. How can I trust one thing but not the other?
Any ideas?
I am using a 2960 Cisco switch with IP base IOS.
Thank you
Hello,
Normally you can configure the Cisco IP phone to forward traffic with an IEEE 802.1p priority, and configure the switch to trust or override the traffic priority assigned by an IP phone.
The switch can process data traffic which comes from the device attached to the access port on the IP phone. You can configure the switch ports which send CDP packets that instruct the attached IP phone to configure the mode (trusted or untrusted mode) for the access port on the phone.
In trusted mode, the access port on the IP phone passes the traffic from the PC without any change. In untrusted mode, the access port on the IP phone receives all traffic in IEEE 802.1Q frames which contain a configured Layer 2 CoS value.
When you enable the voice VLAN on the port, all untagged traffic is sent according to default CoS priority. Before you enable voice VLAN, enable the QoS on the switch by issuing the mls qos global configuration command and configure the port's trust state to trust by issuing the mls qos trust cos interface configuration command.
Hope to Help !!
Ganeshh Iyer
Rate if it Helps ...
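The trust boundary described in the reply above, as an added configuration sketch that is not part of the original thread and not written by either poster. Interface numbers and VLAN IDs are constructed, and it assumes a phone that honors the CDP instruction the reply describes; the thread does not say whether the Siemens phone does.

```cisco
! Constructed example: interface numbers and VLAN IDs are placeholders.
! As the reply says, enable QoS globally before setting per-port trust.
mls qos
!
! Weak: the phone is instructed to pass the PC's markings through unchanged,
! so whatever priority the PC sets is trusted by the switch along with voice.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 mls qos trust cos
 switchport priority extend trust
!
! Corrected: the switch trusts CoS on the port, but the phone is instructed
! to treat its access (PC) port as untrusted and rewrite PC frames to CoS 0.
! Untagged frames arriving at the switch get the port's default CoS.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 mls qos trust cos
 switchport priority extend cos 0
!
! Check the resulting trust state from privileged EXEC:
!   show mls qos interface FastEthernet0/2
!   show interfaces FastEthernet0/2 switchport
```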