From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Aug 24 2008 - 20:07:38 ART
After reading Brett's post and the doc cd a little more, I'm starting to
doubt my own experience using this command in production (and in my rack).
I guess a couple of phones and my 3560 will settle it tomorrow though...
-Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Hobbs
Sent: Sunday, August 24, 2008 6:20 PM
To: GS CCIE-Lab
Subject: Re: mls qos trust device cisco-phone -vs- mls qos trust cos
Thank you both for the information. From what I understand now "trust
device" just puts a condition on whether to trust the cos or not.
The thing about the solution guide is that it doesn't have "trust device"
just "mls qos trust cos" and "switchport priority extend cos 1" to remark PC
traffic.
So I would say that "mls qos trust device" does not require "mls qos trust
cos". "mls qos trust device" is used so that a user can't plug the pc into
the port and send high priority traffic.
Since the task explicitly stated "7960 phone" I thought that's what they
were hinting at, but it appears not. But, it also seems either solution will
work.
On Sun, Aug 24, 2008 at 3:28 PM, Joseph Brunner <joe@affirmedsystems.com> wrote:
> Thanks Brett...
>
> So the mls qos trust device has no effect WITHOUT the MLS qos cos trust
> command?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> brett spunt
> Sent: Sunday, August 24, 2008 5:22 PM
> To: GS CCIE-Lab; Hobbs
> Subject: Re: mls qos trust device cisco-phone -vs- mls qos trust cos
>
> Hobbs,
>
> There is a difference. Trust cos does just that... trusts cos of incoming
> packets to that port.
>
> "mls qos trust device cisco-phone" enables a "trusted boundary feature",
> similar to the command "switchport priority extend cos #", except it only
> trusts the cos values if the first connected device is an IP Phone (if
> trust cos is enabled ALSO).
>
> You need both to accomplish both (trusted boundary and trust cos values), but
> you only need mls qos trust cos to trust the cos value of the phone. That
> would accomplish the criteria...
>
> see this link
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sed/configuration/guide/swqos.html#wp1229179
>
> plus I pasted info directly into this email from this link...
>
> Configuring a Trusted Boundary to Ensure Port Security :
>
> "mls qos trust device cisco-phone"
>
> In a typical network, you connect a Cisco IP Phone to a switch port, as
> shown in Figure 32-12, and cascade devices that generate data packets from
> the back of the telephone. The Cisco IP Phone guarantees the voice quality
> through a shared data link by marking the CoS level of the voice packets as
> high priority (CoS = 5) and by marking the data packets as low priority
> (CoS = 0). Traffic sent from the telephone to the switch is typically marked
> with a tag that uses the 802.1Q header. The header contains the VLAN
> information and the class of service (CoS) 3-bit field, which is the
> priority of the packet.
>
> For most Cisco IP Phone configurations, the traffic sent from the telephone
> to the switch should be trusted to ensure that voice traffic is properly
> prioritized over other types of traffic in the network. By using the mls qos
> trust cos interface configuration command, you configure the switch port to
> which the telephone is connected to trust the CoS labels of all traffic
> received on that port. Use the mls qos trust dscp interface configuration
> command to configure a routed port to which the telephone is connected to
> trust the DSCP labels of all traffic received on that port.
>
> With the trusted setting, you also can use the trusted boundary feature to
> prevent misuse of a high-priority queue if a user bypasses the telephone and
> connects the PC directly to the switch. Without trusted boundary, the CoS
> labels generated by the PC are trusted by the switch (because of the trusted
> CoS setting). By contrast, trusted boundary uses CDP to detect the presence
> of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960)
> on a switch port. If the telephone is not detected, the trusted boundary
> feature disables the trusted setting on the switch port and prevents misuse
> of a high-priority queue. Note that the trusted boundary feature is not
> effective if the PC and Cisco IP Phone are connected to a hub that is
> connected to the switch.
>
> In some situations, you can prevent a PC connected to the Cisco IP Phone
> from taking advantage of a high-priority data queue. You can use the
> switchport priority extend cos interface configuration command to configure
> the telephone through the switch CLI to override the priority of the traffic
> received from the PC.
>
> Beginning in privileged EXEC mode, follow these steps to enable trusted
> boundary on a port:
>
>
> ___________________________________
> Brett Michael Spunt, CCIE No. 12745
> Senior Consultant
> Convergence Practice, AT&T Consulting
> http://www.att.com/consulting
> Bs3757@att.com
> Your world. Delivered.
>
>
>
> --- On Sun, 8/24/08, Hobbs <deadheadblues@gmail.com> wrote:
>
> > From: Hobbs <deadheadblues@gmail.com>
> > Subject: mls qos trust device cisco-phone -vs- mls qos trust cos
> > To: "GS CCIE-Lab" <ccielab@groupstudy.com>
> > Date: Sunday, August 24, 2008, 1:00 PM
> > Hello,
> >
> > I had a task that states that there are 7960 IP phones connected to a
> > switchport and the phone's cos value (cos 5) must be trusted. I used the
> > command:
> >
> > int f0/7
> > mls qos trust device cisco-phone
> >
> > but the answer had:
> >
> > int f0/7
> > mls qos trust cos
> >
> > I have 4 questions:
> >
> > In this scenario, is there a difference between these two commands?
> > Are both enabling trust of the phone's cos value?
> > Does the "trust device" require the "trust cos" command to take effect?
> > Consider if you are also using "switchport priority extend cos #" command,
> > does either option still work as normal?
> >
> > here is the doccd reference and it seems both would do the trick.
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/command/reference/cli1.html#wp2331034
> >
> > thank you,
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART
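
Added example (not part of the original thread or of Cisco's documentation): a small Python audit that applies the distinction discussed above to switch configuration text, separating ports that trust CoS/DSCP unconditionally from ports where trust is gated by the CDP-based trusted boundary. The sample configuration, the state labels and the rule that trunk ports are skipped are assumptions made for this example.

```python
import re
# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/7
 mls qos trust cos
!
interface FastEthernet0/8
 mls qos trust device cisco-phone
 mls qos trust cos
 switchport priority extend cos 1
!
interface FastEthernet0/9
 mls qos trust device cisco-phone
!
interface GigabitEthernet0/1
 switchport mode trunk
 mls qos trust cos
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands configured under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(" ".join(line.split()))
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_trust(config):
    """Classify the QoS trust state of every non-trunk port."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            continue  # assumption: trunks are switch uplinks, trusted on purpose
        trusts = any(c in ("mls qos trust cos", "mls qos trust dscp") for c in cmds)
        boundary = "mls qos trust device cisco-phone" in cmds
        if trusts and not boundary:
            report[name] = "unconditional-trust"  # a directly attached PC is trusted
        elif trusts and boundary:
            report[name] = "trusted-boundary"  # trust only while CDP sees a phone
        elif boundary:
            report[name] = "boundary-only"  # the case the thread debates
    return report

if __name__ == "__main__":
    print(audit_trust(SAMPLE_CONFIG))
```

Ports reported as `unconditional-trust` are the ones where a user who bypasses the phone can reach the high-priority queue, per the documentation quoted in the thread.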