From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Fri Sep 12 2008 - 12:32:35 ART
Ouch, you were not alone here.
Actually, it is (in my view) even more complex, because usually
we think about trusting/not trusting as a global thing.
Thing is that if you don't trust at the switch, the switch will just
not pay attention to any QOS marking and let them move on (i.e.
it will not remark either).
So a real ok (from the QOS standpoint) config for a (possibly phone
serving) port seems to be:
1) (config-if)# mls qos trust
2) (config-if)# mls qos trust device cisco-phone
3) (config-if)# switchport priority extend cos 0
4) (config-if)# mls qos cos override
Without (4), this switch will not pay attention (when not connected to a
cisco phone) but the marking will pass through and the rest of the
network will honor it.
Still, I've been unable to validate (3).
Without it, could a malicious PC insert marked (trusted) traffic?
But I have been unable to confirm this, or actually to get any specific
marking working. I.e. "switchport priority extend cos 1" does not
get the PC traffic marked with COS 1.
(tests done with a 7941 and 2950)
-Carlos
Joseph Brunner @ 24/08/2008 20:07 -0300 wrote:
> After reading Brent's post and the doc cd a little more, I'm starting to
> doubt my own experience using this command in production (and in my rack)
>
> I guess a couple of phones and my 3560 will settle it tomorrow though...
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Hobbs
> Sent: Sunday, August 24, 2008 6:20 PM
> To: GS CCIE-Lab
> Subject: Re: mls qos trust device cisco-phone -vs- mls qos trust cos
>
> Thank you both for the information. From what I understand now "trust
> device" just puts a condition on whether to trust the cos or not.
>
> The thing about the solution guide is that it doesn't have "trust device"
> just "mls qos trust cos" and "switchport priority extend cos 1" to remark PC
> traffic.
>
> So I would say that "mls qos trust device" does not require "mls qos trust
> cos". "mls qos trust device" is used so that a user can't plug the pc into
> the port and send high priority traffic.
>
> Since the task explicitly stated "7960 phone" I thought that's what they
> were hinting at, but it appears not. But, it also seems either solution will
> work.
>
>
> On Sun, Aug 24, 2008 at 3:28 PM, Joseph Brunner
> <joe@affirmedsystems.com>wrote:
>
>> Thanks brent...
>>
>> So the mls qos trust device has no effect WITHOUT the MLS qos cos trust
>> command?
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> brett spunt
>> Sent: Sunday, August 24, 2008 5:22 PM
>> To: GS CCIE-Lab; Hobbs
>> Subject: Re: mls qos trust device cisco-phone -vs- mls qos trust cos
>>
>> Hobbs,
>>
>> There is a difference. Trust cos does just that... trusts the CoS of incoming
>> packets to that port.
>>
>> "mls qos trust device cisco-phone" enables a "trusted boundary feature",
>> similar to the command "switchport priority extend cos #", except it only
>> trusts the cos values if the first connected device is an IP Phone. (if
>> trust cos is enabled ALSO)
>>
>> You need both to accomplish both (trusted boundary and trust cos values)
>> but
>> you only need mls qos trust cos to trust the cos value of the phone. that
>> would accomplish the criteria...
>>
>> see this link
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sed/configuration/guide/swqos.html#wp1229179
>>
>> plus I pasted info directly into this email from this link...
>>
>> Configuring a Trusted Boundary to Ensure Port Security:
>>
>> "mls qos trust device cisco-phone"
>>
>> In a typical network, you connect a Cisco IP Phone to a switch port, as
>> shown in Figure 32-12, and cascade devices that generate data packets from
>> the back of the telephone. The Cisco IP Phone guarantees the voice quality
>> through a shared data link by marking the CoS level of the voice packets as
>> high priority (CoS = 5) and by marking the data packets as low priority
>> (CoS = 0). Traffic sent from the telephone to the switch is typically marked
>> with a tag that uses the 802.1Q header. The header contains the VLAN
>> information and the class of service (CoS) 3-bit field, which is the
>> priority of the packet.
>>
>> For most Cisco IP Phone configurations, the traffic sent from the telephone
>> to the switch should be trusted to ensure that voice traffic is properly
>> prioritized over other types of traffic in the network. By using the mls
>> qos trust cos interface configuration command, you configure the switch port
>> to which the telephone is connected to trust the CoS labels of all traffic
>> received on that port. Use the mls qos trust dscp interface configuration
>> command to configure a routed port to which the telephone is connected to
>> trust the DSCP labels of all traffic received on that port.
>>
>> With the trusted setting, you also can use the trusted boundary feature to
>> prevent misuse of a high-priority queue if a user bypasses the telephone
>> and connects the PC directly to the switch. Without trusted boundary, the
>> CoS labels generated by the PC are trusted by the switch (because of the
>> trusted CoS setting). By contrast, trusted boundary uses CDP to detect the
>> presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940,
>> and 7960) on a switch port. If the telephone is not detected, the trusted
>> boundary feature disables the trusted setting on the switch port and
>> prevents misuse of a high-priority queue. Note that the trusted boundary
>> feature is not effective if the PC and Cisco IP Phone are connected to a
>> hub that is connected to the switch.
>>
>> In some situations, you can prevent a PC connected to the Cisco IP Phone
>> from taking advantage of a high-priority data queue. You can use the
>> switchport priority extend cos interface configuration command to configure
>> the telephone through the switch CLI to override the priority of the
>> traffic received from the PC.
>>
>> Beginning in privileged EXEC mode, follow these steps to enable trusted
>> boundary on a port:
>>
>>
>> ___________________________________
>> Brett Michael Spunt, CCIE No. 12745
>> Senior Consultant
>> Convergence Practice, AT&T Consulting
>> http://www.att.com/consulting
>> Bs3757@att.com
>> Your world. Delivered.
>>
>>
>>
>> --- On Sun, 8/24/08, Hobbs <deadheadblues@gmail.com> wrote:
>>
>>> From: Hobbs <deadheadblues@gmail.com>
>>> Subject: mls qos trust device cisco-phone -vs- mls qos trust cos
>>> To: "GS CCIE-Lab" <ccielab@groupstudy.com>
>>> Date: Sunday, August 24, 2008, 1:00 PM
>>> Hello,
>>>
>>> I had a task that states the there are 7960 ip phones
>>> connected to a
>>> switchport and the phone's cos value (cos 5) must be
>>> trusted. I used the
>>> command:
>>>
>>> int f0/7
>>> mls qos trust device cisco-phone
>>>
>>> but the answer had:
>>>
>>> int f0/7
>>> mls qos trust cos
>>>
>>> I have 4 questions:
>>>
>>> In this scenario, is there a difference between these two
>>> commands?
>>> Are both enabling trust of the phones cos value?
>>> Does the "trust device" require the "trust
>>> cos" command to take effect?
>>> Consider if you are also using "switchport priority
>>> extend cos #" command,
>>> does either option still work as normal?
>>>
>>> here is the doccd reference and it seems both would do the
>>> trick.
>>>
>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/command/reference/cli1.html#wp2331034
>>> thank you,
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>
-- Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
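An added example, not from any poster in this thread and not Cisco's code: a small Python audit that reads a Catalyst running-config and reports, per access port, the trust situation the thread argues about. The embedded config is constructed (interface names and VLAN ids are made up); Fa0/7 carries only "mls qos trust cos" as in the solution guide answer, Fa0/8 the four-command sequence from the reply above, and Fa0/9 "trust device" alone. The unconditional-trust and boundary-without-trust checks encode what the quoted 3560 QoS guide says; the cos-override and global-enable checks encode the documented behaviour of "mls qos cos override" (trust state ignored, port default CoS applied to every ingress frame, the phone's own voice frames included) and of the global "mls qos" command, which the quoted excerpt does not cover.

```python
"""Audit Catalyst access-port QoS trust settings in a saved running-config.

Added example for this thread; the config below is constructed (interface
names and VLAN ids are made up), not taken from any of the posters' labs.
"""
import re

# Constructed sample: Fa0/7 is the "mls qos trust cos" only answer, Fa0/8 is
# the four-command sequence from the reply above, Fa0/9 has trust device alone.
SAMPLE_CONFIG = """\
!
mls qos
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust cos
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust cos
 mls qos trust device cisco-phone
 switchport priority extend cos 0
 mls qos cos override
!
interface FastEthernet0/9
 switchport access vlan 10
 mls qos trust device cisco-phone
!
"""


def parse_config(config):
    """Split IOS config text into (set of global lines, {interface: [lines]})."""
    global_lines, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # a '!' line ends the current stanza
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.add(raw.strip())
    return global_lines, interfaces


def audit_port(lines):
    """Return finding strings for one switchport, per the 3560 QoS guide."""
    trust_cos = "mls qos trust cos" in lines
    boundary = "mls qos trust device cisco-phone" in lines
    override = "mls qos cos override" in lines
    voice_vlan = any(l.startswith("switchport voice vlan") for l in lines)
    extend = None  # None (not configured), "trust", or an int CoS value
    for l in lines:
        m = re.fullmatch(r"switchport priority extend (?:cos (\d)|(trust))", l)
        if m:
            extend = "trust" if m.group(2) else int(m.group(1))
    findings = []
    if override:
        # Documented behaviour of 'mls qos cos override': the trust state is
        # ignored and every ingress frame, the phone's CoS 5 voice frames
        # included, gets the port default CoS (0 unless 'mls qos cos N' is set).
        findings.append("cos-override: trust ignored, all ingress CoS rewritten to the port default")
    elif trust_cos and not boundary:
        # Guide: without trusted boundary the PC's CoS labels are trusted too.
        findings.append("unconditional-trust: CoS accepted from any device, a PC on this port can send CoS 5")
    elif boundary and not trust_cos:
        # Trusted boundary only conditions an existing trust setting.
        findings.append("boundary-without-trust: trust device cisco-phone set but there is no trust cos for it to gate")
    if extend == "trust":
        findings.append("extend-trust: phone told to pass the PC port's CoS through unchanged")
    elif extend is None and voice_vlan:
        findings.append("extend-unset: PC-port CoS handling left to the phone's default")
    return findings


def audit_config(config):
    """Map interface name (or '_global') to its findings; empty dict = clean."""
    global_lines, interfaces = parse_config(config)
    report = {}
    if "mls qos" not in global_lines:
        # Without global 'mls qos' the per-port trust commands do nothing.
        report["_global"] = ["mls qos not enabled globally: port trust/marking has no effect"]
    for name, lines in interfaces.items():
        found = audit_port(lines)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"{name}: {f}")
```

Run it against "show running-config" output saved to a file and feed the text to audit_config(); a port that trusts CoS, has trusted boundary, and pins the PC port with "switchport priority extend cos 0" produces no findings, which is the state the thread is trying to reach. The hub caveat from the guide (trusted boundary cannot tell a PC behind a hub from the phone) is not something a config audit can see.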
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART