1. Introduction
The QoS trust boundary defines where in the network QoS markings (Layer 3 DSCP or Layer 2 CoS) are trusted as received, rewritten, or overridden. It ensures that only trusted devices (such as IP phones or network switches) can set QoS values, while preventing unauthorized or misconfigured endpoints from degrading network performance for everyone else.
2. Why is the Trust Boundary Important?
If the network blindly trusts all QoS markings:
- 🚨 Security risk → end users could set high-priority DSCP values to obtain more bandwidth.
- 🚨 Misconfiguration → incorrect markings from endpoints can cause congestion.
- 🚨 Unfair bandwidth usage → an ordinary PC could mark its traffic as VoIP, starving real-time applications.
To prevent these issues, network devices must decide at which point QoS markings are trusted and at which point they are overwritten.
3. Where Should the Trust Boundary Be Set?
Trust Scenarios
| Trust Model | Description | Example Devices |
|---|---|---|
| Trust at the Edge | QoS markings from endpoints are accepted | Cisco IP Phones |
| Trust at Access Switch | Switch verifies and applies QoS policies | Cisco Catalyst Switch |
| Trust at Distribution/Core | Only backbone switches/routers enforce QoS | Core Routers |
Best Practices
- Endpoints (PCs, users) → 🚫 DO NOT TRUST (override their QoS values).
- IP phones, APs → ✅ Trust QoS markings (mark and prioritize voice traffic).
- Access switches → ⚠️ Conditional trust (verify markings, rewrite if needed).
- Core/distribution layer → ✅ Strictly enforce QoS policies.
4. Configuring the QoS Trust Boundary on Cisco Switches
Cisco Catalyst switches let administrators set the trust state per interface. Note that the interface-level `mls qos trust` commands below only take effect once QoS has been enabled globally with `mls qos`; with QoS disabled, the switch passes all markings through unchanged, which is effectively trusting every endpoint.
A. Trust DSCP from an IP Phone, Not from a PC
Most Cisco IP phones mark their own traffic correctly, but a PC plugged into the same port must not be trusted.
To trust DSCP on the port only while a Cisco IP phone is actually detected there:
```
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 10
 mls qos trust dscp
 mls qos trust device cisco-phone
```
- `mls qos trust dscp` → trust the DSCP values arriving on this port.
- `mls qos trust device cisco-phone` → make that trust conditional: it is in effect only while a Cisco IP phone is detected on the port via CDP; if a PC is plugged in directly, the port falls back to untrusted and its markings are rewritten.
- `switchport voice vlan 10` → places the phone's traffic in the voice VLAN so it is prioritized correctly.
Caveat: the phone rewrites only the CoS of frames from a PC daisy-chained behind it, not their DSCP, so with `trust dscp` the PC's own DSCP values are still honoured once a phone is present. For phone-plus-PC ports, the CoS-based configuration in section B is the one that actually keeps the PC outside the trust boundary.
B. Remove Trust from an Untrusted Device (PC)
To keep the phone's markings but override those of the PC behind it:
```
interface GigabitEthernet1/0/2
 mls qos trust cos
 mls qos trust device cisco-phone
 switchport priority extend cos 0
```
- `mls qos trust cos` → trust the 802.1p CoS value of incoming frames; the switch derives the internal DSCP from it using the CoS-to-DSCP map.
- `mls qos trust device cisco-phone` → apply that trust only while a Cisco IP phone is detected on the port, never for a directly attached PC.
- `switchport priority extend cos 0` → instruct the phone to rewrite the CoS of frames it forwards from its PC port to 0, so the PC's traffic enters the switch as best effort even though the port is trusted.
C. Rewriting QoS Markings (Reclassify Traffic)
If untrusted devices send incorrect markings, we can override them with an input policy:
```
policy-map RECLASSIFY
 class class-default
  set dscp default
!
interface GigabitEthernet1/0/3
 service-policy input RECLASSIFY
```
- This resets all traffic entering the port to DSCP 0 (best effort) unless an earlier class in the policy-map explicitly classifies it; additional `class` entries matching known-good traffic can be placed before `class-default` when some flows must keep or receive a specific marking.
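As an added example (not part of the original article), the Python script below audits a constructed running-config excerpt against the best practices from section 3: it flags interfaces that trust markings unconditionally (no `mls qos trust device cisco-phone`), flags phone-conditional DSCP trust because the phone does not rewrite a PC's DSCP, and flags a missing global `mls qos`. The interface names and descriptions in the sample are invented.

```python
import re

# Constructed running-config excerpt used as sample input; not taken from a real device.
SAMPLE_CONFIG = """\
mls qos
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 10
 mls qos trust dscp
 mls qos trust device cisco-phone
!
interface GigabitEthernet1/0/2
 switchport voice vlan 10
 mls qos trust cos
 mls qos trust device cisco-phone
 switchport priority extend cos 0
!
interface GigabitEthernet1/0/3
 service-policy input RECLASSIFY
!
interface GigabitEthernet1/0/4
 description user PC (misconfigured: unconditional trust)
 mls qos trust dscp
!
interface GigabitEthernet1/0/5
 description user PC (default: untrusted)
!
"""

TRUST_RE = re.compile(r"^mls qos trust (dscp|cos|ip-precedence)$")


def parse_interfaces(config):
    """Split a running-config into {interface name: [indented lines]}."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas


def global_qos_enabled(config):
    """Interface trust commands only take effect once 'mls qos' is set globally."""
    return any(line.strip() == "mls qos" for line in config.splitlines())


def audit_interface(name, lines):
    """Return (severity, message) findings for one interface stanza."""
    trust, conditional, policy = None, False, None
    for line in lines:
        m = TRUST_RE.match(line)
        if m:
            trust = m.group(1)
        elif line == "mls qos trust device cisco-phone":
            conditional = True
        elif line.startswith("service-policy input "):
            policy = line.split()[-1]
    findings = []
    if trust and not conditional:
        findings.append(("HIGH", f"{name}: unconditional 'trust {trust}'; "
                         "any endpoint on this port can set its own markings"))
    elif trust == "dscp" and conditional:
        findings.append(("MEDIUM", f"{name}: phone-conditional DSCP trust; a PC behind "
                         "the phone still has its DSCP honoured (phone rewrites CoS, not DSCP)"))
    # Conditional CoS trust, an input policy-map (policy is set), or no trust at all
    # (default: untrusted, markings rewritten to 0) are all acceptable boundaries.
    return findings


def audit_config(config):
    """Audit a whole running-config; returns a list of (severity, message)."""
    findings = []
    if not global_qos_enabled(config):
        findings.append(("HIGH", "global: 'mls qos' not enabled; "
                         "markings pass through unchanged on every port"))
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports GigabitEthernet1/0/1 as MEDIUM and GigabitEthernet1/0/4 as HIGH, while the conditional CoS port, the reclassifying port and the untouched PC port pass. Feeding it the same text with the `mls qos` line removed adds a HIGH global finding, which is the case people most often miss when only the interfaces look right.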
5. Verifying Trust Settings
To check the configured and operational trust state of an interface:
```
show mls qos interface GigabitEthernet1/0/1
```
To see how an applied policy-map is classifying traffic:
```
show policy-map interface GigabitEthernet1/0/1
```
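A way to check the verification output across many ports, as an added example that is not part of the original page: the script below parses constructed `show mls qos interface` output (the field names follow the usual Catalyst layout; the port names and values are invented) and reports whether each port is operationally trusted and whether that trust is conditional on a detected phone. Note the third port: conditional trust is configured, but with no phone present the switch reports `not trusted`, which is the intended fallback.

```python
# Constructed 'show mls qos interface' output for three ports. The field names follow
# the usual Catalyst layout, but the ports and values are invented for this example.
SAMPLE_SHOW = """\
GigabitEthernet1/0/1
trust state: trust dscp
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based

GigabitEthernet1/0/4
trust state: trust dscp
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

GigabitEthernet1/0/6
trust state: not trusted
trust mode: trust cos
trust enabled flag: dis
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based
"""


def parse_show_mls_qos(text):
    """Return {interface: {field: value}}; a line without ':' starts a new port."""
    ports, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if ":" not in line:
            current = line.strip()
            ports[current] = {}
        elif current is not None:
            key, _, value = line.partition(":")
            ports[current][key.strip().lower()] = value.strip()
    return ports


def trust_status(fields):
    """Classify a port from its operational 'trust state' and configured 'trust mode'."""
    state = fields.get("trust state", "not trusted")
    mode = fields.get("trust mode", "not trusted")
    device = fields.get("trust device", "none")
    if state == "not trusted":
        # Trust configured but conditional on a phone that is not currently detected.
        if mode != "not trusted" and device == "cisco-phone":
            return "untrusted (conditional trust, no phone detected)"
        return "untrusted"
    if device == "cisco-phone":
        return "trusted (phone detected)"
    # Trusted with no trust device: whatever is plugged in sets its own markings.
    return "trusted (unconditional)"


def verify_trust(text):
    """Map every interface in the show output to its trust classification."""
    return {port: trust_status(fields) for port, fields in parse_show_mls_qos(text).items()}


if __name__ == "__main__":
    for port, status in verify_trust(SAMPLE_SHOW).items():
        print(f"{port}: {status}")
```

The "trusted (unconditional)" result is the one to act on: it means a port honours markings from any device without a phone check, which is exactly what the trust boundary is meant to prevent.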
6. Summary
| Scenario | Configuration |
|---|---|
| Trust DSCP from an IP phone (conditional on phone detection) | mls qos trust dscp; mls qos trust device cisco-phone |
| Trust CoS from Cisco phones only, PC CoS rewritten to 0 | mls qos trust cos; mls qos trust device cisco-phone; switchport priority extend cos 0 |
| Reclassify everything from an untrusted port | policy-map setting DSCP to default, applied with service-policy input |
| Check trust settings | show mls qos interface |
✅ Proper trust boundary configuration prevents abuse and ensures fair traffic prioritization! 🚀