Configuring a Trust Boundary

When a Cisco IP Phone is connected to a switch port, think of the phone as another switch (which it is). If you install the phone as a part of your network, you probably can trust the QoS information relayed by the phone.

However, remember that the phone also has two sources of data:

■ The VoIP packets native to the phone—The phone can control precisely what QoS information is included in the voice packets because it produces those packets.

■ The user PC data switch port—Packets from the PC data port are generated elsewhere, so the QoS information cannot necessarily be trusted to be correct or fair.

A switch instructs an attached IP Phone through CDP messages on how it should extend QoS trust to its own user data switch port. To configure the trust extension, use the following configuration steps:

Step 1 Enable QoS on the switch:

Switch(config)# mls qos

By default, QoS is disabled globally on a switch and all QoS information is allowed to pass from one switch port to another. When you enable QoS, all switch ports are configured as untrusted by default.

Step 2 Define the QoS parameter that will be trusted:

Switch(config)# interface type mod/num
Switch(config-if)# mls qos trust {cos | ip-precedence | dscp}

You can choose to trust the CoS, IP precedence, or DSCP values of incoming packets on the switch port. Only one of these parameters can be selected. Generally, for Cisco IP Phones, you should use the cos keyword because the phone can control the CoS values on its two-VLAN trunk with the switch.

Step 3 Make the trust conditional:

Switch(config-if)# mls qos trust device cisco-phone

You can also make the QoS trust conditional on a Cisco IP Phone being present. If this command is used, the QoS parameter defined in Step 2 is trusted only if a Cisco phone is detected through CDP. If a phone is not detected, the QoS parameter is not trusted.

Step 4 Instruct the IP Phone on how to extend the trust boundary:

Switch(config-if)# switchport priority extend {cos value | trust}

Normally, the QoS information from a PC connected to an IP Phone should not be trusted, because the PC's applications might try to spoof CoS or Differentiated Services Code Point (DSCP) settings to gain premium network service. In this case, use the cos keyword so that the IP Phone overwrites the CoS bits to the specified value as packets are forwarded to the switch. If CoS values from the PC cannot be trusted, they should be overwritten to a value of 0.

In some cases, the PC might be running trusted applications that are allowed to request specific QoS or levels of service. Here, the IP Phone can extend complete QoS trust to the PC, allowing the CoS bits to be forwarded through the phone unmodified. This is done with the trust keyword.

By default, a switch instructs an attached IP Phone to consider the PC port as untrusted. The phone overwrites the CoS values to 0.
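As an added example (not from the book or from Cisco), the following Python audit parses the interface blocks of a running-config excerpt and flags ports that break the trust boundary described in Steps 1 through 4: trust applied without the cisco-phone condition, PC-port CoS passed through unmodified, or QoS never enabled globally. The two config excerpts are constructed for the example; the interface name and VLAN numbers are assumptions.

```python
# Constructed sample running-config excerpts (not from the page). The weak
# port trusts CoS unconditionally and forwards the PC's CoS untouched; the
# hardened port follows Steps 1-4. Interface and VLAN numbers are assumed.
WEAK_CONFIG = """\
mls qos
!
interface FastEthernet0/1
 switchport voice vlan 110
 mls qos trust cos
 switchport priority extend trust
"""

HARDENED_CONFIG = """\
mls qos
!
interface FastEthernet0/1
 switchport voice vlan 110
 mls qos trust cos
 mls qos trust device cisco-phone
 switchport priority extend cos 0
"""

TRUST_COMMANDS = ("mls qos trust cos", "mls qos trust dscp", "mls qos trust ip-precedence")


def parse_interfaces(config):
    """Map each 'interface ...' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks


def audit_trust_boundary(config):
    """Return (scope, finding) pairs for trust-boundary weaknesses in a config."""
    findings = []
    if "mls qos" not in config.splitlines():  # Step 1: QoS must be on globally
        findings.append(("global", "QoS disabled: markings pass between ports unchecked"))
    for name, lines in parse_interfaces(config).items():
        trusts = any(l in TRUST_COMMANDS for l in lines)          # Step 2
        conditional = "mls qos trust device cisco-phone" in lines  # Step 3
        if trusts and not conditional:
            findings.append((name, "trust is unconditional; add 'mls qos trust device cisco-phone'"))
        if "switchport priority extend trust" in lines:           # Step 4
            findings.append((name, "PC CoS forwarded unmodified; prefer 'switchport priority extend cos 0'"))
    return findings
```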
