Specifications
White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Additional defaults can be found in the QoS configuration guides on CCO for a given software release.
7.2 Trusted and Un-trusted Ports
Any given port on the Catalyst 6500 can be configured as trusted or un-trusted. The trust state of the port dictates
how it marks, classifies and schedules the frame as it transits the switch. By default, all ports are in the un-trusted
state. This means that any packet entering that port will have its ToS and CoS rewritten with a zero value.
When QoS is enabled, consideration must therefore be given to devices that tag their packets with a priority. Devices
such as IP phones, Call managers, key servers, etc. should have their trust setting reviewed.
7.2.1. Un-trusted Ports (Default setting for ports)
Should a port be configured as an un-trusted port, a frame upon initially entering the port will have its CoS and ToS
value reset by the Forwarding Engine to zero. This means the frame will be given the lowest priority service on its
path through the switch. Alternatively, the administrator can reset the CoS value of any Ethernet frame that enters an
un-trusted port to a pre-determined value. Configuring this will be discussed in a later section.
Setting the port as un-trusted will instruct the switch to NOT perform any congestion avoidance. Congestion
avoidance is the method used to drop frames based on their CoS values once they exceed thresholds defined for
that queue. All frames entering this port will equally be eligible to be dropped once the buffers reach 100%. This
process is the same when trust-ipprec or trust-dscp on ingress is used.
Note: In Cisco IOS software, setting trust is not supported on 1Q4T ports except Gigabit Ethernet ports.
Cat6500(config)# interface gigabitethernet 1/1
Cat6500(config-if)# no mls qos trust
In the example above, you enter the interface configuration and then apply the no form of the command to set the
port as un-trusted.
7.2.2. Trusted Ports
Sometimes Ethernet frames entering a switch will have either a CoS or ToS setting that the administrator wants the
switch to maintain as the frame transits the switch. For this traffic, the administrator can set the trust state of a port
where that traffic comes into the switch as trusted.
As mentioned earlier, the switch uses a DSCP value internally to assign a predetermined level of service to that
frame. As a frame enters a trusted port, the administrator can configure the port to look at either the existing CoS, IP
Precedence or DSCP value to set the internal DSCP value. Alternatively, the administrator can set a predefined
DSCP to every packet that enters the port. This is achieved by attaching an ACL with a predefined DSCP.
With Cisco IOS, trust can be set on a Gigabit Ethernet interface, a 10GE interface, 10/100 ports
on the WS-X6548-RJ45/21 line card and 100Mb ports on the WS-X6524 100FX (as well as the 6148/6548-GE-TX
linecards).
Setting the trust state of a port to trusted can be achieved using the following command:
Cat6500(config)# interface gigabitethernet 5/4
Cat6500(config-if)# mls qos trust ip-precedence
This example sets the trust state of Gigabit Ethernet port 5/4 to trusted. The frame's IP precedence value will be used
to derive the DSCP value.
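The trust behavior described in 7.2.1 and 7.2.2 can be checked against a saved configuration with a short script. This is an added example, not Cisco code: it reads the per-interface trust state and shows the internal DSCP a sample frame would receive. It assumes the default CoS-to-DSCP and IP-precedence-to-DSCP maps (value multiplied by 8) and ignores a configured port CoS and ACL-based marking; the function names and the sample configuration are constructed for illustration.

```python
import re
# Assumed default CoS->DSCP and IP-precedence->DSCP maps (value * 8).
DEFAULT_MAP = [v * 8 for v in range(8)]

# Constructed sample configuration; interface names follow the page's examples.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 no mls qos trust
!
interface GigabitEthernet5/4
 mls qos trust ip-precedence
!
interface GigabitEthernet5/5
"""

def parse_trust(config):
    """Map each interface to its trust state; the default is 'untrusted'."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():          # top-level line: new stanza or end of one
            m = re.match(r"interface\s+(.+)$", line, re.I)
            current = m.group(1).replace(" ", "").lower() if m else None
            if current:
                ports[current] = "untrusted"
        elif current:
            t = re.fullmatch(r"(no\s+)?mls\s+qos\s+trust(?:\s+(cos|dscp|ip-precedence))?", line)
            if t and (t.group(1) or t.group(2)):
                ports[current] = "untrusted" if t.group(1) else t.group(2)
    return ports

def internal_dscp(trust, cos, tos):
    """Internal DSCP derived on ingress from 802.1p CoS and the IP ToS byte."""
    if trust == "cos":
        return DEFAULT_MAP[cos & 0x7]
    if trust == "ip-precedence":
        return DEFAULT_MAP[(tos >> 5) & 0x7]
    if trust == "dscp":
        return (tos >> 2) & 0x3F
    return 0                               # un-trusted: CoS and ToS reset to zero

def audit(config, cos, tos):
    """Return {interface: (trust_state, internal_dscp)} for one sample frame."""
    return {p: (t, internal_dscp(t, cos, tos)) for p, t in parse_trust(config).items()}

if __name__ == "__main__":
    # Constructed frame: CoS 5, ToS 0xB8 (DSCP 46, IP precedence 5).
    for port, (trust, dscp) in audit(SAMPLE_CONFIG, cos=5, tos=0xB8).items():
        print(f"{port:24} trust={trust:14} internal DSCP={dscp}")
```

Ports that report a trust state other than untrusted are the ones where an attached device's own markings decide its service level, so those are the ports to review.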