By default Cisco Catalyst switch does not take into account any bit from the Layer 2 CoS or Layer 3 ToS field. Does it mean that packets will be transmited in the original for and CoS/ToS fiels will be untouched.
Once we enable quality of service (QoS) for the entire switch using:
SW(config)#mls qosQoS will be enabled with the default parameters on all ports in the system. What it means that switch by default will remark CoS and ToS values to default 0 (zero).
Once we enable trusting under interface then system will analyze CoS and ToS fields. We have two options; trusting CoS or ToS (DSCP). If you would learn more about the QoS language take a look on this post.

Below you can find some examples and clarifications about sepcific options:

Trusting CoS
SW(config-if)#mls qos trust cos

  • Switch gets packet with CoS=5
  • Switch will pass through CoS value untouch, but DSCP will be rewritten based on the map table (by default CoS 5 will set DSCP to 46)
  • Conclustion: DSCP value is set based on the mls qos map cos-dscp

Trusting DSCP
SW(config-if)#mls qos trust dscp

  • Switch gets packet with CoS=4 and DSCP=46
  • Switch will pass through DSCP value untouch but CoS will be rewritten based on the map table (by default DSCP will rewrite CoS to 5 )
  • Conclusion: CoS value is set based on the mls qos map dscp-cos

Assigning CoS to port
SW(config-if)#mls qos cos 5

  • Switch gets packet on CoS untrusted port without QoS field, so it’s kind of untagged frame without 802.1p field(like in case of native VLAN)
  • Switch sets default CoS value that is assigned to the port, in this case CoS 5 (by default is 0). Marked value (CoS 5) later on is used to mark DSCP based on the mls qos map cos-dscp.
  • Conclusion: CoS value is set for all non capable 802.1p tag (layer 2 QoS field) frames

CoS overriding
SW(config-if)#mls qos cos 5
SW(config-if)#mls qos cos override

  • Switch gets tagged frame with CoS value of 4
  • Switch will tag frame with CoS value of 5 then it’s used to mark DSCP base on the mls qos map cos-dscp.
  • Conclusion: switch sets CoS for all frames even if they have CoS value already assigned to (base on the value in mls qos cos x)

Trusting DSCP just from Cisco IP Phone
SW(config-if)#mls qos trust dscp
SW(config-if)#mls qos trust device cisco-phone

  • Switch has Cisco IP Phone connected (phone’s visible over CDP) that sends frames with DSCP=46
  • Switch will pass through DSCP value untouch, CoS will be marked based on the mls qos map dscp-cos
  • Conclusion: trusting DSCP value only when a Cisco Phone is connected and reported via CDP on the respective interface; works in conjunction with the mls qos trust dscp and mls qos trust cos commands

Here you are QoS settings for not connected port (base on the above configuration):
SW#sh mls qos interface gi1/0/1
GigabitEthernet1/0/1
trust state: not trusted
trust mode: trust dscp
trust enabled flag: dis
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based

And here you are QoS settings output once we connected Cisco IP Phone to the port:
SW#sh mls qos interface gi1/0/1
GigabitEthernet1/0/1
trust state: trusted
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based

as you can notice enabled flag field has changed to ena (enabled) and trust state changed to trusted state, so port is ready to trust DSCP.

No DSCP/IPP to CoS rewriting (3550 only)
SW(config-if)#mls qos trust dscp pass-through cos

  • Switch gets packet with DSCP=46 and CoS=0
  • Switch will pass through DSCP and CoS value untouch, so DSCP=46 and CoS=0
  • Conclustion: switch does not remark CoS value

No CoS to DSCP rewrite (2960, 3560, 3750 only)
SW(config)#no mls qos rewrite ip dscp
SW#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is disabled

  • Switch gets packet with DSCP=46
  • Switch will pass through DSCP value untouch
  • Conclustion: CoS will be trusted, DSCP will be preserved, switch does not modify DSCP value, leave it default as it is in the outgoing packet

Matching traffic with specific DSCP value in ACL (VLAN-Based) SW(config)#interface FastEthernet 1/1
SW(config-if)#switchport access vlan 100
SW(config-if)#switchport voice vlan 110
SW(config-if)#spanning-tree portfast
SW(config-if)#mls qos vlan-based
SW(config-if)#srr-queue bandwidth shape 10 0 0 0
SW(config-if)#srr-queue bandwidth share 10 30 40 20
SW(config-if)#queue-set 1
SW(config-if)#priority-queue out
SW(config-if)#ip access-list extended RTP
SW(config-ext-nacl)#permit udp any any range 16384 32767 dscp 46
SW(config-ext-nacl)#class-map match-any VOICE
SW(config-cmap)#match access-group name RTP
SW(config-cmap)#policy-map POLICY-VOICE
SW(config-cmap)#class VOICE
SW(config-pmap-c)#set dscp af31
SW(config-pmap-c)#interface vlan 110
SW(config-if)#service-policy input POLICY-VOICE

  • Switch gets packet with DSCP=46 and CoS=0
  • Switch will set DSCP to 26 and CoS value based the mls qos map dscp-cos map table
  • Conclustion: mls qos vlan-based overrides QoS interfaces level trusting seetings, port will not clear the CoS/DSCP field even that we don’t have trusting under policy, CoS/DSCP will be preserve and can be match by class-map
  • If you have more or better example please share with us under comments. Enjoy!

    , ,

    It’s very important to understand the Native VLAN and VLAN 1 concept and what impact for Layer 2 protocol communication.
    Cisco switch uses some of Layer 2 protocols like CDP/VTP/DTP/PAgP/UDLD/BPDU are using by default VLAN 1 to communicates with the other switches. Switch sends it to reserverd 01:00:0C:CC:CC:CC MAC address it’s a kind of Layer 2 multicast group so all Cisco switches are looking for these frames. What is a connection with VLAN 1 and native VLAN. By default VLAN 1 is Native VLAN what is means is that is not taged at all. I’ve done a small test to figure it out VLAN 1, Native VLAN and protocols relationship. I have connected the PC with Wireshark directly to the Cisco 3550 switch and configure interface fa0/24 as below:
    interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode desirable 1

    What I get on Wireshark is STP, CDP, DTP and PAgP protocols, so all is working fine. Let’s add the switchport trunk allowed vlan 10 command and see the capture:
    interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10
    switchport mode trunk
    channel-group 1 mode desirable 1

    As we see nothing has changed. All layer protocols are transmited. It’s important to understand here what switchport trunk allowed vlan command exactly do. Command Reference says that it “sets the list of allowed VLANs that transmit traffic from this interface in tagged format when in trunking mode”. OK so what about vlan 1? Is it allowed or not. As VLAN 1 by default is not tagged so it will not be filtered out what capture has confirmed. Let’s make last test and change the native vlan to different on, for example VLAN 10:
    interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    swtchport trunk native vlan 10
    switchport trunk allowed vlan 10
    switchport mode trunk
    channel-group 1 mode desirable 1

    Thanks to this we have changed the Native VLAN from 1 to VLAN 10 so now VLAN 1 is tagged but due to command switchport trunk allowed vlan 10 is filtered out. So let’s see what we have in capture now.

    We have got just STP and DTP.

    Conclusion:
    STP and DTP frames have no relation to VLAN, so are always transmited over Native VLAN.
    CDP/VTP/PAgP/UDLD are always transmited over VLAN 1, if Native VLAN is 1 then will be transmited in untagged form, if VLAN 1 is tagged (Native VLAN is other VLAN then 1), protocols will be tagged with 1.

    I hope this has clarified the concept.

    ,