mls qos with mls qos trust

Issuing the 'mls qos' command on a switch makes all ports untrusted.  The markings are all set to zero.  So if we are asked to match on a marking wouldn't we need to issue the 'mls qos trust [device|cdp|ip-precedence|dscp]' command on the port?  For example: police traffic marked with a DSCP value of 'ef' to 1Mbps inbound on fa0/1:

mls qos
class-map EF
 match ip dscp ef
policy-map POLICE_EF
 class EF
  police 1000000 20000 exceed-action drop
int fa0/0
 service-policy input POLICE_EF

By issuing the 'mls qos' command won't all traffic inbound on f0/1 be untrusted and therefore be remarked as 000000 (default)?  If so, then our class-map will not match anything and our policing policy will not work.  Adding the 'mls qos trust dscp' command would maintain the DSCP markings and our class-map would match the 'ef' traffic.

I'm sure that I'm missing some key concept or order of operations issue because this would mean success for my class-map but it would also allow another device to pass DSCP-marked traffic into the network.

Any clarification would be greatly appreciated.

Thank you.


  • Port-level classification using "trust" command is mutually exclusive with the service-policy "based" classifications. When you apply a service-policy and set/trust markings inside the policy-map, IOS removes all interface level settings and behaves as instructed by the service-policy.

    In your example, you dont apply any marking. Thus, all packets will effectively have their markings reset to zero. If you want to retain the QoS labels, issue "trust" command under the respective class.

  • Hi  ,

    (..) so when we trust dscp , the CoS value is reseted/remarked to the internal dscp to cos mapping , and when we trust CoS we remark/reset  the existing dscp to the new dscp value from the internal mapping definition , and on both 3560 and 3550 is the same rule isn't it  ?

    ps . by default catalysts 3550 and 3560 without the "mls qos" global config trust all the dscp and cos markings ( pass through ) 

    thank you in advance for your confirmation ,

    kind regards ,


Sign In or Register to comment.