mls qos with mls qos trust
Issuing the 'mls qos' command on a switch makes all ports untrusted. The markings are all set to zero. So if we are asked to match on a marking, wouldn't we need to issue the 'mls qos trust [device|cdp|ip-precedence|dscp]' command on the port? For example: police traffic marked with a DSCP value of 'ef' to 1 Mbps inbound on fa0/1:
match ip dscp ef
police 1000000 20000 exceed-action drop
service-policy input POLICE_EF
By issuing the 'mls qos' command won't all traffic inbound on f0/1 be untrusted and therefore be remarked as 000000 (default)? If so, then our class-map will not match anything and our policing policy will not work. Adding the 'mls qos trust dscp' command would maintain the DSCP markings and our class-map would match the 'ef' traffic.
I'm sure that I'm missing some key concept or order-of-operations issue, because this would mean success for my class-map, but it would also allow another device to pass DSCP-marked traffic into the network.
Any clarification would be greatly appreciated.
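The configuration the question describes, written out in full as an added example (it is not from the original post): 'mls qos' enabled globally, the port set to trust DSCP as the poster proposes, and the EF policer applied inbound on fa0/1. The class-map name EF_TRAFFIC is an assumption; the policy-map name POLICE_EF comes from the post.

```cisco
! Enable QoS globally; until a trust state is set, every port is
! untrusted and ingress markings are rewritten to DSCP 0.
mls qos

! Class-map name is an assumption (not given in the post).
class-map match-all EF_TRAFFIC
 match ip dscp ef

! Policer from the post: 1 Mbps, 20000-byte burst, drop on exceed.
policy-map POLICE_EF
 class EF_TRAFFIC
  police 1000000 20000 exceed-action drop

interface FastEthernet0/1
 ! Preserve incoming DSCP so the class-map can see 'ef'.
 ! This trusts whatever DSCP the attached device sends, which is
 ! the exposure the post raises.
 mls qos trust dscp
 service-policy input POLICE_EF

! Verify the trust state and attached policy on the port.
! show mls qos interface FastEthernet0/1
```

The 'show mls qos interface' output reports the port's trust state ('trust state: trust dscp') and the input policy attached, which is the quickest way to confirm the port is no longer in the default untrusted state.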