- A
The policy-map is not applied to the correct interface direction.
Why wrong: Incorrect because the policy-map could be applied in the input direction, but without trust, the marking may still not be honored.
- B
The switch does not support DSCP-to-CoS mapping.
Why wrong: Incorrect because Catalyst 9300 switches support DSCP-to-CoS mapping.
- C
The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.
Correct because by default, Cisco switches do not trust incoming QoS markings; the trust command must be configured to accept the marking from the IP phone.
- D
The IP phone is not sending packets with DSCP EF.
Why wrong: Incorrect because the scenario states the engineer is trying to mark the packets, meaning the phone may or may not be marking them; the issue is on the switch side.
Quick Answer
The answer is that the interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command. This is correct because on Cisco Catalyst switches like the 9300, QoS trust boundaries are disabled by default on access ports; without an explicit trust command, the switch treats all incoming packets as untrusted and will ignore or overwrite any DSCP-to-CoS mapping set by a policy-map, even one matching DSCP EF. On the ENCOR 350-401 exam, this scenario tests your understanding of the QoS trust boundary concept—a common trap is assuming a policy-map alone can re-mark packets without first establishing trust. Remember that a policy-map only re-marks if the interface is told what to trust; otherwise, the switch defaults to the port’s configured CoS, often zero. A quick memory tip: “No trust, no touch”—without the trust command, your marking policy is effectively ignored.
CCNP QoS Architecture Practice Question
This 350-401 practice question tests your understanding of qos architecture. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A network engineer is configuring QoS on a Cisco Catalyst 9300 switch to prioritize voice traffic. The switch has multiple access ports connected to IP phones and PCs. The engineer applies a policy-map that matches DSCP EF and sets the CoS to 5. However, after testing, the voice packets are not being marked correctly. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"most likely"Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.
On Cisco Catalyst switches like the 9300, QoS marking policies applied via a policy-map only re-mark packets if the interface port is configured to trust a specific marking. Without the 'mls qos trust dscp' command, the switch defaults to an untrusted state and may ignore or overwrite the DSCP-to-CoS mapping set by the policy-map. Option C is correct because the missing trust command prevents the policy-map from correctly applying the CoS 5 marking to voice packets.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
The policy-map is not applied to the correct interface direction.
Why it's wrong here
Incorrect because the policy-map could be applied in the input direction, but without trust, the marking may still not be honored.
- ✗
The switch does not support DSCP-to-CoS mapping.
- ✓
The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.
Why this is correct
Correct because by default, Cisco switches do not trust incoming QoS markings; the trust command must be configured to accept the marking from the IP phone.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
The IP phone is not sending packets with DSCP EF.
Why it's wrong here
Incorrect because the scenario states the engineer is trying to mark the packets, meaning the phone may or may not be marking them; the issue is on the switch side.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the trust boundary concept, where candidates assume a policy-map alone is sufficient to re-mark packets, but the missing 'mls qos trust' command is the hidden prerequisite that causes the marking to fail.
Trap categories for this question
Scenario analysis trap
Incorrect because the scenario states the engineer is trying to mark the packets, meaning the phone may or may not be marking them; the issue is on the switch side.
Detailed technical explanation
How to think about this question
Under the hood, Cisco switches use a 'trust boundary' concept: by default, all ports are untrusted, meaning the switch overwrites any incoming CoS or DSCP values with the port's default. The 'mls qos trust dscp' command tells the switch to preserve the DSCP value from the incoming packet, allowing the policy-map to then map that DSCP to a new CoS. In a real-world scenario, if an IP phone sends DSCP EF (46) but the switch port lacks trust, the switch may reclassify the packet to best-effort (DSCP 0), breaking QoS prioritization.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the 350-401 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
QoS Architecture — study guide chapter
Learn the concepts, then practise the questions
- →
QoS Architecture practice questions
Targeted practice on this topic area only
- →
All 350-401 questions
2,015 questions across all exam domains
- →
ENCOR 350-401 study guide
Full concept coverage aligned to exam objectives
- →
350-401 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 350-401 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Architecture practice questions
Practise 350-401 questions linked to Architecture.
Enterprise Network Design practice questions
Practise 350-401 questions linked to Enterprise Network Design.
SD-Access Architecture practice questions
Practise 350-401 questions linked to SD-Access Architecture.
SD-WAN Architecture practice questions
Practise 350-401 questions linked to SD-WAN Architecture.
QoS Architecture practice questions
Practise 350-401 questions linked to QoS Architecture.
Virtualization practice questions
Practise 350-401 questions linked to Virtualization.
Network Function Virtualization practice questions
Practise 350-401 questions linked to Network Function Virtualization.
Virtual Machines and Hypervisors practice questions
Practise 350-401 questions linked to Virtual Machines and Hypervisors.
VRF and Path Isolation practice questions
Practise 350-401 questions linked to VRF and Path Isolation.
Infrastructure practice questions
Practise 350-401 questions linked to Infrastructure.
OSPF practice questions
Practise 350-401 questions linked to OSPF.
BGP practice questions
Practise 350-401 questions linked to BGP.
Practice this exam
Start a free 350-401 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 350-401 question test?
QoS Architecture — This question tests QoS Architecture — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command. — On Cisco Catalyst switches like the 9300, QoS marking policies applied via a policy-map only re-mark packets if the interface port is configured to trust a specific marking. Without the 'mls qos trust dscp' command, the switch defaults to an untrusted state and may ignore or overwrite the DSCP-to-CoS mapping set by the policy-map. Option C is correct because the missing trust command prevents the policy-map from correctly applying the CoS 5 marking to voice packets.
What should I do if I get this 350-401 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
2 more ways this is tested on 350-401
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Which two statements about the Cisco QoS trust boundary are true? (Choose two.)
medium- ✓ A.The trust boundary can be set at the access layer switch port connected to an IP phone.
- ✓ B.The 'mls qos trust cos' command configures the interface to trust the Layer 2 CoS value.
- C.By default, all Cisco switch interfaces trust the incoming CoS or DSCP marking.
- D.The trust boundary is always located at the distribution layer switch.
- E.When a PC is connected to a switch port, the switch automatically trusts the DSCP value from the PC.
Why A: The trust boundary defines where the device accepts or overwrites Layer 2 CoS or Layer 3 DSCP markings. By default, Cisco switches trust the CoS value on trunk ports and set DSCP to 0 on access ports. The 'mls qos trust cos' command forces the switch to trust CoS, and 'mls qos trust dscp' forces trust of DSCP. The trust boundary can be extended to an IP phone, which then re-marks traffic from the PC. Option C is incorrect because trust is not automatically applied to all interfaces; it must be configured. Option D is incorrect because the trust boundary is at the access layer, not the core. Option E is incorrect because the switch does not automatically trust DSCP from a PC; it typically sets it to 0 unless configured otherwise.
Variation 2. Which two statements about the QoS trust boundary on a Cisco switch are true? (Choose two.)
medium- A.By default, a Cisco switch port in access mode trusts the CoS value received from the attached device.
- ✓ B.On a trunk port, the switch can be configured to trust the CoS value by default.
- ✓ C.The trust boundary can be extended to the endpoint by configuring the interface with the 'mls qos trust' command.
- D.When a Cisco IP Phone is connected, the switch automatically trusts the CoS values from the phone but not from the PC behind the phone.
- E.The 'trust device cisco-phone' command enables the switch to trust all CoS values from both the phone and the attached PC.
Why B: The trust boundary defines which device in the network is trusted to mark QoS values. By default, Cisco switches trust the CoS value on trunk ports but do not trust the DSCP value on access ports. The trust boundary can be extended to the endpoint by configuring the switch port as trusted, and the Cisco IP Phone can override the marking from the attached PC.
Last reviewed: Jun 24, 2026
This 350-401 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-401 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.