CoS Marking Not Preserved Across Layer 3 Boundary
Presenting Symptom
Voice traffic from an IP phone is not being prioritized across a router, resulting in poor call quality.
Network Context
A small branch office with a Cisco 2960 switch (access layer) connected to a Cisco 4321 router (WAN edge). The switch trusts CoS markings from IP phones and maps them to internal DSCP. The router connects to an MPLS WAN. The issue occurs when traffic traverses the router; CoS markings are lost at the Layer 3 boundary.
Diagnostic Steps
Check CoS marking on the switch access port
show mls qos interface gigabitethernet 0/1trust state: trust cos CoS value: 5
If trust state is not 'trust cos', the switch may be re-marking or not trusting the CoS. Normal: trust cos with CoS 5 for voice.
Verify DSCP marking on the router ingress interface
show policy-map interface gigabitethernet 0/0/0GigabitEthernet0/0/0
Service-policy input: MARKING
class-map: VOICE (match-all)
5 packets, 1000 bytes
5 minute offered rate 0 bps
Match: ip dscp ef (46)
police:
1000000 bps, 10000 limit, 10000 extended limit
conformed 5 packets, 1000 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
violated 0 packets, 0 bytes; action: drop
Check if DSCP EF (46) is being matched. If not, the router may not be seeing the correct DSCP marking. Normal: packets match DSCP EF.
Check if QoS trust is configured on the router ingress interface
show mls qos interface gigabitethernet 0/0/0trust state: not trusted
If trust state is 'not trusted', the router will re-mark CoS/DSCP. This is the root cause. Normal: trust state should be 'trust dscp' or 'trust cos'.
Verify the egress interface QoS policy
show policy-map interface serial 0/1/0Serial0/1/0
Service-policy output: WAN-SHAPER
class-map: VOICE (match-all)
0 packets
Match: ip dscp ef (46)
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
If no packets match the VOICE class on egress, the DSCP marking is not preserved. Normal: packets should match and be queued appropriately.
Root Cause
The router ingress interface (GigabitEthernet0/0/0) does not have QoS trust enabled. By default, Cisco routers do not trust Layer 2 CoS markings; they re-mark the CoS and DSCP to 0. This causes the voice traffic to lose its priority marking when crossing the Layer 3 boundary.
Resolution
Verification
Run 'show mls qos interface gigabitethernet 0/0/0' and verify 'trust state: trust dscp'. Then run 'show policy-map interface serial 0/1/0' and verify that voice packets are now matching the VOICE class on egress.
Prevention
1. Always configure 'mls qos trust' on interfaces that connect to trusted devices like IP phones or switches that already mark traffic. 2. Use a consistent QoS marking strategy across Layer 2 and Layer 3 boundaries. 3. Implement end-to-end QoS policies that preserve markings.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where voice quality issues are reported. The exam tests understanding of QoS trust boundaries and the difference between Layer 2 CoS and Layer 3 DSCP. Candidates must know that routers do not trust CoS by default and must be configured to preserve markings.
Exam Tips
Remember that routers do not trust Layer 2 CoS; you must explicitly configure 'mls qos trust' on the ingress interface.
The default trust state on a router is 'not trusted', which causes all markings to be overwritten.
Know the command 'show mls qos interface' to verify trust state.
Commands Used in This Scenario
Test Your CCNA Knowledge
Practice with scenario-based questions to prepare for the CCNA 200-301 exam.
Practice CCNA Questions