QoS, CCNA 200-301

DSCP Trust Boundary Set at Wrong Device

Presenting Symptom

Voice traffic from IP phones experiences jitter and packet loss, while data traffic is unaffected, and QoS markings are not being honored across the network.

Network Context

A small branch office with a Cisco Catalyst 2960 switch (IOS 15.0) connecting IP phones and PCs. The switch uplinks to a Cisco ISR 4321 router (IOS 16.9) via a trunk port. The network uses DSCP-based QoS with trust boundaries expected at the access layer. The IP phones are configured to mark voice traffic with DSCP EF (46).

Diagnostic Steps

1. Check interface QoS trust state on the access switch

show mls qos interface gigabitethernet 0/1
GigabitEthernet0/1
 trust state: not trusted
 trust mode: not trusted
 COS override: dis
 default COS: 0
 DSCP mutation map: default

The interface is not trusted, meaning the switch will overwrite any DSCP markings from the IP phone. This is the expected state if trust is not configured, but it indicates the trust boundary is missing at the access layer.

2. Check QoS trust state on the uplink to the router

show mls qos interface gigabitethernet 0/24
GigabitEthernet0/24
 trust state: trust dscp
 trust mode: trust dscp
 COS override: dis
 default COS: 0
 DSCP mutation map: default

The uplink is trusted for DSCP. This is incorrect; trust should be at the access port, not the uplink. The router will see the markings from the switch, but the switch may have re-marked traffic if the access port is untrusted.

3. Verify QoS global configuration on the switch

show running-config | include mls qos
mls qos

QoS is enabled globally. This is necessary for trust to work.

4. Check the access port configuration

show running-config interface gigabitethernet 0/1
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 10
 spanning-tree portfast

The access port is configured for voice VLAN but missing the 'mls qos trust device cisco-phone' and 'mls qos trust cos' commands. The trust boundary is not set at the access layer.

5. Check the uplink port configuration

show running-config interface gigabitethernet 0/24
interface GigabitEthernet0/24
 switchport mode trunk
 mls qos trust dscp

The uplink has 'mls qos trust dscp' configured. This is the wrong location for trust; it should be on the access port. The switch is trusting markings from the router, but the access port is untrusted, so the switch may re-mark traffic from the phone.

Root Cause

The QoS trust boundary is incorrectly configured on the uplink interface (GigabitEthernet0/24) instead of the access port (GigabitEthernet0/1) where IP phones are connected. The access port lacks the 'mls qos trust device cisco-phone' and 'mls qos trust cos' commands, causing the switch to re-mark DSCP values from the phone to 0, while the uplink trusts DSCP markings that are now incorrect.

Resolution

Remove trust from the uplink and configure trust on the access port. On the access switch:

1. interface GigabitEthernet0/1
    mls qos trust device cisco-phone
    mls qos trust cos

2. interface GigabitEthernet0/24
    no mls qos trust dscp

Explanation: The access port is configured to trust the CoS markings from the Cisco IP phone (which maps to DSCP), and the uplink is set to not trust (default) to avoid trusting potentially re-marked traffic.

Verification

1. show mls qos interface gigabitethernet 0/1
   Expected: trust state: trust cos

2. show mls qos interface gigabitethernet 0/24
   Expected: trust state: not trusted

3. Verify voice traffic DSCP marking end-to-end: Use 'show mls qos ip' or packet capture to confirm DSCP EF is preserved.

Prevention

1. Always configure trust boundaries at the access layer where traffic enters the network (IP phones, cameras).

2. Use the 'mls qos trust device cisco-phone' command to automatically trust the phone's markings.

3. Avoid trusting uplinks unless necessary; trust should be as close to the source as possible.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions about QoS trust boundaries. The exam may present a multiple-choice question asking where trust should be configured, or a drag-and-drop to place trust commands on the correct interfaces. Key fact: Trust boundaries must be set at the access layer, not on uplinks.

Exam Tips

1. Remember that trust should be configured on access ports connected to trusted devices like IP phones, not on trunk ports.

2. The command 'mls qos trust cos' is used for CoS-based trust; 'mls qos trust dscp' for DSCP-based trust. Know the difference.

3. If voice traffic is being re-marked, check the trust state on the ingress interface using 'show mls qos interface'.
