Trust Boundaries
When IP traffic comes in already marked, the switch has some options about
how to handle it. It can:
■ Trust the DSCP value in the incoming packet, if present.
■ Trust the IP Precedence value in the incoming packet, if present.
■ Trust the CoS value in the incoming frame, if present.
■ Classify the traffic based on an IP access control list or a MAC address
access control list.
Mark traffic for QoS as close to the source as possible. If the source is an IP
telephone, it can mark its own traffic. If not, the building access module
switch can do the marking. If those are not under your control, you might
need to mark at the distribution layer. Classifying and marking slows traffic
flow, so do not do it at the core. All devices along the path should then be
configured to trust the marking and provide a level of service based on it.
The place where trusted marking is done is called the trust boundary.