Trust Boundaries
1. Introduction to Trust Boundaries
🔍 What Are Trust Boundaries?
A trust boundary is the point in a network where traffic markings, such as DSCP (Layer 3) or Priority Code Point (PCP) / Class of Service (CoS) (Layer 2), are trusted. Beyond this point, the network devices rely on these markings to prioritize traffic based on Quality of Service (QoS) polic

💬 But here’s something to think about: What happens if a device outside your control marks its own traffic as high priority to gain an unfair advantage?
⚠️ Traffic markings applied by devices outside the trust boundary are considered untrusted and will be re-marked to align with the network’s policies. This ensures that only traffic from trusted devices influences network performance.
🛠️ The trust boundary is established on devices controlled by IT, such as access layer switches or IP phones.
2. How Trust Boundaries Work
🔍 Defining the Trust Boundary
The trust boundary is typically placed on network devices where traffic markings can be verified and adjusted if needed. These devices must be fully controlled and managed by IT staff. Common locations for trust boundaries include:
- Access Layer Switches: These devices receive traffic from end-user devices and re-mark it to align with network QoS policies.
🔍 Trust Boundary: Access Switch
Imagine you’re managing a network where devices like PCs are directly connected to access switches. Would you trust the traffic markings coming from these PCs? Probably not, right? That’s where the access switch steps in as the trust boundary.
✅ Here’s how it looks:

- When a PC connects to an access switch, the switch takes control of traffic markings.
- It evaluates the incoming traffic and applies appropriate DSCP (Layer 3) or PCP/CoS (Layer 2) values based on your QoS policies.
- At this point, you can be sure that the network will handle traffic according to your rules, as the switch re-marks any untrusted traffic.
💡 Think of the trust boundary as a checkpoint—anything beyond the access switch is now trusted and compliant with your configurations.
🔍 Trust Boundary: IP Phone
Now, let’s take it one step further. What if you have an IP phone between the PC and the network? This changes the game, as the IP phone itself becomes the trust boundary.
✅ Here’s how this setup looks:

- Picture this: A PC connects to an IP phone, which then connects to the access switch.
- The IP phone takes responsibility for marking traffic, not just for its own voice packets but also for the PC’s traffic.
- It assigns high-priority DSCP and PCP/CoS values to its voice traffic, ensuring clear and uninterrupted calls. At the same time, it marks the PC’s traffic appropriately, so you stay in control.
📢 In this scenario, the trust boundary is at the IP phone. You can trust its markings, knowing they align with your network’s QoS policies.
🔍 Trusted and Untrusted Devices
It’s important to identify trusted and untrusted devices when defining trust boundaries:
✅ Trusted Devices:
- These are devices managed by IT, such as access switches or IP phones.
- They apply markings accurately and reliably, aligning with your QoS policies.
- You can count on them to maintain traffic prioritization.
⚠️ Untrusted Devices:
- These are unmanaged or user-controlled devices, such as PCs or laptops.
- Their traffic markings may be incorrect or even manipulated to gain unfair advantages.
- To ensure fairness, their markings are re-evaluated and adjusted at the trust boundary.
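The re-marking step at an access switch, shown as an added example (not code from the original page). It rewrites the DSCP bits of an IPv4 header on an untrusted port while preserving the ECN bits and recomputing the header checksum. The port names, the per-port trust table, the DSCP values (46 for voice, 0 for best effort) and the sample addresses are assumptions.

```python
import struct

# Assumed values: the page names no code points. EF (46) is the standard
# voice DSCP; 0 is best effort. Port names are hypothetical.
DSCP_EF, DSCP_BEST_EFFORT = 46, 0
PORT_POLICY = {
    "phone-port": {"trusted": True},                               # IT-managed IP phone
    "pc-port": {"trusted": False, "remark_to": DSCP_BEST_EFFORT},  # user PC
}

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of the header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, 192.0.2.10 -> 198.51.100.20)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 48,
                                1, 0, 64, 17, 0,
                                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr)

def dscp_of(header: bytes) -> int:
    """DSCP is the upper six bits of the second header byte."""
    return header[1] >> 2

def ingress(port: str, header: bytes):
    """Apply the trust boundary; return (header, was_remarked)."""
    policy = PORT_POLICY[port]
    if policy["trusted"] or dscp_of(header) == policy["remark_to"]:
        return header, False                       # marking accepted as-is
    hdr = bytearray(header)
    hdr[1] = (policy["remark_to"] << 2) | (hdr[1] & 0x03)  # keep the ECN bits
    hdr[10:12] = b"\x00\x00"                       # zero checksum before summing
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr), True

if __name__ == "__main__":
    for port, dscp in [("phone-port", DSCP_EF), ("pc-port", DSCP_EF), ("pc-port", 0)]:
        out, changed = ingress(port, build_header(dscp, ecn=1))
        print(f"{port}: DSCP {dscp} -> {dscp_of(out)} remarked={changed}")
```

Counting the `was_remarked` results per port gives a simple signal for endpoints that keep sending self-assigned high-priority markings.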
3. Conclusion
Key Takeaways:
✅ A trust boundary is the point in a network where traffic markings are verified and trusted.
✅ It is established on IT-controlled devices, such as access layer switches or IP phones, ensuring that only trusted markings affect QoS decisions.
✅ By properly identifying trusted and untrusted devices, you maintain control over traffic prioritization and prevent misuse.
✅ Trust boundaries ensure fairness, security, and efficiency in network traffic prioritization.