Showing results for 
Search instead for 
Did you mean: 

Nexus 7000: QOS question how a port can be set to untrust



the normal behavior of the Nexus 7K is, that QOS is enabled by default and all port are trusted for dscp and cos. We have some connected devices which are conneted through trunks. How can i set this port to an untrust port so that cos values >0 will be reset to 0 and also for dscp.

I think i have to do this with an policy-map but how can configure this because under one class i can not configure two set's (set cos 0 and dscp 0).


4 Replies 4

Reza Sharifi
Hall of Fame Master Hall of Fame Master
Hall of Fame Master


You can try a policy-map and rewrite for example cos 5 to 0 on the incoming interface.  Once it is untrusted, then the uplink should untrust it too.




On the nexus 7000 platform, you have to be aware of  a few things.

For bridged traffic, COS is used for ingress queue selection et preserve for egress queue selection. If trafic originate from an access ports (not a trunk), COS value will be 0.

For routed traffc, COS is used for ingress queue selection. DSCP will rewrite COS using the 3 most significant bits of DSCP and the new COS will be used for egress queue selection.

If you want to change the default behavior and not trust the traffic, you have to write a policy-map that rewrite the DSCP value to 0  of all trafic and apply it inbound on the physical interface. This will force the 7000 to re-write COS for bridged traffic also and egress queue selection will use the new COS

Thanks for the answers. I wondering that the nexus is by default  rewriting the cos based on the dscp when the packets are bridged from on  trunk to an other trunk.

See also

"The  CoS value is derived based on the type of traffic (bridged or   routed).  For bridged traffic, the CoS value is copied from the received   CoS value."

This answer match not this answer.

So for me it looks like, when i  use a input policy-map with set dscp = 0 than the cos will be unchanged  bridged from incoming interface to the outgoing interface. When i set  the cos to 0 than the dscp will be unchanged bridged.

What i need is a policy which set the cos and dsp to 0 when a packet comes in. The same when i set a catalyst port to "untrust".


I agree, but if you rewrite the dscp, it will drive the cos for bridged trafic.

Try it, you ll see...

Sent from Cisco Technical Support Android App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers