"If you are looking end to end you need to mark to work as expected."

BTW, actually on many QoS capable switches and routers, they don't need CoS or ToS tags to support QoS; even end-to-end.

The real purpose of such tags is to reduce the processing load of every transit device to (deeply) examine a packet for classification purposes.  The "ideal" was the edge (ideally the sending host) would mark the frame/packet appropriately.  Unfortunately, because of the potential for abuse, network devices generally should be configured, at least at some "trust boundary", to verify a frame's/packet's marking, and remark if needed.

I may be misled people with that statement - what I meant was device end (connected) to mean Voice device.

I understand some of the edge to the internet we do not have control or some not support and not possible, we do need to consider reserve some bandwidth for better quality for voice.

Unsure "we're on the same page", yet. 

An end device, generally regardless of whether its a VoIP device or not, doesn't need to tag frames/packets to support QoS treatment.  Again, CoS/ToS tags just make examination of a frame/packet, for QoS treatment, more efficient.  (As an extreme example, we might [if supported on the device] do a "deep" packet analysis, using NBAR, for classification purposes.  Rather than doing this on every transit device, it's much more efficient to do it once, at first network device, tag the packet to indicate how it should be treated, and then all subsequent transit devices only need to examine the tag.)

Regarding VoIP and Internet, it's often "easy" to "guarantee" bandwidth as we send the traffic to the Internet.  Within the Internet, itself, we have no control.  (Fortunately, Internet providers often try to insure their circuits rarely congest.)

The problem is with Internet is bandwidth management from the Internet to our site.  This too we have no control over except in cases where we don't use the Internet for general access.  If we only use the Internet for traffic between our sites, we can manage bandwidth from the Internet by managing the bandwidth as we send it into the Internet.  E.g. site A <> Internet <> Site B - again, not using either Site A or B for general Internet access, Site A can manage traffic to Site B and the converse, too.  (Where it gets "messy" is with multiple sites, conversing with each other, i.e. a multi-point topology.)

Sure Agreed - yes based on CoS /ToS action, But in some cases, if you have enough bandwidth you do not need clarification  - it's unnecessary overhead in my personal point of view - again this depends on requirements and uses case..  but good to have where link congestion takes place due to other overloaded links - this can be any link - not limited.

yes some of them beyond our control and we rely on what promised as delivered. (this may be internet or MPLS or VPLS so on) - as long as it meets business goals there is no issue - how internally service provider-managed is a different discussion. (since we do expect  most of the SP provided links to be optimal)

thank you for your bit more clarity.

I recall (?) the 2960 and 3560/3750 switches, unless changed by a later IOS, all function as I described for "earlier switches".  I.e. you don't need a trust statement if you have an ingress policy attached to the interface.  (Why?  Because the policy determines what's trusted or not, and by default, trusts all.)

For those switch ports not using an ingress policy, then you'll need to use a "trust" statement (on access or trunk [or routed - if 3K switch] port) if QoS is enabled (which, again, for those families of switches, should be off, by default).

Also BTW, regarding the need to trust CoS for end devices, that's not needed unless they don't also support L3 ToS tagging (which almost all should).  If the end devices do not set L3 ToS, have the edge switch set the L3 ToS (which could be determined by examining just the L2 CoS, if desired).  (NB: again if end devices don't use VLAN tagged frames, there will be no CoS.  However, edge switch, if "smart/enhanced", should be able to examine L3 attributes and set L3 ToS.)

Thank you Joseph for this comprehensive answer.

On our 2960/3560/3750 switches, qos is enabled :

#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

On our 3850 Core switches I don't really know how to see if QOS is enabled. We also have Core C4500 switches, and I don't know to verifiy if QOS is enabled or not.

Anyway according to what you explained, we should disable QOS on those switches in order to place every ports in trusted state, correct ?

But as QOS is enabled on our switches, we need to trust "manually" each ports end to end.

Anyway I admit QOS is not easy !

On 2960/3560/3750 switches, if QoS is disabled, CoS/ToS is passed through untouched (egress is a single FIFO queue).  If QoS is enabled, you either need to explicitly trust or have an ingress policy on an interface.  (Policies implicitly trust, unless you configure them not to.)  On egress, CoS and ToS, by default, are split between four queues, although PQ isn't enabled by default.

On the 3650/3850 switches, I believe (?) they trust by default.  QoS might also be enabled by default.  I recall (?) they support 8 egress queues.

On the 4500, QoS features vary much by supervisor.  On the later sups, sup 6 (?) and later, I recall (?) their QoS is somewhat like a router's, i.e. they trust by default, but only use a single FIFO egress queue unless you configure an egress policy (limited compared to a Cisco router's).  (NB: one of the earlier 4500 sups, the 4 [?], had/has an "interesting" QoS.)

BTW, when you use Auto-QoS, it generally creates a new set of ingress and egress QoS treatment.  Auto-QoS settings tends to vary based on IOS "age" and also features provided by platform.  When Auto-QoS is enabled, it make lots of changes, which can be individually changed.  (Generally, to fully remove it, you need to "no" every command it inserted.)

Thanks Joseph.

The problem we have, we have different switches models and with different software version.

I have verified another 3650,  WS-C3650-48PD software version: 16.6.6

On a PC+deskphone port we have this config :

description Office Desk Port
switchport access vlan 10
switchport mode access
switchport voice vlan 11
trust device cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

On the trunk links, we don't have any policy applied :

TenGigabitEthernet1/1/3
description +UPLINK :  TE1/0/1 : TRUNK
switchport trunk native vlan 1000
switchport mode trunk
load-interval 30
channel-group 1 mode active

So we don't have any policy applied on the trunk links, as this switch is "MQC QOS", does that mean the ports are implicitely trusted even if there is not policy assigned on the port ?

I believe (?) the 3650 (and 3850) implicitly trust (like a router).  If so, you wouldn't need to "trust" on any port.

In your case of your access port, I believe (?) the "trust device cisco-phone" does more than just trust ToS, it may also help control what auto-QoS ingress policy is applied.  (For example, it might only accept DSCP EF from a recognized Cisco VoIP phone.)

Again, for your trunk port, I believe (?) you don't need to explicitly "trust", however if you're doing QoS to insure needed bandwidth for VoIP traffic, even though you have 10g Etherchannel, you should probably also have an egress QoS policy, to guarantee PQ for VoIP traffic.

(BTW, in you're wondering why all the "I believe [?]"s, my direct experience with Catalyst 3K switches stopped with the 3560/3750 series.  At the time Cisco released the 3650/3850 series, the company I was working for adopted another vendor's [cough - brand "J"] L3 switches.)

Thanks Joseph for all these comprehensive answers, I think the main thing I've understood is when the QoS is active on MLS ones, you need to explicitely trust QOS on the concerned interfaces