The DSCP/CoS settings are not set to 0 on output; they are treated on input as you described.
The main idea is to create a trusted zone, i.e. once the DSCP/CoS setting is checked on input it should be trusted throughout your switching/routing QoS domain. So set your trunks to trusted and access ports to untrusted unless you are sure the settings are correctly applied by the device connected.
Thanks. This answered my questions. I found this issue after watching packets with a sniffer. Here is what I found:
CoS is set in 802.1q/ISL packets. When trust cos is applied, the switch cos-to-dscp map establishes the DSCP value used internally in the switch. On egress, the switch uses the internal DSCP value to determine and mark the CoS value. However, voice servers (CallManager etc.) do not connect to the switches via 802.1q/ISL trunk connections, therefore CoS is not marked. I saw all the packets from CallManager with CoS of 0, and on egress DSCP of 0. Voice servers (and non-trunked gateways) must have the ports set to trust DSCP.
The only question I have left is, why not just set all ports to trust DSCP?
Previously Cisco recommended trusting CoS on ports where Cisco IP Phones were connected. This was due to the ability of the IP Phones to re-write the 802.1p field of received frames back to 0 from piggy-backed PCs. If you were simply to trust DSCP and set the internal DSCP from this, it would be easy for an attached PC to generate packets with DSCP EF and effectively hijack the Expedite Queue (if configured), causing havoc for real-time applications (predominantly Voice).
If you can whole-heartedly trust your users and their PCs (viruses, worms, etc.) then by all means trust DSCP, but in my opinion this is just open to abuse.
The current way of thinking is to apply inbound policy-maps on access ports to classify and police right at the edge. Then on your uplinks apply the correct queuing and scheduling and trust inbound DSCP.
Take a look at the QoS SRND written by Tim Szigeti on CCO for an insight:
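Added example, not part of any post in this thread and not Cisco code: a small Python model of the ingress trust decision discussed above, showing what internal DSCP results for an untagged server frame, a tagged phone frame and an EF-marked PC frame under each trust state, plus a classify-and-police edge policy. The cos-to-dscp map (CoS × 8), the dscp-to-cos map (DSCP ÷ 8), the host labels, the frame sizes and the byte-budget policer are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

EF = 46                                      # DSCP Expedited Forwarding
COS_TO_DSCP = [cos * 8 for cos in range(8)]  # assumed cos-to-dscp map

@dataclass
class Frame:
    src: str                   # constructed host label
    dscp: int                  # DSCP carried in the IP header
    cos: Optional[int] = None  # 802.1p CoS; None = untagged (no 802.1Q/ISL header)
    size: int = 200            # bytes

def internal_dscp(frame: Frame, trust: str, port_cos: int = 0) -> int:
    """Internal DSCP chosen on ingress for a port in the given trust state."""
    if trust == "dscp":
        return frame.dscp
    if trust == "cos":
        # Untagged frames carry no CoS, so the port default CoS applies.
        cos = port_cos if frame.cos is None else frame.cos
        return COS_TO_DSCP[cos]
    return COS_TO_DSCP[port_cos]             # untrusted: sender's marks ignored

def egress_marks(dscp: int) -> tuple:
    """Egress (DSCP, CoS); CoS is derived from the internal DSCP (assumed map)."""
    return dscp, dscp // 8

class EdgePolicy:
    """Inbound policy: only listed voice sources keep EF, within a byte budget."""
    def __init__(self, voice_sources, ef_budget_bytes):
        self.voice_sources = set(voice_sources)
        self.budget = ef_budget_bytes        # bytes allowed per policing interval

    def classify(self, frame: Frame) -> int:
        is_voice = frame.src in self.voice_sources and frame.dscp == EF
        if is_voice and frame.size <= self.budget:
            self.budget -= frame.size
            return EF
        return 0                             # unknown source or over budget: best effort

# Constructed sample frames
callmanager = Frame(src="callmanager", dscp=EF)  # untagged server NIC
pc_spoof = Frame(src="pc", dscp=EF)              # PC marking its own traffic EF
phone = Frame(src="phone", dscp=EF, cos=5)       # tagged voice VLAN frame
```

With these assumed maps, the untagged CallManager frame leaves as DSCP 0 under trust CoS, matching the sniffer observation above, while the EF-marked PC frame keeps EF only on a port that trusts DSCP.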