Generally speaking, you should mark your packets as close to the source as possible. In theory, that could be the actual source, such as IP Phones, gateways, PCs and servers. However, that poses some problems in larger organizations where the group that is charged with protecting voice quality does not manage the PCs and servers. This is because server administrators and PC users could simply tweak their computers to send all their data, including WWW surfing, e-mail and file and print traffic at priority 7. (Don't forget users wouldn't know that voice traffic is usually set below routing and network control traffic.)
So the solution is typically to configure your switches to "trust" traffic coming in on a given port, or to not trust it. Trusted simply means the switch allows the packets to enter the network unmolested. Packets entering an untrusted port have their CoS and ToS values reset to the lowest value (usually). Thus, users can set their PCs or servers to send traffic at any priority they wish, but it will not affect the network.
However, if you're using IP Phones, you may be able to get a little more sophisticated, depending on your vendor. In a typical scenario where you have a PC plugged into an IP Phone, and the IP Phone plugged into the switch, you can configure the switch to trust the IP Phone, and configure the switch to instruct the phone to not trust the PC.
What this does is push the job of marking traffic off your layer 2 switch and onto the IP Phone (which the user typically can't modify).
As an example, the commands to configure this on a Cisco Catalyst switch would be:
set port qos <slot/port> trust-ext untrusted
set port qos <slot/port> trust trust-cos
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.