I'm looking to deploy conditional QoS on access switches to enable users to move around without an administrative overhead of changing the port trust dependent up on device. However I want to make sure that any compromised or misconfigured devices dont have the potential to impact other users. Therefore, I've added a service policy to set the dscp values and police the traffic as required. This means that the voice and data vlans can be controlled and marked as required. My question is what happens if the device connected to the port isn't a trusted device, is the same service policy still applied to the interface? What I'm concerned about is if the device is untrusted but has a softphone client then I want to ensure that this traffic has its dscp set corretly. I'm guessing that I'd need to specify the data vlans subnet and UDP VoIP ports in an acl to match the correct traffic as opposed to just the voice vlan subnet and UDP VoIP ports in an acl if an IP Phone was connected and trusted? Any thoughts appreciated.