Thanks for the help - there is a slight problem with that in the why QoS is going to be implemented.
Basically the idea is not to trust anything at the edge, as it has been known for users to actively mark traffic with a QoS (DSCP) value. As an example a user could mark all their web traffic with a DSCP of 46 and then take advantage of QoS mechanisms employed, say for voice, also using DSCP 46.
So the idea is to create a untrusted and trusted area in the design. Everything south of the edge is untrusted. Everything north of the uplinks is trusted.
To make this demarcation work I will basically be turning off dot1p and diffserv examination south of the edge and enable it north of the uplinks.
ACL's will then be used at the edge to classify Voice and Video using port numbers with the use of diffserv replacement. Also the ACL will capture all remaining traffic and put it into QP2 as this thread details.
Now all traffic that enters the north side should be appropriately marked and we can use diffserv examination then onwards to trust the traffic. I will of course need to make sure any other traffic coming into the network, say from servers, web, are all put into QP2 (CS1, DSCP .
So you can see I need the ACL to profile all traffic into QP2 as a kind of permit all, without trusting any 802.1p or DSCP values, while at the same time not effecting control traffic. It might be that I don't actually need to worry about any control traffic if I'm only applying this to an edge port?