Ok let's say I just want to Police - I don't care I just want to drop any traffic (e.g. CustA to Site1) above whatever Mbps threshold/CIR rate I set.

To Reach Site1, CustA or any traffic trying to reach Site1 is directed to a let's say VTI/IPSEC tunnel at a router. Would it be simpler to just apply QOS policies (pre-classify) on the VTI tunnel? So basically any other customer who would need to be throttled, can just apply another  Class-map under the same Policy on the VTI? What would be best way to keep track of how much traffic each customer is even generating (to see how close to Thresholds are being reached) say if you don't have any other monitoring tool or something - for comparison or keeping track of metrics or something? This is why I was asking if maybe separate sub-interfaces or something are created on the Router for each customer, then traffic is directed to the VTI from there. Hope this sounds less confusing LOL

Also how many class-maps are supported under on Policy on Cisco routers or switches? I can't seem to find the answer.

"Would it be simpler to just apply QOS policies (pre-classify) on the VTI tunnel?"

Possibly, yes.  Pre-classify would allow you to "look" at pre-encapsulation IP packet fields.

"So basically any other customer who would need to be throttled, can just apply another Class-map under the same Policy on the VTI?"

Correct.

"What would be best way to keep track of how much traffic each customer is even generating (to see how close to Thresholds are being reached) say if you don't have any other monitoring tool or something - for comparison or keeping track of metrics or something?"

Possibly using a class-map w/o a policer.  I recall (?) a class-map will show current bandwidth rate using it.

"Also how many class-maps are supported under on Policy on Cisco routers or switches?"

On routers, varies per IOS version.  Early/original versions, I recall (?), only supported 64.  The next CBWFQ version, I recall (?), increased number of classes to 256.  Don't recall if number of classes allowed increased again later.

On switches, class number often limited by number of queues supported in hardware, which is much more limited, so you might find only 8 or so classes supported.

"Possibly using a class-map w/o a policer.  I recall (?) a class-map will show current bandwidth rate using it."

If not configuring with police, should I use the bandwidth parameter or something?

Possibly, a policy map's class might not require any configuration statements, but if it does, the basic bandwidth statement, alone, should suffice.  (NB: do keep in mind, the bandwidth statement will determine a class's dequeuing weight relative to all the other bandwidth classes.)

How about applying QOS right at the edge ingress interface of the infrastructure to throttle the external customer source so they don't utilize anymore bandwidth anywhere else in the infrastructure such as between that switch and a firewall (which will check this traffic) or the router which this traffic is destined in order to reach its tunnel destination?

Thanks again Joseph!

Yes that was what I was thinking. That traffic would still flow through other paths within the infrastructure where a link speed may not be that great either.

Also, can you apply QOS to a VTI IPSEC tunnel interface (so QOS before that traffic goes through tunnel or encrypted) with the  qos pre-classify on ISR or ASR routers?

not sure if I understand correctly. So in general, QOS is applied before traffic is encrypted or sent to tunnel correcct? If so then it would be the original packet header I would say sent from Customer A, B, etc.

You think it would be good idea to create let's say sub-interfaces for each customer want to throttle traffic on the router, apply the QOS to each sub-interface, then direct traffic to the tunnel if I want to manage QOS better and or reference how much traffic each customer is doing?

"So in general, QOS is applied before traffic is encrypted or sent to tunnel correct?"

In general, no.  QoS, depending on what you're doing, might be applied before tunneling, after tunneling, or both.

"You think it would be good idea to create let's say sub-interfaces for each customer want to throttle traffic on the router, apply the QOS to each sub-interface, then direct traffic to the tunnel if I want to manage QOS better and or reference how much traffic each customer is doing?"

Probably not because a single CBWFQ policy, on a router, can have lots of classes, so you might have one per customer (at least until you run out of CBWFQ policy map classes).

Kind of confusing reading doc on burstrate but the burst numbers you are referencing default (how do you set it)?

Would you suggest applying the policy on the egress interface right where the traffic I want to throttle comes in or at the SVI where it must hit to route?

I will have to check the SUP and get back to you