Here's what I have in mind (w/o including shaper for 3rd subinterface) - but again, unsure it will work correctly.

ip access-list extended Example
 permit ip {subinterface 1's traffic attributes}
 permit ip {subinterface 2's traffic attributes}
!
class-map match-? Example
 match access-group name Example
! and (match-all) or (match-any)
 match {some other subinterface 1's and 2's traffic attributes}
!
policy-map Example
 class Example
  shape average 8000
!
interface GigabitEthernet0/0/0
 no ip address
 service-policy output Example
!
interface GigabitEthernet0/0/0.1
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0

Oops, actually the ACL would need to match the traffic flowing across the subinterfaces, so just matching the subinterface's subnet, isn't correct.

H-QoS via policy aggregation?

---

@Ramblin Tech wrote:

H-QoS via policy aggregation?

---

Maybe!

If OP only wants just one specific set of combined subinterfaces, and the other subinterfaces independent, as they currently are (?), and the existing policies only shape the default class, it may be a very suitable approach.

If the need is more complex, likely this feature, even possibly the later XE 2.6 variant, might not be up to challenge.

BTW, what I suggested, is dependent on the main interface "seeing" all the subinterface traffic in a policy applied to it.  This may not be the case, or it may work on some platform/IOS combos, and not others.  (When you start really pushing complexity in MQC, I've often seen one platform/IOS accept a config that another platform/IOS does not.)

I don't have any hardware to test with.  Do have a copy of CML, which might accurately provide a faithful result.

I'm also wondering whether "match vlan #" would work on the main interface.

from: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-16-12/qos-mqc-xe-16-12-book/qos-intro.html

policy-map child 
  class voice
    priority 
    police cir percent 10
  class video
    bandwidth remaining percent 30
!
policy-map parent-vlan100
  class class-default
    shape average 100m
    service-policy child 
!
policy-map parent-vlan200
  class class-default
    shape average 50m
    service-policy child
! 
int gigabitethernet1/0/0.100
  service-policy out parent-vlan100 
int gigabitethernet1/0/0.200
  service-policy out parent-vlan200

This example shows that although the definition may be shared the instances of the policy on different interfaces are truly unique.

You can also create hierarchical policies with policy-maps used in user-defined classes.

The following example illustrates a 3-level hierarchical policy, the max currently supported on the ASR 1000 Series Router. For a packet to match a class at the application level it must now match 3 requirements: the voice or video classifier at the child, the vlan classifier in the vlan-sharing policy-map, and the class-default (anything) in the physical level policy-map:

class-map vlan100
  match vlan 100
class-map vlan200
  match vlan 200
!
policy-map child 
  class voice
    priority 
    police cir percent 10
  class video
    bandwidth remaining percent 30
!
policy-map vlan-sharing
  class vlan100
    shape average 100m
    service-policy child 
  class vlan200
    shape average 50m
    service-policy child
!
policy-map physical-policy
  class class-default
    shape average 500m
    service-policy vlan-sharing
!
interface gigabitethernet1/0/0
  service-policy out physical-policy

In the above, the first portion, is probably somewhat similar to what OP is doing now.

The second portion, is what I had in mind, more or less.  (I've often done similar QoS with multiple tunnels crossing a physical interface, just not with router subinterfaces.)

Assuming the second portion works, it might require being used exclusively, i.e. you might not be able to mix the two techniques on the same interface.  (Not a big deal if you only have a few, like the OP's 3, but if you have hundreds, then you might have a major conversion effort.)

Again, I've often seen complex QoS configs impacted by their level of complexity.  So, @Vlad8 can you provide an example of what your subinterface policies are (actually) now?

PS:

BTW, Jim, I wasn't aware of the feature you referenced.  Reading it though, it seems inferior to the above because I usually find I need a multi-level hierarchal policy when shaping, not aggregation of multiple streams.  Again, though, perhaps it would be suitable for OP.

The usual case I've had to deal with, having a hub with a 10x the bandwidth of spoke sites, but more than 10 spoke sites.  So, from the hub, need to deal with its overall bandwidth limit, (to) spoke bandwidth limits, and prioritization of traffic when either the hub or  (to) spoke bandwidth limits are exceeded.

@Joseph W. DohertyI've updated the post and included the policy. To provide more context, just imagine that there is a physical channel that carries only these two VLANs, which is limited to 20 Mbps and does not support QoS. The goal is to maximize the usage of this pipe while respecting QoS.

Possibly:

interface GigabitEthernet0/0/1
 service-policy output VLANS-100-n-101-SHAPER-OUT-20Mbps
interface GigabitEthernet0/0/1.100
! service-policy output SHAPER-OUT-10Mbps
interface GigabitEthernet0/0/1.101
! service-policy output SHAPER-OUT-10Mbps
interface GigabitEthernet0/0/1.102
 service-policy output SHAPER-OUT-15Mbps

policy-map SHAPER-OUT-10Mbps
 class class-default
  shape average 10000000   
   service-policy WAN-OUT

policy-map VLANS-100-n-101-SHAPER-OUT-20Mbps
 class VLANS-100-n-101
  shape average 20000000   
   service-policy WAN-OUT

class-map match-any VLANS-100-n-101
 match vlan 100
 match vlan 101

It doesn't let to attach the service policy to the main interface

(config)#interface GigabitEthernet0/0/0
(config-if)#service-policy output VLANS-100-101-AGGREGATE-SHAPER-20Mbps
Service_policy with queueing features on this interface is not allowed 
if service-group/evc queuing policy is already installed Remove service-group/evc policy first and then install policy on this interface and later on service-group/evc
%QOS-6-POLICY_INST_FAILED: Service policy installation failed on GigabitEthernet0/0/0. service-policy not applicable for interface features. policy:VLANS-100-101-AGGREGATE-SHAPER-20Mbps, dir:OUT, ptype:, ctype:DEFAULT

Error appears to be about sequence of application (which I've sometimes seen).  Also, did you remove policies from those two subinterfaces first?

For the former, it may require you first remove all subinterface policies, then apply policy on main interface, then reapply subinterface policies.

It may also turn out it won't support policies on both main and subinterfaces, concurrently.  If so, and if main policy works correctly matching VLANs, you could do all your QoS in just a main interface policy, although limited by max number of classes per policy.

Yup, you're right - it doesn't support policies on both main and sub-interfaces, concurrently.

So, the final config, which I'm going to test, looks like this:

class-map match-any AGGREGATE-QoS_VLANS_100_101
 match vlan  100
 match vlan  101

class-map match-any AGGREGATE-QoS_VLAN_102
 match vlan  102

policy-map Gi0-0-0_AGGREGATE-SHAPER
 class AGGREGATE-QoS_VLANS_100_101
  shape average 20000000   
   service-policy WAN-OUT
 class AGGREGATE-QoS_VLAN-102
  shape average 15000000   
   service-policy WAN-OUT

interface GigabitEthernet0/0/0.100
 no service-policy output SHAPER-OUT-10M
interface GigabitEthernet0/0/0.101
 no service-policy output SHAPER-OUT-10M
interface GigabitEthernet0/0/0.102
 no service-policy output SHAPER-OUT-15M

interface GigabitEthernet0/0/0
 service-policy output Gi0-0-0_AGGREGATE-SHAPER

Looks okay.  Just now a question whether it will accept it and work as desired.

Ahhh yes, it did accept the config on a lab router. By 'test,' I meant a traffic load test to verify that it works as desired.