"pkts matched/bytes matched"  ==>> (pkts output/bytes output) in your output

With the forgoing "translation", why/when the different counters are updates, still holds.

BTW, further briefly reviewing that reference, I agree with Cisco on the causes of congestions, but disagree that congestion is when the tx-ring overflows.  Further, I disagree that waiting until the class counter and match counter, when nearly equal, should be investigated.  Not saying they shouldn't, but waiting until that happens, may lead to detecting an issue "late".

Also BTW, congestion, is typical within almost any data network.  The question, though, is your congestion adverse to your traffic service needs?

Lastly, as to whether your service policy is working correctly, often Cisco software does work correct, although, of course, you can bump into a bug.  Your policy stats show your traffic is not triggering the shaper and it's not matching any defined class.  Insufficient information to determine if that's actually correct processing.

Hello @Joseph W. Doherty  Thank you for the reply. Regarding my policy, I think I know why it doesn't work. Config "source interface" under DMVPN tunnel refers to interface vlan, not the physical interface where QoS is applied to. Most of the traffic is going through the tunnel and that's why we don't see any match in that policy map. But what I still don't understand, why traffic going to the Internet, which are going through that physical interface wasn't shaped to 300 Mbps.

Regarding counters: In that Cisco's article, which I shared, it's stated that "pkts matched/bytes matched" means packets which not only matched the class-map, but also were processed by policy-map. So, if "pkts matched/bytes matched"  = "pkts output/bytes output", then "pkts output/bytes output" shows packets which were processed by policy map during congestion.

Ah, with tunnels with policy on physical interface, by default, QoS only "sees" the tunnel packet.  Also, unless you're using really very old Cisco equipment (and IOS), tunnel packets do copy original packet's ToS byte, so you can match on that.

To deal with tunnel packets on a physical interface, beyond matching on ToS alone, you can use the pre-classify command on the tunnel interface, and then the physical interface can "see" more of the original packet's contents (a shadow copy), but not all.  (I believe packet header and maybe [?] UDP/TCP header.)  Or, you apply policy on tunnel, which "sees" all of packet's contents before encapsulation.

As to why your getting above 300 Mbps, again, as with your prior posting, I'm still not clear exactly how you're configured.  I still suspect, somehow traffic is bypassing your policy.

I haven't reread the Cisco article, but I think your confusion (?) may be due to you not, yet, grasping matching a class-map vs. being processed by the policy map and what Cisco means by congestion (again different from how I define it).

There's a reason, even with modern educational media, some education still benefits from having an instructor/teacher that you can interact with, when stumbling with some concept.