QOS for traffic going outside the router is straight forward. You specify classes for your traffic and prioritize, shape and police; based on the classes.
Ingress is a little confusing. Assuming I have 4/4mbps bandwidth available. I shape my traffic to 4mbps so there are no drops. Voice is prioritized and non-priority traffic is policed. Everything is perfect on the egress side.
But what can I do on the ingress side to ensure all the bandwidth is not used for http? I can just police http, right? But what if someone tries to download using some other protocol and use all the available bandwidth? I can't shape or do prioritization for ingress traffic.
Assuming my priority traffic comes from 220.127.116.11 and 18.104.22.168 and I want to reserve the 3mb bandwidth for it, is the following the best way:
match access-group name priority
police cir 1000000
ip access-list extended priorty
permit ip host 22.214.171.124 any
permit ip host 126.96.36.199 any
Typically, you mark ingress, then you police the marked traffic on the egress interface.
so you would not need to police/shape traffic on your ingress interface.
PLease rate if usefull
When possible, the best QoS for ingress is the "other side's" egress.
When that's not possible, you can do things like police ingress, as you mention, but your "mileage may vary" as to how effective it is for your QoS needs.
I found you often must police at a (even much) higher rate to obtain the bandwidth guarantee you're looking to obtain for some of your traffic.
BTW, depending on the kind of ingress traffic, you might also be able to shape control flow egress traffic, like shaping egress TCP ACKs to help regulate ingress TCP flow rates.
There are also 3rd party appliances that can do more, like spoofing a receiver's TCP RWIN to regulate a TCP sender's transmission rate.