I'm sorry a forget post all config:

SW1(config)#class-map Class2
SW1(config-cmap)#match ip dscp af13

SW1(config)#policy-map Policy1

SW1(config-pmap)#class Class2
SW1(config-pmap-c)#police cir 4000000 conform-action transmit exceed-action drop

SW1(config)#interface GigabitEthernet 1/0/1
SW1(config-if)#service-policy input Policy1

I'm using generator/analyzer Spirent TestCenter1 which is generating traffic with DSCP value = AF13 (rate 5000 kbps) and I measure incoming traffic from this switch to analyzer.

Hello,

what I meant with full configuration was the full output of the command 'sh run'...can you post that ?

Where is the Traffic Generator located, on another subnet ? Post a schematic drawing of your topology including the IP addresses of the traffic generator and the switch interface you have the service policy configured on...

Several possible answers, although I don't know if any might apply.

First, on some Cisco devices, I'm unsure policers count L2 or L3 bandwidth. If the Cisco switch is counting L3 and your test equipment is counting L2, the latter would be higher.

Second, there's the issue of what K is. I.e. 1,000 or 1,024. Such can throw off stats if one device is using "decimal" while the other device is using "binary". (If this is happening, if you can control frame size, the difference should decrease as frame size increases.)

Third, depending on Tc and frame sizes, and exactly how traffic is being placed on the wire, allowed bandwidth might vary.

Lastly (at least of the things that come to mind), Cisco's implementation might not be "precise" for some reason. For example, they mention on the original 3750 series that egress port limiting is rather inexact (which is likely due to ASIC limitations), although I don't recall a similar mention for ingress policing, perhaps there's hardware precision limitations.

I will post all config on monday because switch is in laboratory. My generator use L2 traffic with IPv4 header because of using DSCP values. I'm using this topology:

 I'm using MTU on L2 layer with size of 1500 B.

My follow up question was to see the topology as well as the full config of the switch...sorry for the misunderstanding. It is not clear, af least to me, where the traffic is coming from ( same or different subnet) and how it hits the interface with the applied service policy...