Hi,
The template you have probably will not work as you expect.
1. I see you have crypto-map configured under the WAN interface; the traffic will be encrypted before entering the egress queue, which means the marking based on the pre-encryption port number will not work. You need to classify on the LAN interface in the ingress direction or use the IPsec pre-classify feature.
2. You are using a 100M interface on your side, and on the SP side they will police down to 2M. So any traffic beyond 2M will be dropped by the provider side. You need to configure an HQoS with parent-level shaping down to 2M to make sure your egress traffic rate won't exceed 2M.
3. Voice traffic is delay-sensitive traffic; it is better to give it a priority level rather than a bandwidth guarantee, but you should not give the priority queue more than 33% of the total available bandwidth, otherwise it can saturate other types of traffic and lower your overall performance.
4. You don't need to shape the traffic going out of your LAN interface; basically, the traffic coming in from the WAN interface will not exceed the 100M LAN bandwidth, so the queue will never be used.
HTH,
Lei Tian
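
Added example, not part of the original reply or the poster's template: an IOS configuration sketch of the four points above (LAN-ingress marking, a 2M parent shaper, a priority queue capped at 33%, no LAN egress shaper). Interface names, the ACL, the RTP port range and all policy and class names are assumptions.

```cisco
! Constructed example: interface names, ACL name, RTP port range and
! policy/class names are assumptions, not values from the thread.
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
class-map match-all VOICE-PRE-ENCRYPT
 match access-group name VOICE-RTP
class-map match-all VOICE-MARKED
 match dscp ef
!
! Point 1: classify on port numbers at LAN ingress, before encryption.
! The DSCP set here is copied to the outer IPsec header, so the WAN
! egress policy can still match it after encryption.
! (Alternative: "qos pre-classify" under the crypto map entry.)
policy-map LAN-IN-MARK
 class VOICE-PRE-ENCRYPT
  set dscp ef
!
! Point 3: voice gets a priority queue capped at 33% of the shaped rate.
policy-map WAN-CHILD
 class VOICE-MARKED
  priority percent 33
 class class-default
  fair-queue
!
! Point 2: parent shaper holds egress at the provider's 2M policed rate,
! so queuing happens on this router instead of drops at the SP policer.
policy-map WAN-PARENT
 class class-default
  shape average 2000000
  service-policy WAN-CHILD
!
interface GigabitEthernet0/0
 description LAN (assumed name)
 service-policy input LAN-IN-MARK
! Point 4: no output shaper on the LAN interface.
!
interface FastEthernet0/1
 description WAN, 100M port policed to 2M by the SP (assumed name)
 service-policy output WAN-PARENT
```

After applying it, `show policy-map interface FastEthernet0/1` shows per-class match and drop counters, which confirms whether voice is landing in the priority class after encryption.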