If this were me, then I would create 2 class maps and match the traffic you have 50/50. Then in the policy map have 2 x 2.1 gig throughputs.
You could even have the class maps the same so they match the same traffic, then have a throughput of 2.1 gig (or even 4 gig) and then if the policy is exceeded, move to the next line which gives you the rest that you need.
I've not got a router near me, but have a go with a 2 rate policer. Here you have CIR and PIR. You can send at the PIR rate - which is higher than the CIR rate. Have a look at this link for some config tips:
Next, I would have a go at marking the access-list 125 traffic on ingress with a QoS value currently not in use (e.g. af11) using shaping for the first 4gig. Then in the 1st map class - match the af11 traffic. Then on the second, match the rest of the traffic that was not marked using the access-list.
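To show how the CIR and PIR of a 2 rate policer split traffic, here is an added example (not from the post above and not a device configuration) that models the standard two-rate three-color marker from RFC 2698 in color-blind mode. The 2.1 gig and 4 gig rates come from the post; the burst sizes, the packet size and the names `TwoRatePolicer` and `offered_load` are assumptions made for the illustration.

```python
from collections import Counter


class TwoRatePolicer:
    """Color-blind two-rate three-color marker (RFC 2698)."""

    def __init__(self, cir_bps, pir_bps, cbs_bytes, pbs_bytes):
        self.cir = cir_bps / 8.0          # committed rate, bytes per second
        self.pir = pir_bps / 8.0          # peak rate, bytes per second
        self.cbs, self.pbs = cbs_bytes, pbs_bytes
        self.tc = float(cbs_bytes)        # committed bucket starts full
        self.tp = float(pbs_bytes)        # peak bucket starts full
        self.last = 0.0

    def police(self, now, size):
        """Return the color of a packet of `size` bytes arriving at `now` seconds."""
        elapsed = now - self.last
        self.last = now
        # Refill both buckets for the elapsed time, capped at their burst sizes.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size:
            return "red"                  # above PIR: violate
        self.tp -= size
        if self.tc < size:
            return "yellow"               # between CIR and PIR: exceed
        self.tc -= size
        return "green"                    # within CIR: conform


def offered_load(policer, rate_bps, seconds, pkt_bytes=1500):
    """Offer constant-rate traffic and return bits per second seen per color."""
    gap = pkt_bytes * 8 / rate_bps        # spacing between packet arrivals
    count = int(seconds / gap)
    seen = Counter(policer.police(i * gap, pkt_bytes) for i in range(count))
    return {c: seen.get(c, 0) * pkt_bytes * 8 / seconds
            for c in ("green", "yellow", "red")}


if __name__ == "__main__":
    # Constructed burst sizes: roughly 1 ms of traffic at each rate.
    for offered in (2e9, 3e9, 5e9):
        p = TwoRatePolicer(2.1e9, 4e9, cbs_bytes=262_500, pbs_bytes=500_000)
        result = offered_load(p, offered, seconds=1.0)
        print(f"offered {offered / 1e9:.1f}G ->",
              {c: f"{v / 1e9:.2f}G" for c, v in result.items()})
```

What happens to the yellow and red traffic (transmit, re-mark or drop) is decided by the actions attached to the policer, which this model leaves out.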