QoS Traffic Policing Explained

Hello Bousso

Policing can be done anywhere and on any port that is on a device that supports it. One example is applying policing on a WAN link between your various branches in order to avoid oversubscribing these links. It can also be applied on your own edge router in order to avoid sending too much traffic to the ISP (you may have a cost agreement with them that bills you based on usage and you want to control that). In general, policing, as well as shaping, are applied at locations of the network where some control over the traffic usage is necessary. This takes place most often at connections with the ISP or on WANs, and not generally within other areas of the enterprise network. But you will often see it on your own enterprise equipment, and not just on the ISP side.

In the beginning, the buckets are full and only start being emptied as traffic arrives on the interface. How they are emptied is further described in this post: QoS Traffic Shaping Explained - #64 by lagapidis

Yes, for policing this is correct. For shaping, you would use bits instead of bytes.

The minimum number of tokens in a bucket is zero, when enough traffic arrives quickly enough to empty the bucket.

A non-conforming packet can belong to either the exceeding or violating category.

  • Exceeding packets are those where the number of bytes in the packet is less than or equal to the number of tokens in the Be bucket.
  • Violating packets are those where the number of bytes in the packet is less than or equal to the number of tokens in both the Be and Bc buckets.

An excellent resource on QoS order of operations can be found at the following Cisco documentation:

I hope this has been helpful!

Laz
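
The token-bucket behaviour discussed in this thread, as an added example that is not part of the original post and not Cisco's implementation: a single-rate, two-bucket policer simulated over a constructed burst. The class name, rates and arrival list are assumptions; it uses the standard classification in which a packet conforms if it fits the Bc bucket, exceeds if it fits only the Be bucket, and violates otherwise.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    cir_bps: int    # committed information rate, bits per second
    bc_bytes: int   # Bc bucket capacity in bytes (policing counts bytes)
    be_bytes: int   # Be bucket capacity in bytes

    def __post_init__(self):
        # Both buckets start full and drain only as traffic arrives.
        self.bc_tokens = float(self.bc_bytes)
        self.be_tokens = float(self.be_bytes)
        self.last = 0.0

    def _refill(self, now):
        # Tokens earned since the last packet go to Bc first; what does not
        # fit spills into Be (assumed single-rate behaviour), capped at capacity.
        earned = (now - self.last) * self.cir_bps / 8
        self.last = now
        to_bc = min(earned, self.bc_bytes - self.bc_tokens)
        self.bc_tokens += to_bc
        self.be_tokens = min(self.be_bytes, self.be_tokens + earned - to_bc)

    def police(self, now, size):
        self._refill(now)
        if size <= self.bc_tokens:
            self.bc_tokens -= size
            return "conform"
        if size <= self.be_tokens:
            self.be_tokens -= size
            return "exceed"
        return "violate"    # no tokens are removed, so a bucket never goes below zero


# Constructed arrivals: (time in seconds, packet size in bytes).
ARRIVALS = [(0.0, 1500)] * 5 + [(2.0, 1500)]


def demo():
    p = Policer(cir_bps=8000, bc_bytes=3000, be_bytes=3000)
    actions = [p.police(t, size) for t, size in ARRIVALS]
    return actions, p.bc_tokens, p.be_tokens


if __name__ == "__main__":
    print(demo())
```
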