Switch is ME-3400EG-12CS-M   12.2(58)SE2           ME340x-METROIPACCESSK9-M.

I need to limit traffic on a per VLAN basis. I've read some other threads on this discussion forum and I can't seem to put all the pieces together. It feels like I'm almost there but I need a little help.

I have a 100Mbit link that is broken up into two EVCs. One for trusted traffic (VLAN 540) with a 80Mbit CIR and one for untrusted traffic (VLAN 539) with a 20Mbit CIR.

My upstream provider will silently drop any traffic that is sent over my CIR, so I need to make sure I'm not sending more than 80Mbit to VLAN 540 and 20Mbit to VLAN 539.

Gi0/1 on this 3400E connects to my upstream provider. They hand off a copper trunk port to me running dot1q.

Gi0/2 on this 3400E connects to my trusted LAN.

Gi0/3 on this 3400E connects to my untrusted WAN

class-map match-all WAN-VLAN

  match vlan  539

class-map match-all LAN-VLAN

  match vlan  540

policy-map WAN

class class-default

    police cir 20000000

      conform-action transmit

      exceed-action drop

policy-map LAN

class class-default

    police cir 80000000

      conform-action transmit

      exceed-action drop

...and I'm stuck at the next step.  Since I can only control the traffic I'm sending OUT of Gi0/1 to my upstream provider I was assuming I need an output policy - but reading through the configuration guide for this 3400E is sounds like I cannot apply an output policy on a per-vlan basis.

I hope I provided enough information, I have not had much exposure to Cisco QoS so this is all new to me.

To recap, I need to make sure that VLAN 540 cannot output more than 80Mbit and VLAN 539 cannot output more than 20Mbit through Gi0/1

In case it matters, here is my config for Gi0/1:

interface GigabitEthernet0/1

switchport trunk allowed vlan 539,540

switchport mode trunk

media-type rj45

speed 100

duplex full