1841 bandwidth limitation (traffic shaping) not working

gasparmenendez
Level 3

Hi folks,

I have a problem with bandwidth limitation on a Cisco 1841 Router. The thing is that I need to limit the internet bandwidth with class and policy maps in my 1841 but it's not working... when I check my Cacti (monitoring system) it shows the 1841 is using more than 2 Mbps, when apparently I limited it to 1 Mbps. Here's my configuration:

Building configuration...

Current configuration : 2548 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IntRegManzanas
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r/qO$L.tQ0JnkA
enable password 7 1511021
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone MX -6
clock summer-time MX recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool REDINTERNA
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 189.194.28.161 200.52.167.161
!
!
ip domain name somosggl.com
!
multilink bundle-name authenticated
!
!
!         
!
username gaspar privilege 15 password 7 094B4F1A0
username extra privilege 15 password 7 10692E3500
archive
 log config
  hidekeys
!
!
!
!
ip ssh version 2
!
class-map match-all CLASS1M
 match access-group name ACL1M
!
!
policy-map POLICE1M
 class CLASS1M
   police cir 1000000 bc 187500 pir 1000000
!
!
!
!
interface FastEthernet0/0
 description *** Externa ***
 ip address 10.227.225.33 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
 rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description *** Interna ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output POLICE1M
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.227.224.1
!
!
ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
!
ip access-list standard ELCACTI
 permit 10.227.224.11
 deny   any
!
ip access-list extended ACL1M
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
logging 10.227.224.11
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community ******** RO ELCACTI
snmp-server location Canatlan
snmp-server contact Irma Mtz
!
!
!
!
!
!
control-plane
!
!
banner login ^C

*******************************
*******************************

    Acceso restringido
   Solo personal autorizado

*******************************
*******************************
^C
!
line con 0
 password 7 040F5D515
 logging synchronous
line aux 0
line vty 0 4
 password 7 040F5D515
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
end

Can somebody help me please??

Thanks in advance. BR.


Hello,

bc is in bytes, so a bc of 187500 equals 1.5MB.

Try the below values:

police cir 1000000 bc 8000 pir 8000

rate-limit input 1000000 8000 8000 conform-action transmit exceed-action drop

OK, let me try that and I'll get back to you.

anyway what's the exact way to calculate this??

Thanks. BR.
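On how the burst figures relate to the rate: this is an added example, not code from the thread. It reproduces the 187500/375000 pair from the original `rate-limit` lines as 1.5 s of traffic at the rate and twice that, then runs a simplified single-rate token-bucket policer over a constructed constant 2 Mbps stream to show how little the burst size changes a 5-minute average. The function names and the traffic model are assumptions made for the illustration.

```python
# Added illustration: simplified single-rate, single-bucket policer model.

def car_bursts(rate_bps, seconds=1.5):
    """Normal and extended burst in bytes: 1.5 s of traffic, and twice that."""
    normal = int(rate_bps / 8 * seconds)
    return normal, 2 * normal

def police(packets, cir_bps, bc_bytes):
    """packets: list of (time_s, size_bytes). Returns (conformed, exceeded) bytes."""
    tokens, last = float(bc_bytes), 0.0
    conformed = exceeded = 0
    for t, size in packets:
        # Refill at CIR (converted to bytes/s), never above the bucket depth bc.
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            conformed += size      # conform-action transmit
        else:
            exceeded += size       # exceed-action drop
    return conformed, exceeded

def offered_load(rate_bps, duration_s, pkt_bytes=1250):
    """Constructed input: constant-rate stream of equal-sized packets."""
    count = int(rate_bps / 8 * duration_s / pkt_bytes)
    gap = pkt_bytes * 8 / rate_bps
    return [(i * gap, pkt_bytes) for i in range(count)]

def conformed_bps(cir_bps, bc_bytes, offered_bps=2_000_000, duration_s=300):
    """Average transmitted rate over the window (300 s, like a 5-minute graph)."""
    ok, _ = police(offered_load(offered_bps, duration_s), cir_bps, bc_bytes)
    return ok * 8 / duration_s

if __name__ == "__main__":
    print("rate-limit bursts for 1 Mbps:", car_bursts(1_000_000))
    for bc in (8000, 31250, 187500):   # bc values that appear in the thread
        print(f"bc={bc:>6} bytes -> {conformed_bps(1_000_000, bc):,.0f} bps")
```

In this model every bc value seen in the thread keeps the 5-minute average within about 1% of the 1 Mbps CIR, provided the traffic is actually classified into the policed class.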

Hello,

attach the service policy to the outside interface. I have also made a few changes to your policy and access lists (in bold):

Current configuration : 2548 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IntRegManzanas
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r/qO$L.tQ0JnkA
enable password 7 1511021
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone MX -6
clock summer-time MX recurring
dot11 syslog
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool REDINTERNA
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 189.194.28.161 200.52.167.161
!
ip domain name somosggl.com
!
multilink bundle-name authenticated
!
username gaspar privilege 15 password 7 094B4F1A0
username extra privilege 15 password 7 10692E3500
archive
log config
hidekeys
!
ip ssh version 2
!
class-map match-all CLASS1M
match access-group name ACL1M
!
policy-map POLICE1M
class CLASS1M
police cir 1000000 bc 8000 pir 8000
!
interface FastEthernet0/0
description *** Externa ***
ip address 10.227.225.33 255.255.252.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy output POLICE1M
!
interface FastEthernet0/1
description *** Interna ***
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.227.224.1
!
ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
!
ip access-list standard ELCACTI
permit 10.227.224.11
deny any
!
ip access-list extended ACL1M
permit ip 192.168.1.0 0.0.0.255 any
!
logging 10.227.224.11
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community ******** RO ELCACTI
snmp-server location Canatlan
snmp-server contact Irma Mtz
!
control-plane
!
banner login ^C

*******************************
*******************************

Acceso restringido
Solo personal autorizado

*******************************
*******************************
^C
!
line con 0
password 7 040F5D515
logging synchronous
line aux 0
line vty 0 4
password 7 040F5D515
logging synchronous
transport input all
!
scheduler allocate 20000 1000
end

Hi, I forgot to tell you about this:

IntRegManzanas(config-pmap-c)#police cir 1000000 bc 8000 pir 8000
Inconsistent PIR value, should be greater than CIR: 1000000

that's why I did set pir=1000000

and this is my access-list:

ip access-list extended ACL1M
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

Should I change it to yours???

Thanks.

Hello,

if you configure just the below, what is the output of 'show policy-map interface FastEthernet0/1'?

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
class-map match-any CLASS1M
 match access-group 101
!
policy-map POLICE1M
 class CLASS1M
  police cir 1000000
!
interface FastEthernet0/1
 service-policy output POLICE1M

After being configured like you suggested, here's the output:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy output: POLICE1M

    Class-map: CLASS1M (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 110
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      4717 packets, 6121306 bytes
      5 minute offered rate 137000 bps, drop rate 0 bps
      Match: any

Thanks.

Hello,

there is nothing matching the class map.

Try and add the following to the access list matching the class map:

ip access-list extended ACL1M
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

this is what I configured:

class-map match-any CLASS1M
 match access-group name ACL1M
!
!
policy-map POLICE1M
 class CLASS1M
   police cir 1000000
!
!
!
!

interface FastEthernet0/1
 service-policy output POLICE1M
!
!
ip access-list extended ACL1M
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

and now I'm getting this:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy output: POLICE1M

    Class-map: CLASS1M (match-any)
      24 packets, 1680 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL1M
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes
        conformed 24 packets, 1680 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      204640 packets, 266057008 bytes
      5 minute offered rate 948000 bps, drop rate 0 bps
      Match: any

let's see if now it works.

Thanks.

Actually, you can configure the access list as below. You don't need to deny traffic from 192.168.1.0/24 to 192.168.1.0/24, since that traffic is not even routed and would never hit the interface:

ip access-list extended ACL1M
permit ip 192.168.1.0 0.0.0.255 any

Anyway, I can't get it to limit traffic; it reached 2.49 Mbps today. Check this:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy output: POLICE1M

    Class-map: CLASS1M (match-any)
      24 packets, 1680 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL1M
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes
        conformed 24 packets, 1680 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      889227 packets, 1097285797 bytes
      5 minute offered rate 447000 bps, drop rate 0 bps
      Match: any

what can I do???

There is still (almost) nothing matching your class. What does your configuration look like now?

Here it is:

IntRegManzanas#sh running-config
Building configuration...

Current configuration : 2304 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IntRegManzanas
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r/qO$L.tQ0JnkA
enable password 7 1511021F0725
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone MX -6
clock summer-time MX recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool REDINTERNA
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 189.194.28.161 200.52.167.161
!
!
ip domain name somosggl.com
!
multilink bundle-name authenticated
!
!
!         
!
username gaspar privilege 15 password 7 094B4F1A
username extra privilege 15 password 7 10692E35
archive
 log config
  hidekeys
!
!
!
!
ip ssh version 2
!
class-map match-any CLASS1M
 match access-group name ACL1M
!
!
policy-map POLICE1M
 class CLASS1M
   police cir 1000000
!
!
!
!
interface FastEthernet0/0
 description *** Externa ***
 ip address 10.227.225.33 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description *** Interna ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output POLICE1M
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.227.224.1
!         
!
ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
!
ip access-list standard ELCACTI
 permit 10.227.224.11
 deny   any
!
ip access-list extended ACL1M
 permit ip 192.168.1.0 0.0.0.255 any
!
logging 10.227.224.11
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community ******* RO ELCACTI
snmp-server location Canatlan
snmp-server contact Irma Mtz
!
!
!
!
!
!
control-plane
!
!
banner login ^C

*******************************
*******************************

    Acceso restringido
   Solo personal autorizado

*******************************
*******************************
^C
!
line con 0
 password 7 040F5D51
 logging synchronous
line aux 0
line vty 0 4
 password 7 040F5D51
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
end

Hello,

which IOS version are you running? Can you post the output of 'show version'?

Try to apply the service policy outbound on FastEthernet0/0, or as an input (instead of output) on the LAN interface...
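Why the direction of the service policy matters for this ACL, as an added example that is not part of the thread: an output policy on FastEthernet0/1 sees packets leaving toward the LAN, so their destination is 192.168.1.x and their source is the remote host, while ACL1M matches on source 192.168.1.0/24. The matcher below is a simplified model of extended-ACL evaluation for `ip` entries only; the host addresses 192.168.1.60 and 203.0.113.10 are constructed.

```python
import ipaddress

# ACL1M as posted at the start of the thread.
ACL1M = [
    "deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: bits set in the wildcard are ignored."""
    w = _to_int(wildcard)
    return (_to_int(addr) | w) == (_to_int(base) | w)

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>'; a spec is 'any', 'host A' or 'A W'."""
    tok = line.split()
    specs, i = [], 2
    while i < len(tok):
        if tok[i] == "any":
            spec, step = ("0.0.0.0", "255.255.255.255"), 1
        elif tok[i] == "host":
            spec, step = (tok[i + 1], "0.0.0.0"), 2
        else:
            spec, step = (tok[i], tok[i + 1]), 2
        specs.append(spec)
        i += step
    return tok[0], specs[0], specs[1]

def classify(acl, src, dst, class_name="CLASS1M"):
    """First matching entry wins; a deny or no match falls to class-default."""
    for line in acl:
        action, s, d = parse_ace(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return class_name if action == "permit" else "class-default"
    return "class-default"

# Constructed packets: LAN host 192.168.1.60, remote host 203.0.113.10.
DOWNLOAD_OUT_FA0_1 = ("203.0.113.10", "192.168.1.60")  # leaving toward the LAN
UPLOAD_IN_FA0_1 = ("192.168.1.60", "203.0.113.10")     # arriving from the LAN

if __name__ == "__main__":
    print("output on Fa0/1:", classify(ACL1M, *DOWNLOAD_OUT_FA0_1))
    print("input on Fa0/1: ", classify(ACL1M, *UPLOAD_IN_FA0_1))
```

The download packet lands in class-default under both versions of ACL1M posted in the thread, which is consistent with the `show policy-map interface` counters above.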

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 05:26 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

IntRegManzanas uptime is 1 week, 2 hours, 16 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T14.bin"

I'll try what you're suggesting and post results.

Thanks.
