Objective: Limit incoming and outgoing bandwidth for each user (switch port) when accessing external (Internet) resources while at the same time allowing access to internal resources (servers, printers, etc.) at unthrottled speeds.
Equipment:
Cisco IOS Software, C3550 Software (C3550-IPBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
I have found configurations that work using policy maps / QoS that will allow me to throttle on a per-switchport basis. I am having a problem figuring out where to change the configuration to allow full access to internal resources. I have attempted to create an access-list with the necessary internal IP addresses and added them to a class-map. I then added the class-map to the policy-map, but last time I tried, it disabled all throttling. I don't know if it is the implicit deny all at the end of the access-list or if I'm even placing it in the right order on the policy-map. Actually, I'm literally learning policy-maps/class-maps as I do this.
If there is a simpler way to achieve this, I'm all ears. Also, is there a way to include the whole internal 192.168.1.0 network while still throttling things going to the gateway address?
Current Config:
mls qos
!
class-map match-all no500kb
 match access-group 100
class-map match-all 2MB
 match ip dscp default 63
class-map match-all 250kb
 match ip dscp default 63
!
!
policy-map outboundthrottle
 class 200kb
  police 1500000 250000 exceed-action drop
policy-map inboundthrottle
 class 2MB
  police 1500000 75000 exceed-action drop
!
interface FastEthernet0/19
 switchport mode access
 mls qos monitor dscp 0 63
 service-policy input inboundthrottle
 service-policy output outboundthrottle
!
access-list 100 permit ip any host 192.168.1.254
access-list 100 permit ip any host 192.168.1.253
access-list 100 permit ip any host 192.168.1.2
access-list 100 permit ip any host 192.168.1.3
access-list 100 permit ip any host 192.168.1.4