zero-sys.net
Software Engineering, Administration, IT-Services & Consulting
cisco


  • on the incoming interface on the router:
    • drain the main interface:
      
      (config)# interface FastEthernet X/Y
      (config-if)# no ip address
      (config-if)# no ip mroute-cache
      (config-if)# duplex full
      
    • create subinterface(s), one per VLAN (N is the VLAN id, i.e. the dot1Q tag):
      
      (config)# interface FastEthernet X/Y.N
      (config-subif)# description blabla
      (config-subif)# encapsulation dot1Q N
      (config-subif)# ip address IP NETMASK
      (config-subif)# no snmp trap link-status
      (config-subif)# no cdp enable
      
      on this subinterface you can do your:
      rate-limit ...
      traffic-shape ...
      access-list ...
      
  • on the switch
    • on the interface where the trunk is coming in from the router:
      
      (config)# interface FastEthernet A/B
      (config-if)# description blabla
      (config-if)# duplex full
      (config-if)# speed 100
      (config-if)# switchport trunk encapsulation dot1q
      (config-if)# switchport mode trunk
      
    • on the interface where the VLAN goes out (split):
      
      (config)# interface FastEthernet C/D
      (config-if)# description blabla
      (config-if)# switchport access vlan N
      (config-if)# no cdp enable
      
    • you may need to publish your VLANs to the switch:
      list VLANs
      # show vlan
      
      publish / configure VLANs
      # vlan database
      (vlan)# vlan N name NAME state active
      
that's all folks ;-)
PS: ... and just keep in mind: VLAN 1 may be the devil's one!
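The recipe above is a fixed sequence of commands per VLAN, so it is easy to script and to check before pasting it into a router and a switch. The following Python is an added example, not code from the original page or from Cisco: it takes a small VLAN plan (interface names, VLAN ids, addresses and access ports are all constructed values), refuses VLAN 1 as the PS advises, rejects duplicate VLAN ids or access ports, and emits the router subinterface block and the switch trunk/access/vlan-database block in the same form as the notes above.

```python
"""Build the router subinterface and switch port configuration from the recipe
above for a list of VLANs, with the sanity checks the recipe implies.
Added example, not from the original page; interface names, VLAN ids and
addresses are constructed."""

VLAN_MIN, VLAN_MAX = 2, 4094   # VLAN 1 (the default/native VLAN) is refused on purpose

# One entry per VLAN: (vlan_id, name, router_ip, netmask, switch_access_port).
# The name doubles as interface description and VLAN name, so it is one token.
SAMPLE_PLAN = [
    (10, "customer-a", "192.0.2.1", "255.255.255.248", "FastEthernet0/10"),
    (20, "customer-b", "192.0.2.9", "255.255.255.248", "FastEthernet0/11"),
]


def validate_plan(plan):
    """Raise ValueError on VLAN 1, out-of-range ids, duplicate ids or ports."""
    ids, ports = set(), set()
    for vid, name, _ip, _mask, port in plan:
        if not isinstance(vid, int) or not VLAN_MIN <= vid <= VLAN_MAX:
            raise ValueError(f"VLAN {vid!r}: use an id in {VLAN_MIN}..{VLAN_MAX}, never VLAN 1")
        if vid in ids:
            raise ValueError(f"VLAN {vid}: duplicate id")
        if port in ports:
            raise ValueError(f"{port}: assigned to more than one VLAN")
        if " " in name:
            raise ValueError(f"VLAN {vid}: name must be a single token")
        ids.add(vid)
        ports.add(port)


def plan_is_valid(plan):
    """True if validate_plan() accepts the plan, False otherwise."""
    try:
        validate_plan(plan)
        return True
    except ValueError:
        return False


def router_config(router_if, plan):
    """Physical interface drained, then one dot1Q subinterface per VLAN.
    The subinterface number is made equal to the VLAN tag so that the
    interface list stays readable."""
    lines = [f"interface {router_if}",
             " no ip address", " no ip mroute-cache", " duplex full"]
    for vid, name, ip, mask, _port in plan:
        lines += [f"interface {router_if}.{vid}",
                  f" description {name}",
                  f" encapsulation dot1Q {vid}",
                  f" ip address {ip} {mask}",
                  " no snmp trap link-status",
                  " no cdp enable"]
    return lines


def switch_config(trunk_if, plan):
    """Trunk port towards the router, one access port per VLAN, VLAN database."""
    lines = [f"interface {trunk_if}",
             " description trunk-to-router", " duplex full", " speed 100",
             " switchport trunk encapsulation dot1q", " switchport mode trunk"]
    for vid, name, _ip, _mask, port in plan:
        lines += [f"interface {port}",
                  f" description {name}",
                  f" switchport access vlan {vid}",
                  " no cdp enable"]
    lines.append("vlan database")
    lines += [f" vlan {vid} name {name} state active" for vid, name, *_ in plan]
    return lines


def build(router_if, trunk_if, plan):
    """Validate the plan and return both configurations as lists of lines."""
    validate_plan(plan)
    return {"router": router_config(router_if, plan),
            "switch": switch_config(trunk_if, plan)}


if __name__ == "__main__":
    for device, lines in build("FastEthernet0/0", "FastEthernet0/1", SAMPLE_PLAN).items():
        print(f"! --- {device} ---")
        print("\n".join(lines))
```

Run it as a script to print both configurations; `build()` raises before printing anything if the plan contains VLAN 1 or reuses an id or a port, which is the check worth having before the trunk goes live.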
Created: 26.05.2006 12:00
Last change: 16.06.2006 12:40



rate-limit {input | output} rate burst-normal burst-max conform-action conform-action exceed-action exceed-action

rate: average rate, in bits per second (bps). The value must be in increments of 8 kbps.
burst-normal: normal burst size, in bytes. The minimum value is rate divided by 2000;
  calculate: rate*(1/8) bytes*1.5
burst-max: excess burst size, in bytes;
  calculate: burst-normal*2
Example:

rate-limit input 64000 11520 23040 conform-action transmit exceed-action drop
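The two burst values follow mechanically from the rate, and the rate itself has to be a multiple of 8 kbps, so the arithmetic is worth putting into a small helper. The following Python is an added example, not code from the original page: `car_bursts()` applies the formula above, and `rate_limit_line()` emits the command (with the optional `access-group` form used further down) after checking the rate step, the minimum burst and that burst-max is not below burst-normal. Note that applying the formula to the 64000 bps of the example gives 12000 / 24000 bytes; the values 11520 / 23040 in the example line are what the formula yields for 61440 bps (60 × 1024), which is not itself a multiple of 8000 bps, so the helper would refuse that rate.

```python
"""CAR parameter helper for the rate-limit formula above.
Added example, not from the original page; the rates used are constructed."""

RATE_STEP = 8000        # rate must be a positive multiple of 8 kbps (taken as 8000 bps)
CONFORM, EXCEED = "transmit", "drop"   # actions as used in the example above


def is_valid_rate(rate_bps):
    """True if the rate is a positive multiple of RATE_STEP."""
    return rate_bps > 0 and rate_bps % RATE_STEP == 0


def car_bursts(rate_bps):
    """burst-normal = rate/8 bytes * 1.5 (1.5 seconds of traffic),
    burst-max = 2 * burst-normal.  Returns (burst_normal, burst_max)."""
    if not is_valid_rate(rate_bps):
        raise ValueError(f"rate {rate_bps} bps is not a positive multiple of {RATE_STEP} bps")
    burst_normal = int(rate_bps / 8 * 1.5)
    return burst_normal, burst_normal * 2


def rate_limit_line(direction, rate_bps, burst_normal=None, burst_max=None, access_group=None):
    """Return the rate-limit command line.  Bursts default to car_bursts();
    explicitly given bursts are checked against the minimum (rate/2000 bytes)
    and against each other.  access_group selects the 'access-group N' form."""
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")
    if burst_normal is None:
        burst_normal, _ = car_bursts(rate_bps)
    elif not is_valid_rate(rate_bps):
        raise ValueError(f"rate {rate_bps} bps is not a positive multiple of {RATE_STEP} bps")
    if burst_max is None:
        burst_max = burst_normal * 2
    minimum = rate_bps // 2000
    if burst_normal < minimum:
        raise ValueError(f"burst-normal {burst_normal} is below the minimum of {minimum} bytes")
    if burst_max < burst_normal:
        raise ValueError("burst-max must not be smaller than burst-normal")
    acl = f"access-group {access_group} " if access_group is not None else ""
    return (f"rate-limit {direction} {acl}{rate_bps} {burst_normal} {burst_max} "
            f"conform-action {CONFORM} exceed-action {EXCEED}")


if __name__ == "__main__":
    print(rate_limit_line("input", 64000))
    print(rate_limit_line("input", 32000, 8000, 10000, access_group=112))
```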
Created: 13.06.2006 11:54
Last change: 16.06.2006 12:40


limit the speed of a www-server

access-list (matches the traffic from the HTTP server's port 80 to anyone):
(config)# access-list 112 permit tcp host IP-of-HTTP-Server eq www any
rate-limit (on the interface where the server's traffic comes in):
(config-if)# rate-limit input access-group 112 32000 8000 10000 conform-action transmit exceed-action drop
Created: 26.06.2006 19:19
Last change: 26.06.2006 19:19


Limit services reachable from outside:


(config)#no access-list 111
(config)#access-list 111 permit tcp any host IP established
(config)#access-list 111 permit tcp any host IP eq www
(config)#access-list 111 permit tcp any host IP eq 22
(config)#access-list 111 permit icmp any host IP 
(config)#access-list 111 deny ip any host IP

(config-subif)#ip access-group 111 out
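What a numbered ACL actually permits is decided by first match, top to bottom, with an implicit deny of everything at the end, and the `established` entry is a stateless check on TCP flags, not a connection table. The following Python is an added example, not code from the original page or from Cisco: a small parser for the ACL syntax used on this page ('any', 'host A.B.C.D', an optional 'eq PORT' after either address, 'established'; no wildcard masks) and a first-match evaluator, run over constructed sample packets against the list above (the host address 192.0.2.10 and the source 198.51.100.7 are stand-ins, not values from the page).

```python
"""First-match evaluator for the style of numbered ACL used above, to see what
the list really lets through before binding it with 'ip access-group'.
Added example, not from the original page; host address, source address and
sample packets are constructed.  Wildcard masks are not supported."""
import re
from dataclasses import dataclass
from typing import Optional

HOST = "192.0.2.10"      # constructed stand-in for the page's "IP"
PORT_NAMES = {"www": 80, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}

ACL_111 = f"""
(config)#no access-list 111
(config)#access-list 111 permit tcp any host {HOST} established
(config)#access-list 111 permit tcp any host {HOST} eq www
(config)#access-list 111 permit tcp any host {HOST} eq 22
(config)#access-list 111 permit icmp any host {HOST}
(config)#access-list 111 deny ip any host {HOST}
"""


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN"})


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # "any" or a host address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p):
        # 'established' is stateless: it only checks for ACK or RST in the TCP header
        est_ok = not self.established or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and est_ok)


def _address(tok, i):
    """Parse 'any' or 'host A.B.C.D', plus an optional 'eq PORT' right after it."""
    if tok[i] == "any":
        addr, i = "any", i + 1
    elif tok[i] == "host":
        addr, i = tok[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address syntax at {tok[i]!r}")
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return addr, port, i


def parse_acl(text):
    """Return the entries in order; prompts and the 'no access-list' line are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = re.sub(r"^\(config[^)]*\)#\s*", "", line).split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        src, sport, i = _address(tok, 4)
        dst, dport, i = _address(tok, i)
        established = tok[i:] == ["established"]
        if tok[i:] and not established:
            raise ValueError(f"unsupported trailing tokens {tok[i:]}")
        aces.append(Ace(action, proto, src, dst, sport, dport, established))
    return aces


def evaluate(aces, packet):
    """First matching entry wins; index None means the implicit deny at the end."""
    for idx, ace in enumerate(aces):
        if ace.matches(packet):
            return ace.action, idx
    return "deny", None


OUTSIDE = "198.51.100.7"    # constructed source address
SAMPLES = {
    "syn to 80": Packet("tcp", OUTSIDE, HOST, 40001, 80, frozenset({"SYN"})),
    "syn to 443": Packet("tcp", OUTSIDE, HOST, 40002, 443, frozenset({"SYN"})),
    "ack to 443": Packet("tcp", OUTSIDE, HOST, 40003, 443, frozenset({"ACK"})),
    "udp to 53": Packet("udp", OUTSIDE, HOST, 40004, 53),
    "ping": Packet("icmp", OUTSIDE, HOST),
    "syn to another host": Packet("tcp", OUTSIDE, "192.0.2.11", 40005, 80, frozenset({"SYN"})),
}


def report(text=ACL_111, samples=SAMPLES):
    """Map each sample name to (action, matching entry index)."""
    aces = parse_acl(text)
    return {name: evaluate(aces, p) for name, p in samples.items()}
```

`report()` shows the two things worth knowing before applying the list with `ip access-group 111 out`: a lone ACK segment to port 443 is permitted by the `established` entry even though no connection exists (the keyword only inspects flags), and traffic to any other host behind that subinterface falls off the end of the list into the implicit deny, because the only explicit `deny` is for the one host.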
Created: 26.06.2006 19:44
Last change: 26.06.2006 20:08


explaining the output of 'debug ppp negotiation':
O: sent by this device
I: sent by the ISP (the other device)
LCP / PPP negotiation
CONFREQ: a configure-request
CONFACK: configure-acknowledge
CONFREJ: reject! (options in the CONFREQ are not recognized)
CONFNAK: PPP configuration error! (values in the CONFREQ are not acceptable)
Look at the line following the CONFNAK or CONFREJ!
The only place where you can configure PPP stuff is the dialer interface. Type
show running-config interface dialer N
to view the config.
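In a long debug session the CONFNAK / CONFREJ packets and the option lines right after them are what matter, so it helps to pull just those out. The following Python is an added example, not code from the original page or from Cisco: it pairs each packet line with the indented option lines that follow it, reports the direction using the O/I meaning given above, and lists only the CONFNAK/CONFREJ packets together with their options. The sample input is constructed in the general shape of IOS `debug ppp negotiation` output (timestamp, interface, protocol, direction, code, state, id) and is not a real capture; the regular expressions are assumptions about that shape and may need adjusting for other IOS versions.

```python
"""Pick the CONFNAK / CONFREJ packets out of 'debug ppp negotiation' output and
show the option lines that follow them, which is where the rejected or
unacceptable values are listed.  Added example, not from the original page;
SAMPLE is constructed in the shape of IOS debug output, not a real capture, and
the regular expressions are assumptions about that shape."""
import re

# "<iface> <proto>: <I|O> <CODE> [<state>] id <n> len <n>"  (timestamp before it is ignored)
PKT = re.compile(r"(\S+) (LCP|IPCP|IP6CP|CDPCP|CCP|CHAP|PAP): ([IO]) ([A-Z]+)(?: \[(\w+)\])?(?: id (\d+))?")
# option lines are indented after "<iface> <proto>:"
OPT = re.compile(r"(\S+) (LCP|IPCP|IP6CP|CDPCP|CCP|CHAP|PAP):\s{2,}(\S.*)")

DIRECTION = {"O": "sent by this device", "I": "received from the peer"}
MEANING = {
    "CONFREQ": "configure-request",
    "CONFACK": "configure-ack, options accepted",
    "CONFREJ": "configure-reject: options not recognized, see the lines after it",
    "CONFNAK": "configure-nak: option values not acceptable, see the lines after it",
}
PROBLEM_CODES = ("CONFNAK", "CONFREJ")

SAMPLE = """\
*Jul  8 15:20:01.123: Vi1 LCP: O CONFREQ [Closed] id 1 len 14
*Jul  8 15:20:01.123: Vi1 LCP:    MRU 1488 (0x010405D0)
*Jul  8 15:20:01.123: Vi1 LCP:    MagicNumber 0x1A2B3C4D (0x05061A2B3C4D)
*Jul  8 15:20:01.127: Vi1 LCP: I CONFREQ [REQsent] id 3 len 19
*Jul  8 15:20:01.127: Vi1 LCP:    MRU 1492 (0x010405D4)
*Jul  8 15:20:01.127: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
*Jul  8 15:20:01.127: Vi1 LCP:    MagicNumber 0x99887766 (0x050699887766)
*Jul  8 15:20:01.127: Vi1 LCP: O CONFACK [REQsent] id 3 len 19
*Jul  8 15:20:01.131: Vi1 LCP: I CONFNAK [ACKsent] id 1 len 8
*Jul  8 15:20:01.131: Vi1 LCP:    MRU 1480 (0x010405C8)
*Jul  8 15:20:01.131: Vi1 LCP: O CONFREQ [ACKsent] id 2 len 14
*Jul  8 15:20:01.131: Vi1 LCP:    MRU 1480 (0x010405C8)
*Jul  8 15:20:01.131: Vi1 LCP:    MagicNumber 0x1A2B3C4D (0x05061A2B3C4D)
*Jul  8 15:20:01.135: Vi1 LCP: I CONFACK [ACKsent] id 2 len 14
*Jul  8 15:20:02.001: Vi1 IPCP: O CONFREQ [Closed] id 1 len 22
*Jul  8 15:20:02.001: Vi1 IPCP:    Address 0.0.0.0 (0x030600000000)
*Jul  8 15:20:02.001: Vi1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
*Jul  8 15:20:02.001: Vi1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
*Jul  8 15:20:02.005: Vi1 IPCP: I CONFREJ [REQsent] id 1 len 16
*Jul  8 15:20:02.005: Vi1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
*Jul  8 15:20:02.005: Vi1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
"""


def parse(lines):
    """Group each packet line with the option lines that follow it."""
    packets = []
    for n, line in enumerate(lines, 1):
        m = PKT.search(line)
        if m:
            iface, proto, d, code, state, pid = m.groups()
            packets.append({"line": n, "iface": iface, "proto": proto,
                            "direction": DIRECTION[d], "code": code, "state": state,
                            "id": int(pid) if pid else None, "options": []})
            continue
        m = OPT.search(line)
        if m and packets and packets[-1]["proto"] == m.group(2):
            packets[-1]["options"].append(m.group(3).strip())
    return packets


def problems(lines):
    """Only the CONFNAK / CONFREJ packets, each with the option lines to look at."""
    return [p for p in parse(lines) if p["code"] in PROBLEM_CODES]


def explain(p):
    """One human-readable line per packet dict, e.g. for printing a summary."""
    return (f"line {p['line']}: {p['proto']} {p['code']} {p['direction']} "
            f"({MEANING.get(p['code'], '?')}): " + "; ".join(p["options"]))


if __name__ == "__main__":
    for p in problems(SAMPLE.splitlines()):
        print(explain(p))
```

Feed it the captured debug text line by line (`problems(open(path).read().splitlines())`); in the constructed sample it reports the peer NAKing the MRU down to 1480 and rejecting the DNS options in IPCP, which is exactly the pair of lines the note above tells you to look at.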
Created: 08.07.2006 15:25
Last change: 19.07.2006 13:59


Took me a long time to find this out (strange phenomena: auth error, disconnect after successful auth, ...):
mtu 1488 fixes the problem

#sh run in di 0
!
interface Dialer0
 description arcor
 mtu 1488
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 load-interval 120
 dialer pool 10
 dialer idle-timeout 1200
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xyzuser
 ppp chap password 0 xyzpass
end 
Created: 08.07.2006 19:36
Last change: 08.07.2006 19:36


see: example from Cisco
Example:
  • 1-minute delay at boot-up
  • a 10-second delay for redialing
  • a maximum of five tries

!
interface dialer 1
  ip address negotiated
  encapsulation ppp
  dialer pool 1
  dialer remote-name remote1
  dialer idle-timeout 0 either
  dialer string 7135550199
  dialer persistent delay initial 60
  dialer persistent delay 10
  dialer persistent max-attempts 5
  ppp authentication chap
  ppp chap hostname DDR
  ppp chap password mysecret
Created: 28.09.2006 19:31
Last change: 28.09.2006 19:31