Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1388
Views
7
Helpful
3
Replies

Error when trying to apply a policer policy through vmanage

Go to solution
Tim_J_RC
Level 1
Level 1

‎08-03-2020 11:58 AM

I am trying to apply an ingress policer policy on one of my vEdge interface, when try pushing the configurations from vManage, I get the following


com.tailf.maapi.MaapiException: illegal reference /ncs:devices/device{vedge-11OG641180001}/config/vpn/vpn-instance{101}/interface{ge0/0.48}/policer{POLICY-LOCAL-VHUB-NYC in}/policer-name

 

I am trying to apply this ACL/Policy

 

access-list POLICY-ACL-VHUB-NYC
sequence 1
match
source-data-prefix-list LIST-VM251-NYC
destination-data-prefix-list LIST-VM251-ANP
!
action accept
policer POLICY-POLICE-10M
!
!
default-action accept

 

 

I am using vManage 19.2.2

 

Thanks,

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Tim_J_RC
Level 1
Level 1
In response to brselzer

‎08-03-2020 01:08 PM

Thanks Bradley.   I did have my localized policy applied properly.   What I didn't realize is that when using the ingress policer option in vmanage, I can only apply a standard policer policy, not what I was trying to do.   I'm used to nested policies in routers, and i was trying to apply the ACL  with a policer applied to a sequence as a the ingress policing entry.   I read a little more, and saw that when I police specific flows, it needs to be done on an ACL entry and applied as an ingress ACL, not a ingress police policy.

 

Tim

 

View solution in original post

3 Replies 3

Go to solution
brselzer
Cisco Employee
Cisco Employee

‎08-03-2020 12:52 PM

Hello Tim,

 

When you configure a local policy, it has to be in the policy you attached to the device or it won't know how to reference it. 

 

If you go to your device template, there is a field for policy. See attachment "device_template_policy.jpg"

 

You must make sure your policer is under that policy. You can check by going to config->policies->Localized Policy and clicking on the policy that you attached to the template.

 

Make sure the policer you are trying to configure is listed under the "Access Control Lists" section of that local policy.

 

The way it works is you create a local policy profile then attach it to the device template. This downloads all the ACLs and other objects. From everywhere else in your template it references that policy. If it is missing from the policy, it will not have a reference for it and you will get the error you see. 

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
Preview file
18 KB

Go to solution
Tim_J_RC
Level 1
Level 1
In response to brselzer

‎08-03-2020 01:08 PM

Thanks Bradley.   I did have my localized policy applied properly.   What I didn't realize is that when using the ingress policer option in vmanage, I can only apply a standard policer policy, not what I was trying to do.   I'm used to nested policies in routers, and i was trying to apply the ACL  with a policer applied to a sequence as a the ingress policing entry.   I read a little more, and saw that when I police specific flows, it needs to be done on an ACL entry and applied as an ingress ACL, not a ingress police policy.

 

Tim

 

Go to solution
pgasparovic
Level 1
Level 1

‎07-25-2023 09:36 AM

Very useful,

now I was crazy about my vSmart CLI policy being edited, I updated freely my policy name, but forgot to do so under "apply-policy" section tool...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents