cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Choose one of the topics below for SD-WAN Resources to help you on your journey with SD-WAN

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.

266
Views
5
Helpful
2
Replies
Highlighted
Beginner

Error when trying to apply a policer policy through vmanage

I am trying to apply an ingress policer policy on one of my vEdge interface, when try pushing the configurations from vManage, I get the following


com.tailf.maapi.MaapiException: illegal reference /ncs:devices/device{vedge-11OG641180001}/config/vpn/vpn-instance{101}/interface{ge0/0.48}/policer{POLICY-LOCAL-VHUB-NYC in}/policer-name

 

I am trying to apply this ACL/Policy

 

access-list POLICY-ACL-VHUB-NYC
sequence 1
match
source-data-prefix-list LIST-VM251-NYC
destination-data-prefix-list LIST-VM251-ANP
!
action accept
policer POLICY-POLICE-10M
!
!
default-action accept

 

 

I am using vManage 19.2.2

 

Thanks,

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Thanks Bradley.   I did have my localized policy applied properly.   What I didn't realize is that when using the ingress policer option in vmanage, I can only apply a standard policer policy, not what I was trying to do.   I'm used to nested policies in routers, and i was trying to apply the ACL  with a policer applied to a sequence as a the ingress policing entry.   I read a little more, and saw that when I police specific flows, it needs to be done on an ACL entry and applied as an ingress ACL, not a ingress police policy.

 

Tim

 

View solution in original post

2 REPLIES 2
Highlighted
Cisco Employee

Hello Tim,

 

When you configure a local policy, it has to be in the policy you attached to the device or it won't know how to reference it. 

 

If you go to your device template, there is a field for policy. See attachment "device_template_policy.jpg"

 

You must make sure your policer is under that policy. You can check by going to config->policies->Localized Policy and clicking on the policy that you attached to the template.

 

Make sure the policer you are trying to configure is listed under the "Access Control Lists" section of that local policy.

 

The way it works is you create a local policy profile then attach it to the device template. This downloads all the ACLs and other objects. From everywhere else in your template it references that policy. If it is missing from the policy, it will not have a reference for it and you will get the error you see. 

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
Highlighted

Thanks Bradley.   I did have my localized policy applied properly.   What I didn't realize is that when using the ingress policer option in vmanage, I can only apply a standard policer policy, not what I was trying to do.   I'm used to nested policies in routers, and i was trying to apply the ACL  with a policer applied to a sequence as a the ingress policing entry.   I read a little more, and saw that when I police specific flows, it needs to be done on an ACL entry and applied as an ingress ACL, not a ingress police policy.

 

Tim

 

View solution in original post