Posts

Showing posts from 2015

BGP Outbound Route Filtering (ORF)

R1 advertises the following networks to R2:

R2#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      100.100.12.1             0             0 100 i
*> 192.168.2.0      100.100.12.1             0             0 100 i
*> 192.168.3.0      100.100.12.1             0             0 100 i
R2#

Then we add a prefix-list to deny the 192.168.2.0 network:

R2(config)#do sh run | s prefix-list
ip prefix-list FROM-R1 seq 5 deny 192.168.2.0/24
ip prefix-list FROM-R1 seq 10 permit 0.0.0.0/0 le 32
R2(config)#do sh run | s bgp
router bgp 200
 bgp log-neighbor-changes
 neighbor 100.100.12.1 remote-as 100
 neighbor 100.100.12.1 prefix-list FROM-R1 in
R2(config)#

Then we can see that 192.168.2.0/24 is no longer in the BGP table:

R2#clear ip bgp 100.100.12.1 in
R2#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      100.100.12.1             0             0 100 i
*> 192.168.3.0      100.100.1

BGP Commands

show ip as-path-access-list [ filter-list ]
show ip bgp filter-list access-list-number
show ip bgp regexp expression
show ip bgp prefix-list []
show ip bgp community []
sh ip bgp community-list []

Juniper ISG/SSG VPN troubleshoot

Problem example:

Message: IKE Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.

Enter the command get sa, and note the gateway IP address in question:

ns-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 1.1.1.1 500 esp: des/md5 00000000 expir unlim I/I 1 0
00000001> 1.1.1.1 500 esp: des/md5 00000000 expir unlim I/I 2 0

Set an SA filter (not a flow filter) for the gateway IP address, so that only debugs related to that VPN gateway are captured:

ns5400-> set sa-fil 1.1.1.1
< 1.1.1.1 > is added to the SA IP filters

Begin the debug:

ns-> undebug all         (to turn off any debugs currently enabled)
ns-> set db size 4096     (to increase debug buffer)
ns-> clear db            (to clear debug buffer)
ns-> debug ike detail
ns-> debug pki all          (if using certificates)

[attempt to bring VPN up, or if rekey is enabled wait for VPN to reconnect.  The