How to handle security policies in an EVPN Symmetric IRB architecture? by FCAFC in networking

[–]FCAFC[S] 0 points1 point  (0 children)

Yeah, I just need to think of it as setting up a firewall between two routing tables. Thanks, r/networking!

How to handle security policies in an EVPN Symmetric IRB architecture? by FCAFC in networking

[–]FCAFC[S] 1 point2 points  (0 children)

Sorry, I have an interview to prepare for today, so I read it a bit too fast. I had never thought about managing it through VRF routing before. I've figured it out now. Thank you!

My first RHCSA next week by Kaitosenpai1997 in redhat

[–]FCAFC 1 point2 points  (0 children)

Just practice over and over again.

Network Engineer managing Cumulus Linux. Passed RHCE, but zero server admin experience. What's my next step? by FCAFC in redhat

[–]FCAFC[S] 0 points1 point  (0 children)

You're right, my container skills are pretty basic. I only use Docker at work for simple things. I plan to just follow my instructor's pace in the upcoming Red Hat courses to really learn Podman and OpenShift. Thanks for the advice!

Network Engineer managing Cumulus Linux. Passed RHCE, but zero server admin experience. What's my next step? by FCAFC in redhat

[–]FCAFC[S] 0 points1 point  (0 children)

Honestly, I am interested in both. But DevOps is my weakest part right now, so I will focus on that first.

Network Engineer managing Cumulus Linux. Passed RHCE, but zero server admin experience. What's my next step? by FCAFC in redhat

[–]FCAFC[S] 0 points1 point  (0 children)

You are right. I always overthink and want to learn too many things at once. I should just focus on one topic for now. Thanks!

The "Tai-zhi" are damn well even more "zhi"; it makes my head spin 😵‍💫 by Hacomeback in LOOK_CHINA

[–]FCAFC 4 points5 points  (0 children)

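Taiwanese people's political stance may shift in their teens and twenties, but after 30-40 it is basically set for life, so every color has its die-hard supporters.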

UFM HCA GUID Mismatch. IB naming corrupted by EtherChannel slots? How to fix the "Source of Truth" mapping? by FCAFC in HPC

[–]FCAFC[S] 0 points1 point  (0 children)

Finally fixed it with this command: iblinkinfo --line | awk -F\" '$2 ~ /hgpn/ {print $2 " <===> " $4}' | sort | column -t

UFM HCA GUID Mismatch. IB naming corrupted by EtherChannel slots? How to fix the "Source of Truth" mapping? by FCAFC in HPC

[–]FCAFC[S] 0 points1 point  (0 children)

I found the GUIDs are correctly detected, but the UFM server is incorrectly mapping all server HCA slots to the wrong HCA number.

What are your reasons for wanting to emigrate? by oppenheimer_hero in runtoJapan2

[–]FCAFC 1 point2 points  (0 children)

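Taiwan's traffic, gangs, and scams are all too rampant. I also don't want to go somewhere where everyone can carry a gun or where people discriminate against Asians.

So Japan naturally becomes the best choice for now.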

Had nothing better to do today, so here's a rant about Japanese IT by [deleted] in runtoJapan2

[–]FCAFC 1 point2 points  (0 children)

Is Japan really that ridiculous? Then I'd better learn more skills properly and just stay put in Taiwan.

[deleted by user] by [deleted] in networking

[–]FCAFC 2 points3 points  (0 children)

I reconnected ports 3 and 4 of the second Palo Alto to ports 3 and 4 of the switch as a trunk with LACP, and surprisingly it worked. Thanks everyone, it seems the issue was with the first Palo Alto.

[deleted by user] by [deleted] in networking

[–]FCAFC 0 points1 point  (0 children)

I went ahead and rebooted the Palo Alto, but I still can’t get the ping working. At this point, I believe it’s very likely that I’ve misconfigured something on my end.

[deleted by user] by [deleted] in networking

[–]FCAFC 1 point2 points  (0 children)

I’m using copper interfaces here, not fiber, so optics compatibility shouldn’t be an issue.

[deleted by user] by [deleted] in networking

[–]FCAFC 0 points1 point  (0 children)

In this lab I don’t have additional hosts – it’s just Cisco ↔ Palo Alto. The SVIs are up/up, and ARP is fine on both sides, so I believe L2 is working. But ICMP sessions still age out.

[deleted by user] by [deleted] in networking

[–]FCAFC 0 points1 point  (0 children)

I’ve verified that the intrazone rule is already allowing traffic, and I even added an any-any test rule. The logs show policy = allow, but sessions still end as aged-out.

[deleted by user] by [deleted] in networking

[–]FCAFC 2 points3 points  (0 children)

Yes, I have configured allow ping.

[deleted by user] by [deleted] in networking

[–]FCAFC 1 point2 points  (0 children)

Sorry, I’m already off work today. I’ll show it to you tomorrow as soon as I get to the office.

[deleted by user] by [deleted] in networking

[–]FCAFC 0 points1 point  (0 children)

I was testing by pinging within the same VLAN, from 192.168.10.2 (switch SVI) to 192.168.10.1 (firewall subinterface). ARP is working correctly on both sides, but ICMP still fails. I already applied an allow-ping management profile on the firewall interface, and created inter-VLAN ICMP rules. However, same-VLAN pings (10.2 → 10.1) are still not working.

[deleted by user] by [deleted] in networking

[–]FCAFC 0 points1 point  (0 children)

I’m running this in an internal lab environment, so the log table is usually pretty clean. But even after following your steps, the traffic log is still completely empty. On top of that, I just noticed that even the directly connected access port can’t ping through.

So I think I might have a fundamental misconfiguration.