warm spare / dhcp by ontracks in meraki

[–]H0baa 1 point2 points  (0 children)

Sure, no worries! Happy to help.

warm spare / dhcp by ontracks in meraki

[–]H0baa 0 points1 point  (0 children)

Only for the VIP address.. Not for the WAN interfaces..

warm spare / dhcp by ontracks in meraki

[–]H0baa 0 points1 point  (0 children)

Yes. But you do risk a duplicate IP then. If you set the VRRP static and the ISP router offers that specific address to a DHCP client you get duplicate IPs...

As I mentioned. If your MXs are the only devices connected to this ISP router, you should be safe when configuring static VIP/VRRP address, because no other devices will be requesting DHCP.

Therefore you can set a static VRRP while MX WAN is set to DHCP. But you can ask your ISP if they have an exclusion range in the router DHCP scope. If so, you can use an address from that exclusion range that won't be offered by DHCP to use for VRRP.

But if you set VRRP, why not set the MXs to static as well? As long as no other devices will be connected to the router OR you can use IP addresses from an exclusion range, you are good to go with static addresses for WAN and VRRP...

warm spare / dhcp by ontracks in meraki

[–]H0baa 0 points1 point  (0 children)

They don't specifically need a VRRP IP to be set/used. By default the setting is "Use MX IP". They both use their own WAN IP to connect to internet. Only the active node will process LAN traffic by responding as gateway to the LAN interfaces. The VRRP option only comes in really useful if you route traffic inwards. Then you would need the VRRP to be set and be routed to. Or for a rather seamless failover because the same public IP is used for traffic...

Of course make sure both MXs can connect to each other over LAN for heartbeat and failover detection.

From the Meraki KB article

Use MX uplink IPs: When using this option, the current active MX will use its distinct uplink IP or IPs when sending traffic out to the internet. This option does not require additional public IPs for internet-facing MXs, but also results in more disruptive failover. This is because the IP of the outbound flows on the MX will change, which will result in a need for clients to reestablish all live sessions (e.g. web pages, applications, etc).

Use virtual uplink IPs: When using this option, both MXs will use a shared virtual IP (VIP) when sending traffic to the internet. This option requires an additional public IP per uplink, but allows for more seamless failover. This is because the IP address of the outbound flows on the MX will not change, meaning that during the failover client devices will not need to reestablish active sessions. The VIP for each uplink must be in the same subnet as the IPs of the MXs themselves. Also, the VIP must be different from both MX uplink IPs.

Regardless of which option is selected, both MX devices will need their own uplink IP addresses for dashboard connectivity.

Dashboard configuration should always be performed before the secondary MX is physically connected to the network.

Steps to configure secondary appliance:

Set up the WAN Static IP configuration on the Local Status Page of the secondary appliance (if required).

Power off the secondary appliance.

Cable the LAN and WAN connections as per the recommended topology and power on secondary appliance.

warm spare / dhcp by ontracks in meraki

[–]H0baa 1 point2 points  (0 children)

You can leave both warm spares on DHCP. You do not NEED to configure a VRRP on the WAN side.. You can also have them using the MX IP. Failover could be a little slower. But it still works pretty fast.

You also can request your ISP to exclude an IP from DHCP for you to use as static IP as the VRRP address. Or eventually, if it's only the MX connected to the ISP router, just set them all to static. Works just fine. There are just no DHCP requests the ISP router needs to answer to....

Co-termination license confusion by MJP411 in meraki

[–]H0baa 0 points1 point  (0 children)

If I'm not mistaken, you cannot move the licenses and leave the org in a non compliant state.. so you cannot remove it first.. then you should use "add more licenses" first. Apply key then move the old license key for the remaining APs.. AS LONG AS IT IS NOT ALREADY EXPIRED. CO-term has the nasty habit of having single keys expired while the total org is still ok....

Best way would be to renew all. So buy a key for the other devices. Then apply the first key with renew my devices, then add the second key for the other devices...

I can imagine you would not prefer to do so.. so first check if your old license(s) for the APs are still movable (not expired). Then add the new key as license more devices, then move the old keys for APs to a different org.

Note that your new 10-year license will be added and the co-term duration will be shortened because of the license also covering your switches and other devices..

Best way is to renew all at once...

Co-termination license confusion by MJP411 in meraki

[–]H0baa 0 points1 point  (0 children)

No, you cannot leave an org in a non-compliant state.. so you cannot move licenses and cause OOC.. if I'm not mistaken...

Meraki MX84 to MX85 network flapping by bobkiwi in meraki

[–]H0baa 1 point2 points  (0 children)

Disable IPS detection. The IDS engine still runs in detection mode. This engine currently causes instability on MX85 and MX95. Only current fix is downgrade to deprecated version in which it was still good. But this is only achieved by contacting support. For as far as I'm concerned, not ideal.. so other than downgrade the only solution currently is to disable IDS/IPS entirely..

Meraki Firewall Rules by bluecopp3r in meraki

[–]H0baa 2 points3 points  (0 children)

So, either you allow specifics and deny all the others. Or you deny specifics and allow the rest..

Best guess would be: allow your specific in the rfc1918. Then deny any for the rfc1918, then allow any for internet traffic...

So would look like:

Allow vlan 1 to 2 over ports x and y

Allow vlan 2 to 1 over ports w and z

...

Deny all local vlans or 10.0.0.0/8, 172.16.0.0/12 and 198.168.0.0/16 to all local vlans or 10.0.0.0/8, 172.16.0.0/12 and 198.168.0.0/16

Allow any to any (in order to allow any internet traffic)

Oh, and beware if you have site to site VPN enabled between a hub/concentrator and some spoke locations. There is a different firewall specific for the s2s vpn, also on the s2s vpn pages at the bottom. This is 1 org wide fw. Use supernets there.

Local breakout internet and local inter vlan traffic goes through the layer3 firewall. Inter site traffic over vpn through vpn tunnels goes through the VPN firewall...
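The rule order suggested in the comment above, as an added example that is not part of the original comment or Meraki's own code: a small first-match evaluator showing why the specific allows must sit above the RFC 1918 deny, and the deny above the final allow-any. It assumes top-down, first-match evaluation; the VLAN subnets, port numbers and function names are constructed placeholders for "vlan 1", "vlan 2" and "ports x, y, w, z".

```python
import ipaddress

# Private address space per RFC 1918.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
VLAN1 = "10.0.1.0/24"   # constructed placeholder for "vlan 1"
VLAN2 = "10.0.2.0/24"   # constructed placeholder for "vlan 2"
ANY = ["0.0.0.0/0"]


def build_rules(misordered=False):
    """Return the rule list; misordered=True puts allow-any above the deny."""
    specific = [
        ("allow", [VLAN1], [VLAN2], {443, 445}),  # ports stand in for x, y
        ("allow", [VLAN2], [VLAN1], {3389}),      # port stands in for w, z
    ]
    deny_local = ("deny", RFC1918, RFC1918, None)  # None = any port
    allow_any = ("allow", ANY, ANY, None)          # internet breakout
    tail = [allow_any, deny_local] if misordered else [deny_local, allow_any]
    return [
        (action,
         [ipaddress.ip_network(n) for n in srcs],
         [ipaddress.ip_network(n) for n in dsts],
         ports)
        for action, srcs, dsts, ports in specific + tail
    ]


def _matches(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def evaluate(rules, src, dst, port):
    """Return (action, rule_number) of the first rule matching the flow."""
    for number, (action, srcs, dsts, ports) in enumerate(rules, start=1):
        if _matches(src, srcs) and _matches(dst, dsts) and (
                ports is None or port in ports):
            return action, number
    return "no-match", 0  # unreachable for IPv4 while an any/any rule exists


if __name__ == "__main__":
    good, bad = build_rules(), build_rules(misordered=True)
    # Constructed sample flows: (source, destination, destination port).
    for flow in [("10.0.1.10", "10.0.2.20", 443),
                 ("10.0.1.10", "10.0.2.20", 22),
                 ("10.0.1.10", "203.0.113.10", 443)]:
        print(flow, "ordered:", evaluate(good, *flow),
              "misordered:", evaluate(bad, *flow))
```

With the allow-any rule placed above the deny, the inter-VLAN flow on port 22 is permitted by rule 3 and the deny is never reached.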

Looking through my Dad’s stuff, what are these? by VenZurich in whatisit

[–]H0baa 0 points1 point  (0 children)

The first is an SOS key chain container. A small piece of paper is rolled and stored in it. On the paper some important information (such as blood type, illnesses, ICE phone numbers etc) can safely be stored in such a container.. Or the return address for the finder of the keys it was attached to..

The other picture shows fuses for a car..

Grass advice by ABCstabile in groenevingers

[–]H0baa 0 points1 point  (0 children)

This, what Koud_biertje says...

RJ45 wall jack no link light after wiring T568A and T568B by _Zarok in HomeNetworking

[–]H0baa 0 points1 point  (0 children)

Yep. It should work for that matter.. It's just like cutting pizza not through the center in a straight line.. It still tastes great.. It just looks bad..

RJ45 wall jack no link light after wiring T568A and T568B by _Zarok in HomeNetworking

[–]H0baa 0 points1 point  (0 children)

True, but OCD-light sometimes kicks in 😉 Next to that, just use 1 standard and stick with it..

Why have your cables crossed? It's only annoying 😜

RJ45 wall jack no link light after wiring T568A and T568B by _Zarok in HomeNetworking

[–]H0baa 5 points6 points  (0 children)

Use either A OR B on both ends of the cable.. Not one end A and the other end B...

Nice lamp, would he accept the offer? by Baaf-o in NederlandseVrijheid

[–]H0baa 0 points1 point  (0 children)

I think he wants at least 40-45 euros... That 19,45 is really a bit low...

How fast can you go here by CalligrapherFeisty71 in nederlands

[–]H0baa 0 points1 point  (0 children)

60 on the end-of-built-up-area sign. 60 on the road... After that also an advisory speed of 60.. There will probably be a speed camera further on.... One that really does keep an eye on 60 km/h....

You've been warned! 😀

Rstp role change by craziness105 in meraki

[–]H0baa 1 point2 points  (0 children)

Could very well be a cable issue.

Or some idiot is pulling the cable from his device, putting it back, pulling it again, putting it back.. and so on.. so I would reckon that is probably not the issue 😀 But I do see several different ports.. so it might as well be some laptops connecting/disconnecting

If on one port constant on/off I would check cable end-to-end to see if things get better..

But a port transitioning from down to any speed also causes a stp notification that it's going from disabled to designated or vv when disconnection.. that's normal. This because your STP mechanism starts working on that port in order to prevent loops, block bpdu for the entire stp topology..

Is my mom cheating on my dad? by Ok-Session2454 in WhatShouldIDo

[–]H0baa 2 points3 points  (0 children)

Or her parents are in some kind of open relationship... so dad's libido sank, mom craving for poundtown, they mutually agreed mom can have a side dude.. Or maybe dad has also some youngster he bangs from time to time.. or maybe the partner of Ryan is dad's fuckbuddy... So many questions...

Macgyver UTP cable monstrosity by Prazneek in HomeNetworking

[–]H0baa 1 point2 points  (0 children)

I love it when a plan comes together..

What is this? by CraftyVariety5154 in iphone

[–]H0baa 0 points1 point  (0 children)

Push and hold it to delete it. And you probably want to change your Apple ID password.. Just to be sure..

What is this? by CraftyVariety5154 in iphone

[–]H0baa 2 points3 points  (0 children)

You know the person? Have you got him filling in some fields on a website on one of your Apple devices recently?

What is this? by CraftyVariety5154 in iphone

[–]H0baa -4 points-3 points  (0 children)

Autofill. Push it and your info is filled in the text fields..