Best method to capture east-west traffic to security appliance

MW0013
Conversationalist


I'm looking for information on the best method to capture east-west traffic that may even stay within a switch/switch stack. I'm only seeing an option to mirror each port and select a single destination port. We tried this as a test from one switch stack to a dedicated mirror link to an upstream MS425 switch, but the upstream switch suffered and didn't even hand out DHCP anymore. If anyone has done this with a Meraki infrastructure and sent that traffic to a security appliance, please let me know. The security solution should be able to give us great visibility and built-in integrations with our firewalls, so getting this working would be fantastic.

PhilipDAth
Kind of a big deal

>I'm only seeing an option to mirror each port and select a single destination port.


This is the only option. You should mirror out to another port on the same switch plugged directly into the security device you are testing.

MW0013
Conversationalist

So if we have, let's say, 15 switches in the same building, that becomes a bit of a problem, and an expensive one. I'm hearing that mirroring multiple interfaces is too much for a Meraki switch to handle, so I'm not sure of the best way to see the most traffic. I doubt that putting a security appliance on each switch is financially feasible. There must be a way to capture at least a majority of the traffic. We're also looking into taps/aggregators, but I haven't had experience with those personally. In the larger buildings, we might have to just resort to passive taps, but I still need to understand the best way to configure the switches in that case.

PhilipDAth
Kind of a big deal

Unfortunately the design on the security appliance you are looking at is not suitable for a Meraki MS network for what you want to achieve.

MW0013
Conversationalist

That's disappointing. In that case, if anyone has suggestions for the best way to monitor east-west with Meraki to a security platform, please let me know. 

GIdenJoe
Kind of a big deal

These are not SPAN sessions like you have on Catalyst switches, but only temporary mirrors.
I'm not even sure whether the destination port replicates the encapsulation, or whether it keeps it untagged or always tags it depending on the source VLAN.

At the moment you can only use NetFlow data to send to your security collector.


Maybe in the future the MS390 will support encrypted traffic analytics like Catalyst does, and that could be a better way to support your case.
