I'm looking for information on the best method to capture east-west traffic that may even stay within a switch/switch stack. I'm only seeing an option to mirror each port and select a single destination port. We tried this as a test from one switch stack to a dedicated mirror link to an upstream MS425 switch, but the upstream switch suffered and didn't even hand out DHCP anymore. If anyone has done this with a Meraki infrastructure and sent that traffic to a security appliance, please let me know. The security solution should be able to give us great visibility and built-in integrations with our firewalls, so getting this working would be fantastic.
>I'm only seeing an option to mirror each port and select a single destination port.
This is the only option. You should mirror out to another port on the same switch plugged directly into the security device you are testing.
So if we have, let's say, 15 switches in the same building, that becomes a bit of a problem, and an expensive one. I'm hearing that mirroring multiple interfaces is too much for a Meraki switch to handle, so I'm not sure of the best way to see the most traffic. I doubt that putting a security appliance on each switch is financially feasible. There must be a way to capture at least a majority of the traffic. We're also looking into taps/aggregators, but I haven't had experience with those personally. In the larger buildings, we might have to just resort to passive taps, but I still need to understand the best way to configure the switches in that case.
Unfortunately the design on the security appliance you are looking at is not suitable for a Meraki MS network for what you want to achieve.
That's disappointing. In that case, if anyone has suggestions for the best way to monitor east-west with Meraki to a security platform, please let me know.
These are not span sessions like you have on catalyst switches but only temporary mirrors.
I'm not even sure if the destination port even replicates the encapsulation or not or if it keeps it untagged or tags it always depending on the source VLAN.
At the moment you can only use netflow data to send to your security collector.
Maybe in the future the MS390 will support encrypted traffic analytics like Catalyst does and that could be a better way to support your case.