Traffic analysis of clients connected to 3rd party switches
Have a couple of MS120s. These are connected to the HP uplink switches. Those wired devices which are connected to the uplink HPs are visible under the "clients" dashboard in the Meraki switches cloud interface with complete application visibility/traffic pattern and even the usage as well. All those devices appear/show as part of the uplink port and in fact there is no difference in terms of stats when compared to a Meraki directly connected device!
I am quite bemused, especially when I mirror the port which is connected to HP (uplink), I am getting a copy of all packets that are transmitted by those direct clients of HP. As I said earlier, the HP is the gateway.
How's this even possible? Is it some proprietary stuff from Meraki?
That you see the clients connected to the HP switch on the Meraki Dashboard isn’t unexpected. Every client at some point - especially if it’s Windows - will broadcast traffic across the network and so the Meraki switches will ‘see’ it, since the HP switches will forward the broadcast everywhere. As expected these appear on the uplink port just like you describe.
What does surprise me is what you say regarding the visibility of traffic and applications. Under normal circumstances you wouldn’t expect traffic on the HP switch to be forwarded to the Meraki MS unless it was destined for a client there. Unless anyone has a better idea all I can suggest is that for some reason the HP is acting as a hub and just forwarding all the traffic it sees to the Meraki MS. This might be a bug in the HP firmware/code, or a configuration error on the HP, or it might be ‘designed’ behaviour for a trunk (if you’re using a trunk), but whatever it is, it sounds like the HP switch is misbehaving.
Not sure if it's the broadcast traffic, as the real-time "usage" against those clients is incrementing steadily and the HP is indeed not a hub or suspected to be misbehaving here. The scenario is the same with a Netgear switch even.
But yes, the application classification that I see, after monitoring for a while, is mostly port based ICMP, DNS, UDP etc., so it may be broadcast traffic. I'll keep an eye for a day and add more clients to see how it goes.
Depends where you are doing the packet capture. If the packet capture is on the Meraki switch then it should only be the broadcasts or other traffic which is flooded to all ports. If you can run a packet capture on the Client itself you would capture everything, as you would if you could mirror/SPAN the port on the HP switch, and capture traffic on that port.
If you could capture the traffic on the Client directly or HP switch, and compare it to what you are seeing on the Meraki then you should get your answer. As you’ve suggested, it’s likely only broadcasts and other flooded traffic on the MS, not everything.
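The comparison suggested in the last reply can be done by saving each capture as a classic pcap file and counting Ethernet frames by destination type. This is an added example, not part of the original thread; `classify_pcap`, the helper functions and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify_pcap(data):
    """Return (frame counts by destination type, unicast src->dst pair counts)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in "<>":  # pcap files are written in the capturing host's byte order
        if struct.unpack(endian + "I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    kinds, pairs, offset = Counter(), Counter(), 24
    while offset + 16 <= len(data):
        # Per-packet header: ts_sec, ts_frac, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            kinds["truncated"] += 1
        elif frame[:6] == b"\xff" * 6:
            kinds["broadcast"] += 1
        elif frame[0] & 1:  # group bit set in destination MAC: multicast
            kinds["multicast"] += 1
        else:
            kinds["unicast"] += 1
            pairs[(frame[6:12].hex(":"), frame[:6].hex(":"))] += 1
    return kinds, pairs

# Constructed sample data below: helpers that build a tiny pcap in memory.
def eth(dst, src, ethertype):
    return dst + src + struct.pack("!H", ethertype) + bytes(46)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
MDNS = bytes.fromhex("01005e0000fb")
SAMPLE = build_pcap([eth(b"\xff" * 6, A, 0x0806), eth(b"\xff" * 6, B, 0x0806),
                     eth(MDNS, A, 0x0800), eth(B, A, 0x0800)])

if __name__ == "__main__":
    print(classify_pcap(SAMPLE))
```

Run it over the capture taken on the Meraki side and the one taken on the client or the HP mirror port: if the Meraki-side file is almost entirely broadcast and multicast while the client-side file is mostly unicast, the dashboard is only seeing flooded traffic. The unicast pair counts show which source and destination MACs any remaining unicast frames belong to.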