2018-02-15 10:38 AM
We've changed from Cisco switches to Meraki switches on our network.
With the Cisco Catalyst switches, for gathering info for our decoder/concentrators, we were using the "monitor" commands to see all VLAN traffic on our network. This was set up on a pair of 6506e switches running in VSS mode.
A network connection on each 6506e was set to monitor all the VLAN traffic and those two interfaces fed the data to our Decoder/Concentrator Hybrid.
Meraki switches do not have this feature but do support the mirror command for mirroring a port or set of ports.
So, when we changed to Meraki, we used a pair of MS425 switches to replace our core 6506e's. Unfortunately, this mirror command only works as one instance on one of the two MS425's in the stack.
For those unfamiliar with Meraki stacking, it's not like the true stacking technology of Cisco Catalyst switches. Cisco Catalyst switches' stack ports basically create a backbone to the stacking environment that handles all network traffic in the stack. The Meraki stacking is actually a special pair of 40Gig switched ports that allow you to stack 2 or more Meraki switches together in a daisy chain. Issue with this is, if you have traffic flowing in one switch that does not need to leave that switch, you'll never see it on the stacked interfaces.
So, if the switch that does not have the monitor port has traffic that flows across some of its ports, the switch with the monitor port will never see that traffic and thus NetWitness HW won't see it.
Simple fix would be to do a monitored port on the second switch, however you can't do more than one mirrored interface per switch/switch stack.
So, how have others that have gone the Meraki switching route handled grabbing all network traffic in their environment?
FWIW: I have put in a feature request to Meraki to add something like the monitor commands of the Catalyst switches. No word back yet if they will ever implement this.