Port mirror with complex filter
07-25-2018 10:29 PM
Have a common SMB deployment (300 users) where the firewall is at the "core" of the network, meaning that's the DFGW for LAN users, not a layer 3 VIP on the switched core. I need to mirror North/South traffic (LAN to INTERNET and vice versa) so I don't really want to mirror ALL traffic to the firewall interface (which could be destined for another LAN subnet, subinterface, etc.). I was thinking that it would be cool if I could combine some criteria like the destination MAC of the firewall and an IP not known to be local and build a mirror of just that traffic. Anyone run up against something like this? The firewall can mirror an interface but the whole interface (sub-interfaces too). I could move the gateway to a VIP and drop another subnet in front of the firewall but this environment is very sensitive to downtime and it'd be like pulling teeth. Any suggestions/ideas? Thanks in advance!
