If someone plugs in a router with a spoofed MAC of an allowed device for that port, you'd never know.
Most routers support MAC spoofing in order to forward the MAC of your main PC to the cable / DSL modem. Many ISPs will block a new MAC for a period of time or until you call up and tell them. If you require authentication on a wired port, they could set that up as well.
The only way to prevent a MITM attack is to physically secure the network wiring or centrally manage per-device encryption keys/certificates. And I know you're not doing that. And if you want to claim that you are, I also know you're not doing it for your printers and other devices.
For wireless, if someone plugs in a wireless router you might be able to detect it if you have antennas in range, but you can't stop it.
The air marshal shit Meraki does is completely illegal. You can't jam wifi, which is all Meraki does for "containment". They even fucking admit that it's illegal to use it in their documentation.
From https://meraki.cisco.com/lib/p... , page 8:
As containment renders any standard 802.11 network completely ineffective, containment measures should be taken in your airspace. Extreme caution should be taken to ensure that containment is not being performed on a legitimate network nearby, and action should only be taken as a last resort. Unauthorized containment is prosecutable by law (subject to the FCC’s Communications Act of 1934, Section 333, ‘Willful or Malicious Interference’).
Beyond the legality, it doesn't even work in a manner that could be called secure. It creates bubbles of noise where NO wifi works (hello DoS). It becomes a loudness war and the rogue AP will always have a bubble of effective range where it will win out. If you have two Meraki networks near each other, they often get into wars, shutting each other down where their edges meet.
VLANs have nothing to do with wireless security. Segregating your networks with a VLAN is pointless - all the devices that are wireless APs also include routing functions. Use them. VLANs are meant for logically extending a network that is physically separate, not for logically separating a network that is physically connected.
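The passive side of the rogue-AP discussion above (detect if you have antennas in range, without containment) can be done with nothing more than a scan from a Linux box with a wireless card. The script below is an added example and is not the commenter's code or anything Meraki ships: it parses `iw dev wlan0 scan` style output and flags two things, an unmanaged BSSID broadcasting your own SSID (an evil twin) and a strong unknown AP that is probably inside your walls. The managed-BSSID inventory, the corporate SSID list, the -65 dBm "on premises" threshold and the scan text are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical inventory of the APs you own: BSSID -> the SSID it may broadcast.
# In practice export this from your controller; these values are made up.
MANAGED_BSSIDS = {
    "00:11:22:33:44:55": "CorpNet",
    "00:11:22:33:44:66": "CorpNet",
}
CORP_SSIDS = {"CorpNet"}
# Assumption: anything heard above this level is transmitting from inside the building.
RSSI_INSIDE_DBM = -65.0


@dataclass
class Bss:
    bssid: str
    ssid: str
    freq: int
    signal: float


def parse_iw_scan(text):
    """Parse the 'BSS xx:xx:..(on wlan0)' blocks printed by `iw dev <if> scan`."""
    bsses = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = Bss(m.group(1), "", 0, 0.0)
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("freq: "):
            cur.freq = int(s[len("freq: "):])
        elif s.startswith("signal: "):
            cur.signal = float(s.split()[1])  # "signal: -42.00 dBm"
        elif s.startswith("SSID: "):
            cur.ssid = s[len("SSID: "):]
    return bsses


def classify(bsses):
    """Return (bssid, reason) for every BSS that deserves a look."""
    findings = []
    for b in bsses:
        if b.bssid in MANAGED_BSSIDS:
            if b.ssid != MANAGED_BSSIDS[b.bssid]:
                findings.append((b.bssid, "managed AP broadcasting unexpected SSID %r" % b.ssid))
            continue
        if b.ssid in CORP_SSIDS:
            findings.append((b.bssid, "evil twin: unmanaged BSSID broadcasting corporate SSID %r" % b.ssid))
        elif b.signal >= RSSI_INSIDE_DBM:
            findings.append((b.bssid, "strong unknown AP (%.0f dBm), likely on premises" % b.signal))
    return findings


# Constructed sample in the shape of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0) -- associated
\tfreq: 2437
\tsignal: -40.00 dBm
\tSSID: CorpNet
BSS a4:2b:8c:11:22:33(on wlan0)
\tfreq: 2437
\tsignal: -55.00 dBm
\tSSID: CorpNet
BSS 9c:c9:eb:aa:bb:cc(on wlan0)
\tfreq: 5180
\tsignal: -50.00 dBm
\tSSID: TP-LINK_1234
BSS 70:4f:57:dd:ee:ff(on wlan0)
\tfreq: 2462
\tsignal: -81.00 dBm
\tSSID: Neighbor-Guest
"""


def scan_findings():
    return classify(parse_iw_scan(SAMPLE_SCAN))


if __name__ == "__main__":
    for bssid, reason in scan_findings():
        print(bssid, reason)
```

Two caveats worth keeping in mind. This only tells you something is in the air; it does not tell you whether that box is also plugged into your switch, and it does nothing to stop it, which is exactly the commenter's point. And a rogue that clones one of your managed BSSIDs will pass the inventory check; catching that needs per-AP fingerprinting (channel, capabilities, beacon timing) rather than a BSSID list.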