
Intrusion Detection System on Trunk Port


Hello Experts, 

I don't know if this is the right forum or not; if not, please suggest the right place to ask. Thanks in advance.

I'm facing an issue with the load on our IDS (Intrusion Detection System). Currently, traffic from various sources is being forwarded to a single switch, which then sends it all to the IDS through a SPAN port (think multiple sources to a single destination SPAN). To alleviate this load, someone suggested terminating each traffic source directly on the switch, with each source link connected to a separate interface on the switch, each assigned to a different VLAN (e.g., source link 1 on VLAN 10, source link 2 on VLAN 20, etc.). Instead of using a SPAN port, they proposed configuring the switch's port connected to the IDS as a trunk port, filtering the VLANs to send only specific ones to the IDS.

However, I have concerns about how the IDS will handle this setup. Since the IDS will receive traffic through a trunk port, it will also receive VLAN tagging information. This means each packet received by the IDS will have additional VLAN header bytes that aren't part of the original source traffic. I'm unsure how the IDS will interpret this additional VLAN information and whether it will affect its ability to perform both signature-based and anomaly-based detection effectively. 

Any idea, suggestion or thought?
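As an added illustration of what the IDS would actually receive on that trunk port (this is example code written for this page, not from the original post or any vendor), the following Python parser decodes an Ethernet frame, strips a single IEEE 802.1Q tag when one is present, and shows that the layer-3 payload handed to the detection engines is byte-for-byte the same as on the untagged SPAN feed; the VLAN ID only becomes metadata that maps back to the source link. The sample frame and the VLAN-to-source mapping are constructed for the example, and it assumes single-tagged frames (no QinQ).

```python
import struct

ETHERTYPE_VLAN = 0x8100  # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame, removing one 802.1Q tag if present.

    Returns the MACs, the VLAN ID (None when untagged), the inner EtherType
    and the L3 payload exactly as a VLAN-aware IDS decoder would pass it on
    to signature and anomaly engines.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, priority = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI: 3 bits priority, 1 bit DEI, 12 bits VLAN ID; then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "priority": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the MAC addresses, as a trunk port does on egress."""
    tci = (priority << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def split_by_source(frames: list, vlan_to_source: dict) -> dict:
    """Group decoded payloads by the source link the VLAN ID represents.

    Frames on VLANs not in the mapping (i.e. not allowed on the trunk) are dropped,
    mirroring the 'only specific VLANs to the IDS' filtering in the proposal.
    """
    out = {}
    for frame in frames:
        info = parse_frame(frame)
        source = vlan_to_source.get(info["vlan_id"])
        if source is None:
            continue
        out.setdefault(source, []).append(info["payload"])
    return out


def build_sample_frame() -> bytes:
    """Constructed untagged IPv4 frame used as sample input (not a real capture)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    # Minimal 20-byte IPv4 header with 4 bytes of dummy payload (checksum left at 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + b"\x00" * 4


if __name__ == "__main__":
    untagged = build_sample_frame()
    tagged = tag_frame(untagged, 10)
    print("SPAN feed :", parse_frame(untagged))
    print("Trunk feed:", parse_frame(tagged))
    print(split_by_source([tagged, tag_frame(untagged, 20), tag_frame(untagged, 30)],
                          {10: "source link 1", 20: "source link 2"}))
```

The 4 extra bytes the post worries about sit between the source MAC and the EtherType, so a decoder that does not understand 0x8100 would misread the EtherType and fail to find the IP header; a decoder that does understand it recovers the identical payload and gains the VLAN ID as a per-source label, which is the check worth running against the specific IDS before committing to the trunk design.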

