I have a question regarding SPAN. My main focus is to detect spams and viruses on the Employee VLAN.(We have server,student,guest and print VLANs too) using an IDS.
Would that traffic be detectable with my SPAN config which mirrors out/in traffic from Interface connected to ISP or should I use only the Employee VLAN int. as the source of the SPAN ?
Lets put it this way, Im confused about the basic concept of how the traffic looks like when it leaves a vlan and routed out to the internet .