04-19-2017 01:59 AM - edited 03-08-2019 10:14 AM
SPAN from 10G WAN link with little traffic to 1G interface. Will it work ?
04-19-2017 02:23 AM
Hi
what platform/model is this on ?
If it's NX-OS you can rate-limit your SPAN; either way, once your traffic is under a gig you should be fine. You don't want to overload the interface.
By configuring a rate limit for SPAN traffic to 1Gbps across the entire monitor session, you can avoid impacting the monitored production traffic.
1. switch# configure terminal
2. switch(config)# interface ethernet slot/port
3. switch(config-if)# switchport monitor rate-limit 1G
4. switch(config-if)# exit
04-19-2017 02:25 AM
Hi,
It's a Cisco 6509-E. I want to install an IDS server and mirror the in/out traffic to it. Since the traffic does not exceed 200-300MBs, I do not want to use the last 10G interface as the destination of the SPAN.
04-19-2017 02:27 AM
Hi that's fine with that kind of volume of span to a GB port you shouldn't face any issues
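The "will it fit" question above comes down to arithmetic that is easy to get wrong: a source monitored in both directions mirrors ingress plus egress, so a 10G link carrying 300 Mb/s each way sends 600 Mb/s toward the 1G destination, and averages understate peaks. The following is an added example written for this thread (not code from the original posts or from Cisco) that sums the mirrored rate of each source, scales it by an assumed burst factor, and compares it with the destination's line rate. Interface names (Te1/1, Gi2/1), the 300 Mb/s per-direction figures and the burst factor are constructed assumptions; the `monitor session` lines use the classic Catalyst IOS local-SPAN syntax.

```python
"""SPAN destination bandwidth budget.

Added example for this thread (not from the original posts, not Cisco code).
Models how much traffic a SPAN session pushes toward its destination port and
whether that port's line rate can carry it. Assumptions: rates are averages in
Mb/s, a source may be monitored rx, tx or both, and 'both' contributes ingress
plus egress (a link carrying 300 Mb/s each way mirrors 600 Mb/s, not 300).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str                 # interface name as written in the config, e.g. "Te1/1"
    rx_mbps: float            # average traffic received on the interface
    tx_mbps: float            # average traffic transmitted by the interface
    direction: str = "both"   # rx | tx | both

    def mirrored_mbps(self) -> float:
        """Rate this source adds to the SPAN destination."""
        if self.direction == "rx":
            return self.rx_mbps
        if self.direction == "tx":
            return self.tx_mbps
        if self.direction == "both":
            return self.rx_mbps + self.tx_mbps
        raise ValueError(f"unknown SPAN direction {self.direction!r}")


@dataclass(frozen=True)
class Verdict:
    mirrored_mbps: float      # sum of all sources at average rate
    peak_mbps: float          # mirrored_mbps scaled by the burst factor
    destination_mbps: float   # line rate of the SPAN destination port
    fits: bool                # peak_mbps <= destination_mbps


def span_budget(sources, destination_mbps: float, burst_factor: float = 1.5) -> Verdict:
    """Sum what every source mirrors and compare against the destination.

    burst_factor scales averages up to an assumed peak. A destination sized
    only for the average drops mirrored frames during bursts, which shows up
    as silent gaps in what the IDS sees rather than as an alert.
    """
    mirrored = sum(s.mirrored_mbps() for s in sources)
    peak = mirrored * burst_factor
    return Verdict(mirrored, peak, destination_mbps, peak <= destination_mbps)


def ios_monitor_session(session_id: int, sources, destination: str) -> list:
    """Render Catalyst IOS local-SPAN 'monitor session' lines for the plan.

    Interface names are whatever the caller passes (hypothetical here).
    """
    lines = [
        f"monitor session {session_id} source interface {s.name} {s.direction}"
        for s in sources
    ]
    lines.append(f"monitor session {session_id} destination interface {destination}")
    return lines


if __name__ == "__main__":
    # The thread's case taken conservatively: 300 Mb/s in each direction on the
    # 10G WAN link, mirrored both ways into a 1G port (constructed numbers).
    wan = Source("Te1/1", rx_mbps=300, tx_mbps=300, direction="both")
    v = span_budget([wan], destination_mbps=1000)
    print(f"mirrored {v.mirrored_mbps:.0f} Mb/s, peak {v.peak_mbps:.0f} Mb/s "
          f"into {v.destination_mbps:.0f} Mb/s -> "
          f"{'fits' if v.fits else 'OVERSUBSCRIBED'}")
    for line in ios_monitor_session(1, [wan], "Gi2/1"):
        print(line)
```

With 300 Mb/s per direction the session mirrors 600 Mb/s, 900 Mb/s at a 1.5x burst assumption, which fits a 1G destination; at a 2x burst assumption it no longer does, which is the point of checking peak rather than average before committing a 1G port.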
04-19-2017 02:48 AM
Thanks for the reply.
I have one more question regarding SPAN. My main focus is to detect spam and viruses on the Employee VLAN. (We have server, student, guest and print VLANs too.)
Would that traffic be detectable with my SPAN config stated above, or should I use only the Employee VLAN int. as the source of the SPAN?
Let's put it this way: I'm confused about the basic concept of what the traffic looks like when it leaves a VLAN and is routed out to the internet.
04-19-2017 03:55 AM
That depends on your IDS system; it should see something.
So we SPAN everything for security reasons, but we use certain devices/hardware and software for different tasks.
We use a Bluecoat to detect any issues going outbound to the web for protection.
We use DLPs to review SPAN traffic and other software that can inspect individual SPAN packets. The thing with security is that there is no one fix-all product; you need to use layers of devices that specialise in certain functions, especially when trying to track viruses, but an IDS is a very good start.
Snort is an open source tool which is very good at tracking viruses too.
Having host-level scanners built into your machines will also help, especially when capturing that data.
If the IDS can take it, I would collect as much traffic as possible from each VLAN. I don't think the printer VLAN would be required really, but I would capture student and guest too.
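The question of whether to SPAN the WAN uplink or the Employee VLAN, and the advice to collect from each VLAN, both come down to which path a packet takes through the switch. The following added example (written for this thread, not code from the posts or from Cisco) models the local-SPAN semantics as they are generally understood on Catalyst switches, assumed here rather than taken from the thread: an interface source mirrors frames received on or transmitted by that port; a VLAN source in rx mirrors frames received on any port in the VLAN, and in tx frames transmitted on any port in it. Routed traffic enters on one VLAN and leaves on another or on the routed uplink. Counting copies per packet shows why an uplink-only SPAN never sees traffic that stays inside the site, why an rx-only VLAN source misses the inbound half of internet flows, and why a VLAN source in both directions hands the IDS two copies of every intra-VLAN packet. The topology (VLAN 10 employees, VLAN 20 servers, uplink Te1/1, access ports Gi3/x and Gi4/1) is constructed.

```python
"""Which flows reach the IDS for a given set of SPAN sources.

Added example for this thread, not from the original posts and not Cisco code.
Hypothetical model of Catalyst-style local SPAN: an interface source in rx/tx
mirrors frames received on / transmitted by that port; a VLAN source in rx
mirrors frames received on any port in the VLAN, in tx frames transmitted on
any port in the VLAN. 'both' is rx plus tx.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One packet's path through the switch (constructed, assumed topology)."""
    in_vlan: Optional[int]    # VLAN of the ingress port, None for the routed uplink
    in_port: str
    out_vlan: Optional[int]   # VLAN of the egress port, None for the routed uplink
    out_port: str


@dataclass(frozen=True)
class SpanSource:
    kind: str        # "interface" or "vlan"
    ident: str       # port name, or VLAN number as a string
    direction: str   # rx | tx | both


def copies_to_ids(flow: Flow, sources) -> int:
    """Number of mirrored copies the SPAN destination receives for this packet.

    0 means the IDS never sees it; 2 or more means duplicates that inflate
    the IDS's load and can double-count alerts.
    """
    copies = 0
    for s in sources:
        want_rx = s.direction in ("rx", "both")
        want_tx = s.direction in ("tx", "both")
        if s.kind == "interface":
            if want_rx and flow.in_port == s.ident:
                copies += 1
            if want_tx and flow.out_port == s.ident:
                copies += 1
        elif s.kind == "vlan":
            vlan = int(s.ident)
            if want_rx and flow.in_vlan == vlan:
                copies += 1
            if want_tx and flow.out_vlan == vlan:
                copies += 1
        else:
            raise ValueError(f"unknown source kind {s.kind!r}")
    return copies


def coverage_report(flows, sources) -> dict:
    """Map each named flow to the number of copies the IDS would receive."""
    return {name: copies_to_ids(flow, sources) for name, flow in flows.items()}


# Constructed sample topology: employee VLAN 10 on Gi3/x, server VLAN 20 on
# Gi4/1, WAN uplink Te1/1 (routed port). Internet flows are routed by the MSFC.
SAMPLE_FLOWS = {
    "employee->internet": Flow(10, "Gi3/1", None, "Te1/1"),
    "internet->employee": Flow(None, "Te1/1", 10, "Gi3/1"),
    "employee->employee": Flow(10, "Gi3/1", 10, "Gi3/2"),
    "employee->server":   Flow(10, "Gi3/1", 20, "Gi4/1"),
}

WAN_ONLY = [SpanSource("interface", "Te1/1", "both")]       # the thread's plan
EMPLOYEE_VLAN_BOTH = [SpanSource("vlan", "10", "both")]
EMPLOYEE_VLAN_RX = [SpanSource("vlan", "10", "rx")]

if __name__ == "__main__":
    for label, srcs in (("WAN uplink both", WAN_ONLY),
                        ("VLAN 10 both", EMPLOYEE_VLAN_BOTH),
                        ("VLAN 10 rx", EMPLOYEE_VLAN_RX)):
        print(label, coverage_report(SAMPLE_FLOWS, srcs))
```

Mirroring only the WAN link catches everything that leaves for the internet but nothing that moves laterally between employees or into the server VLAN, which is where a worm spreads; SPANning VLAN 10 in both directions sees all of it but duplicates intra-VLAN packets, so a VLAN source is usually monitored rx-only, with the inbound internet half covered by the uplink or a second VLAN. Whatever the choice, the extra sources feed back into the bandwidth budget for the 1G destination.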