This is the setup, I hope anyone interested in reading this can follow:
I have a DMZ switch that holds all the DMZ interfaces for two PIX firewalls (four on each PIX), along with the outside interfaces of those PIX firewalls and the edge router interface. The DMZ switch has an interface in the inside network "switch" VLAN, everything else in this switch is in VLAN1.
There is an inside router that connects to this switch via a GBIC connector. The inside router is a 7206 and its inside interface is connected to the DMZ switch.
There is a core 6509 switch that also connects to the DMZ switch via the other GBIC connector. This is a trunk link up to the DMZ switch, the trunk carries all VLANs.
Each device is in its own VLAN, so the router interface has only the core switch SVI as the only thing in the router VLAN with it.
The router gets to the SVI on the core switch through the DMZ switch.
The core switch is the default gateway for all VLANs.
Number one, it seems to me that this is not a very good setup going through the DMZ switch like this, as a passthrough from the core switch to the router.
I made a change to remove a VLAN from a configured SPAN session that is on the core 6509 switch and it shut down the port from the DMZ switch to the 7206 router, and hosed up the OSPF process in the PIX firewall in the DMZ switch.
The SPAN session is mirroring ALL VLANs to a port for the IDS to monitor. I removed the existing SPAN session, removed one VLAN and reconfigured it back exactly as it was, minus the one VLAN.
I guess my questions are:
Is it dangerous (unstable) to mirror all ports (user traffic, routers, switches) to a single port like this for IDS purposes?
I know it was an STP issue, but I can't really find what exactly happened.
Does it seem to you guys like this needs to be redesigned for a better and safer logical layout?