Looking for best practice/advice for running an IDS from a VMWare host using multiple nics

So long story short, I've got a spare server with ESXi 6.7 and I want to throw a Linux distro running Snort onto the machine. The host has 4 network cards and 3 of them will be on a dedicated "monitoring" vswitch with promiscuous mode enabled.

My network is three "distribution" switches (users); they all have trunked uplinks to my core switch-stack. Also plugged into the core are the servers and firewall. I'm mostly interested in what the users are doing - I've got plenty of server monitoring in place already.

My plan was:

1) create a port-mirroring "monitor" (target) port on each of the three distribution switches

2) turn on port-mirroring on the distribution switches for all ports EXCEPT the monitoring port AND the trunk uplink ports

3) connect the three switches' monitoring ports to three of the NICs on my server

I was hoping that this would allow me to monitor all of the user traffic without generating any additional traffic between switches or on the core. Will this work? Or would I be better off monitoring at the core switch instead?
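A check for step 3 of the plan above, added here and not from the original post: run on the Snort VM, it samples /proc/net/dev twice and reports whether each SPAN-fed NIC is actually receiving mirrored frames, dropping them, or transmitting (which a sniff-only interface should never do). The interface names ens34 to ens36 and the two /proc/net/dev snapshots are assumed and constructed, respectively.

```python
"""Verify that each port-mirror feed reaches its monitor NIC on the Snort VM."""
import time

MONITOR_IFACES = ["ens34", "ens35", "ens36"]   # hypothetical names of the 3 SPAN-fed NICs

# Constructed /proc/net/dev snapshots so the script runs offline; on a real host
# read_counters() replaces them. Columns: rx bytes/packets/errs/drop..., tx bytes/packets...
SAMPLE_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
 ens33: 1000 10 0 0 0 0 0 0 2000 20 0 0 0 0 0 0
 ens34: 5000 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 ens35: 7000 70 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 ens36: 9000 90 0 3 0 0 0 0 0 0 0 0 0 0 0 0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(" ens34: 5000 50 0 0", " ens34: 9000 90 0 0") \
    .replace(" ens36: 9000 90 0 3 0 0 0 0 0 0", " ens36: 19000 190 0 40 0 0 0 0 300 4")


def parse_proc_net_dev(text):
    """Return {iface: (rx_packets, rx_drop, tx_packets)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:          # first two lines are headers
        name, _, fields = line.partition(":")
        nums = fields.split()
        if len(nums) < 16:                       # 8 rx + 8 tx columns expected
            continue
        counters[name.strip()] = (int(nums[1]), int(nums[3]), int(nums[9]))
    return counters


def read_counters():
    with open("/proc/net/dev") as f:
        return parse_proc_net_dev(f.read())


def check_monitor_ifaces(before, after, ifaces):
    """Flag SPAN feeds that are silent, dropping frames, or transmitting."""
    findings = {}
    for iface in ifaces:
        if iface not in after:
            findings[iface] = "missing"
            continue
        rx0, drop0, tx0 = before.get(iface, (0, 0, 0))
        rx1, drop1, tx1 = after[iface]
        problems = []
        if rx1 - rx0 == 0:
            problems.append("no mirrored traffic received")
        if drop1 - drop0 > 0:
            problems.append("rx drops (check vSwitch/NIC capacity)")
        if tx1 - tx0 > 0:
            problems.append("transmitting on a sniff-only port")
        findings[iface] = "ok" if not problems else "; ".join(problems)
    return findings


if __name__ == "__main__":
    first = read_counters()
    time.sleep(10)
    for iface, verdict in check_monitor_ifaces(first, read_counters(), MONITOR_IFACES).items():
        print(f"{iface}: {verdict}")
```

A feed that shows "transmitting" usually means the NIC still has an IP stack bound to it; a feed with rx drops while user traffic is light points at the mirror session oversubscribing the monitor port.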

Posted 4 years ago