I admit to being a little confused about which interfaces to place intrusion detection on.
Here is my network topology
6 Port Protectli box
- 2 Empty ports (LAN and OPT1) -
- Lagg0 (named TRUNK) - 3 ports in LACP LAGG going to Cisco managed port in trunk mode-> 10.0.10.1/24
- VLAN10 - HOME - 10.0.0.1/24
- VLAN20 - GUEST - 10.0.20.1/24
- VLAN30 - SERVERS - 10.0.30.1/24
All traffic is tagged in the switch and passed through the LAGG.
I believe I don't need intrusion detection on the WAN since it's completely locked down using firewall rules. I do want it on my internal network to ensure that nothing is compromised.
In the Intrusion Detection admin page in the interfaces dropdown I see the all the interfaces linked above AND I see em3, em4, em5 which are the physical ports that I have set in the LAGG.
Should I be setting intrusion detection on the single interface named TRUNK and assume it can see all the traffic from the VLANS? Should it be set to the physical interfaces which comprise the LAGG? or to the VLANS themselves?