Snort mailing list archives

Snort on span port


From: Ilango S Allikuzhi <IlangoAllikuzhi () dtcc com>
Date: Thu, 5 Aug 2004 11:23:00 -0400

We are deploying SourceFire (snort network sensor) appliances to capture 
traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (Cat OS), 
connected on a trunk. I looked at the data, connecting to the span port of 
each of the switches; these span ports are supposed to be well configured 
by competent engineers and have been in use for a long time for network 
sniffing through the NAI distributed network sniffer. I am connecting the 
snort appliance in parallel with the NAI sniffer using a 100 MB/s hub. I 
see less than 0.2 MB/s traffic on 3 of these switches, while I see over 
2 MB/s sustained traffic when connected to the span port of one of the 
switches. So I decided to connect the IDS to the span port of this switch. 
I initially thought that I would see the same traffic on all 4 switches as 
they are trunked; after this exercise, I realized the entire traffic of 
the VLAN can be sniffed only on one switch's span port. A network 
engineer clarified that ONLY the root bridge on the VLAN would see all 
the traffic, and the root bridge could change after a re-election when the 
current root goes down. 

The question is how do I ensure that I always capture the entire VLAN 
traffic, irrespective of which switch is the "root bridge"? Should I have 
IDS sensors on the span port of all the switches in this kind of scenario? 
Is there any better solution? I keep hearing of the Cisco terminology VACL 
to configure the port on which the IDS sits. Is it better than using a span 
port? I would appreciate it if someone shared their experience dealing with 
this kind of situation.

Thanks,
Ilango 
