I'd go with zENGER's model which does not call for traffic to flow through anything other than your core infrastructure and does not involve routing or bridging of any kind on the snort box. Why? Because the first time something goes wrong with your snort box and it impacts operations, your credibility with management will be shot and your chances of adding additional security devices to the network will go up in smoke. The second reason is that you will take a chance that the snort box may get pummeled with traffic and produce unexpected results. MANY people throw a machine on the wire and watch it work under normal conditions but have no clue how it will react when put under the load of a real attack. I've seen very baaaaadddd things happen to many a poor soul when making this mistake. The other thing that can happen is packet loss during a security event (or just a sustained spike in traffic). This means your results may be incomplete, etc. The spanning (cisco)/management port method is the best way to implement IDS such as snort or any other sniffing technology. Also be sure to stress test your IDS. Depending upon how you configure it, the horsepower needed will vary greatly. Of course this is my opinion and experience.
--TH13
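The SPAN (mirror port) setup the post recommends, as an added example that is not part of the original post: a Cisco Catalyst IOS session that copies the uplink's traffic to the port where the Snort sensor sits. Interface names and session number are assumptions; the sensor port is left with no ingress, so the sensor can only listen and cannot route, bridge, or inject anything back into the network.

```cisco
! Assumed layout: Gi0/1 is the uplink carrying the traffic to be inspected,
! Gi0/24 is the port the Snort box is plugged into (both names are examples).
configure terminal
 ! Mirror both directions of the uplink into SPAN session 1
 monitor session 1 source interface GigabitEthernet0/1 both
 ! Send the copies to the sensor port. No "ingress" keyword is given, so the
 ! switch drops anything the sensor transmits: a one-way tap, not a path
 ! through the sensor, and no routing or bridging on the Snort box.
 monitor session 1 destination interface GigabitEthernet0/24
end
! Verify that the session exists and lists the expected source/destination.
show monitor session 1
```

Because a SPAN destination receives both directions of a full-duplex link on one port, it can be oversubscribed during a traffic spike; watching the destination port's output drops (`show interfaces GigabitEthernet0/24`) is the simplest way to see the packet loss the post warns about.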