Switching Configuration 293Switching ConfigurationThis section provides configuration scenarios for the following features:• "Virtual LANs" on page 29• "Voice VLAN" on page 37• "IGMP Snooping" on page 40• "IGMP Snooping Querier" on page 43• "Link Aggregation/Port Channels" on page 45• "Port Mirroring" on page 49• "Port Security" on page 50• "Link Layer Discovery Protocol" on page 52• "Denial of Service Attack Protection" on page 54• "DHCP Snooping" on page 56• "sFlow" on page 67Virtual LANsAdding Virtual LAN (VLAN) support to a Layer 2 switch offers some of the benefits of both bridgingand routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast.Like a router, it partitions the network into logical segments, which provides better administration,security and management of multicast traffic.A VLAN is a set of end stations and the switch ports that connect them. You can have many reasonsfor the logical division, for example, department or project membership. The only physicalrequirement is that the end station, and the port to which it is connected, both belong to the sameVLAN.Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in theLayer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLANportion of the tag, in which case the first switch port to receive the packet may either reject it orinsert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, butit can only support one default VLAN ID.Two features let you define packet filters that the switch uses as the matching criteria to determine ifa particular packet belongs to a particular VLAN.