Switching Configuration 253Switching ConfigurationThis section provides configuration scenarios for the following features:• "Virtual LANs" on page 25• "IGMP Snooping" on page 30• "IGMP Snooping Querier" on page 32• "Link Aggregation/Port Channels" on page 33• "Port Mirroring" on page 37• "Port Security" on page 37• "Link Layer Discovery Protocol" on page 39• "Denial of Service Attack Protection" on page 41• "DHCP Filtering" on page 43• "Port Aggregator" on page 44Virtual LANsAdding Virtual LAN (VLAN) support to a Layer 2 switch offers some of the benefits of both bridgingand routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast.Like a router, it partitions the network into logical segments, which provides better administration,security and management of multicast traffic.A VLAN is a set of end stations and the switch ports that connect them. You can have many reasonsfor the logical division, for example, department or project membership. The only physicalrequirement is that the end station, and the port to which it is connected, both belong to the sameVLAN.Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in theLayer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLANportion of the tag, in which case the first switch port to receive the packet may either reject it orinsert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, butit can only support one default VLAN ID.Two features let you define packet filters that the switch uses as the matching criteria to determine ifa particular packet belongs to a particular VLAN.• The IP-subnet Based VLAN feature lets you map IP addresses to VLANs by specifying a source IPaddress, network mask, and the desired VLAN ID.