3 Switching Configuration
This section provides configuration scenarios for the following features:
• Virtual LANs
• Voice VLAN
• IGMP Snooping
• IGMP Snooping Querier
• Link Aggregation/Port Channels
• Port Mirroring
• Port Security
• Link Layer Discovery Protocol
• Denial of Service Attack Protection
• DHCP Snooping
• sFlow
Virtual LANs
Adding Virtual LAN (VLAN) support to a Layer 2 switch offers some of the benefits of both bridging
and routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast.
Like a router, it partitions the network into logical segments, which provides better administration,
security and management of multicast traffic.
A VLAN is a set of end stations and the switch ports that connect them. The logical division can be
made for many reasons, for example, department or project membership. The only physical
requirement is that the end station, and the port to which it is connected, both belong to the same
VLAN.
Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in the
Layer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLAN
portion of the tag, in which case the first switch port to receive the packet may either reject it or
insert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, but
it can only support one default VLAN ID.
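
The ingress decision described above, as an added Python example that is not taken from this guide or from the switch software: it parses the IEEE 802.1Q tag of a received frame and either keeps the tag, inserts one carrying the port's default VLAN ID, or rejects the frame. The names `pvid` and `admit_untagged` are assumptions standing in for the port's default VLAN ID and its reject-or-tag choice, and the sample frames are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag


def classify_ingress(frame: bytes, pvid: int, admit_untagged: bool = True):
    """Return (vlan_id, priority, tagged_frame), or None if the port rejects it.

    pvid and admit_untagged are hypothetical per-port settings (assumptions).
    """
    if not 1 <= pvid <= 4094:
        raise ValueError("default VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    macs = frame[:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        if vid == 0x0FFF:
            return None  # VID 4095 is reserved and never valid on the wire
        if vid != 0:
            return vid, tci >> 13, frame  # the tag already names the VLAN
        # Priority-tagged frame: the VLAN portion of the tag was omitted.
        prio_bits, rest = tci & 0xF000, frame[16:]
    else:
        prio_bits, rest = 0, frame[12:]  # no tag at all
    if not admit_untagged:
        return None  # port is set to reject frames that carry no VLAN ID
    new_tag = struct.pack("!HH", TPID_8021Q, prio_bits | pvid)
    return pvid, prio_bits >> 13, macs + new_tag + rest


# Constructed frames: dst MAC, src MAC, optional tag, EtherType 0x0800, payload
MACS = bytes.fromhex("ffffffffffff020000000001")
UNTAGGED = MACS + bytes.fromhex("0800") + b"payload"
TAGGED_20 = MACS + bytes.fromhex("810000140800") + b"payload"
PRIO_ONLY = MACS + bytes.fromhex("8100a0000800") + b"payload"

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan 20", TAGGED_20),
                    ("priority-only", PRIO_ONLY)):
        print(name, classify_ingress(f, pvid=10))
```
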
Two features let you define packet filters that the switch uses as the matching criteria to determine if
a particular packet belongs to a particular VLAN.