Let's explore the features of Zyxel XMG1930-30HP, a switch with 2.5G/10G PoE ports and licensed L3 functions

The XMG1930 series of switches appeared due to the widespread introduction of Wi-Fi 6/6E and the transition to multi-gigabit wired interfaces already at the access level. And if 2-3 years ago 2.5GBase-T ports were found mainly in inexpensive NAS and middle-class access points, today this speed is already mainstream, and businesses need switches that support it on all access ports, plus additional 10-gigabit ports for uplinks or server connections.

Just Zyxel XMG1930-30HP is such a switch that has 24 ports of the 2.5GBase-T standard, of which 20 support PoE+ (802.3at), and 4 - PoE++ (802.3bt), 4 more copper ports with support for intermediate speeds up to 10 Gbit/s and PoE++ can be used for Hi-End access points or converged networks, and 2 SFP+ 1/10G slots for uplinks. In total, there are 30 ports, of which 28 are PoE, and the total power budget of network devices is an impressive 700 watts.

L3 Access license

From a technical point of view, it should be understood that processors in modern multi-gigabit switches are much more powerful than in the 1-gigabit generation, and practically the implementation of some L3/L4 level functions already rests not so much on the capabilities of hardware as on the costs of implementation and marketing. No one will answer unequivocally the question whether it is necessary at the access level to have dynamic routing based on IP addresses, Q-in-Q tunneling and some network protection capabilities from spoofing: some clients need it, others do not, and keep the nomenclature of L3 and L2 switches with the same port configuration for the manufacturer is already unprofitable - too expensive multi-gigabit models.

L3 features available without a license

ARP Learning and Static ARP

DHCP Relay with Option82 support

Static Routing IPv4 / IPv6

Therefore, Zyxel reasoned this way: if the L3 functionality is already determined only by the firmware, 99% choose an access switch for the sake of port density, PoE, VLAN, Multicast, and less often for static routing, then here is the base model XMG1930, which is generally L2, but slightly L3. And if your network requires advanced L3 functions, then all this is also there, just blocked programmatically: buy the appropriate license, and get L3 core-level functionality. You can do this at any time, even when buying a device, even after a year, if necessary. And although the IT community for the most part does not like when there is something in the device, but it is blocked programmatically, you must agree - having the same nomenclature for access and core is very convenient, given that the distribution level has outlived itself today: its functions have been smeared up and down the topology, and all thanks to these switches, which "know how to do a little more."

What exactly are the functions in question? First of all, about vertical scaling: in terms of the volume of tables and records, the limits of the configuration are expanded in order to be used in large enterprise networks.

Extension of existing limits using the L3 Access license

Base value

Extended value

Number of entries in L3 table






Static VLANs



Static routes IPv4



Static routes IPv6



Classifiers ACL



ACL policies



But as for the new features, not everything is so rosy: Zyxel has recorded such a useful thing as Network AV Mode in the web interface in the category of licensed ones (you can see how it looks in our GS2220-30HP review), without which it is impossible to imagine a modern PoE switch, as well as an automatic reboot by PoE frozen devices, which for a PoE model is just a must-have! The VLAN function based on IP subnets also does not look like something from the Hi-End world and, along with the MAC-based VLAN, is used in medium-sized projects. Or MVR is even available in cheap L3 switches, and then they took it and decided that this is a licensed function. But, however, these are all rather exceptions, because the bulk of L3 Access features are intended for large multi-tenant networks (providers, business centers), and usually not everyone needs a project.

Additional features added by the L3 Access license:

  • Multilevel CLI
  • CLI (Cisco-like)
  • Networked AV Mode
  • Protocol-Based VLAN
  • IP subnet-based VLAN
  • MAC-based VLAN
  • VLAN isolation
  • IEEE 802.1AD VLAN stacking (QinQ)
  • VLAN mapping
  • MRSTP (Zyxel Proprietary)
  • BPDU transparency
  • Flex link
  • IEEE 802.3ah OAM (Link Discovery, Loopback)
  • BPDU Guard
  • Root Guard
  • IP source guard (IPv4/IPv6)
  • DHCPv6 Snooping
  • IPv6 DHCP trust
  • ARP Inspection
  • ARP Freeze
  • Anti-ARP Scan
  • MAC Freeze
  • DHCP Server Guard
  • MVR support
  • IGMP Snooping Immediate Leave
  • MLD Snooping (MLD v1)
  • sFlow
  • IEEE 802.3x Flow Control
  • Diffserv (DSCP)
  • Auto PD recovery
  • ZUID
  • MAC-based authentication per VLAN
  • Compound Authentication
  • DHCP Client Option60
  • Multiple TACACs+ server
  • Login authentication by TACACS+
  • TACACS+ Accounting
  • Authorization on TACACS+

We have already talked about some of the above functions in our other reviews of Zyxel switches (see our reviews of network equipment), and I recommend starting with a fresh XGS2220-30HP test, because the software base there is most likely the same.

I want to note that L3 Access licensing is not a "subscription model" when you need to renew something every year. The license is applied on a one-time basis to the device and works on it for the entire life of the switch. It is also not transferred between different switches, except in cases of return under warranty. By the way, our Zyxel XS1930-12HP, (see our review), which we have been using for testing network devices since 2021, also did not have any extended L3 functions two years ago, except for static routing, but with the release of firmware version 4.80, I had the opportunity to buy a license for it and get some new chips in addition to the old ones. Agree, for a device with a lifetime warranty, which in 2 years has not become morally obsolete, but on the contrary has acquired a new Web interface and moved to a higher level of classification - this is very unusual and damn nice.

Zyxel XMG1930 design features

Structurally, the XMG1930 is very similar to our recently reviewed older brother XGS2220-30HP, the same layout with two boards and a case-free power supply is used here. An over-voltage protection and an RF interference filter are installed at the power supply input. There are no electrolytic capacitors on the board, which is an undoubted plus for me, and several cans are solid-state, apparently manufactured by Sanyo. The claimed time to failure is 537 thousand hours or 61.3 years, which is 2 times more than the XGS2220-30HP, but still less than the models of 2021, where there were record 100 years!

For cooling, three fans with a diameter of 40 mm with automatic adjustment are used, the minimum speed of which is approximately 3700 RPM. The operating range of air temperature is extended: from -20 to +50 degrees Celsius, that is, the switch can be installed in unheated and non-conditioned rooms. Typical temperatures of components in idle mode at 25 degrees Celsius, as well as their maximum permissible values are listed below:


Idle temperature

Max. temperature










Multi-gigabit switches consume more power than 1-gigabit switches, and the XMG1930-30HP is no exception: in idle mode without connected cables, it takes an average of 51 watts from the outlet. The maximum power consumption, taking into account the PoE load, can be 864 watts, of which 164 watts will go into the switch itself, and for this reason, given that its maximum noise level can reach 52 dBA (the option without PoE is slightly quieter - up to 47 dBA), it should not be installed in a common room with people, and forced ventilation should be provided in the telecommunication cabinet.

Interestingly, the protection of ports from a surge of voltage in the 30HP model is higher than that of a similar one without PoE - 2 KV versus 1 KV, but the lightning protection of copper ports is the same - 8/4 KV (air / contact). And again, since the PoE model has a more powerful power supply, then its lightning protection is better - up to 6 KV.

The port operation indication is displayed on the left side of the front panel in the form of multi-colored LEDs in four rows: the upper two rows show the PoE power mode, the lower ones show the connection speed and port operation mode. Additional indicators signal that the switch is connected to the Nebula Control Center cloud service and the PoE power is exceeded.

2.5-gigabit ports are arranged in 2 rows, in pads of 12 pieces, to the right of them is one 4-port pad of 10-gigabit RJ45 ports, and even to the right are two SFP+ slots. A yellow-orange stripe runs below the ports, the ports above the yellow part of it support PoE+ (up to 26 watts), and those above the orange one support PoE++ (up to 60 watts). It is easy to calculate that the total power of the PoE load can be 1000 watts at an acceptable 700 watts, and in order to avoid overload (this is unlikely, but still) in the switch settings, you can set the power priority, which ports to turn off in case of overload, and which to limit the current permanently. All in order to ensure the operation of the wireless infrastructure: the client may not notice the loss of 1-2 access points.

Software features

Interestingly, there are not many settings in XMG1930-30HP, but they are placed in such a way that it seems as if there are more of them than there really are :) All modern Zyxel switches are brought to a single Web interface style, and on the home page you can see the status of the ports, click on the desired one, turn off/on or overload the power client. In Networked AV, the bandwidth and IGMP mode on each of the ports are displayed here. Previously, I didn't pay attention to the fact that a search finally appeared in the web interface, so you can now find the desired function in 1 click. I would like it to take into account user parameters, such as the names of VLANs and ports, but this is only in the future.

As befits a business model, the XMG1930-30HP has 2 operating system images that can be updated and downloaded independently of each other, so if you are not satisfied with the new firmware, you can download the previous one, and if the firmware is damaged, the switch will load the backup itself.

Port Configuration Features

In terms of working with ports, I would like to draw attention to the support of 6 criteria for combining in LAG both by MAC address and IP. The "Green Ethernet" functions are disabled by default, and it's better not to change this parameter: from series to series, Zyxel has problems with EEE and 2.5GBase-T compatibility, which can be seen even in the Known Issues section in firmware releases, and since our switch has 24 2.5 Gbps ports, I don't I understand why to leave these "green" technologies to the firmware.

When mass configuring the same type of parameters, it makes sense to make your work a little easier and configure everything on one port, and then just clone all the settings to one or more other ports, and what exactly to transfer and what not - you choose yourself.

Three methods are available to configure QoS in the database - SPQ, WFQ and WRR, which are applied directly to physical ports. Setting the speed limit is also quite simple: the administrator sets the limit for incoming and outgoing traffic, too, only on the physical port.

Features of using classifiers (ACL)

Some functions that are implemented explicitly in switches from other manufacturers, well, for example, speed shaping and QoS for VLANs, Zyxel can also be implemented, but in a slightly more cunning way through traffic classifiers. For example, if we need to configure speed shaping for a VLAN, then first we need to designate the appropriate type of traffic by creating a classifier and specifying the VLAN number in it and optionally any other parameters, such as IP address, protocol, Ethernet type, MAC address and incoming port, after which we set a policy for managing this traffic., and individually for each now outgoing port. We can drop packets, limit the speed, forward them to another port, or exclude them from the general speed limit on the physical port.

Agree, although this is more complicated, it gives the administrator more opportunities to fine-tune traffic shaping and change the priority of packet passing, because here we can take into account not just physical and virtual subnets, but also the client machines themselves in these subnets. Even more - if desired, you can classify the class of applications, cutting off, for example, VPN via UDP... oh yes, and it can still be taken into account on certain days according to a given schedule.

Classifiers and policies are processed on the CPU, so their number is limited to 128/256 or 256/384 with a license. Sometimes you can come across the opinion that Zyxel's L3 switches are actually L4, and now you know why this is true.

PoE Configuration Features

In the basic version, you can configure the power priority, maximum power and PoE standard for each of the ports. There is also the possibility of supplying power according to a schedule, for example, to turn off some of the access points during non-working hours. The implementation of this function has one feature: yes, you can assign multiple time ranges to the same port, but they should not overlap.

When activating the L3 Access license, the function of polling the connection status by LLDP or ping by IP address appears. And if the connected device suddenly stops responding, for example, it freezes, it can be automatically overloaded by power, if it is PoE, or simply send a notification to the administrator. Without a remote reboot of the camera or access point, it is already difficult to imagine a modern network, but still not all switches can do this automatically, as well as change any port to a backup (no, this is not port mirroring, namely switching to a backup and back).

VLAN capabilities when L3 Access is activated

With the L3 Access license connected, the switch gets the ability to create VLANs based on IP, protocols and MAC addresses. The network administrator can use VLAN Stacking in order to separate the downstream networks, which at the same time can conduct their own VLANs through the network even if the VLAN IDs of one client coincide with the ids of other clients. This is done by using "double tagging" – adding another (external) VLAN marker.

For the same purpose, double tagging is also supported in its classic variant, Selective Q-in-Q. Thus, if it is necessary to skip the traffic of clients using their own VLAN in downstream networks, Zyxel XMG1930-30HP can integrate with Cisco, D-Link, Mikrotik, etc. client switches. which makes sense in provider networks or business centers.

Multicast parameters (IGMP Snooping) and MVR are configured granularly for each port, and it is also possible to enable static Multicast redirection for VID and ports. This, by the way, is the difference between the 2200 series and the younger L3 Zyxel switches.

Additional security features of L3 Access

The L3 Access license extends the functionality of the XMG1930 with additional built-in security features. The switch is able to deal with IP address substitution, fake or erroneous DHCP servers, allows you to set up a hard binding of IP to MAC per port, view existing ARP tables, has anti-spoofing of ARP packets and filtering functions for both Layer 3 IP and Layer 4 TCP/UDP.

Well, even in the basic functionality there is a guest VLAN, without which no more or less serious industrial network device can do today. For monitoring, SNMP v2c/v3 is used, metrics and logs are exported to the Syslog server and information is output to the Web interface.

Nebula Hybrid mode

Management via Nebula Control Center, let's face it, is not the scenario for which this switch was created, because this cloud configuration service was created for convenience, not functionality. The possibilities of configuring L3 switches in Nebula are very limited, and even worse, some functions, such as routing settings, require a paid Nebula Pro Pack license.

When connected to Nebula, the switch switches to the so-called "hybrid" mode, when some functions are still configured locally, while others are configured via the cloud. The user can configure ACL lists, PoE schedules, VLANs, IGMP and ports.


As can be seen from our review, in the basic version, the XMG1930 series presents enough opportunities for deploying modern networks, including using Wi-Fi 6/6E and the most modern IP cameras. As for the directly considered version of XMG1930-30HP with PoE support, I believe that this switch will be bought mainly for connecting access points, and it doesn't really need all the additional security features, well, don't buy a license just for the sake of Networked AV Mode and automatic reboot of hung downstream devices? Of course, both functions are very much in demand in this kind of switches, and I'm sorry that they were made optional, but with CLI access to the switch and configured monitoring, they can be implemented programmatically. The main thing here is a huge PoE budget and 2.5-gigabit interfaces.

But as for the younger model, XMG1930-30, this is the case when the same switch can be used both in the core, in the distribution layer and at the access level, if you can do without stacking, and implement fault tolerance of services programmatically.

If we talk about the disadvantages, then I don't like that Nebula Control Center frankly does not keep up with the capabilities of Zyxel switches, and the switches' own web interface is only in English. Zyxel should have tightened this direction, otherwise it seems that all switching in Nebula remains "insofar as", and all progress in the cloud management service revolves around access points.

What I personally am delighted with is the concept of a new Web interface, which is implemented in all switches. Finally, there is no need to try to remember where the desired setting is and gloomily wander through the menu in the left column - the search solves this problem. Yes, and the Help function has long existed in home routers, and was very much asked for in professional switches. Previously, everything related to ACLs (classifiers) and policies was inconvenient, clumsy and repulsive, but now everything is so convenient that I'm already planning to use this functionality in our test network, and if you didn't understand ACLs, be sure to pay your attention there, it's really worth it.

Michael Degtjarev (aka LIKE OFF)

Read also:

Protecting the company's network with Zyxel USG Flex 100AX

Zyxel USG Flex 100AX is an entry–level security gateway that is designed for installation in small offices and branches, in cases where the company has strict security requirements or there is a complex multi-rank network in whi...