Zyxel XGS2220-30HP - L3 Access switch for modern converged networks

In the Zyxel hierarchy, the XGS2220 series refers to access switches, that is, to the lowest level that serves end devices and access points. We are used to the fact that cheap maintenance-free switches are installed at this level, with or without PoE, and switching settings are assigned to a higher class of switches. However, networks are progressing, and today more and more client devices are connected via Wi-Fi, which means they do not occupy switch ports, as a result of which the network hierarchy can be simplified to 1-2 levels, and Zyxel XGS2220 is an excellent candidate for this role both in terms of building new networks and upgrading old ones. This L3 layer switch has 4 x 10-Gigabit SFP+ slots, 1-Gigabit PoE+ ports for the main fleet of devices, NVR/VoIP optimized interface, Nebula cloud service support and multi-Gigabit PoE++ ports for Wi-Fi 6 access points. That is, Zyxel has added a maximum of functions to one device to make it the most versatile.

There are 6 models in the XGS2220 series: 3 for 24 ports and 48 ports each. The XGS2220-30F model is designed for the distribution level, in which all 1-gigabit interfaces are presented in the form of SFP slots, but the most interesting are PoE variants with the HP index in the name. They have a PoE budget of as much as 400 and 600 watts for 24- and 48-port versions, respectively, and the XGS2220-54FP version even boasts an impressive 960-watt PoE power reserve. All these switches can power devices with up to 60 watts per port, which is enough even for small office PCs, not to mention access points, IP cameras and downstream switches: there will be enough electricity for all this. Ports 1 through 16 support PoE 802.11at with up to 30 watts per port, and ports 17 through 26 (including a pair of multi-gigabit RJ45) support PoE 802.11bt up to 60 watts per port.

Comparison with the previous generation



Generation, year



Total number of uplinks 10G



Number of copper uplinks 10G



PoE++ support (60Wt)



Total PoE budget, Wt



Memory Flash/RAM



Max number of statinc VLAN






Management with Nebula CC



The scope of use of the XGS2220 series is municipal and commercial buildings, such as hospitals, universities, schools and hotels, including those using converged networks for data storage systems and NAS. At the same time, it should be borne in mind that this series does not have fault-tolerant power supplies, and physical stacking seems to be possible, but it will appear only in August 2023.

Design features

We received a 24-port version of XGS2220-30HP with PoE+ support for testing. The main feature of this series is that it has ports, as they say, for all occasions. 4 SFP+ slots with a speed of 1/10G are designed for uplinks, and it should be noted here that switching between DAC/SFP+ modes is done manually, in the switch settings, and not automatically, as in most other devices.

There are two multi-gigabit ports here, and both are with PoE++ support and speeds of 1/2.5/5/10 Gbit/s. Thus, they can be used both for connecting inexpensive NAS-s with support for speeds not higher than 2.5 Gbit/s, and for expensive access points with 5GBase-T/10GBase-T interfaces.

Ordinary 1-gigabit RJ45 ports are interesting because for each of them you can force a speed of 10 Mbit /s, which is used to communicate with IP cameras over a wire length of more than 100 meters. By itself, the XGS2220 series is not positioned as "long-range", but in principle, today the ability to "punch" further than 150 meters on a copper twisted pair will not surprise anyone.

The usual 1-gigabit RJ45 ports are interesting because for each of them you can boost the speed of 10 Mbit/s, which is used to communicate with IP cameras over a wire length of more than 100 meters. By itself, the XGS2220 series is not positioned as "long-range", but in principle, today the ability to "punch" further than 150 meters on a copper twisted pair will not surprise anyone.

On the right side of the front panel there is a digital indicator of the device number in the stack, which is not used yet due to the lack of stacking in the current firmware version. Above it there is a USB Type-C for console access, but there is no cable included (it will fit from a regular phone), and in general console access is only here as a last resort, and so all control is either through the Web interface or through the Nebula Control Center (what will happen if Nebula CC will be blocked or banned?).

Zyxel does not save on fans, the XGS2220-30 HP switch is cooled by three 40 mm Y.S.Tech fans with automatic adjustment. This is one of the oldest brands in the world of server and industrial fans, the products of this company are expensive, and unfortunately, therefore, they are becoming rarer. The noise level of the XGS2220 is 30HP without PoE load in idle mode - about 30 dB, so if you install this switch in the same room with the staff, it is better in a closed cabinet. Fans react not only to the temperature of the components, but also to the connection of transceivers, which can be very hot. The operating temperature range of the ambient air is wider than that of conventional switches: as much as -20 to +50 degrees Celsius, that is, XGS2220-30HP can be installed in unheated and non-conditioned rooms. I want to draw attention to such a moment - the switch can withstand the temperature of the motherboard up to 110 degrees Celsius, and PHY - up to 86 degrees Celsius without disconnecting!

At the input in front of the power supply, there is protection against high voltage (up to 2 KV / 1 KV), the power supply itself is quite bulky, unencumbered with Japanese Nippon and Rubycon capacitors. All Ethernet ports provide protection against static voltage up to 8 KV / 6 KV (contact/air), but according to this parameter, which no one ever pays attention to, XG2220-30HP is inferior to its predecessors (in the same XS1930-12HP, this parameter is 8 KV / 15 KV).

In principle, there are no design features in the XGS2220-30HP, except for USB Type-C for console access, and even then in case of an emergency. The switch is assembled soundly, from expensive components, thanks to which it boasts a wider temperature mode of operation. The stated time-to-failure (MTBF) parameter is almost 268,305 hours, or 30 years, but is it a lot or a little? In an absolute sense, yes, we see high-quality components and a large declared service life, but in the 2021 models, the MTBF was 3-4 times larger and reached 100 years.

According to the parameters, we see a noticeable reduction in the cost of the design, especially in comparison with the 2021 models, which can be explained by general trends, difficult times, and a shortage of components, and simply by the fact that no one needs a switch with a service life of 100 years. The main thing is that structurally no defects have been noticed, which means we are moving on.

Software settings

At one time, Zyxel made an alternative Web interface for its PoE switches so that it would be easier for video surveillance system operators to monitor bandwidth on switch ports and overload devices on power. This good tradition has taken root, and in XGS2220-30HP you have two interfaces to choose from: classic and "network A/V", from which almost all settings have been removed. You can switch between them on the fly, and if there is a need to change something, you can switch to the classic interface, make the necessary changes, and then return back to the "network A/V". Yes, there is also control via the Nebula Control Center, but more on that a little further.

Zyxel XGS2220-30HP has a modern, pleasant web interface in which some parameters can be changed directly on the diagram by clicking on the desired port. Given that there are a lot of settings in the L3 switch, the more visual you make the control, the easier it will be for the setup engineers later. Initially, during initialization, the setup wizard is generally launched here, through which protection against loops, QoS and VLAN is configured: everything is decorated colorfully and brightly, like in children's coloring books, and I don't see anything wrong with it.

L2 Features

Zyxel XG2220-30HP allows you to configure OAM Ethernet connection fault management for each physical port, as well as the one-way connection detection function, ZULD. The latter comes into effect when, due to a hardware malfunction of the equipment, the connection between the devices in the network is established, but only one of them can send packets, and the other cannot. In this case, OAMPDU, having determined that the connection works only in one direction, disconnects the port before the malfunction leads to the formation of a loop.

In addition to STP, Zyxel has its own loop protection technology, Loop Guard, which can detect a short circuit in the network even on the ports of downstream switches and disconnect the port connected to them. This technology conflicts with RSTP (MSTP and the proprietary MRSTP protocol are also supported), and one thing should be chosen for work.

PoE Features

Interestingly, for all RJ45 ports, the switch has a function of polling the connection status by LLDP or ping by IP address. And if the connected device suddenly stops responding, for example, it freezes, it can be automatically overloaded by power, if it is PoE, or simply send a notification to the administrator. Without a remote reboot of the camera or access point, it is already difficult to imagine a modern network, but still not all switches can do this automatically, as well as change any port to a backup (no, this is not port mirroring, namely switching to a backup and back).

The maximum power of each port can be forcibly limited in the configuration of the switch, so as not to go beyond the total budget (400 watts), which is noticeably less than the total maximum power on the ports.

VLAN features

The switch has the ability to create VLANs based on IP, protocols and MAC addresses. The network administrator can use VLAN Stacking in order to separate the downstream networks, which at the same time can conduct their own VLANs through the network even if the VLAN IDs of one client match the ids of other clients. This is done by using "double tagging" – adding another (external) VLAN marker.

For the same purpose, double tagging is also supported in its classic variant, Selective Q-in-Q. Thus, if it is necessary to skip the traffic of clients using their own VLAN in downstream networks, Zyxel XGS2220-30HP can integrate with Cisco, D-Link, Mikrotik, etc. client switches. which makes sense in provider networks or business centers.

Multicast parameters (IGMP Snooping) and MVR are configured granularly for each port, and it is also possible to enable static Multicast redirection for VID and ports. This, by the way, is the difference between the 2200 series and the younger L3 Zyxel switches.

L3 features

Among the packet routing functions at the 3rd level, in principle, everything is standard: up to 32 IP interfaces linked to VLAN IDs and up to 64 routes are supported. It is a pity that VRRP support is still not implemented in XGS22xx switches - so far Zyxel implements it only in the top 3700/3800's and 4600's series.

I want to note that the XGS2220-30HP allows you to combine any port configurations into a trunk, mixing both 10-gigabit optical and 1-gigabit and multi-gigabit ports in one LAG group. Since the switch belongs to level 3, integration is possible based on MAC and IP, and the following methods are available in total, including LACP:

  • src-mac
  • dst-mac
  • src-dst-mac
  • src-ip
  • dst-ip
  • src-dst-ip

The ability to mix ports with different performance within the same LAG group may be required in cases where the number of ports is not enough, and the presence of the trunk itself is more important than its speed.

Security features

From the 1900 series of switches, the 2200s are distinguished by built-in security features. The switch is able to deal with IP address substitution, fake or erroneous DHCP servers, allows you to set up a hard binding of IP to MAC per port, view existing ARP tables, has anti-spoofing of ARP packets and filtering functions for both Layer 3 IP and Layer 4 TCP/UDP.

To increase fault tolerance, ports are disabled in case of errors (errdisable) with subsequent recovery and protection against CPU overload by limiting the flow of packets per port.

And of course, there is a guest VLAN, without which no more or less serious industrial network device can do today. For monitoring, SNMP v2c/v3 is used, metrics and logs are exported to the Syslog server and information is output to the Web interface.

Nebula Features

Management via Nebula Control Center, let's face it, is not the scenario for which this switch was created, because this cloud configuration service was created for convenience, not functionality. The possibilities of configuring L3 switches in Nebula are very limited, and what is even worse - some functions, such as routing settings, require a paid Nebula Pro Pack license.

However, the user can configure ACL lists, PoE schedules, VLANs, IGMP and ports even in the free version of Nebula. But, I repeat once again - such advanced L3 models as XGS2220-30HP does not make sense to use together with Nebula.


Of course, the XGS2220 series can be considered as a natural development of the PoE-L3 line from Zyxel, but if you look more broadly, then with these switches, the network architect has the opportunity to "comb" the switch fleet at the facility, getting rid of the already superfluous "access layer" and reducing the nomenclature, for example, for converged networks. Here you have both copper and optical 10G Ethernet, so the administrator will have plenty of options for how to connect a server + storage + access point, and if the task is to connect lower-level clients in some multi-tenant environment, then here's 802.1Q support for you, and if you need to transfer resources to an NVR environment - everything is here to done.

Michael Degtjarev (aka LIKE OFF)

Read also:

Will Zyxel Nebula survive on the sovereign internet?

What will happen to your network if the Iron Curtain suddenly falls, and the Global Internet turns into something sovereign and all cross-border channels are blocked? Let's simulate this situation and tell you how to unsign the ...