Zyxel GS2220-28, GS2220-50, GS2220-10HP, GS2220-50HP, GS2220-10 Handbook

www.zyxel.com
Switch Series
Edition 2023.1
Handbook
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Copyright © 2022 ZyXEL Communications Corporation
Contents
Basic principles for network management
1.1 How to change the switch management IP address to avoid accessing the wrong device
1.1.1 Configuration in the Switch-2
1.1.2 Test the Result
1.2 How to configure the switch with a device name to avoid accessing the wrong device
1.2.1 Configuration in Switch-1
1.2.2 Test the Result
1.3 How to configure the switch to update the time from an NTP server
1.3.1 Configuration in Switch
1.3.2 Test the Result
1.3.3 What could go wrong?
1.4 How to configure the switch to backup events on a SYSLOG server
1.4.1 Configure the Switch-1
1.4.2 Test the Result
1.4.3 What could go wrong?
1.5 How to configure the switch with a port name to quickly identify directly connected devices
1.5.1 Configure Switch-1
1.5.2 Test the Result
1.6 How to collect the Diagnostic Info
1.6.1 Collect the Diagnostic Info from web GUI
1.6.2 Test the Result
1.7 How to change the default administrator password
1.7.1 Change the default administrator password
1.7.2 Test the Result
1.8 How to configure a whitelist for remote management to prevent unauthorized access
1.8.1 Configure the whitelist of the remote management
1.8.2 Test the Result
1.8.3 What could go wrong?
Designing the Local Area Network
2.1 How to configure the switch to separate traffic between departments using VLAN
2.1.1 Configure Switch-1
2.1.2 Configure Switch-2
2.1.3 Test the Result
2.2 How to configure the switch to route traffic across VLANs
2.2.1 Configure VLAN 10
2.2.2 Configure VLAN 20
2.2.3 Set the gateway on PC-1 and PC-2
2.2.4 Test the Result
2.2.5 What could go wrong
2.3 How to configure the switch to perform DHCP service in a VLAN
2.3.1 Configure VLAN 10
2.3.2 Configure VLAN 20
2.3.3 Configure the Switch and PC
2.3.4 Test the Result
2.3.5 What Could Go Wrong
2.4 How to Configure the Switch to Translate Customer VLAN to Service Provider VLAN
2.4.1 Configuration on the Core Switch
2.4.2 Configuration on the Edge Switch
2.4.3 Test the Results
Improving Network Reliability
3.1 How to configure a stacked switch to ensure high server availability
3.1.1 Configure Switch-1 and Switch-2 for Stacking
3.1.2 Configure Link Aggregation on Stacked switch
3.1.3 Configure Link Aggregation on Switch-3
3.1.4 Test the Result
3.1.5 What Could Go Wrong
3.2 How to configure RSTP in a ring topology
3.2.1 Configure Switch
3.2.2 Test the Result
3.2.3 What Could Go Wrong
3.3 How to configure VRRP to provide hosts with a redundant gateway
3.3.1 Configuration in the Gateway-A
3.3.2 Configuration in the Gateway-B
3.3.3 Test the Result
3.3.4 What Could Go Wrong?
3.4 How to configure bandwidth control to limit incoming or outgoing traffic rate
3.4.1 Configure Switch
3.4.2 Test the Result
3.5 How to configure ACL to rate limit IP traffic
3.5.1 Configure VLAN and Route Traffic
3.5.2 Configure the Classifier
3.5.3 Configure the ACL (Policy Rule)
3.5.4 Test the Result
3.5.5 What Could Go Wrong
3.6 How to Implement VRRP with Multiple Routing Interface Combine with HA-pro Using Zyxel Enterprise Switch
3.6.1 Configuration
3.6.2 Verification
3.6.3 What may go wrong?
3.7 How to Configure the Switch to Tunnel Layer 2 Protocol Packets Through Service Provider Network
3.7.1 Configuration on the Edge Switch
3.7.2 Configuration on the Customer Switch
3.7.3 Test the Results
3.7.4 What Could Go Wrong
Designing an IPTV Network
4.1 Introduction for IGMP
4.1.1 What are General Queries and Group Specific Queries?
4.1.2 What are IGMP Snooping Querier Modes?
4.1.3 What are the differences between IGMP Snooping fast/normal/immediate leave?
4.2 How to configure IGMP routing for multicast clients in a different LAN
4.2.1 Configure Switch-1
4.2.2 Configure Switch-2
4.2.3 Test the Result
4.2.4 What Could Go Wrong
4.3 How to configure IGMP Snooping for multicast clients in the same LAN
4.3.1 Configure Switch
4.3.2 Test the Result
Network Security
5.1 How to configure the port security to limit the number of connected devices
5.1.1 Configure Switch-1
5.1.2 Test the Result
5.1.3 What Could Go Wrong
5.2 How to configure MAC filter to block unwanted traffic
5.2.1 Configure Switch-1
5.2.2 Test the Result
5.2.3 What Could Go Wrong
5.3 How to configure the switch to prevent IP scanning
5.3.1 Configuration in the Switch
5.3.2 Test the Result
5.3.3 What Could Go Wrong?
5.4 How to Configure the Switch and RADIUS Server to Provide Network Access through 802.1x Port Authentication
5.4.1 Configuration in the Switch
5.4.2 Configuration in the RADIUS-Server
5.4.3 Test the Result
5.4.4 What May Go Wrong?
5.5 How to configure the switch to send unauthorized users in a guest VLAN
5.5.1 Configure 802.1x Port Authentication on the Switch
5.5.2 Configure VLAN for Guest VLAN
5.5.3 Configure Guest VLAN for Failed Authentication
5.5.4 Configure the RadiusServer
5.5.5 Configure the setting on User-A, User-B and Guest
5.5.6 Test the Result
5.5.7 What Could Go Wrong
5.6 How to Configure the Switch and RADIUS Server to Provide Network Access through Device MAC Address
5.6.1 Configuration in the Switch
5.6.2 Configuration in the RADIUS-Server
5.6.3 Test the Result
5.6.4 What Could Go Wrong?
5.7 How to configure the switch to prevent ARP spoofing
5.7.1 Configuration in the Switch
5.7.2 Test the Result
5.7.3 What Could Go Wrong?
5.8 How to Configure the Switch to Protect Against Rogue DHCP Servers
5.8.1 Configuration in the Switch
5.8.2 Test the Result
5.8.3 What Could Go Wrong?
5.9 How to configure IPSG static binding for trusted network devices
5.9.1 Configuration in the Switch
5.9.2 Test the Result
5.10 How to configure ACL to block unwanted traffic
5.10.1 Configure VLAN and Route Traffic
5.10.2 Configure the Classifier
5.10.3 Configure the Policy Rule
5.10.4 Test the Result
5.10.5 What Could Go Wrong
5.11 How to use ACL to mirror traffic of a specific criteria
5.11.1 Configuration of ACL
5.11.2 Test the Result
5.11.3 What May Go Wrong
5.12 How to Separate Traffic through L2 Port Isolation
5.12.1 Configuration in the Switch
5.12.2 Test the Result
5.12.3 What May Go Wrong
Implementing VOIP
6.1 How to configure an IP Phone's VLAN using LLDP-MED
6.1.1 Configure VLAN for IP Phone
6.1.2 Configure Switch
6.1.3 Test the Result
6.1.4 What Could Go Wrong
6.2 How to configure the switch to separate VOIP traffic from data traffic
6.2.1 Configure VLAN 100 for IP Phone
6.2.2 Configure Voice VLAN
6.2.3 Test the Result
6.2.4 What Could Go Wrong
6.3 How to configure the switch to improve Voice traffic quality
6.3.1 Configure VLAN for voice traffic
6.3.2 Configure Voice VLAN
6.3.3 Configure Mirroring (For “Test the Result”)
6.3.4 Test the Result
6.3.5 What Could Go Wrong
Basic principles for network management
1.1 How to change the switch management IP address to avoid accessing the wrong device
This example shows administrators how to use the Web GUI to manage the IP addresses of the switches so that they do not unintentionally access the wrong device. As shown below, there are two switches in the environment. Both switches use the same default IP address, 192.168.1.1.
Figure 1 Two switches are using the same default IP address
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.1.1 Configuration in the Switch-2
1 Disconnect the link between Switch-1 and Switch-2.
2 Set the PC’s IP address to the same subnet as the switches. For example, set the PC IP address to 192.168.1.100.
3 Open a browser (IE, Chrome, Safari, Firefox, etc.). Go to http://192.168.1.1 (default management IP address). Key in “username: admin; password: 1234” and log in.
4 Enter the webpage and go to Menu > SYSTEM > IP Setup > IP Setup > IP Interface > Add/Edit. Set the IP address you prefer, for example 192.168.1.2. Then click Apply.
5 Log back in using the new IP address 192.168.1.2. After logging in again, remember to click the Save icon to save the new configuration.
1.1.2 Test the Result
1 Log in via the web GUI and go to Menu > SYSTEM > IP Setup > IP Status. Check if the IP address is already configured as 192.168.1.2.
1.2 How to configure the switch with a device name to avoid accessing the wrong device
This example shows administrators how to use the Web GUI to manage the device name and avoid accessing the wrong device. As shown below, the PC connects to Switch-1 in the environment. By default, the device name (System Name) is the model name (XGS2220 in this example).
Figure 2 Change the device name of the switch
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.2.1 Configuration in Switch-1
1 Enter the web GUI and go to Menu > SYSTEM > General Setup. Change the System Name (Switch-1 in this example) and click Apply.
2 Click Save to save the configuration.
1.2.2 Test the Result
Enter the web GUI and you will see the switch information page. Check whether the System Name is the name you configured (Switch-1 in this example).
1.3 How to configure the switch to update the time from an NTP server
This example shows administrators how to use an NTP server to update the system time of the switch. As shown below, the PC connects to the Switch, and the Switch connects to the USG in the environment.
Figure 3 Set up Switch to get time from NTP Server
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80). We use Google's free public NTP server (216.239.35.12) as our NTP server. You can also choose another available NTP server. Furthermore, because routing is set up in this configuration, the user interface might differ on other models.
1.3.1 Configuration in Switch
1 Enter the web GUI and go to Menu > SYSTEM > IP Setup > IP Setup > IP Setup. Set the default Gateway as the USG IP: 192.168.1.1. Then click Apply.
2 Go to Menu > SYSTEM > General Setup. Set Use Time Server when Bootup to NTP(RFC-1305) and set the Time Server IP Address. In this scenario, we use Google's free public NTP server (216.239.35.12) as an example. Also, select the Time Zone for your location. Finally, remember to click Apply.
3 Click Save to save the configuration.
1.3.2 Test the Result
1 Go to Menu > SYSTEM > General Setup. Both the Current Time and Current Date should match the current time in your location. If the current time has not been updated to the correct time, click Refresh.
2 Set Use Time Server when Bootup to None. A few seconds later, change it back to NTP(RFC-1305). The time will still update to the current time.
1.3.3 What could go wrong?
1 The Switch may not be able to reach the NTP Server. Follow these steps to test whether the NTP Server is reachable: go to Menu > Maintenance > Diagnostic, select IPv4, type the IP address of the NTP Server (216.239.35.12) into the IP Address field, and click Ping.
1.4 How to configure the switch to backup events on a SYSLOG server
The example shows administrators how to set up the switch to send system log events to a remote syslog server.
Figure 4 Upload the syslog automatically to the server
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.4.1 Configure the Switch-1
1 Enter the web GUI and go to Menu > SYSTEM > Syslog Setup > Syslog Server Setup > Add/Edit. Enable the Activate setting and set up the server IP address. In this example, it is 192.168.1.200. Choose the Log Level you prefer (Level 0-7 in this example). The wider the range, the more detailed the recorded logs. Remember to click Apply.
2 In the same page, activate the Syslog and activate the logging type you prefer. Also, remember to click Apply.
Note: Log Level refers to which events should be sent to the Syslog Server. Severity: Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notice (5), Informational (6), and Debug (7).
3 Click Save to save the configuration.
1.4.2 Test the Result
1 Unplug and re-plug PC-1 from the switch.
2 The Syslog Server should receive an event log from the switch.
3 We can also check the directory (C:\app\Tftpd64 in this example) to find out if a text file is created on the Syslog Server.
1.4.3 What could go wrong?
1 If Switch-1 and the Syslog Server are in different subnets, remember to set the default gateway so that Switch-1 and the Syslog Server can communicate with each other.
2 Confirm that the service port number configured on Switch-1 and on the Syslog Server is the same. (The default service port for the Syslog Server in Switch-1 is 514.)
1.5 How to configure the switch with a port name to quickly identify directly connected devices
The example shows administrators how to configure the switch with a port name to quickly identify directly connected devices. By doing this, administrators can quickly identify which port connects to which device, location, or section of the network.
Figure 5 Configure the port name of the switch
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.5.1 Configure Switch-1
1 Enter the web GUI and go to Menu > Port > Port Setup. Type the name of each directly connected device as the corresponding port name. For example, you can type Switch-2 in port 2 and AP in port 3. Then click Apply.
2 Click Save to save the configuration.
1.5.2 Test the Result
1 Go to Menu > Monitor > Port Status. You will see the names you typed in the Name column.
1.6 How to collect the Diagnostic Info
The example shows local administrators how to collect the Diagnostic Info by web GUI. The Diagnostic Info is a set of logs that includes useful information such as System Information, CPU utilization history, system logs and debug reports for issue analysis.
Figure 6 Collect the Diagnostic Info from web GUI
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.6.1 Collect the Diagnostic Info from web GUI
1 Enter the web GUI and go to Menu > Maintenance > Tech-Support. Click the Download button for All. You can also select the specific Diagnostic Info you need. (Ex: Crash, ROM, ...)
1.6.2 Test the Result
1 Open the file and you can view the Diagnostic Info. (In this example, we use Notepad++ to open the .txt file.)
1.7 How to change the default administrator password
The example shows administrators how to change the default administrator password used for management access. Failure to change the default administrator password is a security risk that allows unauthorized users to access your device’s management interface.
Figure 7 Change the default administrator password
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.7.1 Change the default administrator password
1 Enter the web GUI and go to Menu > System > Logins. Enter the Old Password and New Password. Then click Apply.
2 After you click Apply, the browser will show a message similar to the one below.
1.7.2 Test the Result
1 Close the web GUI and log in again with the OLD password. The login page will show “Invalid username or password”.
2 Use the new password to log in. The Switch-1 web GUI should be accessible.
1.8 How to configure a whitelist for remote management to prevent unauthorized access
The example shows administrators how to configure a whitelist of host devices that prevents access attempts from unauthorized devices or subnets. The whitelist inspects the source IP addresses of hosts and the types of services used to access the switch (Ex: Telnet, FTP, HTTP).
Figure 8 Configure the whitelist for remote management
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
1.8.1 Configure the whitelist of the remote management
1 Using AdministratorPC, enter the web GUI and go to Menu > Security > Access Control > Remote Management. Enter the range of IP addresses and the corresponding types of services that are allowed to access the Switch. Then click Apply.
1.8.2 Test the Result
1 In this setting, the IP range 192.168.10.100-192.168.10.120 is allowed to access the Switch by all protocol types EXCEPT HTTP. Therefore, if we use PC-1 (192.168.10.100) to access the Switch by HTTP, the Switch will refuse the connection. If we access the web GUI by HTTPS (enter https://192.168.10.1), PC-1 can connect to the Switch successfully.
2 PC-2 (192.168.10.200) is not in the range that is allowed to access the Switch. PC-2 cannot access or ping the switch’s management IP address.
3 AdministratorPC can access the Switch by all service types successfully.
1.8.3 What could go wrong?
1 The same IP address is configured in more than one entry, but with different settings. Whitelist entries are combined with a logical OR. For example, if we set the ranges of IP addresses shown below, 192.168.10.120 is accidentally configured twice. The result is that all types of services are ALLOWED for 192.168.10.120.
2 If the administrator has forgotten or lost track of the whitelisted IP addresses, the administrator will not be able to access the Switch. To solve this problem, use the Console to verify the settings. Administrators can find out which IP addresses are allowed to access the Switch by reviewing the running configuration.
Note: If the Switch does not support Console, please check the manual of your Switch model to find out how to restore device to factory default settings.
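The OR behaviour described in 1.8.3 can be checked offline before entries are applied to the Switch. The following Python sketch is an added example, not Zyxel code: the service list, the Entry type, the function names and the second whitelist entry are assumptions constructed for illustration; only the 192.168.10.100-192.168.10.120 range comes from 1.8.2.

```python
"""Audit a remote-management whitelist whose entries combine with logical OR."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import combinations

# Assumed service names; the page itself names Telnet, FTP, HTTP, HTTPS and ping.
ALL_SERVICES = frozenset({"Telnet", "FTP", "HTTP", "HTTPS", "ICMP", "SNMP", "SSH"})


@dataclass(frozen=True)
class Entry:
    index: int
    start: IPv4Address
    end: IPv4Address
    services: frozenset


def make_entry(index, start, end, services):
    """Validate one whitelist row (address range plus allowed services)."""
    start, end = IPv4Address(start), IPv4Address(end)
    if start > end:
        raise ValueError(f"entry {index}: start address is above end address")
    unknown = set(services) - ALL_SERVICES
    if unknown:
        raise ValueError(f"entry {index}: unknown services {sorted(unknown)}")
    return Entry(index, start, end, frozenset(services))


# Constructed sample. Entry 1 is the range from 1.8.2 (everything except HTTP).
# Entry 2 is a hypothetical later addition that starts one address too early.
WHITELIST = [
    make_entry(1, "192.168.10.100", "192.168.10.120", ALL_SERVICES - {"HTTP"}),
    make_entry(2, "192.168.10.120", "192.168.10.130", {"HTTP", "HTTPS"}),
]


def effective_services(entries, ip):
    """Union of the services of every entry whose range contains ip (OR logic)."""
    ip = IPv4Address(ip)
    allowed = set()
    for entry in entries:
        if entry.start <= ip <= entry.end:
            allowed |= entry.services
    return frozenset(allowed)


def find_conflicts(entries):
    """Report overlapping ranges whose service sets differ.

    For each overlap, 'gained' maps an entry index to the services that the
    other entry silently adds on top of it for the overlapping addresses.
    """
    conflicts = []
    for a, b in combinations(entries, 2):
        low, high = max(a.start, b.start), min(a.end, b.end)
        if low <= high and a.services != b.services:
            conflicts.append({
                "entries": (a.index, b.index),
                "overlap": (str(low), str(high)),
                "effective": a.services | b.services,
                "gained": {a.index: b.services - a.services,
                           b.index: a.services - b.services},
            })
    return conflicts


if __name__ == "__main__":
    for ip in ("192.168.10.100", "192.168.10.120", "192.168.10.125", "192.168.10.200"):
        print(ip, sorted(effective_services(WHITELIST, ip)) or "DENIED")
    for c in find_conflicts(WHITELIST):
        print("overlap", c["overlap"], "between entries", c["entries"],
              "-> entry", c["entries"][0], "also gets", sorted(c["gained"][c["entries"][0]]))
```

Running the audit on the planned entries before clicking Apply shows every address whose effective permissions are wider than any single row suggests.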
Designing the Local Area Network
2.1 How to configure the switch to separate traffic between departments using VLAN
The example shows administrators how to set up the switch to separate traffic between departments. With Static VLAN, hosts in a VLAN can communicate only with other hosts in the same VLAN.
Figure 9 Set up VLAN to separate the traffic between departments
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
2.1.1 Configure Switch-1
1 Use AdministratorPC to set ports 1 and 2 as Normal ports in VLAN 1 on Switch-1 (this prevents VLAN 1 from broadcasting packets to ports 1 and 2). Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Select VID 1 > Add/Edit. Select port 1, 2 as Normal. Click Apply.
2 Use AdministratorPC to create VLAN 10 in Switch-1: Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=10. Select port 1, 5 as Fixed, uncheck Tx Tagging (untagged) on port 1 and check Tx Tagging (tagged) on port 5. Click Apply.
3 Use AdministratorPC to create VLAN 20 in Switch-1: Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=20. Select port 2, 5 as Fixed, uncheck Tx Tagging (untagged) on port 2 and check Tx Tagging (tagged) on port 5. Click Apply.
4 Set the PVID on Switch-1: Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. Set port 1 as PVID=10 (VLAN 10) and port 2 as PVID=20 (VLAN 20).
2.1.2 Configure Switch-2
1 Use AdministratorPC to set VLAN 1 in Switch-2: Port 3, 4 as Normal port (this prevents VLAN 1 from broadcasting packets to port 3, 4). Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Select VID 1 > Add/Edit. Select port 3, 4 as Normal. Click “Apply”.
2 Use AdministratorPC to create VLAN 10 in Switch-2: Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=10. Select port 3, 5 as Fixed and uncheck Tx Tagging (Untagged) on port 3 and check Tx Tagging (Tagged) on port 5. Click Apply.
3 Use AdministratorPC to create VLAN 20 in Switch-2: Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=20. Select port 4, 5 as Fixed and uncheck Tx Tagging (Untagged) on port 4 and check Tx Tagging (Tagged) on port 5. Click Apply.
4 Set the PVID on Switch-2: Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. Set port 3 as PVID=10 (VLAN 10) and port 4 as PVID=20 (VLAN 20).
2.1.3 Test the Result
1 PCs in the same VLAN can ping each other. PC-1 can ping PC-3 successfully, but PC-1 cannot ping PC-2.
2 PC-2 can ping PC-4 successfully, but PC-2 cannot ping PC-3.
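The following Python model is an added example, not part of the Zyxel handbook. It encodes the Static VLAN membership, Tx Tagging and PVID values from sections 2.1.1 and 2.1.2, checks the ping results listed above, and shows what changes when step 1 or step 4 is skipped. Assumptions (Figure 9 is not reproduced here): port 5 of each switch is the inter-switch link, AdministratorPC is on Switch-1 port 8, and a port drops frames for a VLAN it is not a member of.

```python
import copy
from collections import deque

# Per switch: "vlans" maps VID -> {member port: Tx Tagging?}, "pvid" maps port -> PVID.
# Values follow sections 2.1.1 and 2.1.2; only the ports used in the example are modelled.
# Assumed: port 5 is the inter-switch link and AdministratorPC is on Switch-1 port 8.
PAGE_CONFIG = {
    "Switch-1": {
        "vlans": {1: {5: False, 8: False}, 10: {1: False, 5: True}, 20: {2: False, 5: True}},
        "pvid": {1: 10, 2: 20, 5: 1, 8: 1},
    },
    "Switch-2": {
        "vlans": {1: {5: False}, 10: {3: False, 5: True}, 20: {4: False, 5: True}},
        "pvid": {3: 10, 4: 20, 5: 1},
    },
}
LINKS = {("Switch-1", 5): ("Switch-2", 5), ("Switch-2", 5): ("Switch-1", 5)}
HOSTS = {
    "PC-1": ("Switch-1", 1), "PC-2": ("Switch-1", 2),
    "PC-3": ("Switch-2", 3), "PC-4": ("Switch-2", 4),
    "AdministratorPC": ("Switch-1", 8),
}


def egress(config, switch, in_port, tag):
    """Return [(out_port, tag_on_wire)] for a frame flooded inside its VLAN."""
    cfg = config[switch]
    # Untagged frames are classified by the ingress port's PVID.
    vid = tag if tag is not None else cfg["pvid"][in_port]
    members = cfg["vlans"].get(vid, {})
    if in_port not in members:  # ingress port is not a member of the VLAN: drop
        return []
    return [(port, vid if tagged else None)
            for port, tagged in members.items() if port != in_port]


def delivers(config, src, dst):
    """True if a flooded frame from src reaches dst's port untagged."""
    queue = deque([HOSTS[src] + (None,)])
    seen = set()
    while queue:
        state = queue.popleft()
        if state in seen:
            continue
        seen.add(state)
        switch, in_port, tag = state
        for out_port, wire_tag in egress(config, switch, in_port, tag):
            if (switch, out_port) == HOSTS[dst] and wire_tag is None:
                return True
            peer = LINKS.get((switch, out_port))
            if peer is not None:
                queue.append(peer + (wire_tag,))
    return False


def can_ping(config, a, b):
    """Ping needs the request and the reply to get through."""
    return delivers(config, a, b) and delivers(config, b, a)


def skip_step_1(config):
    """Variant: ports 1 and 2 of Switch-1 are left as untagged members of VLAN 1."""
    broken = copy.deepcopy(config)
    broken["Switch-1"]["vlans"][1].update({1: False, 2: False})
    return broken


def skip_step_4(config):
    """Variant: the PVID of ports 1 and 2 of Switch-1 is left at the default, 1."""
    broken = copy.deepcopy(config)
    broken["Switch-1"]["pvid"].update({1: 1, 2: 1})
    return broken


if __name__ == "__main__":
    for a, b in [("PC-1", "PC-3"), ("PC-1", "PC-2"), ("PC-2", "PC-4"), ("PC-2", "PC-3")]:
        print(a, "->", b, "ping ok" if can_ping(PAGE_CONFIG, a, b) else "isolated")
    print("VLAN 1 flooding reaches PC-1 if step 1 is skipped:",
          delivers(skip_step_1(PAGE_CONFIG), "AdministratorPC", "PC-1"))
```

With step 1 skipped, departmental isolation between PC-1 and PC-2 still holds, but flooded VLAN 1 traffic is sent out of the department ports, which is what setting them to Normal prevents.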
2.2 How to configure the switch to route traffic across VLANs
The purpose of VLANs is to isolate one broadcast domain from another. If we want hosts in different VLANs to communicate with each other, we have to set the switch to route traffic. The example shows how to configure the switch to route traffic from one VLAN to another.
Figure 10 Set up switch to route traffic across VLANs
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XS3800-28 (Firmware Version: V4.80).
2.2.1 Configure VLAN 10
1 Use AdministratorPC to create VLAN 10. Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=10. Select port 1 as Fixed and uncheck Tx Tagging (Untagged). Click Apply.
2 Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. Set the PVID. Set port 1 as PVID=10 (VLAN 10). Click Apply.
3 Create a Static IP Address for Switch in VLAN 10 (to be the gateway in VLAN 10): Go to Menu > SYSTEM > IP Setup > IP Setup > IP Interface > Add/Edit. Set the Static IP Address: 192.168.10.1 for Switch in VLAN 10. Click “Apply”.
2.2.2 Configure VLAN 20
1 Create VLAN 20. Follow the same steps. Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=20. Select port 2 as Fixed and uncheck Tx Tagging (Untagged). Click Apply.
2 Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. Set the PVID. Set port 2 as PVID=20 (VLAN 20). Click Apply.
3 Create a Static IP Address for Switch in VLAN 20 (to be the gateway in VLAN 20). Go to Menu > SYSTEM > IP Setup > IP Setup > IP Interface > Add/Edit. Set a Static IP Address: 192.168.20.1 for Switch in VLAN 20. Click “Apply”.
2.2.3 Set the gateway on PC-1 and PC-2
1 Set the Gateway of PC-1 as 192.168.10.1 (the Static IP Address of Switch in VLAN 10).
2 Set the Gateway of PC-2 as 192.168.20.1 (the Static IP Address of Switch in VLAN 20).
2.2.4 Test the Result
1 PC-1 can ping PC-2 successfully.
2.2.5 What could go wrong
1 If PC-1 cannot reach PC-2:
a. Verify that the subnet of PC-1 is not using the same subnet as that of PC-2.
b. Verify that the default gateways of PC-1 and PC-2 match the Switch’s IP interface on their respective VLANs.
c. Make sure that there are no policy routes using the subnet of PC-1 or PC-2 as a destination IP criterion.
2.3 How to configure the switch to perform DHCP service in a VLAN
The example shows administrators how to configure the switch to provide dynamic IP addresses to hosts in each VLAN.
Figure 11 Perform DHCP service in different VLAN
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XS3800-32 (Firmware Version: V4.80). Only L3 Switches support the DHCP Server function (models: 3700 series, 3800 series and 4600 series).
2.3.1 Configure VLAN 10
1 Use AdministratorPC to create VLAN 10. Enter the web GUI and go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=10. Select port 1 as Fixed and uncheck Tx Tagging (Untagged). Click Apply.
2 Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. Set the PVID. Set port 1 as PVID=10 (VLAN 10). Click Apply.
3 Create a Static IP Address for Switch in VLAN 10 (IP Address to be DHCP Server in VLAN 10): Go to Menu > SYSTEM > IP Setup > IP Setup > IP Interface > Add/Edit. Set the Static IP Address: 192.168.10.1 for Switch in VLAN 10. Click “Add”.
2.3.2 Configure VLAN 20
1 Create VLAN 20. Follow the same steps. Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN > Add/Edit. Enable the Active setting. Type the Name and VLAN Group ID=20. Select port 2 as Fixed and uncheck Tx Tagging (Untagged). Click Apply.
2 Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. Set the PVID. Set port 2 as PVID=20 (VLAN 20). Click Apply.
3 Create a Static IP Address for Switch in VLAN 20 (IP Address to be DHCP Server in VLAN 20): Go to Menu > SYSTEM > IP Setup > IP Setup > IP Interface > Add/Edit. Set the Static IP Address: 192.168.20.1 for Switch in VLAN 20. Click “Add”.
2.3.3 Configure the Switch and PC
1 Set up DHCP Server in VLAN 10: Go to Menu > Networking > DHCP > DHCPv4 Server > DHCP Server Setup > Add/Edit. Set up the VID (VLAN of PC-1). The Client IP Pool Starting Address refers to the first IP Address the Switch will assign to DHCP clients. The Size of Client IP Pool refers to the maximum number of IP addresses the switch will provide. Set the gateway as the IP of the Switch in VLAN 10 (192.168.10.1). Click Add.
Note: In this example, the pool size is 10 and the starting IP address is 192.168.10.11. Therefore, the IP range that the DHCP Server will assign is between 192.168.10.11 and 192.168.10.20.
2 Set up DHCP Server in VLAN 20: Go to Menu > Networking > DHCP > DHCPv4 Server > DHCP Server Setup > Add/Edit. Set up the VID (VLAN of PC-2). The Client IP Pool Starting Address refers to the first IP Address the Switch will assign to DHCP clients. The Size of Client IP Pool refers to the maximum number of IP addresses the switch will provide. Set the gateway as the IP of the Switch in VLAN 20 (192.168.20.1). Click Add.
Note: In this example, the pool size is 10 and the starting IP address is 192.168.20.11. Therefore, the IP range that the DHCP Server will assign is between 192.168.20.11 and 192.168.20.20.
3 Set PC-1 and PC-2 as DHCP clients by configuring IPv4 to Obtain an IP Address automatically.
2.3.4 Test the Result
1 PC-1 can get the IP Address assigned by Switch successfully. We can check this by using the command “ipconfig” in command prompt. PC-1 will get an IP address in the range of 192.168.10.11-192.168.10.20 and the gateway is 192.168.10.1.
2 PC-2 can get the IP Address assigned by Switch successfully. We can check this by using the command “ipconfig” in command prompt. PC-2 will get an IP address in the range of 192.168.20.11-192.168.20.20 and the gateway is 192.168.20.1.
2.3.5 What Could Go Wrong
1 If some devices are no longer receiving any dynamic IP address from the DHCP server, consider increasing the Size of Client IP Pool.
2 If you want to surf the Internet using a URL or domain name, remember to set up a DNS Server.
2.4 How to Configure the Switch to Translate Customer VLAN to Service Provider VLAN
VLAN Mapping provides a mechanism to map a Customer VLAN to a service provider’s VLAN (Translated-VLAN). Packets received on a port are mapped to a Translated VLAN based on the port ID and the customer VLAN ID in the packets.
VLAN Mapping can also be used to prevent traffic from being forwarded between different customers when they use the same VLAN in their own networks. In the following example, both company A and company B use the same VLAN 10. When company A sends traffic to an ISP network, the traffic can be forwarded to company B across a core switch because both companies are in the same VLAN 10.
Once VLAN Mapping is configured on the edge switches, it translates the customer VLANs of company A and company B to different VLANs. The traffic will then not be forwarded between company A and company B, since they are in different VLANs after VLAN translation on the edge switches.
The following example shows how an administrator configures a switch to achieve VLAN translation.
Note: The example was tested using two GS2220 (Firmware Version: V4.80) as edge switches, and one XGS2220 (Firmware Version: V4.80) as a core switch.
2.4.1 Configuration on the Core Switch
1 Access the web GUI. Go to Menu > Switching > VLAN Mapping. Enable the Active setting and activate port 1.
2 Go to Menu > Switching > VLAN Mapping > VLAN Mapping Setup > Add/Edit. Enable the Active setting and type the Name. Set Port as 1, VID as 100, and Translated VID as 1001. Select Priority value as 3 (Optional), and click “Apply”.
3 Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN Setup. Check the Active box, type the Name and set VLAN Group ID as 1001. Select port 1, 26 as Fixed, and click “Apply”.
Note: Create a Static VLAN only for the Translated VLAN, and set both ports as members of the Translated VLAN. Otherwise the packets from the Translated VLAN received on port 26 will NOT be forwarded to port 1.
2.4.2 Configuration on the Edge Switch
1 Set up Customer Switch-1: Access the web GUI. Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN Setup. (If you are using V4.70 firmware, please go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup.) Check the Active box, type the Name and set VLAN Group ID as 100. Select port 1 as Fixed and uncheck Tx Tagging (Untagged). Select port 9 as Fixed, and click “Apply”.
2 Set up Customer Switch-1: Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. (If you are using V4.70 firmware, please go to Menu > Advanced Application > VLAN > VLAN Configuration > VLAN Port Setup.) Set port 1 PVID as 100 (VLAN 100), and click “Apply”.
3 Set up Customer Switch-2: Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN Setup. (If you are using V4.70 firmware, please go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup.) Check the Active box, type the Name and set VLAN Group ID as 1001. Select port 1 as Fixed and uncheck Tx Tagging (Untagged). Select port 9 as Fixed, and click “Apply”.
4 Set up Customer Switch-2: Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port Setup. (If you are using V4.70 firmware, please go to Menu > Advanced Application > VLAN > VLAN Configuration > VLAN Port Setup.) Set port 1 PVID as 1001 (VLAN 1001), and click “Apply”.
2.4.3 Test the Results
1 PC-1 can ping PC-2 successfully.
2 Configure Mirroring to verify the VLAN ID/Priority value in the packets which are received on port 1 of the core switch, and ensure they are the original values (VLAN=100/Priority=0). Access the web GUI and go to Menu > Switching > Mirroring > Mirroring. Switch on the mirroring. Set the Monitor port as port 2, which is used to monitor the traffic, and check the destination port 1 in this example. Select the direction as “Both”, and click “Apply”.
3 Connect another PC to port 2 of the core switch. Open Wireshark to monitor the packets, and filter “icmp”.
4 Configure Mirroring to verify the VLAN ID/Priority in the packets sent out from port 26 of the core switch and ensure they are the translated values (VLAN=1001/Priority=3). Go to Menu > Advanced Application > Mirroring. Uncheck port 1 and check port 26. Select the direction as “Both”, and click “Apply”.
5 Connect another PC to port 2 of the core switch. Open Wireshark to monitor the packets, and filter “icmp”.
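The check in steps 2 to 5 can be expressed in code. This Python sketch is an added example, not part of the Zyxel handbook: it parses the 802.1Q tag of a frame, applies the core switch's mapping from section 2.4.1 (port 1, VID 100 to Translated VID 1001 with Priority 3), and compares frames seen on the mirrored ports with the values expected in section 2.4.3. The sample frames and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100
# (ingress port, customer VID) -> (translated VID, priority), from section 2.4.1.
MAPPING = {(1, 100): (1001, 3)}
# Expected (VID, priority) per mirrored port, from section 2.4.3.
EXPECTED = {1: (100, 0), 26: (1001, 3)}

DST = bytes.fromhex("020000000002")  # constructed, locally administered MACs
SRC = bytes.fromhex("020000000001")


def build_frame(vid=None, pcp=0, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame, 802.1Q-tagged when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return DST + SRC + tag + struct.pack("!H", 0x0800) + payload


def read_tag(frame):
    """Return (VID, priority) of the outer 802.1Q tag, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def translate(frame, ingress_port, mapping=MAPPING):
    """Rewrite VID and priority if (port, VID) has a mapping; else return frame as is."""
    tag = read_tag(frame)
    if tag is None or (ingress_port, tag[0]) not in mapping:
        return frame
    new_vid, new_pcp = mapping[(ingress_port, tag[0])]
    _, tci = struct.unpack_from("!HH", frame, 12)
    dei = tci & 0x1000  # keep the drop-eligible bit unchanged
    return frame[:14] + struct.pack("!H", (new_pcp << 13) | dei | new_vid) + frame[16:]


def check_capture(observations):
    """observations: [(mirrored port, raw frame)]. Return [(port, tag)] mismatches."""
    return [(port, read_tag(frame)) for port, frame in observations
            if read_tag(frame) != EXPECTED.get(port)]


if __name__ == "__main__":
    received = build_frame(vid=100, pcp=0)   # as seen on port 1
    sent = translate(received, 1)            # as seen on port 26
    print("port 1:", read_tag(received), "port 26:", read_tag(sent))
    print("mismatches:", check_capture([(1, received), (26, sent)]))
```

A non-empty result from `check_capture` for port 26 means customer-tagged frames are leaving the core switch without translation.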
Improving Network Reliability
3.1 How to configure a stacked switch to ensure high server availability
The example shows administrators how to configure a stacked switch to ensure high server availability. In this example, we stack Switch-1 and Switch-2 into one logical switch. With the switches stacked together, clients can still reach the server even if one switch goes offline. This ensures high availability for servers. This example instructs administrators to disconnect all links before configuring the switches to avoid any network outages caused by broadcast storms.
Figure 12 Configure the stacked switch
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS3800-28 (Firmware Version: V4.80) and GS2220-50HP (Firmware Version: V4.80).
3.1.1 Configure Switch-1 and Switch-2 for Stacking
1 Set up Switch-1: Enter the web GUI and go to Menu > System > Stacking > Stacking Setup. Key in the system priority (The higher the number is, the higher priority it is to become a master) and click Apply. Enable the Active setting and click Apply. Switch-1 will reboot.
2 Set up Switch-2: Enter the web GUI and go to Menu > System > Stacking > Stacking Setup. Key in the system priority (The higher the number is, the higher priority it is to become a master) and click Apply. Enable the Active setting and click Apply. Switch-2 will reboot.
3 Connect Switch-1 and Switch-2 together on port 28 using a 10-Gigabit transceiver.
4 Switch-1 and Switch-2 become a stacked switch. The Stack ID LED on the front panel of the switches should display “1” and “2”.
Note: In this example, we set the priority of Switch-1 higher than Switch-2. Therefore, Switch-1 will become the Master.
Note: The last four ports are usually reserved for stacking channels when the switch is in stacking mode. These are ports 25, 26, 27, and 28 for the XS3800-28 switch. If you are using other stackable models, please refer to the user manual to confirm the ports used for stacking.
5 Remember to save the configuration.
3.1.2 Configure Link Aggregation on Stacked switch
1 Connect to the stacked switch. Enter the web GUI and go to Menu > Port > Link Aggregation > Link Aggregation Setting. Activate T1 and T2. Select SLOT 1 and set the Group of port 1/1 and 1/2 as T1 and T2, respectively. Click “Apply”. Select SLOT 2 and set the Group of port 2/1 and 2/2 as T1 and T2, respectively. Click Apply.
2 Go to Menu > Port > Link Aggregation > Link Aggregation Control Protocol. Check the Active box, as well as for T1 and T2.
3.1.3 Configure Link Aggregation on Switch-3
1 Go to Menu > Port > Link Aggregation > Link Aggregation Setting. (If you are using V4.70 firmware, please go to Menu > Advanced Application > Link Aggregation > Link Aggregation Setting.) Check the Active box for T1 and select the port 1 and 2 as Group T1. Click Apply.
3 Go to Menu > Port > Link Aggregation > Link Aggregation Control Protocol. (If you are using V4.70 firmware, please go to Menu > Advanced Application > Link Aggregation > Link Aggregation Setting > LACP.) Check the “Active” box, as well as for T1.
3.1.4 Test the Result
1 Configure Link Aggregation between the Server’s two NICs and connect these ports to port 1/2 and 2/2 of the stacked switch.
2 Use PC to ping the Server (192.168.1.40). After a few pings, shut down Switch-1 (Master down). The ping will display “timed out” a few times and then succeed again when Switch-2 (Backup) becomes the new Master.
3.1.5 What Could Go Wrong
1 The stacking ports are usually the last 2 ports of the switch. If you
connect the two switches using a non-stacking port, you will find that the two switches will not form a stacking system.
2 Remember to save the configuration before doing the test. If
you forget to save the configuration, after rebooting, all the configurations will be lost. Therefore, the Link Aggregation will disappear.
3.2 How to configure RSTP in a ring topology
The example shows administrators how to set up RSTP (Rapid Spanning Tree Protocol) in the ring topology to implement network redundancy.
Figure 13 Configure RSTP in a ring topology
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XS3800-28 (Firmware Version: V4.80).
3.2.1 Configure Switch
1 Make sure that the link between Switch-2 and Switch-3 is not
connected to prevent unintended loops before finishing the RSTP setup.
2 Set up Switch-1: Enter the web GUI. Go to Menu > Switching >
Spanning Tree Protocol > Spanning Tree Setup. Check if the
Spanning Tree Configuration is Rapid Spanning Tree. If not, select it and click Apply.
3 Set up Switch-1: Enter the web GUI. Go to Menu > Switching > Spanning Tree Protocol > RSTP. Enable the Active setting. Set the Bridge Priority = 4096. Activate ports 17 and 18. Click “Apply”.
4 Set up Switch-2: Enter the web GUI. Go to Menu > Switching >
Spanning Tree Protocol > Spanning Tree Setup. Check if the Spanning Tree Configuration is Rapid Spanning Tree. If not, select it and click “Apply”.
5 Set up Switch-2: Enter the web GUI. Go to Menu > Switching > Spanning Tree Protocol > RSTP. Enable the Active setting. Set the Bridge Priority = 20480. Activate ports 17 and 18. Click Apply.
6 Set up Switch-3: Enter the web GUI. Go to Menu > Switching >
Spanning Tree Protocol > Spanning Tree Setup. Check if the Spanning Tree Configuration is Rapid Spanning Tree. If not, select it and click “Apply”.
7 Set up Switch-3: Enter the web GUI. Go to Menu > Switching > Spanning Tree Protocol > RSTP. Enable the Active setting. Set the Bridge Priority = 32768. Activate ports 17 and 18. Click “Apply”.
8 Finally, connect the link between Switch-2 and Switch-3.
3.2.2 Test the Result
1 Verify the status of Switch-1: Go to Menu > Switching >
Spanning Tree Protocol > Spanning Tree Protocol Status. The
Root Bridge ID and the Our Bridge ID should be the same. This means that Switch-1 is the Root Bridge. Both port 17 and 18 should be in FORWARDING state, while both their Port Roles are
Designated Ports.
2 Verify the status of Switch-2: Go to Menu > Advanced
Application > Spanning Tree Protocol. Check the port status of
Switch-2. Port 18 should be the Root Port in FORWARDING state, while port 17 should be a Designated Port also in FORWARDING state.
3 Verify the status of Switch-3: Go to Menu > Advanced
Application > Spanning Tree Protocol. Check the port status of
Switch-3. Port 17 should be the Root Port in FORWARDING state, while Port 18 is an Alternate Port in DISCARDING state.
3.2.3 What Could Go Wrong
1 If your Root Bridge is not the device you expected:
a. Decrease the Spanning Tree priority of this device.
b. Increase the Spanning Tree priority of the other devices.
The switch with the LOWEST bridge priority will be the Root Bridge. If the priority is the same, the switch with the LOWEST MAC address will be the Root Bridge.
2 If it is not possible to access the management of the switches
and the switch’s port LEDs are constantly flashing, you can recover management access by removing or disconnecting any redundant links to break the ring topology. This frequently occurs before Spanning Tree is configured on the devices or if Spanning Tree is configured incorrectly.
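The Root Bridge rule above and the port roles listed in section 3.2.2 can be reproduced with a short calculation. This Python sketch is an added example, not part of the Zyxel handbook. It uses the bridge priorities from section 3.2.1; the MAC addresses, the ring cabling (Figure 13 is not reproduced here) and the equal path cost on every link are assumptions.

```python
import heapq

# Bridge priorities from section 3.2.1; the MAC addresses are constructed.
BRIDGES = {
    "Switch-1": (4096, "00:00:5e:00:53:0a"),
    "Switch-2": (20480, "00:00:5e:00:53:0b"),
    "Switch-3": (32768, "00:00:5e:00:53:0c"),
}
# Assumed cabling of the ring, chosen to match the roles listed in section 3.2.2.
LINKS = [
    (("Switch-1", 18), ("Switch-2", 18)),
    (("Switch-1", 17), ("Switch-3", 17)),
    (("Switch-2", 17), ("Switch-3", 18)),
]
STATE = {"Root": "FORWARDING", "Designated": "FORWARDING", "Alternate": "DISCARDING"}


def elect_root(bridges):
    """Lowest (priority, MAC) wins; priorities must be multiples of 4096."""
    for name, (priority, _mac) in bridges.items():
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError(f"{name}: priority must be a multiple of 4096 in 0..61440")
    return min(bridges, key=lambda name: bridges[name])


def port_roles(bridges, links, link_cost=20000):
    """Return {(bridge, port): role} for a connected topology of point-to-point links."""
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}
    for (a, pa), (b, pb) in links:
        adj[a].append((pa, b, pb))
        adj[b].append((pb, a, pa))

    # Root path cost of every bridge (Dijkstra, equal cost on every link).
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, name = heapq.heappop(heap)
        if c > cost[name]:
            continue
        for _port, peer, _peer_port in adj[name]:
            if c + link_cost < cost.get(peer, float("inf")):
                cost[peer] = c + link_cost
                heapq.heappush(heap, (cost[peer], peer))

    roles = {}
    # Root port: best path to the root, ties broken by upstream bridge ID, then port.
    for name in bridges:
        if name != root:
            port, _, _ = min(
                adj[name],
                key=lambda e: (cost[e[1]] + link_cost, bridges[e[1]], e[2], e[0]))
            roles[(name, port)] = "Root"
    # On each link, the end with the better (cost, bridge ID) is Designated.
    for end_a, end_b in links:
        for (me, my_port), (peer, peer_port) in ((end_a, end_b), (end_b, end_a)):
            if (me, my_port) in roles:
                continue
            mine = (cost[me], bridges[me], my_port)
            theirs = (cost[peer], bridges[peer], peer_port)
            roles[(me, my_port)] = "Designated" if mine < theirs else "Alternate"
    return roles


if __name__ == "__main__":
    print("Root Bridge:", elect_root(BRIDGES))
    for (bridge, port), role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(f"{bridge} port {port}: {role} ({STATE[role]})")
```

Comparing this output with the Spanning Tree Protocol Status page shows quickly whether an unexpected device has become the Root Bridge.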
3.3 How to configure VRRP to provide hosts with a redundant gateway
This example shows how to configure gateway redundancy. Virtual Router Redundancy Protocol (VRRP) is a feature that allows two gateways to use the same IP address. This allows hosts in the local network to keep accessing the Internet in the event of a failure on one of the gateways.
Figure 14 Two gateways running VRRP on the same LAN
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. Only the GS/XGS/XS3700 Series Switch, XS3800 Series Switch and XGS4600 Series Switch support VRRP. The L2 Switch can be any Zyxel switch using default configurations. This example relies on two different Internet Service Providers (ISP) for Internet access. All UI screens displayed in this article are taken from the XGS3800 series switch.
3.3.1 Configuration in the Gateway-A
1 Access the Gateway-A’s web GUI.
2 Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN
Setup. Create/Edit VLAN 1 to make sure only Port 23 is a fixed port. Click Add.
3 Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN
Setup. Create/Edit VLAN 10 to make sure only Port 24 is a fixed
port. Click Add.
4 Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port
Setup. Configure port 24 with PVID 10. Click Apply.
5 Go to Menu > System > IP Setup > IP Setup > IP Interface >
Add/Edit. Configure the IP address for VLAN 1. Click Add and
do the same for VLAN 10.
6 Go to Menu > System > IP Setup > IP Setup > IP Setup.
Configure the In-band Default Gateway. Click Apply.
7 Go to Menu > Networking > VRRP > VRRP Setup. Enable VRRP
for network “192.168.1.252/24”. Make sure that the priority is “200”. Click Add.
3.3.2 Configuration in the Gateway-B
1 Access the Gateway-B’s web GUI.
2 Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN
Setup. Create/Edit VLAN 1 to make sure only Port 23 is a fixed port. Click Add.
3 Go to Menu > Switching > VLAN > VLAN Setup > Static VLAN
Setup. Create/Edit VLAN 20 to make sure only Port 24 is a fixed
port. Click Add.
4 Go to Menu > Switching > VLAN > VLAN Setup > VLAN Port
Setup. Configure port 24 with PVID 20. Click Apply.
5 Go to Menu > System > IP Setup > IP Setup > IP Interface >
Add/Edit. Configure the IP address for VLAN 1. Click Add and
do the same for VLAN 20.
6 Go to Menu > System > IP Setup > IP Setup > IP Setup.
Configure the Default Gateway. Click Apply.
7 Go to Menu > Networking > VRRP > VRRP Setup. Enable VRRP
for network “192.168.1.252/24”. Click Add.
3.3.3 Test the Result
1 Verify that Gateway-A is the Master VRRP Router. Go to
Menu > Networking > VRRP. VR Status should display Master.
2 Verify that Gateway-B is the Backup VRRP Router. Go to
Menu > Networking > VRRP. VR Status should display Backup.
3 Verify that Gateway-A and Gateway-B have a default route to their respective USG in Menu > Monitor > Routing Table > IPv4 Routing Table.
4 Configure the Host with a Static IP. The Host should be able to
ping the virtual IP address 192.168.1.254.
5 Disconnect port 23 or port 24 of Gateway-A. Hosts should still
be able to ping the virtual IP address 192.168.1.254.
3.3.4 What Could Go Wrong?
1 If the hosts are not able to access the Internet when Gateway-A has been disconnected from the network, check the following:
a. Verify that the hosts and Gateway-B IP interface are in the same subnet and VLAN.
b. Check for link failures on port 23 or port 24 of Gateway-B.
c. Check whether Gateway-B has a default route to USG-B.
3.4 How to configure bandwidth control to limit incoming or outgoing traffic rate
This example shows administrators how to configure bandwidth control to manage traffic rates. We can limit either incoming traffic, outgoing traffic, or both. In this example, we use two computers: FTP Client (PC) and FTP Server (FTPServer). PC will either be uploading files or downloading files from the FTP Server.
Figure 15 Configure bandwidth control to limit the traffic rate
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80).
3.4.1 Configure Switch
1 Enter the web GUI. Go to Menu > Switching > QoS > Bandwidth
Control. Switch on the Bandwidth Control. Key in the rate in Ingress Rate (PC Upload rate) = 10240 kbps and Egress Rate
(PC Download rate) = 20480 kbps. Remember to check the port Active boxes as well. Click Apply.
3.4.2 Test the Result
1 Use PC to upload a file to the FTP Server. Transfer rate should be
more or less 1.2 MB/s (or 10240 Mb/s).
2 Use PC to download a file from the FTP Server. Transfer rate
should be more or less 2.4 MB/s (or 20480 Mb/s).
3.5 How to configure ACL to rate limit IP traffic
In some networks, it is necessary to configure rate limits among VLANs. For example, VLAN 10 is for employees within the organization; VLAN 20 is for guests. By rate limiting VLAN 20, we can ensure better bandwidth or network performance for users in VLAN 10. This example shows administrators how to configure ACL to rate limit VLAN traffic. Results are verified by observing and comparing the upload and download rate between VLAN 10 and VLAN 20.
Figure 16 Configure ACL to rate limit VLAN traffic
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS2220-30 (Firmware Version: V4.80) and GS2220-50HP (Firmware Version: V4.80).
3.5.1 Configure VLAN and Route Traffic
1 Configure the VLAN setting (VLAN 10 and VLAN 20) on Switch-1 and Switch-2 (Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments).
2 Configure the route traffic on Switch-1 and Switch-2 (Please refer to the topic: 2.2 How to configure the switch to route traffic across VLANs).
3.5.2 Configure the Classifier
1 Set up the Classifiers on Switch-2: Go to Menu > Security > Classifier > Classifier Setup. Set up one Classifier for download and one for upload in each of VLAN 10 and VLAN 20, for a total of 4 Classifiers.
2 The Classifier for download traffic in VLAN 10: Enable the Active setting and key in the Name. Set Layer 3 > Destination as 192.168.10.0/24 (Means the destination is in VLAN 10) and Source as 192.168.1.100/32 (Means the source is FTPServer). Press Add.
3 The Classifier for upload traffic in VLAN 10: Enable the Active
setting and key in the Name. Set Layer 3 > Destination as
192.168.1.100/32 (Means the destination is FTPServer) and Source as 192.168.10.0/24 (Means the source is from VLAN 10).
Press Add.
Note: ACL causes traffic that matches the criteria of a Classifier to follow its corresponding Policy Rule.
4 The Classifier for download traffic in VLAN 20: Check the Active box and key in the Name. Set Layer 3 > Destination as 192.168.20.0/24 (Means the destination is in VLAN 20) and Source as 192.168.1.100/32 (Means the source is FTPServer). Press Add.
5 The Classifier for upload traffic in VLAN 20: Check the Active box and key in the Name. Set Layer 3 > Destination as 192.168.1.100/32 (Means the destination is FTPServer) and Source as 192.168.20.0/24 (Means the source is from VLAN 20). Press Add.