VLANs and BBMDs seem at complete odds with each other. One is meant to separate and segregate traffic. The other is designed to broadcast messages across the network, with no limit on which devices receive which messages.
BBMDs and VLANs do coexist on IP and MS/TP networks everywhere, and it’s important to know how to properly segregate traffic while making sure devices get the information they need.
Check out our webinar with Robert Lastinger from Distech Controls, for a live demo of VLANs and BBMDs on a BACnet MS/TP network, with key best practices you can apply to your networks today. Be sure to check out our previous sessions too!
The webinar dug into a lot of topics, including:
- Digging into an MS/TP network without segregation | 1:16 – 27:41
- Setting up VLANs on a network to limit traffic | 27:41 – 41:13
- Managing VLANs on the MS/TP network | 41:13
We focused this webinar on MS/TP networks, because we know so many BACnet networks out there are running on hard-wired connections.
MS/TP covers networking layers 1 and 2, the physical and data link layers. It has its own physical wires and connectors, and the master devices pass a token among themselves to determine which device may initiate messages on the network at any moment. There is no layer 3 (network/routing), so each MS/TP network is isolated. BACnet is an application layer protocol that runs on top of MS/TP.
You can use a mix of IP and MS/TP on your network. A BACnet MS/TP to BACnet IP router takes the packets and translates them, stripping out MS/TP-specific messaging such as token-passing, which has no meaning on the IP side.
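To make the router behaviour concrete, here is an added illustration (not code from the webinar, from Distech Controls, or from any router product) that decodes MS/TP frames and applies the filtering a router performs: token-passing frames (Token, Poll-For-Master, Reply-To-Poll-For-Master) are dropped, and only BACnet data frames are wrapped in a BACnet/IP BVLC header. The frame types, preamble, CRC routines and BVLC function codes follow ASHRAE 135; the sample frames, node addresses and the Who-Is payload are constructed, and rewriting of the NPDU source address is left out.

```python
"""Decode MS/TP frames and filter them the way an MS/TP-to-BACnet/IP router does."""
import struct
from dataclasses import dataclass
from typing import Optional

# MS/TP frame types (ASHRAE 135 clause 9.3). Types 0-2 are token-passing
# housekeeping and must never leave the MS/TP segment.
TOKEN, POLL_FOR_MASTER, REPLY_TO_POLL_FOR_MASTER = 0x00, 0x01, 0x02
DATA_EXPECTING_REPLY, DATA_NOT_EXPECTING_REPLY = 0x05, 0x06
MSTP_BROADCAST = 0xFF          # destination address meaning "all nodes"
PREAMBLE = b"\x55\xFF"

# BVLC header values for BACnet/IP (Annex J)
BVLC_TYPE = 0x81
ORIGINAL_UNICAST_NPDU, ORIGINAL_BROADCAST_NPDU = 0x0A, 0x0B


def header_crc(header: bytes) -> int:
    """8-bit header CRC over type, dest, src and length (Annex G.1 routine)."""
    crc = 0xFF
    for b in header:
        c = crc ^ b
        c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7)
        crc = (c & 0xFE) ^ ((c >> 8) & 1)
    return (~crc) & 0xFF


def data_crc(data: bytes) -> int:
    """16-bit data CRC: reflected polynomial 0x8005, init 0xFFFF, final complement."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


@dataclass
class MstpFrame:
    frame_type: int
    dest: int
    src: int
    data: bytes


def encode(frame: MstpFrame) -> bytes:
    """Serialise a frame: preamble, 5-byte header, header CRC, data, data CRC."""
    header = bytes([frame.frame_type, frame.dest, frame.src]) + struct.pack(">H", len(frame.data))
    out = PREAMBLE + header + bytes([header_crc(header)])
    if frame.data:
        out += frame.data + struct.pack("<H", data_crc(frame.data))  # CRC is sent low byte first
    return out


def decode(raw: bytes) -> MstpFrame:
    """Parse a frame and verify both CRCs before trusting any field."""
    if raw[:2] != PREAMBLE:
        raise ValueError("bad preamble")
    header, hcrc = raw[2:7], raw[7]
    if header_crc(header) != hcrc:
        raise ValueError("header CRC mismatch")
    ftype, dest, src = header[0], header[1], header[2]
    length = struct.unpack(">H", header[3:5])[0]
    data = raw[8:8 + length]
    if length:
        (dcrc,) = struct.unpack("<H", raw[8 + length:10 + length])
        if data_crc(data) != dcrc:
            raise ValueError("data CRC mismatch")
    return MstpFrame(ftype, dest, src, data)


def route_to_ip(raw: bytes) -> Optional[bytes]:
    """Router side: drop token-passing frames, wrap data frames in a BVLC header.

    Returns the BACnet/IP datagram payload to send, or None when the frame is
    MS/TP housekeeping that has no equivalent on the IP side.
    """
    frame = decode(raw)
    if frame.frame_type not in (DATA_EXPECTING_REPLY, DATA_NOT_EXPECTING_REPLY):
        return None
    function = ORIGINAL_BROADCAST_NPDU if frame.dest == MSTP_BROADCAST else ORIGINAL_UNICAST_NPDU
    # BVLC header: type, function, total length (4 header bytes + NPDU).
    return bytes([BVLC_TYPE, function]) + struct.pack(">H", 4 + len(frame.data)) + frame.data


if __name__ == "__main__":
    # Constructed samples: a token handed from node 1 to node 2, then a global
    # Who-Is (NPDU with DNET 0xFFFF + unconfirmed Who-Is APDU) broadcast by node 1.
    token = encode(MstpFrame(TOKEN, 2, 1, b""))
    who_is = encode(MstpFrame(DATA_NOT_EXPECTING_REPLY, MSTP_BROADCAST, 1,
                              b"\x01\x20\xff\xff\x00\xff\x10\x08"))
    print("token  ->", route_to_ip(token))         # None: never forwarded to IP
    print("Who-Is ->", route_to_ip(who_is).hex())  # BVLC Original-Broadcast-NPDU
```

Run it and the token frame yields nothing while the Who-Is becomes an Original-Broadcast-NPDU; the CRC checks in `decode` are what keep a corrupted or truncated frame from being forwarded onto IP.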
In this diagram, while there are two VLANs in place, VLAN 103 isn’t actually separating anything. Almost all the devices on the network are on the same VLAN, and when messages are broadcast, every device will see those messages. There might not be a ton of devices on this network, but it can still create some really nasty traffic, as we saw in the demo at 23:19.
The purpose of VLANs is to reduce the load on your network and isolate more security-sensitive services.
It’s a best practice to create VLANs around services and logical combinations, not devices that are geographically clustered. So, rather than grouping devices that are stationed in a room together, isolate your CCTV on one VLAN, doors on another VLAN, alarms on another VLAN, and so on.
Don’t fuss if you only have a handful of devices on a VLAN. The point is to limit the devices on a VLAN to those that need to communicate with one another.
To summarize best practices:
- Create VLANs around services, not geography
- Good service examples: HVAC, lighting, CCTV, doors, alarms, etc.
- Good non-service examples: isolate tenants or secure locations
- Bad examples: each floor or room gets a VLAN
BBMDs, on the other hand, are designed to carry broadcast traffic between parts of the network that a broadcast cannot reach on its own. They work by wrapping the broadcast message in a unicast message to the destination BBMD, which then re-broadcasts it on its own subnet.
That might be across layer 3 routers — such as from one building in a campus to another — since layer 3 routers forward unicast traffic but not broadcasts. It could also be across VLANs, if one service needs to talk to another.
You should have only one BBMD per subnet: with more than one, every broadcast is forwarded and re-broadcast multiple times, which overloads the network. (Learn about the dangers of duplicate BBMDs.) You can also configure one BBMD to talk to various destinations.
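The two-hop distribution described above, and the cost of breaking the one-BBMD-per-subnet rule, can be seen in this added simulation (not code from the webinar, from Distech Controls, or from any BBMD product). It models two routed subnets, each with devices and a BBMD whose Broadcast Distribution Table lists all BBMDs; a device's Original-Broadcast-NPDU is wrapped in a Forwarded-NPDU, unicast to each peer, and re-broadcast there. The BVLC codes and the 6-octet B/IP address format follow Annex J; the subnets, addresses and Who-Is payload are constructed, and foreign-device registration is not modelled. A second run adds a duplicate BBMD to the first subnet and counts how many copies of the same broadcast every device then receives.

```python
"""Simulate BBMD broadcast distribution across routed BACnet/IP subnets."""
import ipaddress
import struct
from collections import Counter

BVLC_TYPE = 0x81
ORIGINAL_BROADCAST_NPDU = 0x0B   # a device's own broadcast on its subnet
FORWARDED_NPDU = 0x04            # BBMD-to-BBMD unicast carrying that broadcast
BACNET_PORT = 0xBAC0             # 47808


def bip_address(ip: str, port: int = BACNET_PORT) -> bytes:
    """6-octet B/IP address: IPv4 address followed by the UDP port."""
    return ipaddress.IPv4Address(ip).packed + struct.pack(">H", port)


def forwarded_npdu(origin: bytes, npdu: bytes) -> bytes:
    """Forwarded-NPDU: 4-byte BVLC header, originating B/IP address, then the NPDU."""
    return bytes([BVLC_TYPE, FORWARDED_NPDU]) + struct.pack(">H", 10 + len(npdu)) + origin + npdu


class Subnet:
    def __init__(self, cidr: str, devices: list):
        self.net = ipaddress.ip_network(cidr)
        self.devices = devices   # constructed device IPs on this subnet
        self.seen = Counter()    # device IP -> copies of the broadcast delivered
        self.bbmds = []          # BBMDs attached to this subnet

    def broadcast(self, src_ip: str, data: bytes) -> None:
        """Local broadcast: every device and every BBMD on the subnet receives it."""
        for d in self.devices:
            self.seen[d] += 1
        for b in self.bbmds:
            b.receive(src_ip, data, via_broadcast=True)


class BBMD:
    def __init__(self, ip: str, subnet: Subnet, network: dict):
        self.ip, self.subnet, self.network = ip, subnet, network
        self.bdt = []            # Broadcast Distribution Table: peer BBMD IPs (two-hop mode)
        subnet.bbmds.append(self)
        network[ip] = self       # the routed network: unicast reaches any BBMD by IP

    def receive(self, src_ip: str, data: bytes, via_broadcast: bool) -> None:
        fn = data[1]
        if fn == ORIGINAL_BROADCAST_NPDU and via_broadcast:
            # Local device broadcast: wrap it and unicast to each peer across the router.
            fwd = forwarded_npdu(bip_address(src_ip), data[4:])
            for peer in self.bdt:
                if peer != self.ip:
                    self.network[peer].receive(self.ip, fwd, via_broadcast=False)
        elif fn == FORWARDED_NPDU and not via_broadcast:
            # Came from a peer BBMD: re-broadcast on our subnet. A Forwarded-NPDU
            # heard via local broadcast is ignored, which is what stops loops.
            self.subnet.broadcast(self.ip, data)


def simulate(duplicate_bbmd: bool) -> dict:
    """Copies of one Who-Is broadcast delivered per subnet, with or without a duplicate BBMD."""
    network = {}
    a = Subnet("10.1.0.0/24", ["10.1.0.10", "10.1.0.11"])
    b = Subnet("10.2.0.0/24", ["10.2.0.10", "10.2.0.11"])
    bbmds = [BBMD("10.1.0.1", a, network), BBMD("10.2.0.1", b, network)]
    if duplicate_bbmd:
        bbmds.append(BBMD("10.1.0.2", a, network))   # second BBMD on subnet A
    for x in bbmds:
        x.bdt = [y.ip for y in bbmds]                # every BBMD lists every BBMD
    # Constructed global Who-Is: BVLC Original-Broadcast-NPDU + NPDU (DNET 0xFFFF) + APDU.
    who_is = bytes([BVLC_TYPE, ORIGINAL_BROADCAST_NPDU, 0, 12]) + b"\x01\x20\xff\xff\x00\xff\x10\x08"
    a.broadcast("10.1.0.10", who_is)
    return {str(s.net): max(s.seen.values()) for s in (a, b)}


def subnets_with_multiple_bbmds(bdt_ips: list, cidrs: list) -> list:
    """Configuration check for the one-BBMD-per-subnet rule: returns offending subnets."""
    counts = Counter()
    for ip in bdt_ips:
        for cidr in cidrs:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
                counts[cidr] += 1
    return sorted(c for c, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("one BBMD per subnet :", simulate(False))   # each device sees 1 copy
    print("duplicate on subnet A:", simulate(True))   # 3 copies on A, 2 on B
    print("offending subnets   :", subnets_with_multiple_bbmds(
        ["10.1.0.1", "10.1.0.2", "10.2.0.1"], ["10.1.0.0/24", "10.2.0.0/24"]))
```

With one BBMD per subnet every device sees a single copy of the broadcast; with two BBMDs on subnet A the same Who-Is arrives three times on A and twice on B, and that multiplication grows with every extra BBMD and every device that answers. The `subnets_with_multiple_bbmds` check is the kind of validation worth running over a BDT export before commissioning.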
We often hear from people struggling with VLANs and BBMDs on their network, trying to find the balance between segregating traffic and not blocking important messages between relevant devices. Hopefully this webinar helps you better understand how to segment your network traffic properly, with a mix of VLANs, subnets, BBMDs, and foreign devices.
Robert left us with fantastic food for thought to end the webinar at 46:13:
“I can’t stress enough: don’t design your VLANs around your architecture, or around a specific number of devices. There’s other ways to deal with that. Even within the VLAN, you can have multiple subnets and segregate that way.
“If you have a building with 600 VAVs, and all of the VAVs are doing one thing and they all need to talk the same way to the same stuff, you can have a VLAN with just VAVs, and have two subnets there — that’s fine. It’s more important that you use VLANs to segregate those logical groups of controllers, and then use subnetting and other tools to break it up further if you need to. […]
“Once you’ve done those two steps, BBMDs and foreign devices are there to help you then get the communication across all of that where you need it. So you use them sparingly, and if you’ve designed the network well, on a big site, yeah you’re probably going to have a couple of BBMDs and maybe a few foreign devices. But that’s the idea. […]
“BBMDs aren’t bad. They’re just bad when they’re used across a site quite a bit. And if you have a large site, and you’re starting to get a lot of BBMDs — like 10, or 20, or 30 — you’ve really got to rethink that because you’re going to have a hard time troubleshooting issues.”