Managing VLANs And BBMDs

VLANs and BBMDs on the BACnet network

VLANs and BBMDs seem at complete odds with each other. One is meant to separate and segregate traffic. The other is designed to broadcast messages across the network, with no limit on which devices receive which messages.

BBMDs and VLANs coexist on IP and MS/TP networks everywhere, and it’s important to know how to properly segregate traffic while ensuring devices get the information they need.

Check out our webinar with Robert Lastinger from Distech Controls, for a live demo of VLANs and BBMDs on a BACnet MS/TP network, with key best practices you can apply to your networks today. Be sure to check out our previous sessions too!

The webinar dug into a lot of topics, including:

  • Digging into an MS/TP network without segregation | 1:16 – 27:41
  • Setting up VLANs on a network to limit traffic | 27:41 – 41:13
  • Managing VLANs on the MS/TP network | 41:13 

We focused this webinar on MS/TP networks because we know so many BACnet networks out there are running on hard-wired connections. 

MS/TP covers networking layers 1 and 2, the physical and data link layers. It has its own physical wires and connectors, and the master devices pass tokens between them to determine which devices can initiate messages on the network. There’s no layer 3 (network/routing), so each network is isolated. BACnet is an application layer protocol that works on top of MS/TP.

You can use a mix of both IP and MS/TP on your network. A BACnet MS/TP to BACnet IP router will simply take packets and translate them, removing MS/TP-specific messaging such as token-passing.

In this diagram, while there are two VLANs in place, VLAN 103 isn’t separating anything. Almost all the devices on the network are on the same VLAN, and when messages are broadcast, every device will see those messages. There might not be a ton of devices on this network, but it can still create some nasty traffic, as we saw in the demo at 23:19.

The purpose of VLANs is to reduce the load on your network and isolate more security-sensitive services.

It’s a best practice to create VLANs around services and logical combinations, not devices that are geographically clustered. So, rather than grouping devices that are stationed in a room together, isolate your CCTV on one VLAN, doors on another VLAN, alarms on another VLAN, and so on. 

Don’t fuss if you only have a handful of devices on a VLAN. The point is to limit the devices on a VLAN to those that need to communicate with one another. 

To summarize best practices:

  • Create VLANs around services, not geography
    • Good service examples: HVAC, lighting, CCTV, doors, alarms, etc.
    • Good non-service examples: isolate tenants or secure locations
    • Bad examples: each floor or room gets a VLAN

BBMDs, on the other hand, are designed to broadcast traffic between unroutable locations in the network. They work by transforming the broadcast message into a unicast message to the destination BBMD, which then re-broadcasts on its subnet. 

That might be across layer 3 routers — such as from one building on campus to another — as layer 3 routers will only distribute unicast traffic. It could also be across VLANs if one service needs to talk to another. 

You should only have one BBMD per subnet because more than that would overload the network. (Learn about the dangers of duplicate BBMDs.) You can also configure one BBMD to talk to various destinations. 
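The broadcast-to-unicast conversion described above, together with a check for the one-BBMD-per-subnet rule, as an added Python example (not code from the webinar or from Optigo). The IP addresses, the peer table (BDT) and the inventory are constructed sample data; the frame layout follows the BACnet/IP BVLL encoding (type 0x81, Original-Broadcast-NPDU 0x0B, Forwarded-NPDU 0x04).

```python
import ipaddress
import struct
from collections import defaultdict

BVLL_TYPE = 0x81                 # BACnet/IP BVLL type octet
ORIGINAL_BROADCAST_NPDU = 0x0B   # local broadcast sent by a device
FORWARDED_NPDU = 0x04            # what a BBMD sends to its peer BBMDs

def forward_broadcast(frame, src_ip, src_port, own_ip, bdt):
    """Return [(peer_ip, unicast_frame)] a BBMD emits for one local broadcast."""
    if len(frame) < 4:
        raise ValueError("short BVLL frame")
    bvll_type, function, length = struct.unpack("!BBH", frame[:4])
    if bvll_type != BVLL_TYPE or length != len(frame):
        raise ValueError("not a well-formed BVLL frame")
    if function != ORIGINAL_BROADCAST_NPDU:
        return []                # only local broadcasts are forwarded
    npdu = frame[4:]
    # Forwarded-NPDU = 4-octet header + 6-octet originating B/IP address + NPDU
    origin = ipaddress.IPv4Address(src_ip).packed + struct.pack("!H", src_port)
    header = struct.pack("!BBH", BVLL_TYPE, FORWARDED_NPDU, 10 + len(npdu))
    out = header + origin + npdu
    # One unicast per peer BBMD; each peer re-broadcasts on its own subnet.
    return [(peer, out) for peer in bdt if peer != own_ip]

def subnets_with_duplicate_bbmds(bbmds):
    """bbmds: 'ip/prefix' strings. Return {subnet: [ips]} for subnets with >1 BBMD."""
    by_subnet = defaultdict(list)
    for entry in bbmds:
        iface = ipaddress.ip_interface(entry)
        by_subnet[str(iface.network)].append(str(iface.ip))
    return {net: ips for net, ips in by_subnet.items() if len(ips) > 1}

# Constructed sample data (assumptions, not values from the page)
NPDU = bytes.fromhex("0120ffff00ff1008")   # Who-Is sent as a global broadcast
FRAME = struct.pack("!BBH", BVLL_TYPE, ORIGINAL_BROADCAST_NPDU, 4 + len(NPDU)) + NPDU
BDT = ["10.10.1.5", "10.20.1.5", "10.30.1.5"]
INVENTORY = ["10.10.1.5/24", "10.10.1.9/24", "10.20.1.5/24", "10.30.1.5/24"]

if __name__ == "__main__":
    for peer, pkt in forward_broadcast(FRAME, "10.10.1.40", 47808, "10.10.1.5", BDT):
        print(peer, pkt.hex())
    print(subnets_with_duplicate_bbmds(INVENTORY))
```

If both BBMDs flagged on 10.10.1.0/24 carry the same peer table, each one forwards the same Who-Is to every peer, so every remote subnet receives the broadcast twice.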


We often hear of people struggling with VLANs and BBMDs on their network, trying to find the balance between segregating traffic and not blocking important messages between relevant devices. Hopefully, this webinar helps you better understand how to properly segment your network traffic with a mix of VLANs, subnets, BBMDs, and foreign devices.

Robert left us with fantastic food for thought to end the webinar at 46:13:

“I can’t stress enough: don’t design your VLANs around your architecture, or around a specific number of devices. There are other ways to deal with that. Even within the VLAN, you can have multiple subnets and segregate them that way. 

“If you have a building with 600 VAVs, and all of the VAVs are doing one thing and they all need to talk the same way to the same stuff, you can have a VLAN with just VAVs, and have two subnets there — that’s fine. It’s more important that you use VLANs to segregate those logical groups of controllers, and then use subnetting and other tools to break it up further if you need to. […] 

“Once you’ve done those two steps, BBMDs and foreign devices are there to help you then get the communication across all of that where you need it. So you use them sparingly, and if you’ve designed the network well, on a big site, yeah you’re probably going to have a couple of BBMDs and maybe a few foreign devices. But that’s the idea. […] 

“BBMDs aren’t bad. They’re just bad when they’re used across a site quite a bit. And if you have a large site, and you’re starting to get a lot of BBMDs — like 10, or 20, or 30 — you’ve really got to rethink that because you’re going to have a hard time troubleshooting issues.”
