Your BACnet Questions Answered: Episode 8

This episode, we’re getting into VLANs.

In this latest episode of Your BACnet Questions, Answered, Ping dives into just a few of the many VLAN-related questions we’ve received.

What’s the deal with VLAN tagging and switches?
QoS and VLAN?
Domain sizes and VLANs for optimization?

Stay tuned… there’s a lot more coming.

Thanks for sending in all your questions! If you’d like us to tackle a particular topic—maybe about broadcast behavior, MS/TP chain length, or network segmentation—send them our way. We love digging deep to help make your BACnet/OT networks more reliable.

Send us a message on LinkedIn, Reddit, or Bluesky, or email us at marketing[at]optigo.net.

Here’s What Ping Covers in Episode 8:

Ping explains how VLANs separate and isolate ports on a switch, and how VLAN tagging works within Ethernet packets to identify which VLAN each packet belongs to. He describes how switches use these tags to keep network traffic organized and why unmanaged switches can cause unpredictable results on VLAN-tagged networks.

He also dives into the Quality of Service (QoS) bits within VLAN tags—how they can prioritize important packets, and why in most operational technology (OT) environments, it’s better to improve network design instead of relying on QoS to fix bottlenecks.

Ping shares best practices for network isolation and segmentation, noting when it’s beneficial for security or performance and when over-segmentation can create unnecessary routing bottlenecks.

Finally, he connects VLAN setup to BACnet performance, explaining how reducing broadcast domains can prevent network storms and limit congestion between BBMDs.


Transcript

VLAN is a method to segregate different ports or isolate different ports on a switch. So you can say that port 1 through 6 is on one VLAN and 7 through 12 is on a different VLAN. But VLAN also refers to a special tag—a special field inside the packet.

A tagged packet can tell the switch which VLAN this packet belongs to. Now, not all traffic that goes through a VLAN switch will be tagged. So in a case where there are different VLANs going through a port, you know that these packets are this VLAN and these packets are that VLAN.

The second part to the question is, what issue can we encounter when we plug in unmanaged switches on a VLAN-tagged network? It results in really unpredictable and undocumented behavior. Now most unmanaged switches today will just transparently pass all traffic, whether it’s tagged or not tagged, but that’s not guaranteed. Because an unmanaged switch is exactly what it sounds like—it has no awareness of VLAN. It can create unexpected distribution of the traffic. Now again, in general, an unmanaged switch will just pass whatever comes in, but be aware that it’s not guaranteed.

So inside this VLAN field, there’s this 3-bit field that’s called the quality of service bits. It allows you to set a value between 0 and 7—7 is the highest priority and 0 is the lowest priority. In general, if two packets come into the switch at the same time, it should take the higher priority packet first and then the lower priority when it has time.

Let’s say you had a few devices of much higher priority than other devices—your air handlers, for example. And you know that you’re running in a system and a network that is quite busy. You could configure the ports connected to these air handlers to tag the traffic with a higher priority so that as the packets come in with all the lower priority packets and hit the bottleneck, the switch will pass the traffic for the air handlers first. But it requires a tremendous amount of management and configuration to make this work.

Really, the advice in this example would be to fix the way your network works or your application works so you don’t run into these bottlenecks. VLAN is very good in the IT world. In the IT setting, it’s very bursty—there’s a lot of unpredictability in the network and system. That’s why you want to be able to play around with these quality of service settings. But in operational technology (OT) systems, it’s highly recommended not to design what we call an oversubscribed network. Therefore, quality of service bits in these cases should not come into play.

Network isolation and network segregation are a little bit of an art more than a science. If you have a system that’s very bursty, with a lot of broadcast traffic, and another network that doesn’t need to communicate with it, then put them on two different networks. That allows the noise from one network not to interfere with the other.

Another thing is security. Let’s say you have two vendors, and they do not need to work with each other. Their devices don’t need to communicate with each other. Why put them on one network and risk one vendor making a change that causes an issue on another system? That would be another good use of VLAN—to create these isolations.

In building automation, we often hear designs where every floor is put on a different VLAN. That’s not necessarily the best way to do it, because if there is cross-floor communication for air balancing, then every time communication occurs between two VLANs, it has to go through a router. That creates a single bottleneck. Sometimes creating VLANs by function is a better approach.

In a hospital setting, for example, one of the main considerations would be what services need to communicate with each other and what should be separated. That reduces the likelihood of issues crossing over.

A fantastic question, because this one crosses between IT systems and building automation/BACnet systems. First, BACnet discovery uses messages called Who-Is and I-Am. Who-Is messages are broadcast and allow one device to discover another’s address and location. The reply uses I-Am.

If you create one large BACnet system with a thousand devices, and each sends a Who-Is every 15 minutes, you’ll get a broadcast storm—massive ongoing broadcasts everywhere. If you instead create smaller islands or VLANs of, say, 250 devices, even if all 250 send Who-Is at once, your broadcast peak is smaller. Reducing broadcast domains improves overall performance.

That’s why in Optigo Visual Networks, we have a diagnostic called Global Discovery. It looks for these Who-Is messages that scan large address ranges—often over a thousand. Reducing VLAN size reduces the broadcast domain.

When we add BBMDs (BACnet Broadcast Management Devices), they allow BACnet broadcast traffic to cross from one subnet to another. But if you put BBMDs on both sides, you’re taking all broadcast from one network into the next, creating a bottleneck. Too many BBMDs make the system error-prone; too few and the broadcast storms persist.
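As an added illustration of two points from the transcript (the 802.1Q tag with its 3-bit priority field, and the Who-Is range check behind a "Global Discovery" style diagnostic), here is a small frame decoder. It is example code written for this page, not Optigo's code and not the Optigo Visual Networks diagnostic; the 1000-instance threshold, the sample MAC/IP addresses and the frame itself are constructed assumptions.

```python
import struct

VLAN_TPID, BACNET_PORT, WHO_IS = 0x8100, 0xBAC0, 0x08  # 802.1Q TPID, BACnet/IP UDP port 47808, Who-Is service choice
GLOBAL_DISCOVERY_RANGE = 1000  # assumed threshold: a Who-Is spanning more instances than this is flagged

def parse_tag(frame):
    """Return (pcp, vid, offset_of_ethertype) for an 802.1Q-tagged frame, else None if untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)   # TPID and TCI sit right after the two MACs
    if tpid != VLAN_TPID:
        return None
    return tci >> 13, tci & 0x0FFF, 16                 # PCP = top 3 bits (0-7), VID = low 12 bits

def parse_who_is(frame, off):
    """Walk IPv4/UDP/BVLC/NPDU/APDU; return (low, high) instance limits of a Who-Is, else None."""
    ip = off + 2
    if struct.unpack_from("!H", frame, off)[0] != 0x0800 or frame[ip + 9] != 17:
        return None                                    # not IPv4 carrying UDP
    udp = ip + (frame[ip] & 0x0F) * 4
    bvlc = udp + 8
    if struct.unpack_from("!H", frame, udp + 2)[0] != BACNET_PORT or frame[bvlc] != 0x81:
        return None                                    # not BACnet/IP (BVLC type 0x81)
    control, p = frame[bvlc + 5], bvlc + 6             # NPDU: version, control, optional specifiers
    if control & 0x20: p += 3 + frame[p + 2]           # DNET(2) DLEN(1) DADR(DLEN)
    if control & 0x08: p += 3 + frame[p + 2]           # SNET(2) SLEN(1) SADR(SLEN)
    if control & 0x20: p += 1                          # hop count follows the specifiers
    if frame[p] >> 4 != 0x1 or frame[p + 1] != WHO_IS: # unconfirmed-request PDU carrying Who-Is
        return None
    p, vals = p + 2, []
    while p < len(frame) and len(vals) < 2:            # context tags 0 and 1: unsigned, 1-3 bytes each
        n = frame[p] & 0x07; vals.append(int.from_bytes(frame[p + 1:p + 1 + n], "big")); p += 1 + n
    return tuple(vals) if vals else (0, 4194303)       # no limits means every device must answer

def classify(frame):
    """Summarise a frame: its VLAN tag fields and whether it is a wide-range (global) Who-Is."""
    tag = parse_tag(frame)
    if tag is None:
        return {"tagged": False}
    pcp, vid, off = tag
    who = parse_who_is(frame, off)
    wide = who is not None and who[1] - who[0] + 1 > GLOBAL_DISCOVERY_RANGE
    return {"tagged": True, "vid": vid, "pcp": pcp, "who_is": who, "global_discovery": wide}

def build_who_is(pcp, vid, low, high):
    """Constructed sample (not a capture): tagged IPv4/UDP BACnet/IP broadcast Who-Is for low..high."""
    apdu = bytes([0x10, WHO_IS, 0x0B]) + low.to_bytes(3, "big") + b"\x1B" + high.to_bytes(3, "big")
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF]) + apdu    # global broadcast DNET 0xFFFF, hop count 255
    bvlc = bytes([0x81, 0x0B]) + (4 + len(npdu)).to_bytes(2, "big") + npdu   # Original-Broadcast-NPDU
    udp = struct.pack("!HHHH", BACNET_PORT, BACNET_PORT, 8 + len(bvlc), 0) + bvlc
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 255])) + udp
    tci = (pcp << 13) | vid                                       # DEI bit left clear
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!HHH", VLAN_TPID, tci, 0x0800) + ip
```

A Who-Is with no limits, or with a range wider than the threshold, is the pattern to look for in a capture when a BBMD is relaying broadcasts between subnets.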
