Separate building automation traffic into dedicated VLANs by system function—one VLAN per major subsystem (HVAC controllers, lighting, metering, fire/life safety) with static IP addressing and a /24 subnet per VLAN. Place a BBMD on each BACnet/IP VLAN to handle cross-subnet broadcast forwarding, apply ACLs at inter-VLAN boundaries to restrict traffic to known protocol ports (UDP 47808 for BACnet/IP, TCP 502 for Modbus TCP), and keep the BAS network completely isolated from the corporate IT VLAN. This structure contains broadcast storms, limits the blast radius of compromised devices, and gives IT teams granular control over which systems can communicate.
The Problem: Flat Networks and Uncontrolled Broadcasts
Many building automation systems (BAS) are deployed on flat Layer 2 networks—every controller, sensor gateway, and supervisory workstation sharing a single broadcast domain. This design was common when BAS networks were physically separate from IT infrastructure, but it creates serious issues as facilities converge OT and IT onto shared Ethernet backbones.
On a flat network, every BACnet WHO-IS broadcast reaches every device. In a 500-device campus, that means hundreds of broadcast packets flooding every port on every switch, consuming bandwidth and CPU cycles on embedded controllers that have limited processing power. Worse, a single misbehaving device—a controller stuck in a broadcast loop or a technician's laptop running a misconfigured discovery tool—can saturate the entire network and bring down building systems across multiple floors or buildings.
Without VLAN segmentation, there is also no security boundary between the BAS and corporate IT systems. A compromised BAS controller on a flat network has direct Layer 2 adjacency to every other device, including IT workstations and servers. Network segmentation through VLANs is the foundational step in addressing both the performance and security problems inherent to flat BAS deployments.
VLAN Design for Building Automation Systems
The goal of VLAN segmentation in a BAS context is to create logical broadcast domains that align with how building systems actually communicate. Unlike IT networks where VLANs often follow organizational boundaries (departments, floors), BAS VLANs should follow system function and trust level.
Subnet and VLAN Sizing
A /24 subnet (254 usable addresses) is the standard starting point for most BAS VLANs. It provides enough addresses for a full floor or building wing of controllers while keeping the broadcast domain small. For very large campuses, a /23 (510 addresses) can accommodate a bigger segment, but going beyond that reintroduces the broadcast problems you are trying to eliminate.
Use static IP addressing for all BAS devices. DHCP introduces unpredictability—address changes break firewall rules, BBMD tables, COV subscriptions, and alarm routing configurations. Reserve a DHCP range only for technician laptops on a dedicated service VLAN.
Recommended VLAN Structure
The following structure separates systems by function and trust level. Each VLAN gets its own /24 subnet, keeping broadcast domains tight and ACL rules straightforward:
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 110 | BAS-HVAC | 10.10.10.0/24 | HVAC controllers, VAV boxes, AHU controllers |
| 120 | BAS-LIGHTING | 10.10.20.0/24 | Lighting controllers, occupancy sensors, DALI gateways |
| 130 | BAS-METER | 10.10.30.0/24 | Power meters, water meters, Modbus TCP gateways |
| 140 | BAS-FIRE | 10.10.40.0/24 | Fire alarm panels, smoke control integration (often read-only) |
| 150 | BAS-ACCESS | 10.10.50.0/24 | Access control panels, card readers, elevator integration |
| 160 | BAS-SERVER | 10.10.60.0/24 | BAS head-end servers, supervisory workstations, BBMD hub |
| 199 | BAS-SERVICE | 10.10.99.0/24 | Technician laptops, commissioning tools (DHCP allowed) |
Use VLAN IDs in the extended range (1006–4094) if your OT infrastructure needs to avoid collisions with existing IT VLAN assignments. Many IT departments reserve VLAN IDs 1–999 for corporate use, so starting BAS VLANs at 1100 or higher prevents conflicts during network convergence projects. Check platform support first: on Cisco Catalyst switches, extended-range VLANs are not propagated by VTP versions 1 and 2 and require VTP transparent mode or VTP version 3, so confirm how your switches handle them before standardising on the range.
Protocol and Port Mappings for BAS Traffic
Understanding which ports and protocols each BAS subsystem uses is essential for writing accurate ACLs and firewall rules. The following table covers the most common building automation protocols encountered in a segmented network:
| Protocol | Transport | Port(s) | Traffic Type | VLAN Considerations |
|---|---|---|---|---|
| BACnet/IP | UDP | 47808 (0xBAC0) | Discovery (broadcast), reads/writes (unicast) | Requires BBMD for cross-VLAN broadcast forwarding |
| BACnet/SC | TCP (TLS 1.3, WebSocket) | 443 (set in the hub URI; configurable) | All BACnet traffic over an encrypted WebSocket | Hub-and-spoke model; no BBMD needed; every node needs an X.509 certificate |
| Modbus TCP | TCP | 502 | Register reads/writes (unicast only) | No broadcast; simple ACL between meter VLAN and server VLAN |
| LonWorks/IP (EN-14908) | UDP | 1628, 1629 | LonTalk over IP encapsulation | Channel-based; configure IP multicast or unicast per channel |
| KNXnet/IP | UDP | 3671 | Tunneling and routing for KNX devices | Uses multicast (224.0.23.12); enable IGMP snooping on the VLAN |
| MQTT | TCP | 1883 / 8883 (TLS) | Publish-subscribe telemetry | Unicast to broker; permit traffic to broker IP only |
| HTTPS (BAS Web UI) | TCP | 443 | Supervisory dashboard, configuration interfaces | Restrict source to server VLAN and service VLAN |
| NTP | UDP | 123 | Time synchronization for all BAS devices | Allow from all BAS VLANs to designated NTP server |
Inter-VLAN Routing Considerations
Once BAS traffic is segmented into VLANs, a Layer 3 device—typically a managed switch with routing capability or a dedicated firewall—handles inter-VLAN routing. This is where you enforce access control.
Routing Architecture
The recommended approach is to route all inter-VLAN BAS traffic through a firewall or Layer 3 switch with ACL support. Avoid using "router-on-a-stick" configurations with a single uplink for large BAS deployments; the single link becomes a bottleneck and a single point of failure. Instead, use a dedicated Layer 3 switch stack or a firewall with multiple VLAN interfaces.
ACL Rules by Principle of Least Privilege
Each BAS VLAN should only be able to reach the specific VLANs and ports it needs. For example:
- BAS-HVAC (VLAN 110) needs UDP 47808 to and from BAS-SERVER (VLAN 160), plus UDP 123 to the NTP server, and nothing else. BACnet/IP is not client-server: the head-end initiates Who-Is, reads and writes, while controllers initiate I-Am, COV notifications and alarms, and the two VLANs' BBMDs exchange Forwarded-NPDUs. Because all of this is UDP, write an explicit permit for each direction rather than trusting connection tracking to infer the reverse path.
- BAS-METER (VLAN 130): the head-end is the Modbus TCP client and the meters and gateways listen on TCP 502, so the permitted flow is BAS-SERVER to BAS-METER on TCP 502 (plus the TCP return traffic). Meters need no access to the HVAC or lighting VLANs.
- BAS-FIRE (VLAN 140) should be read-only from BAS-SERVER. A port-level ACL cannot enforce that on its own: ReadProperty and WriteProperty both travel on UDP 47808, so "read-only" has to be enforced on the fire panel gateway itself (exposing points as non-writable) or by a BACnet-aware firewall that filters on the service choice; the ACL only limits which hosts can reach the gateway at all. Fire alarm systems often have code requirements mandating network isolation, so confirm with the authority having jurisdiction before integrating them.
- BAS-SERVICE (VLAN 199) needs temporary, controlled access to other BAS VLANs during commissioning. Use time-based ACLs or require technicians to request access through a change management process, and remove the rules when the work is done.
Block all traffic between peer BAS VLANs by default. HVAC controllers have no reason to talk directly to lighting controllers or access control panels. All communication should flow through the BAS server VLAN, where the head-end system aggregates and coordinates data. Finish every inter-VLAN ACL with an explicit, logged deny so that unexpected traffic shows up in the logs instead of disappearing silently.
BACnet Broadcast Handling Across VLANs
BACnet/IP relies on UDP broadcast for device discovery (WHO-IS/I-AM services). When you segment BACnet devices into separate VLANs, broadcasts are contained within each VLAN by design—which is exactly what you want for traffic management, but it breaks cross-subnet device discovery. This is where BACnet Broadcast Management Devices (BBMDs) become essential.
How BBMDs Work
A BBMD listens for BACnet broadcast traffic on its local subnet, wraps each broadcast in a Forwarded-NPDU that carries the original sender's IP address and port, and sends it as unicast UDP to every BBMD in its table. The receiving BBMD re-broadcasts the message on its local subnet; devices there learn the original sender's address from the Forwarded-NPDU and can answer it directly by unicast, which is why the inter-VLAN ACL must permit that unicast path as well as the BBMD-to-BBMD traffic. This "two-hop" process preserves BACnet discovery across VLAN boundaries without requiring a flat network.
BBMD Placement Rules
- One BBMD per BACnet/IP subnet. Never configure two BBMDs on the same VLAN—this causes duplicate broadcast forwarding and can create packet storms.
- Configure the Broadcast Distribution Table (BDT) on each BBMD. Annex J of the BACnet standard expects every BBMD's BDT to list every BBMD in the internetwork, itself included, so that all tables are identical; vendor tools generally assume this full mesh, and a table that is missing an entry on one side is the usual cause of one-way discovery.
- Only link VLANs that need to communicate. If your HVAC controllers never need to discover lighting controllers, do not include the lighting VLAN's BBMD in the HVAC VLAN's BDT. This works because a BBMD that receives a Forwarded-NPDU rebroadcasts it locally and relays it to its own foreign devices but does not pass it on to its other BDT peers, so a hub-and-spoke set of tables confines each controller VLAN's broadcasts to itself and the server VLAN. It is a deliberate departure from the identical-BDT rule, so record it in the VLAN plan, and enforce the same intent in the inter-VLAN ACLs by permitting UDP 47808 only between the BBMD pairs the tables name: a BDT is configuration on a device, and on a plain BACnet/IP network it can be rewritten over the network with the unauthenticated BVLC Write-Broadcast-Distribution-Table message, whereas the ACL holds regardless of what any device's table says.
- Place the primary BBMD on the server VLAN. The BAS head-end server (or a dedicated BBMD appliance on VLAN 160 in the example above) acts as the central hub for broadcast distribution. Controller VLANs each have their own BBMD that peers with the server VLAN's BBMD.
Foreign Device Registration
When a technician connects a laptop to the BAS-SERVICE VLAN and needs to discover BACnet devices on other VLANs, the laptop must register as a Foreign Device with a BBMD: either the BBMD of the VLAN it needs to reach or, in the hub-and-spoke design above, the hub on the server VLAN, which relays every controller VLAN's broadcasts to its foreign devices. This is configured in the BACnet tool (such as YABE or a vendor's commissioning application) by pointing it at the BBMD's IP address; the tool sends a Register-Foreign-Device request with a time-to-live and re-registers before that TTL expires for as long as it runs. The firewall ACL for the service VLAN must permit UDP 47808 from the service subnet to the BBMD address, and the reverse path for the Forwarded-NPDUs the BBMD sends back. Registration is unauthenticated: any host that can reach the BBMD on UDP 47808 can register and will then receive every broadcast the BBMD distributes, so the ACL, not the BBMD, decides who may join.
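The BBMD relay and foreign device registration described above, as an added example that is not code from the original article: it builds the BVLC messages that appear on the wire (Original-Broadcast-NPDU, Forwarded-NPDU, Register-Foreign-Device) and simulates how the sample plan's hub-and-spoke BDTs relay an HVAC Who-Is to the server VLAN and to a registered technician laptop, but not to the lighting VLAN. The BBMD addresses are the guide's sample plan; the controller, head-end and laptop addresses (10.10.10.50, 10.10.60.10, 10.10.99.120), the hosts per subnet and the 300-second TTL are constructed for the example. The unicast flows it records are exactly the cross-VLAN packets the ACLs in the previous section have to permit.

```python
"""Added example (not from the original article): BACnet/IP BVLC messages and
BBMD relay behaviour for the sample plan's hub-and-spoke BDT. BBMD addresses
are the guide's; the other hosts and the TTL are constructed for the example."""
import struct
from dataclasses import dataclass, field

BVLC_TYPE = 0x81
FORWARDED_NPDU, REGISTER_FD, ORIGINAL_BROADCAST = 0x04, 0x05, 0x0B
BACNET_PORT = 47808                            # 0xBAC0
WHO_IS_NPDU = bytes([0x01, 0x00, 0x10, 0x08])  # NPDU v1 + Unconfirmed-Request Who-Is

def bvlc(function: int, payload: bytes) -> bytes:
    """BVLC header: type 0x81, function, 16-bit length that includes the header."""
    return struct.pack("!BBH", BVLC_TYPE, function, 4 + len(payload)) + payload

def forwarded_npdu(orig_ip: str, npdu: bytes) -> bytes:
    """Forwarded-NPDU prepends the originator's 6-byte B/IP address (IPv4 + port)
    so devices on the far subnet can answer the real sender by unicast."""
    addr = bytes(int(o) for o in orig_ip.split(".")) + struct.pack("!H", BACNET_PORT)
    return bvlc(FORWARDED_NPDU, addr + npdu)

def register_foreign_device(ttl_seconds: int) -> bytes:
    return bvlc(REGISTER_FD, struct.pack("!H", ttl_seconds))

def parse_forwarded(msg: bytes) -> tuple:
    """Return (original source IP, NPDU); reject anything malformed."""
    btype, func, length = struct.unpack("!BBH", msg[:4])
    if (btype, func) != (BVLC_TYPE, FORWARDED_NPDU) or length != len(msg) or length < 10:
        raise ValueError("not a well-formed Forwarded-NPDU")
    return ".".join(str(b) for b in msg[4:8]), msg[10:]

@dataclass
class Subnet:
    prefix: str            # dotted prefix such as "10.10.10."
    hosts: list            # devices that hear a local broadcast
    bbmd: str = None       # this subnet's BBMD address, if it has one

@dataclass
class BBMD:
    ip: str
    bdt: set                                 # peer BBMD addresses
    fdt: dict = field(default_factory=dict)  # foreign device -> TTL seconds

    def receive_forwarded(self, net, msg: bytes) -> set:
        """Rebroadcast locally and relay to own foreign devices. A BBMD does NOT
        relay a Forwarded-NPDU on to its other BDT peers, which is why a
        hub-and-spoke BDT keeps an HVAC Who-Is off the lighting VLAN."""
        parse_forwarded(msg)
        reached = set(net.subnet_of(self.ip).hosts)
        for fd in self.fdt:
            net.unicast_flows.append((self.ip, fd))
            reached.add(fd)
        return reached

@dataclass
class Internetwork:
    subnets: list
    bbmds: dict
    unicast_flows: list = field(default_factory=list)  # (src, dst) pairs on UDP 47808

    def subnet_of(self, ip: str) -> Subnet:
        return next(s for s in self.subnets if ip.startswith(s.prefix))

    def register(self, fd_ip: str, bbmd_ip: str, msg: bytes) -> int:
        """Register-Foreign-Device carries no credentials: whoever can reach the
        BBMD on UDP 47808 can join, so the ACL in front of it is the control."""
        if struct.unpack("!BBH", msg[:4]) != (BVLC_TYPE, REGISTER_FD, 6):
            raise ValueError("not a Register-Foreign-Device")
        ttl = struct.unpack("!H", msg[4:6])[0]
        self.bbmds[bbmd_ip].fdt[fd_ip] = ttl
        self.unicast_flows.append((fd_ip, bbmd_ip))
        return ttl

    def broadcast(self, src: str, npdu: bytes) -> set:
        """Deliver an Original-Broadcast-NPDU from src; return who receives it."""
        local = self.subnet_of(src)
        reached = set(local.hosts)
        if local.bbmd is None:
            return reached                       # no BBMD: stays on this VLAN
        bbmd = self.bbmds[local.bbmd]
        fwd = forwarded_npdu(src, npdu)
        for peer in bbmd.bdt | set(bbmd.fdt):    # one unicast per BDT peer and FD
            self.unicast_flows.append((bbmd.ip, peer))
            reached.add(peer)
            if peer in self.bbmds:
                reached |= self.bbmds[peer].receive_forwarded(self, fwd)
        return reached

def sample_network() -> Internetwork:
    """Spoke BBMDs list only the hub on BAS-SERVER; the hub lists every spoke."""
    subnets = [Subnet("10.10.10.", ["10.10.10.1", "10.10.10.50"], "10.10.10.1"),
               Subnet("10.10.20.", ["10.10.20.1", "10.10.20.40"], "10.10.20.1"),
               Subnet("10.10.60.", ["10.10.60.5", "10.10.60.10"], "10.10.60.5"),
               Subnet("10.10.99.", ["10.10.99.120"])]       # service VLAN, no BBMD
    bbmds = {"10.10.10.1": BBMD("10.10.10.1", {"10.10.60.5"}),
             "10.10.20.1": BBMD("10.10.20.1", {"10.10.60.5"}),
             "10.10.60.5": BBMD("10.10.60.5", {"10.10.10.1", "10.10.20.1"})}
    return Internetwork(subnets, bbmds)
```

Build the network with `sample_network()`, register the laptop with `net.register("10.10.99.120", "10.10.60.5", register_foreign_device(300))`, and `net.broadcast("10.10.10.50", WHO_IS_NPDU)` then returns the two HVAC hosts, the two server VLAN hosts and the laptop, with nothing on the lighting VLAN; `net.unicast_flows` lists the three unicast pairs (laptop to hub, HVAC BBMD to hub, hub to laptop) that the ACLs must carry. The simulation deliberately has no authentication step anywhere, because BVLC has none; a Distribute-Broadcast-To-Network from the laptop is not modelled.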
BACnet/SC as an Alternative
BACnet Secure Connect (BACnet/SC) eliminates the need for BBMDs entirely. It uses a hub-and-spoke topology over TLS 1.3-encrypted WebSocket connections (commonly TCP 443; the port is part of the hub URI and configurable), where a central hub distributes messages to all connected nodes. Every node authenticates with an X.509 certificate, so certificate issuance, renewal and revocation become part of operating the BAS. For new deployments or major retrofits, BACnet/SC simplifies the VLAN design because you no longer need to manage BDTs or worry about broadcast forwarding. The trade-off is that all devices must support BACnet/SC (introduced as Addendum bj to ASHRAE Standard 135-2016 and included in ASHRAE 135-2020), which limits compatibility with legacy controllers.
Sample VLAN Plan: Mid-Size Office Building
The following is a complete VLAN plan for a 10-story office building with approximately 300 BAS devices. It demonstrates how the principles above translate into a real deployment.
# ============================================
# VLAN Plan: 10-Story Office Building BAS
# Approx. 300 devices, single BAS head-end
# ============================================
# --- BAS VLANs ---
VLAN 110 BAS-HVAC 10.10.10.0/24 # 85 VAV controllers, 12 AHUs, 6 plant controllers
VLAN 120 BAS-LIGHTING 10.10.20.0/24 # 40 DALI gateways, 20 occupancy sensors
VLAN 130 BAS-METER 10.10.30.0/24 # 30 power meters (Modbus TCP), 8 water meters
VLAN 140 BAS-FIRE 10.10.40.0/24 # 4 fire alarm panels (read-only BACnet integration)
VLAN 150 BAS-ACCESS 10.10.50.0/24 # 15 access control panels, 2 elevator controllers
VLAN 160 BAS-SERVER 10.10.60.0/24 # 2 BAS head-end servers, 1 BBMD appliance
VLAN 199 BAS-SERVICE 10.10.99.0/24 # Technician laptops (DHCP: .100-.200)
# --- BBMD Configuration ---
# Default gateway (L3 switch SVI) in every VLAN: .254, so .1 stays free for the BBMD
# VLAN 110 BBMD: 10.10.10.1 (AHU controller with BBMD capability)
# VLAN 120 BBMD: 10.10.20.1 (Lighting gateway with BBMD capability)
# VLAN 140 BBMD: 10.10.40.1 (Fire panel BACnet gateway)
# VLAN 160 BBMD: 10.10.60.5 (Dedicated BBMD appliance - hub)
#
# BDT on the hub 10.10.60.5: 10.10.10.1, 10.10.20.1, 10.10.40.1, 10.10.60.5
# BDT on each spoke BBMD: itself and 10.10.60.5 only (hub-and-spoke, documented
#   departure from identical BDTs; HVAC broadcasts never reach the lighting or fire VLANs)
# VLAN 130 (meters) uses Modbus TCP - no BBMD needed
# VLAN 150 (access) uses proprietary protocol - no BBMD needed
# --- Inter-VLAN ACL Summary (each entry is a flow the left-hand side initiates) ---
# VLAN 110 <-> VLAN 160: PERMIT UDP 47808 both directions (BACnet); VLAN 110 -> NTP server: PERMIT UDP 123
# VLAN 120 <-> VLAN 160: PERMIT UDP 47808 both directions (BACnet); VLAN 120 -> NTP server: PERMIT UDP 123
# VLAN 160 -> VLAN 130: PERMIT TCP 502 (head-end is the Modbus client, meters listen); VLAN 130 -> NTP server: PERMIT UDP 123
# VLAN 140 <-> VLAN 160: PERMIT UDP 47808 both directions (BACnet; read-only is enforced on the fire gateway, not by this ACL); VLAN 140 -> NTP server: PERMIT UDP 123
# VLAN 150 -> VLAN 160: PERMIT TCP 443 (HTTPS management); VLAN 150 -> NTP server: PERMIT UDP 123
# VLAN 199 -> ALL BAS: PERMIT UDP 47808, TCP 502, TCP 443 (enabled for the commissioning window only, then removed)
# ALL BAS -> VLAN 160: PERMIT ICMP echo (for diagnostics)
# RETURN TRAFFIC: a stateful firewall admits replies on its own; a stateless switch ACL
#   needs 'established' rules for TCP and a mirrored rule for every UDP flow
# DEFAULT: DENY all other inter-VLAN traffic, logged
Common Mistakes
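The ACL summary above as a flow policy, as an added example that is not code from the original article: it encodes each flow by who initiates it (BACnet in both directions, Modbus TCP from the head-end only), renders a Cisco IOS-style extended ACL for each VLAN's SVI including the return rules a stateless switch needs, and answers "is this flow permitted?" for any source, destination, protocol and port. The VLAN ids and subnets are the guide's sample plan; the NTP server address 10.10.60.20, the ACL names and the remark text are assumptions made for the example.

```python
"""Added example (not from the original article): the sample plan's ACL summary
as a flow policy, rendered as IOS-style extended ACLs and queryable per flow.
VLAN ids and subnets are the guide's; the NTP address and ACL names are assumed."""
import ipaddress

NTP_SERVER = "10.10.60.20"          # assumed: NTP served from BAS-SERVER
VLAN = {110: "10.10.10.0/24", 120: "10.10.20.0/24", 130: "10.10.30.0/24",
        140: "10.10.40.0/24", 150: "10.10.50.0/24", 160: "10.10.60.0/24",
        199: "10.10.99.0/24"}

# Each entry is a flow the SOURCE initiates: (src, dst, proto, dst_port, note).
# src/dst are VLAN ids or single host addresses. BACnet appears in both
# directions because the head-end polls controllers and controllers push
# I-Am/COV/alarms back; Modbus TCP appears once, head-end -> meters.
POLICY = [
    (110, 160, "udp", 47808, "HVAC -> head-end/BBMD hub (I-Am, COV, alarms)"),
    (160, 110, "udp", 47808, "head-end -> HVAC (Who-Is, reads, writes)"),
    (120, 160, "udp", 47808, "lighting -> head-end"),
    (160, 120, "udp", 47808, "head-end -> lighting"),
    (140, 160, "udp", 47808, "fire gateway -> head-end"),
    (160, 140, "udp", 47808, "head-end -> fire gateway (read-only enforced on the gateway)"),
    (160, 130, "tcp", 502, "head-end is the Modbus client; meters listen on 502"),
    (150, 160, "tcp", 443, "access panels -> head-end HTTPS"),
]
for v in (110, 120, 130, 140, 150, 199):
    POLICY.append((v, NTP_SERVER, "udp", 123, "NTP"))
    POLICY.append((v, 160, "icmp", None, "ICMP echo for diagnostics"))
for v, proto, port in [(110, "udp", 47808), (120, "udp", 47808), (140, "udp", 47808),
                       (130, "tcp", 502), (150, "tcp", 443), (160, "udp", 47808),
                       (160, "tcp", 443)]:
    POLICY.append((199, v, proto, port, "technician access (commissioning window only)"))

def _endpoint(e):
    """(ip_network, IOS address text) for a VLAN id or a single host address."""
    if isinstance(e, int):
        net = ipaddress.ip_network(VLAN[e])
        return net, f"{net.network_address} {net.hostmask}"
    return ipaddress.ip_network(f"{e}/32"), f"host {e}"

def _vlan_of(e):
    """VLAN id that an endpoint (VLAN id or host address) belongs to."""
    if isinstance(e, int):
        return e
    addr = ipaddress.ip_address(e)
    return next(v for v, n in VLAN.items() if addr in ipaddress.ip_network(n))

def is_permitted(src_ip, dst_ip, proto, port=None):
    """Does the policy let src_ip INITIATE this flow to dst_ip?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, p, prt, _ in POLICY:
        if (p == proto and s in _endpoint(src)[0] and d in _endpoint(dst)[0]
                and (proto == "icmp" or prt == port)):
            return True
    return False

def render_acl(vlan):
    """IOS-style extended ACL applied inbound on the SVI of `vlan`: the flows
    this VLAN initiates, then the replies it must send for flows other VLANs
    initiate (needed on a stateless switch ACL; a stateful firewall tracks
    these itself), then an explicit logged deny."""
    lines = [f"ip access-list extended BAS-{vlan}-IN"]
    for src, dst, proto, port, note in POLICY:
        if src == vlan:
            s_txt, d_txt = _endpoint(src)[1], _endpoint(dst)[1]
            tail = "echo" if proto == "icmp" else f"eq {port}"
            lines += [f" remark {note}", f" permit {proto} {s_txt} {d_txt} {tail}"]
    explicit = {p[:4] for p in POLICY}
    for src, dst, proto, port, note in POLICY:
        if _vlan_of(dst) != vlan or (dst, src, proto, port) in explicit:
            continue                 # not this VLAN, or the reverse flow is already explicit
        s_txt, d_txt = _endpoint(src)[1], _endpoint(dst)[1]
        if proto == "tcp":
            rule = f" permit tcp {d_txt} eq {port} {s_txt} established"
        elif proto == "udp":
            rule = f" permit udp {d_txt} eq {port} {s_txt}"
        else:
            rule = f" permit icmp {d_txt} {s_txt} echo-reply"
        lines += [f" remark return: {note}", rule]
    lines.append(" deny ip any any log")
    return lines

if __name__ == "__main__":
    for v in VLAN:
        print("\n".join(render_acl(v)), "\n")
```

`render_acl(130)` shows the point of the policy model: the meter VLAN initiates nothing but NTP and ICMP, and its only BACnet-free return rules are `established` matches for the head-end's and the technician's Modbus sessions, while `is_permitted("10.10.30.7", "10.10.10.5", "udp", 47808)` is `False`. If the ACL lives on a stateful firewall, drop the second loop and load the policy as is; the initiating-side entries are the whole rule set.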
- Putting all BAS devices on one VLAN. Consolidating everything into a single "BAS VLAN" is better than a completely flat network, but it still means every BACnet WHO-IS broadcast hits every controller, every meter, and every fire panel. A stuck device or broadcast storm affects the entire building automation system. Segment by subsystem to contain failures and reduce broadcast overhead.
- Using DHCP for BAS controllers. DHCP simplifies deployment, but it creates ongoing problems. When a controller's IP address changes after a lease renewal, BBMD tables become stale, COV subscriptions break, alarm routing fails, and firewall rules based on IP addresses stop working. Always use static IP assignments for permanent BAS devices and reserve DHCP only for the service VLAN.
- Forgetting to configure BBMDs after VLAN segmentation. This is the most common cause of "BACnet stopped working after the network upgrade." Before segmentation, BACnet broadcasts reached every device on the flat network. After segmentation, broadcasts are contained within each VLAN. Without BBMDs configured with correct BDTs, the BAS head-end can no longer discover or communicate with controllers on other VLANs.
- Allowing unrestricted inter-VLAN routing. Some IT teams enable full routing between all BAS VLANs to "make it work" after segmentation breaks communication. This defeats the purpose of segmentation entirely—a compromised meter on VLAN 130 can now reach HVAC controllers on VLAN 110. Always use explicit ACLs that restrict traffic to the specific ports and destination addresses each subsystem needs.
- Not documenting the VLAN plan. BAS networks outlive the IT staff who deploy them. Without a documented VLAN map that includes VLAN IDs, subnet ranges, BBMD addresses, BDT entries, and ACL justifications, the next technician will have no way to troubleshoot cross-VLAN communication issues or safely make changes. Store the VLAN plan alongside the BAS point schedule and network diagrams.
Platform Compatibility
VLAN segmentation is infrastructure-level and works with any BAS platform that uses standard IP networking. The design principles in this guide apply regardless of the BAS vendor or controller platform:
| BAS Platform | Protocol(s) | VLAN Notes |
|---|---|---|
| Johnson Controls Metasys | BACnet/IP, BACnet/SC | Supports BBMD on NAE/SNE controllers. Metasys 12.0+ supports BACnet/SC. |
| Siemens Desigo CC | BACnet/IP, BACnet/SC | PXC controllers support BBMD. Desigo CC 6.0+ supports BACnet/SC hub. |
| Tridium Niagara (JACE / Niagara Supervisor) | BACnet/IP, Modbus TCP, LonWorks/IP | JACE 8000 supports BBMD and Foreign Device registration. Niagara 4.13+ adds BACnet/SC. |
| Honeywell EBI / Niagara-based | BACnet/IP, LonWorks/IP | Spyder controllers support BACnet/IP. BBMD via Honeywell IP router or third-party. |
| Schneider Electric EcoStruxure | BACnet/IP, Modbus TCP | SmartX controllers support BBMD. Separate Modbus TCP VLAN for PowerLogic meters. |
| Distech Controls EC-BOS / ECLYPSE | BACnet/IP, BACnet/SC | ECLYPSE controllers support BBMD and BACnet/SC. EC-BOS acts as BACnet router. |
For the network switching hardware, any managed switch that supports IEEE 802.1Q VLAN tagging and Layer 3 routing or ACLs will work. Cisco Catalyst, HPE Aruba, and Juniper EX series are commonly deployed in BAS network environments. Ensure the switch supports IGMP snooping if you run KNXnet/IP or LonWorks/IP, as these protocols use multicast.
Source Attribution
This guide draws on technical documentation and community discussion from the following sources:
- Optigo Networks — Managing VLANs and BBMDs in BACnet Networks
- Cisco — Industrial Automation Security Design Guide: Segment the Network into Smaller Trust Zones
- Contemporary Controls — BASrouters: BACnet Routing Examples
- Johnson Controls — Metasys IP Networks for BACnet/IP Controllers Technical Bulletin
- Cisco Community — Getting BACnet to Communicate Between Two VLANs
- Global Business Engineering — Developing Logical IP and VLAN Infrastructure for OT Networks
- Stromquist & Company — Ethernet-Based BAS Network Guidelines
- BACnet Experts (David Fisher) — BACnet/IP and BBMDs Tutorial
- Cisco Blogs — Is BACnet a Secure Protocol?
- ASHRAE — BACnet Secure Connect: A Secure Infrastructure for Building Automation (Whitepaper)
SiteConduit Technical Team
Idea Networks Inc.
SiteConduit builds managed remote access for building automation. Our knowledge base is maintained by BAS professionals with hands-on experience deploying and troubleshooting BACnet, Niagara, Modbus, and Facility Explorer systems.