Network security - Metasys - LIT-12013055 - Gateway/Router - Cisco Switch - 12.0

Cisco IE 2000 and IE 4010 Ethernet Switches for Metasys Networks Installation Instructions and Troubleshooting Guide

The switch configurations generated by the IP Network Wizard configuration tool apply the network security features on a per-port basis. For example, a port that the wizard leaves unconfigured does nothing. Among the configured ports, the ring and chain ports have the most restrictive security settings, because, if we assume that the switch itself is in a locked closet or cabinet, the controller ports connected to it have less physical security than the switch. The service port has the least restrictive settings. Assuming that the network engine is also in a locked closet, the port to which it is connected also has more permissions than a chain or ring port.


Take a least-privilege approach to network security in the Metasys BACnet/IP network. That is, allow access only to the individuals, devices, and protocols that require access to the Metasys BACnet/IP network. Access to the network infrastructure by individuals is restricted through the use of passwords. Access to the switching and routing functions of the network infrastructure is restricted by limiting the number of configured switch ports, and by restricting devices and protocols through the use of ACLs.
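The following Cisco IOS configuration fragment is an added example that illustrates the per-port least-privilege model described above; it is not output of the IP Network Wizard and not part of this guide. The interface names, VLAN numbers and the 10.10.20.0/24 controller subnet are assumed placeholders. It shows a restrictive chain port (one device, BACnet/IP only), a less restrictive service port, and unused ports left administratively down.

```cisco
! Added example (not wizard output): per-port least privilege on an IE switch.
! Interface names, VLAN numbers and the 10.10.20.0/24 controller subnet are assumed.
!
! Protocol allow-list for field-controller (chain/ring) ports:
! only BACnet/IP (UDP 47808) sourced from the controller subnet; everything else is
! dropped and logged. Non-IP traffic such as ARP is not filtered by an IP port ACL.
ip access-list extended CONTROLLER-PORT-IN
 permit udp 10.10.20.0 0.0.0.255 any eq 47808
 deny   ip any any log
!
! Chain port: single controller MAC, BACnet/IP only, no spanning-tree BPDUs accepted.
interface GigabitEthernet1/1
 description Field controller (chain port) - assumed interface
 switchport mode access
 switchport access vlan 20
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip access-group CONTROLLER-PORT-IN in
!
! Service port: least restrictive, but still confined to its own access VLAN
! and protected against a rogue switch being plugged in.
interface GigabitEthernet1/7
 description Service port (technician laptop) - assumed interface
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Every port the design does not use stays administratively down.
interface range GigabitEthernet1/8 - 12
 description Unused - assumed interface range
 shutdown
```

The allow-list on the chain port is the ACL part of the least-privilege approach; the port-security limit and the shut-down unused ports are the "limit the number of configured switch ports" part. Verify the result with `show ip access-lists CONTROLLER-PORT-IN` (match counters should grow only on the permit line during normal operation) and `show interfaces status` (unused ports report `disabled`).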


BACnet Secure Connect (BACnet/SC) is a BACnet datalink defined in ASHRAE 135-2020 Annex AB that provides secure message transport by using a standard IP application protocol, Secure WebSocket, which is an extension of HTTPS and runs over Transport Layer Security (TLS). BACnet/SC thereby provides a secure mechanism to authenticate and authorize a device to use the network. From a cybersecurity standpoint, mixing BACnet/IP and BACnet/SC compromises the security of the network. It is best practice to use only BACnet/SC for the entire site to safeguard the site's security, if possible. If you must connect BACnet/IP devices to the network, it is best practice to minimize the number of BACnet/IP devices and isolate them to one engine.