Network architecture - Metasys - LIT-12012458 - Field Device - 13.0

Metasys IP Networks for BACnet/IP Controllers Technical Bulletin

Brand: Metasys
Document type: Technical Bulletin
Document number: LIT-12012458
Version: 13.0
Revision date: 2023-10-23
Product status: Active
Language: English

The topologies described in Network topologies describe only the physical connection between devices. A Metasys BACnet/IP network needs additional capabilities. For example, the network is unlikely to work well if it is set up as a single local area network. In the same way that it was useful for an MS/TP network to be divided into separate MS/TP trunks, it is useful for a Metasys BACnet/IP network to be divided into separate subnets. If divided, then there is also a need for routing between subnets. Organizing a network into manageable pieces that relate to each other in limited but useful ways is a problem of network architecture.

When discussing switches, we often classify them by their function. Access switches provide physical access to the network. For example, they are used primarily to connect IP controllers. Aggregation switches are used primarily to connect access switches to other switches (aggregating traffic from the access switches) and to act as the primary router for the network.

If there were no constraints on networking, we would offer a single architecture and describe it in detail. However, there are often constraints, so for Metasys we define several architectures that differ based on the relationship between the IT and BAS networks. The first option discussed below is a network that is separate from the general IT network. The other four options connect the BAS network to the general IT network with increasing levels of integration.

Isolated Metasys BACnet/IP Network: An isolated OT network may exist in parallel with an IT network if the IT department requires that the Metasys BACnet/IP network operate as a separate network. An isolated Metasys BACnet/IP OT network would also be applicable if there is no common IT network in the building in which the Metasys system is to be deployed (for example, all building tenants provide their own separate IT networks). For the case of new construction, an isolated OT network can be initially deployed and then can be easily transitioned to a connected network once the IT network is available.

Connected Metasys BACnet/IP Network: A connected network is a variation/evolution of an isolated OT network where a previously isolated OT network is connected to the IT network by way of a single routed port (a single Ethernet connection) once the IT network is available.

Segmented Metasys BACnet/IP Network: In a segmented network, most Metasys BACnet/IP devices are physically connected to OT network switches dedicated to the Metasys BAS system. A limited number of controllers, as well as the NxEs and SNEs, can connect to the IT network and route through the IT network to the Metasys network. Most IP addresses assigned to the BACnet/IP Metasys devices are from the BAS OT network's private address space rather than from the IT network's address space.

Converged Metasys BACnet/IP Network: In a converged network, all Metasys BACnet/IP devices are physically connected to OT network switches dedicated to the Metasys BAS system, and the Metasys BAS OT network switches are physically connected to IT network infrastructure. All Metasys BACnet/IP devices are assigned IP addresses from the IT network's address space.

Integrated Metasys BACnet/IP Network: In an integrated network, all Metasys BACnet/IP devices are physically connected to IT network infrastructure and are assigned IP addresses from the IT network's address space.

The differences between these five options lie in how the physical and logical connectivity of the Metasys devices are divided between the IT and BAS networks. The following table highlights these differences.

Table 1. How Metasys devices are connected

| Network architecture    | Physical connectivity  | Logical connectivity (VLAN, IP address)                           |
|-------------------------|------------------------|-------------------------------------------------------------------|
| Isolated                | BAS Switch             | BAS OT Network                                                    |
| Segmented and Connected | BAS Switch             | Network engines: IT Network; IP-based controllers: BAS OT Network |
| Converged               | BAS Switch             | IT Network                                                        |
| Integrated              | IT Access Layer Switch | IT Network                                                        |
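The address-space rules in Table 1 can be turned into an inventory audit that flags devices addressed from the wrong side of the IT/BAS OT boundary for the chosen architecture. This is an added example, not code from the bulletin or from Johnson Controls; the IT and BAS OT prefixes, the device classes and the inventory are constructed values. Under the segmented architecture the bulletin allows a limited number of controllers on the IT side, so flagged controllers there are exceptions to confirm rather than errors.

```python
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed address spaces (assumed for this example, not from the bulletin):
# the IT network's address space and the BAS OT network's private address space.
IT_SPACE = ip_network("10.20.0.0/16")
BAS_OT_SPACE = ip_network("192.168.100.0/22")

# Table 1 restated as policy: the address space each device class draws its
# IP address from under each architecture.
POLICY = {
    "isolated":   {"engine": BAS_OT_SPACE, "controller": BAS_OT_SPACE},
    "connected":  {"engine": IT_SPACE,     "controller": BAS_OT_SPACE},
    "segmented":  {"engine": IT_SPACE,     "controller": BAS_OT_SPACE},
    "converged":  {"engine": IT_SPACE,     "controller": IT_SPACE},
    "integrated": {"engine": IT_SPACE,     "controller": IT_SPACE},
}

# Constructed sample inventory: (device name, device class, IPv4 address).
INVENTORY: List[Tuple[str, str, str]] = [
    ("SNE-01",  "engine",     "10.20.5.10"),
    ("VAV-101", "controller", "192.168.100.21"),
    ("VAV-102", "controller", "192.168.101.7"),
    ("AHU-1",   "controller", "10.20.5.44"),  # addressed from the IT space
]


def spaces_are_sane() -> bool:
    """The BAS OT space must be private (as the bulletin describes it) and
    must not overlap the IT space, or the audit below is meaningless."""
    return BAS_OT_SPACE.is_private and not BAS_OT_SPACE.overlaps(IT_SPACE)


def audit(architecture: str, inventory=INVENTORY) -> List[str]:
    """Return one finding per device whose address lies outside the space
    Table 1 assigns to its class under the chosen architecture."""
    rules = POLICY[architecture]
    findings = []
    for name, dev_class, addr in inventory:
        expected = rules[dev_class]
        if ip_address(addr) not in expected:
            findings.append(f"{name} ({dev_class}) {addr} not in {expected}")
    return findings


if __name__ == "__main__":
    for arch in POLICY:
        print(arch, audit(arch) or "no findings")
```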

Replacing MS/TP controllers with BACnet/IP controllers raises the question of whether the devices must connect to the general IT network or to a dedicated BAS OT network. The answer depends on the circumstances. Consider how connecting many BACnet/IP BAS devices to the IT network can affect the IT network. A significantly higher number of physical ports are required from IT. If the physical ports are available, updates to the switching infrastructure may be required, including changes to Dynamic Host Configuration Protocol (DHCP) server configurations, configuration of additional subnetworks and Virtual Local Area Networks (VLANs), and assignment of large numbers of physical ports to the BAS VLANs. Security is also important. The new devices increase the potential attack surface of the IT network. It is important to configure security features such as access controls for the physical ports. BACnet/SC can help to mitigate security concerns by using IT standardized security practices.

These issues are discussed for the architectures presented below.