Single IT VLAN-BAS access switches connected to the IT network with trunks - Metasys - LIT-12012458 - Field Device - Metasys BACnet/IP Controller - 13.0

Metasys IP Networks for BACnet/IP Controllers Technical Bulletin

Product
Document type
Technical Bulletin
Document number
LIT-12012458
Version
13.0
Revision date
2024-08-20
Product status
Active

When connecting the BAS access switches to the IT network by way of trunks, the network engine s are physically connected to the BAS access switches. The traffic from both network engine s and the BAS switches are allowed over the trunks connecting the BAS access switches to the IT access layer switches. The trunks must be configured on both the BAS switch and the IT access switch. Connecting the network engine s to the BAS access switches rather than the IT access layer switches reduces the number of switch ports which would have to be leased from IT. It also reduces the number of physical drops which would have to be run from an IT closet where the IT access layer switch resides to the mechanical room where the network engine resides. However, configuring a switch port as a trunk puts a larger burden on the IT department which they may not be willing to do.

Figure 1 illustrates an example Segmented Metasys BACnet/IP Network configured using a single IT VLAN with the BAS access switches connected to the IT network by way of trunks.

Figure 1. Single IT VLAN-BAS access switches connected with trunks

As can be seen in Figure 1, it is sufficient for IT to allocate a single VLAN and a very small subnet if the VLAN and subnet are to be dedicated to the BAS. In this example, the IT network allocates VLAN 5 and a subnet (192.168.5.0/29) that supports only six devices. In practice, at least a /28 subnetwork that supports up to 14 devices is preferable as it allows for future expansion without affecting the existing network plan. If the VLAN and subnet are to be shared with other devices, the subnet needs to be large enough to accommodate the non-BAS devices as well as the network engine s and BAS access switches.

The IP controllers reside in BAS VLANs and subnets from the BAS network's private address space. These VLAN numbers and the IP addresses allocated from the BAS network's private address space may already be in use by IT in the IT address space but it is not necessary to ensure uniqueness. Instead, the networks are separated by different routing domains (the BAS switches are layer 3 devices) so that devices with duplicate IP addresses are only visible in their respective network – the IT network or the BAS network. The table below details the recommended IP address assignments for the IP controllers in each VLAN/subnet within the BAS network:

Table 1. BAS private subnets for hosting IP controllers
VLAN Subnetwork SVI IP controllers
10 172.16.10.0/24 172.16.10.1 172.16.10.10-172.16.10.220
11 172.16.11.0/24 172.16.11.1 172.16.11.10-172.16.11.220
12 172.16.12.0/24 172.16.12.1 172.16.12.10-172.16.12.220

The switch ports to which the IP controllers and network engine are connected are configured as access ports. The switch ports for the network engine s are assigned to the IT VAN (5), and the switch ports for the IP controllers are assigned to their corresponding BAS VLAN (10, 11, or 12).

The following table details the IP address configurations for the devices in IT VLAN 5.

Table 2. IP address assignments for devices in IT VLAN 5 (Subnet 192.168.5.0/29)
Device/Interface IP address Default gateway
SVI in the IT network 192.168.5.1 Configured by IT
SVI on BAS Switch 1 192.168.5.2 192.168.5.1
network engine supervising VLAN 10 devices 192.168.5.4 192.168.5.2
network engine supervising VLAN 11 devices 192.168.5.5 192.168.5.2
SVI on BAS Switch 2 192.168.5.3 192.168.5.2
network engine supervising VLAN 12 devices 192.168.5.6 192.168.5.3

For the configuration described above, BAS Access Switch 1 acts as the router for the BAS network, routing traffic between the BAS network and the general IT network, as well as between the BAS private subnets in which the IP controllers reside. To achieve this behavior, the following route statements need to be included in the BAS access switch configurations:

Table 3. BAS access switch route statements
BAS access switch Destination subnet Route
1 0.0.0.0/0 192.168.5.1
172.16.12.0/24 192.168.5.3
2 0.0.0.0/0 192.168.5.2

On BAS Access Switch 2, all traffic which cannot be routed locally on BAS Access Switch 2 is routed to BAS Access Switch 1 (192.168.5.2). On BAS Access Switch 1, traffic to the BAS private 172.16.12.0/24 subnet is routed to BAS Access Switch 2 (192.168.5.3). All other traffic which cannot be routed locally on BAS Access Switch 1 is routed to 192.168.5.1 in the IT network. Routes are not required for the network engine s as the BAS access switches and network engine s all reside in the same VLAN (IT VLAN 5). Likewise the IP controllers connected to one BAS access switch can communicate with IP controllers connected to a different BAS access switch as all the routing is performed by the BAS access switches (no routing is required by the IT network switches since the BAS access switches are also in the same VLAN). This means that peer-to-peer references can be established between IP controllers in different BAS private subnets as long as a BBMD is configured in each of the BAS private subnets hosting the IP controllers.