Figure 1 illustrates an Isolated Metasys BACnet/IP network. In this example, the network is to be converted to a Connected network at some time in the future. The network engines are placed in the same VLAN and subnet (VLAN 5 and subnet 192.168.5.0/24 would be the VLAN and subnet allocated by IT for the BAS network).
The subnetworks for the IP-based BAS devices are allocated from the BAS network's address space:
- VLAN 10: 172.16.10.0/24
- VLAN 11: 172.16.11.0/24
- VLAN 12: 172.16.12.0/24
The devices are assigned to VLANs (10 through 12) within the BAS network.
The network engines, Metasys server, and access switches are placed in VLAN 5 and subnetwork 192.168.5.0/24. This is the VLAN and subnet pre-allocated by IT for when the BAS network is eventually connected to the IT network. A firewall is connected to the BAS aggregation switch through an access port. The firewall routes traffic to the BAS subnet by way of an SVI (10.10.100.2) in a different VLAN (100) on the BAS aggregation switch. This VLAN and SVI address are also pre-allocated by IT for when the BAS network is eventually connected to the IT network. Figure 1 illustrates an Isolated Network using these VLAN and subnetwork values.
The BAS Access switches are interconnected with each other, providing link redundancy. Because the BAS switches are interconnected by way of trunks, Rapid Spanning Tree Protocol (RSTP) best practices must be followed when configuring the trunks between the BAS switches.
The following table details the recommended IP address assignments for the devices in each of the VLANs within the BAS network.
| VLAN | Subnetwork | SVI | IP controllers | Network engine |
|---|---|---|---|---|
| 10 | 172.16.10.0/24 | 172.16.10.1 | 172.16.10.10 - 172.16.10.220 | 192.168.5.4 |
| 11 | 172.16.11.0/24 | 172.16.11.1 | 172.16.11.10 - 172.16.11.220 | 192.168.5.5 |
| 12 | 172.16.12.0/24 | 172.16.12.1 | 172.16.12.10 - 172.16.12.220 | 192.168.5.6 |
The BAS aggregation switch acts as the primary router for the BAS network, routing traffic within the BAS network as well as routing traffic between the BAS network and the firewall. The firewall routes traffic between the BAS network and a VPN, allowing remote access to the BAS network. The following route statements are required to achieve this behavior:
| Device | Destination subnet | Route |
|---|---|---|
| Firewall | 0.0.0.0/0 | To the Internet |
| Firewall | 192.168.5.0/24 | 10.10.100.2 |
| BAS Aggregation Switch | 0.0.0.0/0 | 10.10.100.1 |
| BAS Aggregation Switch | 172.16.10.0/24 | 192.168.5.2 |
| BAS Aggregation Switch | 172.16.11.0/24 | 192.168.5.2 |
| BAS Aggregation Switch | 172.16.12.0/24 | 192.168.5.3 |
| BAS Access Switch 1 | 0.0.0.0/0 | 192.168.5.1 |
| BAS Access Switch 2 | 0.0.0.0/0 | 192.168.5.1 |
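The addressing table and the route table above can be checked mechanically before the switches are configured. The following Python script is an added example, not part of the Metasys documentation: it transcribes the page's VLAN plan and route statements, assumes an interface inventory (which device owns 10.10.100.1, 192.168.5.1/.2/.3 and the SVIs, inferred from the next-hop addresses) and a /24 mask on the VLAN 100 transit subnet, and then verifies that no two subnets overlap, that every next hop lies on a subnet directly connected to the device that uses it, and traces the hop-by-hop path a packet would take through the static routes.

```python
# Consistency checks for the BAS addressing and static-route tables above.
# Added example, not from the Metasys documentation. VLAN_PLAN and ROUTES are
# transcribed from the page; INTERFACES (which device owns each SVI / next hop)
# and the /24 mask on the 10.10.100.0 transit subnet (VLAN 100) are assumptions.
from ipaddress import ip_address, ip_interface, ip_network

# VLAN -> (subnet, SVI, (first, last) controller address, network engine)  [from the page]
VLAN_PLAN = {
    10: ("172.16.10.0/24", "172.16.10.1", ("172.16.10.10", "172.16.10.220"), "192.168.5.4"),
    11: ("172.16.11.0/24", "172.16.11.1", ("172.16.11.10", "172.16.11.220"), "192.168.5.5"),
    12: ("172.16.12.0/24", "172.16.12.1", ("172.16.12.10", "172.16.12.220"), "192.168.5.6"),
}
BAS_NET = ip_network("192.168.5.0/24")      # VLAN 5: engines, server, switch SVIs
TRANSIT_NET = ip_network("10.10.100.0/24")  # VLAN 100: firewall <-> aggregation (mask assumed)

# Assumed interface inventory, inferred from the SVI and next-hop addresses on the page.
INTERFACES = {
    "Firewall": ["10.10.100.1/24"],
    "BAS Aggregation Switch": ["10.10.100.2/24", "192.168.5.1/24"],
    "BAS Access Switch 1": ["192.168.5.2/24", "172.16.10.1/24", "172.16.11.1/24"],
    "BAS Access Switch 2": ["192.168.5.3/24", "172.16.12.1/24"],
}

# Static routes from the page: device -> [(destination, next hop)]; None = exit to the Internet
ROUTES = {
    "Firewall": [("0.0.0.0/0", None), ("192.168.5.0/24", "10.10.100.2")],
    "BAS Aggregation Switch": [("0.0.0.0/0", "10.10.100.1"), ("172.16.10.0/24", "192.168.5.2"),
                               ("172.16.11.0/24", "192.168.5.2"), ("172.16.12.0/24", "192.168.5.3")],
    "BAS Access Switch 1": [("0.0.0.0/0", "192.168.5.1")],
    "BAS Access Switch 2": [("0.0.0.0/0", "192.168.5.1")],
}

def check_vlan_plan():
    """Return a list of problems in the VLAN table (empty when the plan is consistent)."""
    problems = []
    nets = {5: BAS_NET, 100: TRANSIT_NET}
    for vlan, (subnet, svi, (first, last), engine) in VLAN_PLAN.items():
        net = nets[vlan] = ip_network(subnet)
        svi_a, lo, hi = ip_address(svi), ip_address(first), ip_address(last)
        if svi_a not in net:
            problems.append(f"VLAN {vlan}: SVI {svi} is outside {net}")
        if not (lo in net and hi in net and lo < hi):
            problems.append(f"VLAN {vlan}: controller range {first}-{last} does not fit {net}")
        if lo <= svi_a <= hi:
            problems.append(f"VLAN {vlan}: SVI {svi} collides with the controller range")
        if ip_address(engine) not in BAS_NET:
            problems.append(f"VLAN {vlan}: network engine {engine} is not in {BAS_NET}")
    items = sorted(nets.items())   # overlapping subnets make routing ambiguous
    for i, (v1, n1) in enumerate(items):
        for v2, n2 in items[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"VLAN {v1} ({n1}) overlaps VLAN {v2} ({n2})")
    return problems

def connected(device, addr):
    """True if addr lies on a subnet directly attached to device."""
    return any(addr in ip_interface(i).network for i in INTERFACES[device])

def owner_of(addr):
    """Device that holds addr on one of its interfaces, or None."""
    return next((d for d, ifs in INTERFACES.items()
                 if any(ip_interface(i).ip == addr for i in ifs)), None)

def check_routes():
    """Every explicit next hop must sit on a directly connected subnet of that device."""
    problems = []
    for device, routes in ROUTES.items():
        own = {ip_interface(i).ip for i in INTERFACES[device]}
        for dest, nh in routes:
            if nh is None:      # default exit toward the Internet: nothing to verify here
                continue
            if ip_address(nh) in own or not connected(device, ip_address(nh)):
                problems.append(f"{device}: next hop {nh} for {dest} is not reachable")
    return problems

def trace(device, dst, max_hops=8):
    """Follow the static routes from device toward dst, hop by hop (longest-prefix match)."""
    dst, path = ip_address(dst), [device]
    for _ in range(max_hops):
        if connected(device, dst):
            return path + ["delivered"]
        best = None
        for dest, nh in ROUTES[device]:
            net = ip_network(dest)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return path + ["no route"]
        if best[1] is None:
            return path + ["exits via default route"]
        device = owner_of(ip_address(best[1]))
        if device is None:
            return path + [f"unknown next hop {best[1]}"]
        path.append(device)
    return path + ["hop limit reached"]
```

With the tables as transcribed, `check_vlan_plan()` and `check_routes()` both return empty lists, and `trace("BAS Aggregation Switch", "172.16.12.50")` shows the packet handed to BAS Access Switch 2, which delivers it on its VLAN 12 SVI. Note that `trace("Firewall", "172.16.10.50")` ends at the firewall's default route, because the firewall table lists only a route for 192.168.5.0/24; whether VPN users must reach the 172.16.x controller subnets directly, and therefore whether the firewall also needs routes for them via 10.10.100.2, is something to confirm against the site's remote-access requirements.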
The ports connected to the IP-based Metasys devices need to be configured as access ports for the appropriate VLAN (10, 11, or 12). In addition, the following switch port configurations are required:
| Endpoint 1 | Endpoint 2 | Connection type | VLAN membership/allowed VLAN(s) |
|---|---|---|---|
| Aggregation Switch | Firewall | Access port | 100 |
| Aggregation Switch | Metasys server | Access port | 5 |
| Aggregation Switch | Access Switches | Trunk | 5 |
| Access Switch 1 | Access Switch 2 | Trunk | 5 |
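The port table can be audited against the addressing plan as well. This added Python example (not from the Metasys documentation) transcribes the page's port table and subnets, assumes the /24 mask on VLAN 100, and uses a constructed endpoint inventory (the addresses and the switch/VLAN each device plugs into are made up, including one deliberately misplugged controller) to show two checks: that an endpoint's address belongs to the VLAN of the access port it is patched into, and which VLANs are carried on no trunk and must therefore be routed by the switch hosting them.

```python
# Port/VLAN audit for the switch-port table above.
# Added example, not from the Metasys documentation. PORTS is transcribed from the
# page's port table and VLAN_SUBNETS from its addressing tables (the /24 on VLAN 100
# is assumed). ENDPOINTS is constructed to exercise the checks.
from ipaddress import ip_address, ip_network

VLAN_SUBNETS = {
    5: ip_network("192.168.5.0/24"),
    10: ip_network("172.16.10.0/24"),
    11: ip_network("172.16.11.0/24"),
    12: ip_network("172.16.12.0/24"),
    100: ip_network("10.10.100.0/24"),  # mask assumed
}

# (endpoint 1, endpoint 2, connection type, VLAN membership / allowed VLANs)  [from the page]
PORTS = [
    ("Aggregation Switch", "Firewall", "access", {100}),
    ("Aggregation Switch", "Metasys server", "access", {5}),
    ("Aggregation Switch", "Access Switches", "trunk", {5}),
    ("Access Switch 1", "Access Switch 2", "trunk", {5}),
]

# Constructed endpoint inventory: (device, IP address, switch, access VLAN of its port).
# Only the engine address 192.168.5.4 and controller 172.16.10.10 come from the page.
ENDPOINTS = [
    ("Network engine 1", "192.168.5.4", "Access Switch 1", 5),
    ("Metasys server", "192.168.5.20", "Aggregation Switch", 5),   # address constructed
    ("Controller A", "172.16.10.10", "Access Switch 1", 10),
    ("Controller B", "172.16.11.25", "Access Switch 1", 10),        # constructed misplug
]

def access_port_ok(ip, vlan):
    """An endpoint only reaches its SVI if its address is in the subnet of its port's VLAN."""
    return vlan in VLAN_SUBNETS and ip_address(ip) in VLAN_SUBNETS[vlan]

def trunked_vlans():
    """VLANs carried on at least one trunk in the port table."""
    return set().union(*(vlans for _, _, kind, vlans in PORTS if kind == "trunk"))

def routed_only_vlans():
    """VLANs that never cross a trunk: each must be routed by the switch that hosts it."""
    return set(VLAN_SUBNETS) - trunked_vlans()

def audit(endpoints=ENDPOINTS):
    """Return one message per endpoint whose port VLAN does not match its address."""
    problems = []
    for name, ip, switch, vlan in endpoints:
        if not access_port_ok(ip, vlan):
            subnet = VLAN_SUBNETS.get(vlan, "unknown VLAN")
            problems.append(f"{name} ({ip}) on {switch} VLAN {vlan} port: address not in {subnet}")
    return problems
```

For this plan `routed_only_vlans()` returns {10, 11, 12, 100}: since the trunks carry only VLAN 5, the controller VLANs stay local to the access switch that owns their SVI and are reached through the static routes to 192.168.5.2 and 192.168.5.3, which is consistent with the route table above. `audit()` reports only the constructed misplug, a controller addressed in 172.16.11.0/24 patched into a VLAN 10 port.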