BACnet is a commonly used protocol in building management systems; it allows cross-platform communication between devices and is both an American and a European standard.
In today’s converged networks, it’s important that we segregate control devices such as AMX or Crestron processors (which generally tend to be on the same network as their end devices, such as touch panels and keypads) from BMS networks (subnets), to prevent unauthorised access to and misuse of BACnet end devices.
Separating these devices via VLANs / subnets means that BACnet Who-Is broadcasts will need to be forwarded from their original broadcast domain to the remote one. When a Who-Is is initiated, a UDP packet on port 47808 is sent to the network’s broadcast address.
In this scenario we’re using Cisco 3850s with IP routing, and we’ll be using two VLANs – 10 and 20.
VLAN 10 will be our originating subnet, with our “client” device. This could be a processor sending a temperature change for a meeting room.
End Device communicating to BACnet: 192.168.10.10
VLAN 20 will be our building management network, which will contain our BMS equipment (holding only the setpoints that we defined).
BACnet device communicating to End Device: 192.168.20.20
A few things are assumed in this scenario:
- Layer 3 routing is enabled on the Cisco core switch (with the corresponding ACLs)
- BACnet devices have been configured with the appropriate network settings
- When testing (and in operation), this was used with Trend IQ Vision as the head-end BMS server and AMX processors.
Before we begin, it’s important to note that as we are routing between subnets, a default gateway is critical in ensuring that reply traffic reaches its originating source.
To start, we need UDP port 47808 to be forwarded (it is not one of the UDP ports an IP helper forwards by default). From global configuration mode:
Switch(config)# ip forward-protocol udp 47808
Now we need to add an IP helper to forward the broadcasts from VLAN 10 to VLAN 20. This is done on the VLAN 10 interface: from global configuration mode, select interface VLAN 10.
Switch(config)# int vlan 10
Switch(config-if)# ip helper-address 192.168.20.255
This enables the switch to forward the broadcast to the subnet of the BACnet devices. We now need to enable the broadcasts to be sent back, using an ACL to prevent unauthorised access.
Switch(config)# int vlan 20
Switch(config-if)# ip directed-broadcast 20
The 20 at the end of the command is our ACL number (it is good practice to use one ACL per network/subnet; we’re using 20 as it is the ID of the VLAN).
ACLs are configured at the global configuration level, and generally directed broadcasts only use standard numbered ACLs.
Switch(config)# access-list 20 permit 192.168.10.10
Note that we are permitting the client device (the source of the Who-Is) here, rather than the BACnet device. Additional extended ACLs should be in place to prevent further access (such as web access to the device).
Now, the all-important step: don’t forget to write the configuration to the startup config!
Switch# copy running-config startup-config
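As an added example that is not part of the original post, here is a Python check a BMS administrator could run over UDP 47808 traffic captured on the BMS VLAN to confirm that only the client permitted by ACL 20 is sending Who-Is broadcasts, and that the BMS server’s I-Am replies decode as expected. The packet bytes, the extra host 192.168.10.50 and the function names are constructed for this illustration.

```python
# Added example, not from the original post: decode BACnet/IP Who-Is and I-Am
# frames (UDP 47808) and flag Who-Is broadcasts from hosts ACL 20 would not permit.
import struct

BACNET_PORT = 47808
PERMITTED_SOURCES = {"192.168.10.10"}  # mirrors "access-list 20 permit 192.168.10.10"

def parse_bacnet_ip(payload: bytes) -> dict:
    """Decode the BVLC and NPDU headers far enough to name the APDU service."""
    if len(payload) < 6 or payload[0] != 0x81 or struct.unpack("!H", payload[2:4])[0] != len(payload):
        raise ValueError("not a well-formed BACnet/IP (BVLC) frame")
    if payload[1] not in (0x0A, 0x0B):  # Original-Unicast-NPDU / Original-Broadcast-NPDU
        raise ValueError(f"unsupported BVLC function 0x{payload[1]:02x}")
    npdu = payload[4:]
    control, pos = npdu[1], 2          # npdu[0] is the NPDU version (0x01)
    if control & 0x20:                 # DNET(2) + DLEN(1) + DADR(DLEN) present
        pos += 3 + npdu[pos + 2]
    if control & 0x08:                 # SNET(2) + SLEN(1) + SADR(SLEN) present
        pos += 3 + npdu[pos + 2]
    if control & 0x20:                 # hop count follows the address fields
        pos += 1
    apdu = npdu[pos:]
    info = {"broadcast": payload[1] == 0x0B, "service": "other"}
    if len(apdu) < 2 or apdu[0] >> 4 != 0x1:   # only unconfirmed requests matter here
        return info
    info["service"] = {0x00: "I-Am", 0x08: "Who-Is"}.get(apdu[1], "other")
    if info["service"] == "I-Am" and len(apdu) >= 7 and apdu[2] == 0xC4:
        oid = struct.unpack("!I", apdu[3:7])[0]    # app tag 12: object identifier
        info["device_instance"] = oid & 0x3FFFFF   # low 22 bits = instance number
    return info

def audit(records, permitted=PERMITTED_SOURCES):
    # Return source IPs that sent a Who-Is broadcast without being permitted.
    findings = []
    for src_ip, dst_port, payload in records:
        if dst_port != BACNET_PORT:
            continue
        info = parse_bacnet_ip(payload)
        if info["service"] == "Who-Is" and info["broadcast"] and src_ip not in permitted:
            findings.append(src_ip)
    return findings

# Constructed samples: a global-broadcast Who-Is and an I-Am for device instance 1.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
I_AM = bytes.fromhex("810b00180120ffff00ff1000c4020000012205c491032108")
SAMPLE_RECORDS = [
    ("192.168.10.10", 47808, WHO_IS),  # the permitted AMX processor
    ("192.168.10.50", 47808, WHO_IS),  # a constructed, unexpected host on VLAN 10
    ("192.168.20.20", 47808, I_AM),    # the BMS server answering
]
```

Feeding real captures into `audit` only needs each UDP datagram’s source address, destination port and payload; anything it returns is a host the ACL should have dropped, which is worth checking against the switch configuration.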