IP networks with BACnet/IP nodes (and BBMD)

IP networks scenarios with BACnet/IP nodes (and BBMD)

Adding an FD node in a standard topology 

When speaking about BACnet/IP we are speaking about a protocol running over UDP that has its own layer-based architecture (Data-Link, network, application). The BACnet/IP Data-link layer is the IP's UDP layer and its lower layers.

A BACnet/IP network can be distributed in multiples IP networks (e.g.,, However, IP routing rules take precedence over the BACnet/IP datagrams. This is not different from any other protocol that runs over TPC or UDP.

The BACnet broadcast messages, used for many things, are IP broadcast messages. And thus, cannot travel between IP sub-networks. This is where the BACnet Broadcast Manager Device  (BBMD) enters the game as shown in image 1.1.

Image 1.1: A single BACnet/IP network over two IP networks

In the previous image, there are six BACnet/IP nodes divided into two different IP networks. All the six are under the same BACnet Network. The BBMD Z and Y must be present on each sub-network for all the BACnet nodes to communicate properly.

The BBMD could be seen as "switches" with tables (Broadcast Distribution Table or BDT) that only picks IP broadcasts messages with BACnet datagrams. In the previous example, the BBMD Z has a table with Y while BBMD Y does the same for Z.

Let's consider node A sends a Who-Is for everyone (Such as our BACnet client when doing a Discovery). There will be three IP datagrams as shown at Image 1.2:

  1. The original A's IP Broadcast message over the subnetwork.

  2. An IP unicast between  Z and Y.

  3. An IP broadcast over the subnetwork send by Y.

The first and third steps are Broadcast messages which will propagate only inside the Broadcast domain. The second step will only have success if Z’s unicasts can be routed to Y.  Normally, this falls under the IP routers jurisdiction.   

After the Who-Is message arrives at the nodes D to F, they will answer with their I-Am broadcast messages.  Therefore, the process repeats itself in reverse order for each one of those answers.

NOTE: This scenario covers the general cases.  Additionally,  no NAT will be involved in the rest of this section.

Image 1.2: A BACnet/IP broadcast message being shared between multiple IP networks

If eventually, we need to add a third BBMD node on the topology, for a third IP subnetwork,  we need to update its internal table with Z and Y.  AND,  Z and Y must be updated too.

But, what happens if we need only a single node in a third sub-network to communicate with the nodes A to F?  Adding a third BBMD will not only give access to said BACnet/IP node to the BACnet network, but also any other BACnet [rogue] node that is on the same IP network. We risk injecting or leaking traffic to our customer's BACnet network with this approach.

This is where the BACnet Foreigner Devices (FD) come into play. On image 1.3 it will be the node M. This node will send registration to the BBMD Z.  BBMD Z will register M into a second table (Foreign Device Table or FDT).  Therefore, after  M enters the network, the BBMD nodes will have the following values on their tables:

  • BBMD Z has two tables: BDT with Y  and  FDT with M.

  • BBMD Y has only the BDT table with Z.

Image 1.3: Adding an FD device as M

When node M sends a Who-Is (again, like our BACnet client discovery) there will be four IP datagrams:

  1. A unicast  from  M to  Z

  2. A broadcast done by Z.

  3. An unicast from Z to Y

  4. A broadcast done by Y.

If any other send a broadcast message, it will behave as before. The only new element is that Z will send a unicast to M.

NOTE The BBMD node to which M is connected MUST support the FD registers.


BACnet terms: 

  • BACnet/IP: A type of BACnet network whose nodes run over the TCP/IP stack.

  • BBMD:  BACnet Broadcast Manager Device, A type of BACnet/IP  node.

  • BDT: Broadcast Distribution Table,  internal tables handled by BBMDs.

  • FDT: Foreigner Device Table, a secondary internal table handled by some BBMDs.

  • FD: Foreigner Device,  a BACnet/IP node that subscribes directly to one BBMD’s FDT.

  • Who-Is:  A Broadcast message used to request BACnet Network address (and BACnet MAC address) from one or more nodes. 

  • I-Am: A Broadcast message  answering a Who-Is (or used to publicize a new node)

  • ReadProperty [service]: A unicast message to request one BACnet property from a BACnet instance.

  • BACnet network: BACnet nodes grouped by their [BACnet] data-link layer. 

  • BACnet router: A BACnet node that can inter-connect different [BACnet] data-link devices (E.g.   BACnet/IP nodes with BACnet/MTU nodes, or even with other sub-set of BACnet/IP nodes).

  • BACnet network address:  This is the address at the BACnet network layer. It is always composed by a BACnet Network number plus the BACnet MAC address. 

  • BACnet MAC address: This is the BACnet data-link address. For BACnet/IP nodes this is always the socket address (<IP address>:<UDP port>).