Use cases for network separation - Planning - PXC7.E400S - PXC5.E24-N - PXC4.E16-2 - PXC5.E24 - PXC7.E400L-N - PXC4.E16S-2 - PXC5.E003 - PXC4.M16S-2 - PXC7.E400L - PXC4.M16-2

Use cases for network separation

PXC5 and PXC7 devices support the flexible use of the Ethernet ports by enabling BACnet/IPv4 on the WAN port starting from device version 1.6 onwards. This increases the number of topologies available in the Desigo system. The addition of the WAN port permits operators to separate secure and unsecured networks. To this end, each port receives a MAC address to make it more secure.

Activating the WAN port with BACnet/IPv4 traffic allows the operation of two independent IP networks and segregates traffic by placing one BACnet network on the bridged LAN1/2 port and the other BACnet network on the WAN port. This means that separate secure or unsecured networks can be operated in Desigo.

2-port Ethernet switch (LAN1A/B)	WAN
BACnet/IPv4	BACnet/IPv4
BACnet/SC	BACnet/IPv4

Flexible use of Ethernet Ports and IPv6

The flexible use of Ethernet ports allows the segregation of network traffic across different IP subnets, enhancing network management and security. BACnet/IPv6 functionality is currently available on demand based on project requirements. In Building Automation, IPv6 support enables a stepwise migration from IPv4 to IPv6, allowing to adopt IPv6 gradually without disrupting existing IPv4 setups. This is beneficial when you want to future-proof your network infrastructure and are planning to transition to IPv6 in the future.

At the moment, from the Desigo range, Desigo CC is capable of operating in IPv6-only environments and in mixed IPv4/IPv6 environments. Desigo CC can handle both BACnet/IPv4 and BACnet/IPv6 traffic, including functionalities like static IPv6 addressing, DHCPv6 and SLAAC dynamic addressing and BBMD/FD. Desigo CC is BTL certified.

Separate MAC addresses for each port

Separate MAC addresses are assigned for each port at the factory and only apply to new devices (device version 1.6 and higher).

Port	Devices with 3 ports (PXC4.E16-2, PXC4.E16S-2, PXC5.E003)	Devices with 4 ports (PXC7.E400x, PXC5.E24)
LAN 1A	MAC 1 (DMC)	MAC 1 (DMC)
LAN 1B	MAC 2	MAC 2
WAN		MAC 3
WLAN	MAC 3	MAC 4

The Data Matrix Code (DMC) on the device cover always displays the MAC 1 address. The other MAC addresses are calculated by + 1 (Hex).

For further details, refer to the ABT Site online help.

Use case 1: Project extension with BACnet/SC communication

The typical deployment scenario may be a campus project with a new building on BACnet/SC to interface with an old installed base of buildings on BACnet/IP. The IT-department might enforce separate IP-networks to ensure cybersecurity.

Using the extension in Desigo CC: Route the BACnet/IP network from existing devices via the WAN port to the PXC5/7 device and to Desigo CC over the BACnet/SC network on LAN port 1A. Use LAN port 1B to connect to other automation stations.

Security aspects:

The BACnet/SC network ensures a high level of network security in the extended project area.
Locked and controlled cabinet access protects the residual (and unsecured) BACnet/IP network.

Engineering and customer data:

No additional graphical or data engineering is required for Desigo CC; existing data for trends, alarms, logs, etc. are not lost.
Set up and operate the new BACnet/SC network.
No additional engineering is required for PXC00 ... PXC200 devices with Xworks Plus (XWP). Connect the new network (/IP) to the WAN port on the PXC5/7 device.

Financial aspects:

Sets the groundwork for subsequent migration to PXC7 devices.

Use case 2: Improve the network security outside the control cabinet

Install a PXC7 device at the top of the control cabinet and route all the traffic in the cabinet through the new device. The legacy devices connect to the PXC7 via BACnet/IP and the hub connects directly to Desigo CC.

This use case can also cover a step-by-step migration from BACnet/IP to BACnet/SC: Take the full of a BACnet/IP network, extend it with a PXC5/7 device as a “head” station, and funnel that BACnet/IP network by BACnet routing to the BACnet/SC side of the project.

Security aspects:

The BACnet/SC network provides a high level of network security.
A locked and controlled cabinet physically secures the unsecured BACnet/IP network from eavesdropping.
Disable unused Ethernet ports.

Engineering and customer data:

No additional engineering is required for Desigo CC.

Financial aspects:

Protect your investment by replacing devices with PXC7:

The PXC housing is the same size as the PXC100 ... PXC200.
The island bus connection is the same as the PXC100 ... PXC200

The PXC5.E003 cannot be used in this scenario (due to a lack of island bus) and the PXC5.E24 housing is larger than the PXC100 … PXC200.

Use case 3: Separate two unsecured BACnet/IP networks

This use case has the benefit of separating two unsecured BACnet/IP networks to hide all other room automation protocols behind a PXC5/7 device. In addition, gradual adoption of BACnet/SC can be achieved for projects that do not use BACnet yet, by implementing BACnet/IP first and allowing a sustainable BACnet learning curve.

Restrictions

WAN port

The WAN port does not support BACnet/SC. Use a LAN port to operate BACnet/SC. When using the WAN port for BACnet/SC, the LAN port is exposed as unsecure (since BACnet/IP is not a secure protocol). Depending on your use case, when using the Northbound and Southbound terminology, it may mean that the Southbound interface can correspond to the WAN port (without BACnet/SC support), while the Northbound interface can correspond to the LAN port.
Engineering and commissioning on WAN side is not supported. It is not possible to load devices from the WAN side. Only the LAN and WLAN ports support engineering and commissioning.

Fieldbus level protocols

Fieldbus level protocols, such as Modbus TCP or KNX Net, are not supported on WAN port.