This is a high level summary of the BACnet specification as outlined in ASHRAE Standard 135-2004. It is content that I wrote in a graduate course on networking technologies several years ago.


This paper will discuss the BACnet communication protocol, which is the American Society of Heating, Refrigerating, and Air Conditioning Engineer’s (ASHRAE) building automation and control networking protocol. This protocol was developed for building automation control systems including heating and ventilation (HVAC), process control, lighting automation, and fire detection and control systems. The protocol is intended to provide a standardized means for all building systems to exchange data with one another using standard models and methods of data representation. (ASHRAE Standard 135-2004, 2004, page vii) Most current commercial building automation systems, sometimes referred to within the context of “intelligent buildings,” implement control systems which are designed around BACnet to some extent. Many manufacturers of even basic and traditionally stand-alone unitary equipment (i.e. building humidifiers, variable speed motor drives, various specialized meters and sensors)  are using micro controllers that have the ability to communicate on some form of BACnet network. This concept of designing building equipment that can be networked is not necessarily new; however, it has only been within the past decade or so that all manufacturers have rallied around a single protocol to such a large extent. This has greatly reduced the complexity and cost of creating sophisticated networks of building equipment and allowing a central automation system to more effectively optimize a buildings performance and efficiency, as well as provide interoperability between systems. A simple example could be scheduling lighting and HVAC systems that serve a common area for normal, standby, and off settings concurrently with a single automation system software platform.

The focus of this paper will ultimately be on the technical aspects of the data communications involved, and the details of the protocol itself. An overview of the protocol architecture will be provided, followed by a more concise coverage of the BACnet standard used over both MS/TP and IP networks. The Transport, Network, Data Link and Physical Layer (with respect to the OSI 7-layer model) aspects will primarily be covered, but it should be noted that there are key elements required for a functional BACnet network in the application layer that are necessary for the protocol to work. In addition to these functional components, the application layer specifications provide the framework for the typical BACnet specific objects, format, and overall feel for a working building control system that industry personnel would generally be familiar with. Context and example applications will be used as needed to help construct a clear picture of the topic in accordance with the goals of this paper.

Overview of the BACnet Architecture

The foundation for the BACnet protocol is found in the traditional 7-layer Open System Interconnection (OSI) model (ISO standard 7498). OSI “is an international standard that defines a model for developing multi-vendor computer communication protocol standards.”  (ASHRAE Standard 135-2004, 2004, page 10) Using the existing model and protocols as much as possible for BACnet saved significant cost and time when compared to development from the ground up. Additionally, when only the pieces of the OSI model that are required for the reduced complexity of building automation networks are used, the overall architectural complexity, and subsequently cost to implement, is reduced.  (ASHRAE Standard 135-2004, 2004, page 9)

The OSI model was intended as the original network communications model by the International Organization for Standardization (ISO), and was originally intended to be the framework that would be used for all data communications. However, after 1990, the TCP/IP protocol suite became the most dominant architecture since it was tested and used extensively in the Internet.  (Forouzan, 2007, page 29) BACnet is a simplified, or collapsed, architecture when compared to the full OSI model, using only what is necessary from the model. It is made up of the physical, data link, network, and application layers.  The other layers thus effectively go unused, which simplifies the implementation of BACnet and reduces message length. The application layer and a simple network layer are what are actually defined as being exclusive to BACnet in the protocol standard; in addition the MS/TP specifications which deal with the physical and data link layers. MS/TP was developed by ASHRAE along with the overall BACnet standard as a serial bus communication standard for building control networks. It is built on top of the physical layer standard EIA-485, and handles the medium access control at the data link layer (ASHRAE Standard 135-2004, 2004, page 18)

The full 7-layer OSI Model (ASHRAE Standard 135-2004, 2004)

The collapsed BACnet Architecture (ASHRAE Standard 135-2004, 2004)

The 5 options ASHRAE provides for the physical and data link layers are listed below (ASHRAE Standard 135-2004, 2004, page 18):

  • Link control (LLC) protocol defined by ISO 8802-2 Type 1, combined with the ISO 8802-3 medium access control (MAC) and physical layer protocol (Ethernet).
  • ISO 8802-2 Type 1 protocol combined with ARCNET (ATA/ANSI 878.1).
  • A Master-Slave/Token-Passing (MS/TP) protocol designed specifically for building automation and control devices as part of the BACnet standard. The MS/TP protocol provides an interface to the network layer that looks like the ISO 8802-2 Type 1 protocol and controls access to an EIA-485 physical layer. As will be discussed below, MS/TP is the primary protocol used for the physical and data link layers for BACnet system-level controller LAN’s. The term system-level controller is used to describe the micro controllers that are receiving and sending actual inputs and outputs to physical mechanical and electrical equipment; it is essentially a PLC, but the term PLC is not used as frequently in the building control industry as compared to industrial and process control applications.
  • Point-To-Point protocol: provides mechanisms for hardwired or dial-up serial, asynchronous communication.
  • LonTalk protocol, which is characterized by short messages (very few bytes), low per-node cost, multiple available communications media, low bandwidth, and low maintenance.  (LonTalk Protocol Specification, Version 3.0, 1994, page 7)

Physical and Data Link Layer – MS/TP

MS/TP is the most common example of BACnet physical and data link layers today. It is common for a typical automation system to have many MS/TP buses in a facility, with various types and manufacturer’s equipment sharing them. Using MS/TP for BACnet networks is comparable to the use of Ethernet in typical LAN’s; it is the dominant technology used, and the one which each respective industry has come to regard as the dominant technology. As stated previously, BACnet MS/TP uses an EIA-485 serial bus for the physical layer. The physical layer is what actual carries the physical bits over a physical medium.

Since the EIA-485 standard essentially specifies only the driver, receiver and transceiver chips for the micro controllers UART communicating on the bus, it’s left to the designer of a system to determine specifications  such as performance (data rates), timing, signal quality, what protocol is used, voltages, specific types of wiring, and so forth.  (Understanding EIA-485 Networks, 1999, page 1) ASHRAE specifies many of these items for BACnet MS/TP. For example, it provides specific wiring specifications, recommended maximum distances, and connections and terminations, timing characteristics, the information and structure of data frames, error detection, and so forth.  (ASHRAE Standard 135-2004, 2004)

The physical cable is specified to be shielded twisted-pair cable with characteristic impedance between 100 and 130 ohms. The maximum recommended length of an MS/TP bus segment is 4000 feet with AWG 18 (0.82 mm2 conductor area) cable. However, this can vary slightly from manufacturer to manufacturer.  (ASHRAE Standard 135-2004, 2004, page 74)

BACnet MS/TP uses polar NRZ, or Non-Return-to-Zero, encoding (which is why polarity of terminations becomes very critical for the serial bus). To summarize NRZ, it uses two levels of voltage amplitude to represent 0’s and 1’s, and these two voltages do not ever return to zero volts, hence the naming convention “NRZ”. The positive amplitude is a set voltage above zero, and the negative is a set voltage below zero.  (Forouzan, 2007, page 107) ASHRAE does not specify whether the Level or Invert method is used to determine the value of a bit. The data frames contain one start bit, eight data bits, no parity, and one stop bit. The start bit has a value of zero, while the stop bit has a value of one, and the data bits are transmitted with the least significant bit first.  (ASHRAE Standard 135-2004, 2004, page 75)

Specific timing characteristics are provided for the BACnet MS/TP physical layer when using an EIA-485 serial bus. Various baud rates are supported in implementations throughout the industry; however, ASHRAE specifies a minimum of one standard baud rate that must be a selectable option, of 9600 baud, regardless of what other baud rate options are available in their implementation. Other allowable options for baud rate are 19200, 38400, and 76800 baud.  (ASHRAE Standard 135-2004, 2004, page 75).

As its name implies, MS/TP, or master-slave/token-passing, uses token passing for media access control. In a token passing network, a token is passed among the nodes. When a node possesses the token, it is allowed to send data on the bus. If any node on the network has data to send, it waits until it receives the token, at which time it can send its data, for a definite period of time. If a node receives the token and has no data to send, the token is passed to the next logical node.  (Forouzan, 2007, page 381) Token frames are not acknowledged by a node after receiving them. “If the acknowledgment of a token were lost, the token’s sender might retry, resulting in the creation of two tokens. Instead, after a node passes the token, it listens to see if the intended receiver node begins using the token.”  (ASHRAE Standard 135-2004, 2004, page 78) ASHRAE defines usage in this case “as the reception of Nmin_octets octets from the network within Tusage_timeout  after the final octet of the token frame is transmitted.”  (ASHRAE Standard 135-2004, 2004, page 78)

There is a specific frame format for BACnet MS/TP, which is shown below (ASHRAE Standard 135-2004, 2004, page 76):

Preamble                    two octet preamble: X’55’, X’FF’

Frame Type                one octet

Destination Address    one octet address

Source Address           one octet address

Length                        two octets, most significant octet first

Header CRC               one octet

Data                            (present only if Length is non-zero)

Data CRC                   (present only if Length is non-zero) two octets, least significant octet first

(pad)                           (optional) at most one octet of padding: X’FF’


The frame type is an important field in the data frame—depending on what it is, what the various nodes on an MS/TP network do after receiving it can vary greatly. There are 256 possible frame types. ASHRAE makes the following important statement about the frame type field:

“Frame Types 8 through 127 are reserved by ASHRAE. Frame Types 128 through 255 are available to vendors for proprietary (non-BACnet) frames. Use of proprietary frames might allow a Brand-X controller, for example, to send proprietary frames to other Brand-X controllers that do not implement BACnet while using the same medium to send BACnet frames to a Brand-Y panel that does implement BACnet. Token, Poll for Master, and Reply To Poll For Master frames shall be understood by both proprietary and BACnet master nodes.”  (ASHRAE Standard 135-2004, 2004, page 76)

This flexibility is well received by the industry. Despite the interoperability that BACnet allows, many systems can be comprised of devices of only one manufacturer’s nodes. Therefore, optimizations and additional features can be implemented while still allowing the same product line to be capable of residing on a true, multi-vendor basic BACnet MS/TP communication bus, but possibly without the vendor specific optimizations or special features.

The BACnet Network Layer

The network layer in the OSI model is layer 3; below the transport layer and above the data link layer. Generally speaking, the primary purpose of the network layer is to provide logical grouping of heterogeneous physical networks. It is ultimately responsible for carrying a packet from one computer to another.  (Forouzan, 2007)

The BACnet network layer “provides the means by which messages can be relayed from one BACnet network to another, regardless of the BACnet data link technology in use on that network. The data link layer provides the capability to address messages to a single device or broadcast them to all devices on the local network, the network layer allows messages to be directed to a single remote device, broadcast on a remote network, or broadcast globally to all devices on all networks. A BACnet Device is uniquely located by a network number and a MAC address.”  (ASHRAE Standard 135-2004, 2004, page 47) A local broadcast makes use of the broadcast MAC address appropriate to the local network’s LAN technology,  i.e., X’FFFFFFFFFFFF’ for ISO 8802-3 (Ethernet), X’00’ for ARCNET, X’FF’ for MS/TP, or X’00’ in the DstSubnet field of Address Format 0 in LonTalk. A remote broadcast is made on behalf of the source device on a specific distant network by a router directly connected to that network. In this case, DNET (DNET is a “proprietary software suite of network protocols created by DIAB, originally deployed on their Databoard products. It was based upon X.25” and was “connection-oriented, datagram-based, supported out-of-band (interrupt) messages.”  (DNET, 2012)) shall specify the network number of the remote network.”  A global broadcast is sent through all routers to all networks. (ASHRAE Standard 135-2004, 2004, page 54)

BACnet routers are devices that interconnect two distinct BACnet local networks, and provide a relay function. Disparate BACnet networks using a router to connect them become BACnet internetworks. BACnet routers make use of BACnet network layer protocol messages to maintain their routing tables, which consist of the following information  (ASHRAE Standard 135-2004, 2004, pages 47, 58, 60):

(a) the MAC address of the port’s connection to its network;

(b) the 2-octet network number of the directly connected network;

(c) a list of network numbers reachable through the port along with the MAC address of the next router on the path to each network number, and the reach-ability status of each such network.

Upon the initial start up of a BACnet router, it broadcasts a I-Am-Router-To-Network message, which “lists each accessible network number except the number of the network on which the broadcast is being made. This broadcast allows other routers to update their routing tables whenever a new router joins the internetwork.”  (ASHRAE Standard 135-2004, 2004, page 61))


BACnet/IP is similar to BACnet MS/TP in that it specifies how BACnet messages are transmitted and received between nodes on a BACnet network, but there are some differences to consider. For instance, MS/TP was developed specifically for building automation control networks, albeit on top of some existing standards such as EIA-485 for the physical layer. But what happens at the data link layer in BACnet MS/TP is in many ways specific to the BACnet protocol. BACnet/IP does not have any specific requirements at any layer lower than the network layer, and even then, much of what is specific to BACnet/IP versus, for example, TCP/IP, deals with the application layer itself. The concept of BACnet/IP is that it “shall function in concept identically to the other non-IP network types with respect to directed messages and broadcast messages, including local, remote, and global broadcasts,” (ASHRAE Standard 135-2004, 2004, page 575)  as defined in other sections of the BACnet specification.  To summarize this reference, ASHRAE states that a “directed message shall be sent directly to the destination node; a “local broadcast” shall reach all nodes on a single B/IP network;  a “remote broadcast” shall  reach all nodes on a single BACnet network with network number different from that of the originator’s network; a “global broadcast” shall  reach all nodes on all networks.” (ASHRAE Standard 135-2004, 2004, page 575) These specifications are found in clause 7 of the BACnet specification, which deals with the network layer, which was discussed in the previous section.

BACnet/IP is based on UDP (User Datagram Protocol), and to some extent the ‘BACnet’ part of BACnet/IP can be thought of as another transport layer protocol such as TCP and UDP. TCP is not used by BACnet in any form.  (Fisher, 2012)  In BACnet/IP, the message is sent using IP. The payload contains a UDP frame which itself has a source and destination port number and a payload. Typically BACnet/IP uses UDP port 47808 (which is 0xBAC0 in hexadecimal). (Fisher, 2012) The TCP standard was being developed at roughly the same time as BACnet , and was originally studied and analyzed considerably as an option based on how BACnet was envisioned to be used. UDP was chosen for a couple of primary reasons. First, it is a connectionless transport model; second, it uses a binary payload where TCP uses a more text stream oriented model. In regards to UDP being a connectionless transport model, a packet is simply sent from the sending node, compared to TCP where a more resource and time intensive process of a handshake, mutual acknowledgements, and the requirement to maintain state information regarding the connection between two communicating nodes. However, it is important to note that some of the functions that TCP provides (acknowledgements, etc.) are provided in the application layer of BACnet/IP.  (Fisher, 2012)

Addressing on a BACnet/IP network is accomplished by using the standard 4 octet IP address, combined with a 2 octet UDP port number. This MAC addressing scheme functions in the same way as when used with the Ethernet, MS/TP, LonTalk, and Arcnet technologies referenced previously.  A BACnet/IP network functions the same way conceptually as the other types of BACnet networks. (ASHRAE Standard 135-2004, 2004, page 565)

The communications between the network layer and the specific underlying communication subsystem used is accomplished with the BACnet Virtual Link Layer (BVLL). BVLL message has three fields. The 1-octet BVLC Type field indicates which underlying communication subsystem is in use. In this case, a BVLC Type of X’81’ indicates the use of BACnet/IP. The 1-octet BVLC Function field identifies the specific function to be carried out in support of the indicated communication subsystem type. The 2-octet BVLC length field is the length, in octets, of the entire BVLL message. The BACnet/IP section of the specification specifies the BACnet Virtual Link Control (BVLC) functions required to support BACnet/IP directed and broadcast messages. (ASHRAE Standard 135-2004, 2004, page 565)

When a BACnet network consists of nodes on 2 or more subnets, a BACnet Broadcast Management Device (BBMD) is required. Since standard IP routers do not forward broadcasts, an additional device is required to perform this function. In these cases each subnet in a BACnet/IP network requires one (no more than one) BBMD which has a Broadcast Distribution Table (BDT). The BDT is the same in every BBMD on a given BACnet/IP network, and contains an entry for each BBMD on a BACnet/IP network.  (ASHRAE Standard 135-2004, 2004, page 569)

2 subnets with BACnet/IP devices on each.  (ASHRAE Standard 135-2004, 2004, page 569)

BACnet/IP devices communicate directly with one another by using BACnet/IP addresses. On a single subnet, a BACnet/IP broadcast message will automatically reach all nodes by using a “BVLL Original-Broadcast-NPDU (Network Protocol Data Unit)” message. When two or more subnets are used for a BACnet network, a “local broadcast” uses the BACnet/IP broadcast address, and the NPDU shall be transmitted in a BVLL Original-Broadcast-NPDU message using the BBMD.  (ASHRAE Standard 135-2004, 2004) A BBMD can send messages to other subnets in two ways. The first method is a directed broadcast, (which is also known as one-hop distribution). “This involves sending the message using a B/IP address in which the network portion of the address contains the subnet of the destination IP subnet and the host portion of the address contains all 1’s.” However, this method requires that the IP router be able to be, and to be configured to support these directed broadcasts. (ASHRAE Standard 135-2004, 2004, 569) The second method is referred to as a two-hop distribution, and transmits it using the BACnet/IP broadcast address. The two-hop method is always available.  (ASHRAE Standard 135-2004, 2004, page 569)


The BACnet protocol is based on a collapsed version of the 7-layer OSI network model. It includes a physical, data link, network, and application layer. There are many aspects of BACnet that are based on existing, proven and easily implemented protocols and technologies that provide widespread industry support, such as EIA-485, Ethernet, UDP/IP, among others. The protocol was intended to provide a common method to implement internetworked building and process control systems to allow intelligent buildings to be implemented with less complexity, less cost, more robustly, and in more efficient ways.

Today, BACnet is utilized to the full extent of its creator’s vision; perhaps even to a greater extent. It has been widely adopted in the industry as the primary standard communication protocol. The companies who did not fully embrace it initially have been playing catch up ever since. Even as early as 2001, just a few years after its inception, “BACnet systems were installed in 82 countries and the international territory of Antarctica.  A year later, more than 183,000 BACnet units were sold.” (Swan, 2004)

Building designs that call for greater control of energy use typically have more complex heating, ventilation, and air conditioning (HVAC) mechanical equipment and control algorithms. They may be designed around limiting the use of specific equipment to the least amount of time as possible while maintaining environmental control. There is a specific subset of the construction industry referred to as Green and Sustainable Building Construction. This industry concerns the construction of energy efficient buildings. Generally, these buildings will be identified as striving for some level of Leadership in Energy and Environmental Design (LEED) certification, which is administered by the U.S. Green Building Council (USGBC) (Ripley, Kathleen, 2011). Green and Sustainable Building construction is expected to continue a strong growth pattern for the foreseeable future, and the use of BACnet is projected to follow a similar trajectory. (Ripley, Kathleen, 2011)

By Andrew Martin, owner and founder of BlueRithm


ASHRAE Standard 135-2004. (2004). Atlanta, GA: ASHRAE.

Fisher, D. (2012, October 28). How do you separate a BACnet/IP LAN? BACnet Discussion Group .

Forouzan, B. A. (2007). Data Communications and Networking. New York, NY: McGraw Hill.

LonTalk Protocol Specification, Version 3.0. (1994). Palo Alto, CA: Echelon Corporation.

Ripey, Kathleen. (2012). Industrial Buliding Construction in the U.S. IBIS World.

Understanding EIA-485 Networks. (1999, Spring ). The Extension: A Technical Supplement to Control Network .

Swan, B. (2004). Past & Future of BACnet®. ASHRAE Journal, 46(10), S7.

Swan, W. O. (2004). BACnet retrospective. Heating/Piping/Air Conditioning Engineering:HPAC, 76(10), N44-N46. Retrieved from

Leave a Reply

Your email address will not be published. Required fields are marked *