Commercial Networks

Commercial and enterprise installations present unique challenges for Matter smart lighting. This guide addresses network architecture, security requirements, and integration with existing enterprise infrastructure.

Enterprise Network Overview

Key Differences from Residential Networks

Commercial networks differ significantly from residential setups:

Aspect                  Residential         Commercial
Network complexity      Single router       Multi-layer architecture
Security requirements   Basic               Enterprise-grade firewalls, policies
Device scale            10-50 devices       100-10,000+ devices
IT involvement          None                Required approval and coordination
Network segmentation    Rare                Standard practice (VLANs)
Support structure       Self-service        IT helpdesk

Matter Protocol Requirements

Matter devices require specific network capabilities that may conflict with default enterprise security policies:

mDNS/DNS-SD - Required for device discovery (service types _matterc._udp for devices waiting to be commissioned and _matter._tcp for commissioned, operational nodes)

IPv6 - Required for Matter communication; the protocol runs over IPv6 UDP, port 5540 by default

Multicast traffic - Required for discovery and for group communication (e.g., switching a whole zone of fixtures at once)

Local device communication - Controllers and devices must reach each other directly on the local network; the protocol itself has no cloud relay

Thread mesh networking - For low-power device communication; Thread traffic reaches the IP network only through a Thread border router

VLAN Configuration Examples

Segmenting IoT devices on dedicated VLANs is best practice for commercial installations.

VLAN 10 - Corporate (Main Network)
VLAN 20 - Guest Network
VLAN 30 - IoT/Matter Devices (Recommended)
VLAN 40 - Security/Cameras
VLAN 50 - Voice/VOIP

VLAN Configuration for Matter

1. Create Dedicated IoT VLAN

Create a VLAN specifically for Matter and other IoT devices. This isolates smart devices from corporate resources while allowing necessary communication.

2. Configure DHCP Scope

Set up DHCPv4 for the IoT VLAN with sufficient address space. For 100 fixtures, allocate at least a /24 subnet (254 usable addresses) to allow for growth. Matter itself runs over IPv6, so IPv4 is needed mainly for firmware downloads, NTP and vendor cloud services.

3. Enable IPv6 on IoT VLAN

Matter requires IPv6. Configure IPv6 addressing on the IoT VLAN using SLAAC (router advertisements from the VLAN interface): Matter devices are required to support SLAAC, while DHCPv6 support is optional and many fixtures will not implement it. Link-local addresses are sufficient when controllers and fixtures share the VLAN; a routable prefix (ULA or global) is needed as soon as controllers sit on another VLAN.

4. Configure mDNS Forwarding

Enable an mDNS gateway or reflector between VLANs if the control devices (phones, tablets, hubs) are on a different VLAN than the Matter devices. mDNS is link-local multicast and does not cross a routed boundary on its own. Discovery is only the first step: the controller must then also be able to route unicast UDP to the fixture's advertised IPv6 address, so the inter-VLAN firewall rules in the next section matter as much as the reflector.

Sample Cisco Configuration

! Create IoT VLAN
vlan 30
 name IoT-Matter

! Configure VLAN interface; router advertisements from this SVI provide SLAAC
interface Vlan30
 description IoT Matter Network
 ip address 192.168.30.1 255.255.255.0
 ipv6 address 2001:db8:30::1/64
 ipv6 enable

! Matter DNS-SD service types. Operational discovery is _matter._tcp even
! though Matter runs over UDP; _matterc is commissionable, _matterd commissioner
mdns-sd service-definition matter
 service-type _matter._tcp.local
 service-type _matterc._udp.local
 service-type _matterd._udp.local

! Only reflect Matter services, in both directions
mdns-sd service-list PROLICHT-IN IN
 match matter
mdns-sd service-list PROLICHT-OUT OUT
 match matter

mdns-sd service-policy PROLICHT-MDNS
 service-list PROLICHT-IN IN
 service-list PROLICHT-OUT OUT

! Enable the mDNS gateway (SDG agent) and attach the policy to the IoT
! and corporate VLANs. Syntax is Catalyst 9000 IOS-XE; verify against your
! platform's mDNS gateway configuration guide.
mdns-sd gateway

vlan configuration 30
 mdns-sd gateway
  service-policy PROLICHT-MDNS

vlan configuration 10
 mdns-sd gateway
  service-policy PROLICHT-MDNS

Sample Ubiquiti Configuration

In the UniFi Controller:

  1. Settings → Networks → Create New Network

    • Name: IoT-Matter
    • Purpose: Corporate
    • VLAN ID: 30
    • IPv4: 192.168.30.1/24
    • IPv6: Enable, configure prefix
  2. Settings → Networks → Multicast DNS

    • Enable mDNS across required VLANs
    • Add service filters for Matter types
  3. Settings → System → Advanced

    • Enable Multicast Enhancement (IGMPv3)
    • Configure multicast DNS settings

Firewall Rules for Matter Traffic

Enterprise firewalls must be configured to allow Matter traffic while maintaining security.

Required Firewall Rules

Inbound Rules (to IoT VLAN)

  • Allow UDP port 5540 (Matter, over IPv6) from controller devices and hubs to the fixtures; this single port carries both commissioning (PASE) and operational (CASE) traffic
  • Allow ICMPv6 so that neighbor discovery and path MTU discovery keep working
  • mDNS (UDP 5353) is link-local multicast and crosses VLANs through the mDNS gateway or reflector, not through routed firewall rules
  • Thread mesh traffic never reaches the IP firewall directly: it enters the IoT VLAN through the Thread border router, which should itself sit on the IoT VLAN

Outbound Rules (from IoT VLAN)

  • Allow DNS (UDP/TCP 53) to the DNS servers
  • Allow NTP (UDP 123) for time synchronization
  • Allow HTTPS (TCP 443) for firmware updates and vendor cloud services
  • Allow UDP 5540 back to the controller VLAN (stateless filters need the reverse direction stated explicitly)
  • Deny everything else and log the denies; a fixture that starts talking to a new destination is worth investigating

Sample Firewall Configuration

! Matter runs over IPv6 UDP/5540 (IANA-registered). These ACLs are stateless,
! so 5540 is permitted as both source and destination port. mDNS is reflected
! by the mdns-sd gateway and is not filtered here.
ipv6 access-list IOT-TO-CORP-V6
 permit udp 2001:db8:30::/64 eq 5540 2001:db8:10::/64
 permit udp 2001:db8:30::/64 2001:db8:10::/64 eq 5540
 permit udp 2001:db8:30::/64 any eq domain
 permit udp 2001:db8:30::/64 any eq ntp
 permit tcp 2001:db8:30::/64 any eq 443
 permit icmp any any
 deny ipv6 any any log

ipv6 access-list CORP-TO-IOT-V6
 permit udp 2001:db8:10::/64 2001:db8:30::/64 eq 5540
 permit udp 2001:db8:10::/64 eq 5540 2001:db8:30::/64
 permit icmp any any
 deny ipv6 any any log

! On the SVI, "in" is traffic leaving the IoT VLAN, "out" is traffic entering it
interface Vlan30
 ipv6 traffic-filter IOT-TO-CORP-V6 in
 ipv6 traffic-filter CORP-TO-IOT-V6 out

Cloud Service Access

Matter devices may require cloud access for:

  • Firmware updates: Vendor update servers
  • Remote access: Platform-specific cloud services
  • Time synchronization: NTP servers

Ensure the firewall allows outbound HTTPS (TCP 443) from the IoT VLAN to the vendor domains in use. The entries below are the platform vendors' general domains; confirm the current hostnames with each vendor and use the narrowest patterns your firewall supports:

  • Apple: *.apple.com, *.icloud.com
  • Google: *.google.com, *.googleapis.com, *.nest.com
  • Amazon: *.amazon.com, *.alexa.amazon.com
  • Samsung: *.smartthings.com

Multi-Site Considerations

Organizations with multiple locations require additional planning.

Distributed Architecture Options

1. Independent Systems

Each site operates independently with its own hub and Matter fabric. Simple to implement but requires separate management for each site.

2. Centralized Cloud Management

Use platform-specific multi-site features (e.g., Apple Home with multiple homes, Google Home with multiple structures). Allows unified management through cloud services.

3. Hybrid Approach

Independent local systems with centralized monitoring through a building management system (BMS) or custom integration.

Site Interconnection

For Matter traffic between sites:

  • Matter does not natively support cross-site communication: discovery relies on mDNS and link-local multicast, which stay within the local network
  • Each site requires its own Matter fabric
  • Remote control is achieved through platform cloud services, not through the Matter protocol itself
  • Do not attempt to bridge Matter traffic over VPN between sites

Synchronization Considerations

When managing multiple sites:

  • Standardize device naming conventions across all sites
  • Use consistent firmware versions where possible
  • Document site-specific configurations
  • Plan for coordinated updates and maintenance

Integration with Existing Systems

Building Management Systems (BMS)

Prolicht Matter fixtures can integrate with BMS through several approaches:

Platform Bridge Integration

Many BMS platforms offer integration with Apple Home, Google Home, or Amazon Alexa. Use official bridges to connect Matter devices to BMS.

Home Assistant as Middleware

Home Assistant can act as a bridge between Matter devices and BMS via MQTT, REST API, or Modbus. This provides maximum flexibility for custom integrations.

Occupancy Sensor Integration

Connect occupancy sensors through the same Matter network for automated lighting control based on room occupancy.

Lighting Control Systems

For installations with existing lighting control:

  • DALI Integration: Use Matter-to-DALI bridges for hybrid systems
  • DMX Integration: Stage or architectural lighting can coexist with Matter systems

Access Control Integration

Coordinate with access control systems:

  • Lights can activate on door unlock events
  • Motion sensors can trigger both lighting and security responses
  • Schedule lighting changes based on access control schedules

Security Considerations

Enterprise Security Requirements

Commercial installations must address specific security concerns:

⚠️ Device Authentication - Ensure only authorized devices join the Matter fabric

⚠️ Network Isolation - Prevent Matter devices from accessing corporate resources

⚠️ Firmware Management - Establish process for security updates

⚠️ Access Control - Limit who can commission and control devices

⚠️ Audit Logging - Track device changes and access patterns

Matter Security Features

Matter includes built-in security:

  • Device attestation: During commissioning the device proves it holds a Device Attestation Certificate (DAC) that chains through a Product Attestation Intermediate (PAI) to a Product Attestation Authority (PAA) trusted by the commissioner, and the vendor and product IDs in the certificate must match what the device claims
  • Encrypted communication: Operational unicast and group messages are encrypted and authenticated with session keys established by the PASE (setup) and CASE (operational) handshakes; the DNS-SD discovery records themselves are not encrypted
  • Secure commissioning: The setup passcode carried in the QR code or manual pairing code authenticates the commissioner to the device via PASE, so only someone holding the code can commission it
  • Access control lists: Each device holds an ACL that determines which fabrics and nodes may read, write or invoke which clusters
Best Practices

  1. Maintain physical security of QR codes and manual pairing codes: the setup passcode is encoded in them in the clear and is all an attacker needs to commission a device whose commissioning window is open
  2. Limit Matter administrator access to authorized personnel
  3. Document all commissioned devices (fabric, node ID, location) for audit purposes
  4. Establish firmware update procedures for security patches
  5. Monitor for unauthorized devices appearing on the network, e.g., by watching DNS-SD for _matterc._udp advertisements (devices waiting to be commissioned) and for _matter._tcp instances whose fabric prefix is not yours
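As an added example (not Prolicht's code) of what item 5 can look like in practice, the script below audits DNS-SD records against an inventory. It derives your fabric's compressed fabric identifier from the fabric root public key and fabric ID as the Matter specification defines it (HKDF-SHA256 over the root public key, salt = 64-bit fabric ID, info = "CompressedFabric", truncated to 64 bits), then flags operational nodes on other fabrics, nodes on your fabric that are missing from the inventory, and commissionable devices advertising an open commissioning window or an unapproved vendor ID. The root key, fabric ID, node IDs, vendor list and records are all constructed for the example; in production the records would come from a browser such as avahi-browse or python-zeroconf.

```python
"""Flag Matter devices that should not be on the network, from DNS-SD records.

Added example for this guide (not Prolicht code). The sample records, root
key and inventory below are constructed for the example.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

OPERATIONAL = "_matter._tcp.local."      # commissioned nodes
COMMISSIONABLE = "_matterc._udp.local."  # devices waiting to be commissioned
INSTANCE_RE = re.compile(r"^([0-9A-F]{16})-([0-9A-F]{16})$")  # <compressed fabric>-<node id>


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def compressed_fabric_id(root_public_key: bytes, fabric_id: int) -> str:
    """Matter Compressed Fabric Identifier: HKDF-SHA256 over the fabric root
    public key (uncompressed P-256 point without its 0x04 prefix), salt = the
    64-bit fabric ID big-endian, info = "CompressedFabric", 64-bit output.
    Every operational instance name on the fabric starts with this value."""
    if len(root_public_key) != 65 or root_public_key[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 public key")
    out = hkdf_sha256(root_public_key[1:], fabric_id.to_bytes(8, "big"),
                      b"CompressedFabric", 8)
    return out.hex().upper()


@dataclass
class Record:
    service: str
    instance: str
    txt: dict = field(default_factory=dict)


def audit(records, our_fabric_prefix, known_nodes, approved_vendors):
    """Return a list of (instance, reason) findings worth a human look."""
    findings = []
    for r in records:
        if r.service == OPERATIONAL:
            m = INSTANCE_RE.match(r.instance)
            if not m:
                findings.append((r.instance, "malformed operational instance name"))
            elif m.group(1) != our_fabric_prefix:
                findings.append((r.instance, "node on a foreign fabric"))
            elif int(m.group(2), 16) not in known_nodes:
                findings.append((r.instance, "uninventoried node on our fabric"))
        elif r.service == COMMISSIONABLE:
            # TXT keys per the Matter spec: CM = commissioning mode (1/2 = window
            # open), D = discriminator, VP = "<vendor id>+<product id>" in decimal
            cm = int(r.txt.get("CM", "0"))
            vp = r.txt.get("VP", "")
            vendor = int(vp.split("+")[0]) if vp else None
            if cm:
                findings.append((r.instance, f"commissioning window open (D={r.txt.get('D', '?')})"))
            if vendor is not None and vendor not in approved_vendors:
                findings.append((r.instance, f"unapproved vendor {vendor:#06x}"))
    return findings


# Constructed sample data: this root key and fabric ID are made up for the example
FAKE_ROOT_PUBLIC_KEY = b"\x04" + bytes(range(1, 65))
OUR_FABRIC_ID = 0x0000000000000001
OUR_PREFIX = compressed_fabric_id(FAKE_ROOT_PUBLIC_KEY, OUR_FABRIC_ID)
KNOWN_NODES = {0x42, 0x43}
APPROVED_VENDORS = {0xFFF1}  # Matter test vendor ID; use the fixture vendor's CSA VID here

SAMPLE_RECORDS = [
    Record(OPERATIONAL, f"{OUR_PREFIX}-0000000000000042"),     # ours, in inventory
    Record(OPERATIONAL, f"{OUR_PREFIX}-00000000000000FF"),     # ours, not in inventory
    Record(OPERATIONAL, "1122334455667788-0000000000000001"),  # someone else's fabric
    Record(COMMISSIONABLE, "A1B2C3D4E5F60718", {"D": "3840", "CM": "1", "VP": "65521+32768"}),
    Record(COMMISSIONABLE, "0F1E2D3C4B5A6978", {"D": "1234", "CM": "0", "VP": "4660+1"}),
]


def run_sample():
    return audit(SAMPLE_RECORDS, OUR_PREFIX, KNOWN_NODES, APPROVED_VENDORS)


if __name__ == "__main__":
    for instance, reason in run_sample():
        print(f"{instance}: {reason}")
```

Run from a host on the IoT VLAN (or behind the mDNS gateway) on a schedule, and feed the findings into the same ticketing or SIEM pipeline IT already uses; a device advertising an open commissioning window for more than the few minutes an installer needs is the most actionable signal in the list.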

Performance Optimization

Network Capacity Planning

Ensure adequate network capacity:

  • Wi-Fi bandwidth: Each Matter device uses minimal bandwidth (~1-5 Kbps)
  • Concurrent devices: Plan for peak activity when all devices may respond simultaneously
  • Multicast traffic: High device counts can generate significant multicast traffic

Access Point Placement

For optimal coverage:

  • Signal strength: Minimum -67 dBm at all fixture locations
  • Overlap: 20-30% overlap between AP coverage areas
  • Channel planning: Minimize interference between APs
  • Load balancing: Distribute devices across available APs

Thread Mesh Optimization

For Thread-based deployments:

  • Border router placement: Position Thread border routers centrally, on the IoT VLAN, and deploy more than one so the mesh survives a single border router failure
  • Mesh density: Ensure adequate Thread device density for reliable mesh; mains-powered fixtures can act as Thread routers and relay traffic for battery-powered sleepy devices
  • Channel selection: Thread (IEEE 802.15.4) shares the 2.4 GHz band with Wi-Fi, so pick a Thread channel that sits between the Wi-Fi channels in use (with a 1/6/11 Wi-Fi plan, Thread channels 15, 20, 25 and 26 are clear); all border routers of one Thread network must use the same channel
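The channel choice can be computed rather than guessed. The helper below is an added example (not Prolicht code) that lists the Thread channels clear of a given Wi-Fi channel plan: 802.15.4 channel k (11 to 26) is centred at 2405 + 5(k-11) MHz and is about 2 MHz wide, while a 20 MHz Wi-Fi channel n is centred at 2412 + 5(n-1) MHz (channel 14 at 2484 MHz). It also shows the failure mode: with a four-channel plan such as 1/5/9/13 no Thread channel is fully clear, and the least-loaded one has to be chosen instead.

```python
"""Pick Thread channels that avoid a site's 2.4 GHz Wi-Fi channel plan.

Added example for this guide (not Prolicht code). Thread (IEEE 802.15.4)
and 2.4 GHz Wi-Fi share the same band, so the two channel grids have to be
compared in frequency rather than by channel number.
"""

THREAD_HALF_WIDTH_MHZ = 1.0   # 802.15.4 channel is ~2 MHz wide
WIFI_HALF_WIDTH_MHZ = 10.0    # 20 MHz 802.11g/n channel (802.11b is 22 MHz)


def thread_center_mhz(channel: int) -> float:
    """Centre frequency of 802.15.4 channel 11..26."""
    if not 11 <= channel <= 26:
        raise ValueError("Thread uses 802.15.4 channels 11-26")
    return 2405 + 5 * (channel - 11)


def wifi_center_mhz(channel: int) -> float:
    """Centre frequency of 2.4 GHz Wi-Fi channel 1..14."""
    if not 1 <= channel <= 14:
        raise ValueError("2.4 GHz Wi-Fi channels are 1-14")
    return 2484 if channel == 14 else 2412 + 5 * (channel - 1)


def overlaps(thread_channel: int, wifi_channel: int, guard_mhz: float = 0.0) -> bool:
    """True if the two channels' occupied bandwidths (plus a guard band) touch."""
    separation = abs(thread_center_mhz(thread_channel) - wifi_center_mhz(wifi_channel))
    return separation < THREAD_HALF_WIDTH_MHZ + WIFI_HALF_WIDTH_MHZ + guard_mhz


def clear_thread_channels(wifi_channels_in_use, guard_mhz: float = 0.0):
    """Thread channels that overlap none of the Wi-Fi channels in use."""
    return [k for k in range(11, 27)
            if not any(overlaps(k, n, guard_mhz) for n in wifi_channels_in_use)]


if __name__ == "__main__":
    for plan in ([1, 6, 11], [1, 5, 9, 13]):
        print(f"Wi-Fi plan {plan}: clear Thread channels {clear_thread_channels(plan)}")
```

Note that the result only covers co-channel overlap with your own access points; neighbouring tenants' Wi-Fi and other 2.4 GHz equipment can still occupy a "clear" channel, so confirm the choice with a spectrum scan before commissioning the border routers, and remember that a Thread network's channel is shared by all of its border routers.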

Working with IT Departments

Pre-Engagement Preparation

Before engaging IT:

  1. Prepare network requirements document (use this guide as reference)
  2. Document device count and locations
  3. Identify required firewall exceptions
  4. Prepare VLAN configuration recommendations
  5. List required cloud services and domains

IT Communication Points

1. Present Business Case

Explain the benefits: energy savings, improved workspace, modernization. Quantify where possible.

2. Address Security Concerns

Present Matter’s built-in security features. Explain VLAN isolation approach. Provide documentation of security architecture.

3. Define Support Boundaries

Clarify what IT will support (network infrastructure) versus what the installation team handles (device commissioning, user support).

4. Plan Change Management

Work with IT change management process. Schedule installations during maintenance windows if required.

Common IT Objections

“IoT devices are security risks”

  • Explain Matter’s security architecture
  • Propose isolated VLAN with strict firewall rules
  • Offer device attestation verification

“We don’t support consumer devices”

  • Frame as commercial lighting control system
  • Emphasize enterprise features and certifications
  • Provide technical documentation

“No IPv6 on our network”

  • Explain that IPv6 is required for Matter; the protocol does not run over IPv4
  • Propose IPv6 on the isolated IoT VLAN only; link-local addressing is enough when controllers and fixtures share that VLAN, so no IPv6 routing or global prefix is needed elsewhere on the network
  • Most modern network equipment supports IPv6

Documentation for IT

Provide IT with:

  • Network requirements summary
  • Firewall rule specifications
  • VLAN configuration examples
  • Device MAC address list (for inventory, and for MAC filtering if IT requires it; MAC filtering is an inventory aid, not an authentication control)
  • Cloud service domains for whitelisting
  • Support contact information