982  Zigbee Network Formation and Commissioning

How Zigbee networks are created, devices join, and commissioning options

982.1 Learning Objectives

By the end of this chapter, you will be able to:

  • Explain the network formation process initiated by the Coordinator
  • Describe how Routers and End Devices join an existing network
  • Understand PAN ID selection and channel scanning
  • Compare different commissioning methods (Trust Center, Touchlink, Install Codes)
  • Troubleshoot common network joining issues

982.2 Introduction

Network formation is the process of creating a Zigbee network and adding devices to it. Understanding this process is essential for successful deployment and troubleshooting joining issues.

Think of network formation like starting a new company:

  1. Coordinator = CEO opens the office, sets company name (PAN ID)
  2. Routers = Managers join the company, help new employees
  3. End Devices = Employees join through a manager

Just as a new employee needs an ID badge and security clearance, a new Zigbee device needs a network address and encryption keys to participate in the network.

982.3 Network Formation by Coordinator

The Coordinator initiates the network by performing these steps:

982.3.1 Step 1: Channel Selection

The Coordinator scans available channels to find one with minimal interference:

Channel Scan Process:
1. Perform Energy Detect (ED) scan on channels 11-26
2. Measure noise/interference level on each channel
3. Select channel with lowest ED value
4. Alternatively, use pre-configured channel

Typical Results:
Channel 11: -65 dBm (Wi-Fi Ch 1 interference)
Channel 15: -72 dBm (Wi-Fi Ch 6 interference)
Channel 20: -68 dBm (moderate)
Channel 25: -85 dBm (clean) ← Selected
Channel 26: -82 dBm (clean)

982.3.2 Step 2: PAN ID Selection

The Personal Area Network ID uniquely identifies the network:

PAN ID Selection:
1. Generate random 16-bit PAN ID (0x0001 - 0xFFFE)
2. Scan for existing networks on selected channel
3. If PAN ID conflict detected, generate new one
4. Extended PAN ID (64-bit) provides additional uniqueness

Example:
PAN ID: 0x1A2B
Extended PAN ID: DD:DD:DD:DD:DD:DD:DD:DD
Channel: 25

982.3.3 Step 3: Security Initialization

The Coordinator establishes itself as the Trust Center:

Trust Center Setup:
1. Generate 128-bit Network Key (random)
2. Configure Trust Center Link Key (default or custom)
3. Set security policies (join time window, key distribution)
4. Initialize device tables (empty)

Example Network Key: AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90

982.3.4 Step 4: Network Operational

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#E67E22', 'secondaryColor': '#7F8C8D', 'tertiaryColor': '#ECF0F1', 'fontSize': '12px'}}}%%
flowchart TD
    A[Coordinator Powers On] --> B[Channel Scan]
    B --> C{Clean Channel<br/>Found?}
    C -->|Yes| D[Select Channel]
    C -->|No| E[Use Least Noisy]
    E --> D
    D --> F[Generate PAN ID]
    F --> G{PAN ID<br/>Conflict?}
    G -->|Yes| F
    G -->|No| H[Initialize Security]
    H --> I[Start Trust Center]
    I --> J[Begin Transmitting<br/>Beacons]
    J --> K[Network Ready<br/>for Joins]

    style A fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
    style K fill:#16A085,stroke:#2C3E50,stroke-width:3px,color:#fff

Figure 982.1: Coordinator startup sequence from power-on to network ready

982.4 Router Joining Process

When a Router powers on near an existing network:

982.4.1 Phase 1: Network Discovery

Router Scan Process:
1. Active scan: Send beacon requests on each channel
2. Collect beacon responses from nearby devices
3. Filter by:
   - Permit Join = TRUE (accepting new devices)
   - Signal strength (RSSI > threshold)
   - Network capacity (can accept children)

Beacon Response Contains:
- PAN ID: 0x1A2B
- Source Address: 0x0000 (Coordinator)
- Permit Join: TRUE
- Router Capacity: YES
- End Device Capacity: YES

982.4.2 Phase 2: Association

Association Sequence:
1. Router selects best parent (Coordinator or another Router)
2. Sends Association Request to parent
   - Includes 64-bit IEEE address
   - Requests Router capability
3. Parent forwards to Trust Center
4. Trust Center approves and allocates address
5. Parent sends Association Response
   - Includes 16-bit network address
   - Status: Success

982.4.3 Phase 3: Security Key Distribution

Key Distribution:
1. Router requests Network Key from Trust Center
2. Trust Center verifies device (if using Install Codes)
3. Trust Center encrypts Network Key with Trust Center Link Key
4. Sends encrypted Network Key to Router
5. Router decrypts and stores Network Key
6. Router can now participate in network

982.4.4 Phase 4: Router Active

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'signalColor': '#E67E22', 'actorLineColor': '#2C3E50', 'fontSize': '11px'}}}%%
sequenceDiagram
    participant R as New Router
    participant C as Coordinator<br/>(Trust Center)

    Note over R: Power On

    rect rgb(230, 126, 34)
        Note over R,C: Phase 1: Discovery
        R->>C: Beacon Request (broadcast)
        C->>R: Beacon Response<br/>(PAN ID, Permit Join)
    end

    rect rgb(22, 160, 133)
        Note over R,C: Phase 2: Association
        R->>C: Association Request<br/>(IEEE addr, capabilities)
        C->>C: Allocate address 0x0001
        C->>R: Association Response<br/>(Network addr: 0x0001)
    end

    rect rgb(44, 62, 80)
        Note over R,C: Phase 3: Security
        R->>C: Request Network Key
        C->>R: Encrypted Network Key<br/>(AES-128 wrapped)
        R->>R: Decrypt & store key
    end

    Note over R: Router Active<br/>Address: 0x0001

Figure 982.2: Router joining sequence from discovery through security key acquisition

982.5 End Device Joining Process

End Devices follow a similar process but with power-saving considerations:

982.5.1 Differences from Router Joining

| Aspect | Router | End Device |
|---|---|---|
| Scan type | Active (faster) | Passive (lower power) |
| Parent selection | Any router/coordinator | Must select parent |
| Post-join | Always on, routing | Sleep mode |
| Poll interval | N/A | Configure (7.5s typical) |

982.5.2 Parent Selection

End Devices must choose a parent Router carefully:

Parent Selection Criteria:
1. Signal strength (RSSI > -70 dBm preferred)
2. Link Quality Indicator (LQI > 200)
3. End Device capacity (parent can accept children)
4. Depth in network (prefer shallower)

Selection Algorithm:
- Collect all beacon responses
- Score each candidate: Score = RSSI + (LQI/10) - (Depth * 5)
- Select highest score
- Send association request to winner
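
The selection algorithm above as an added example (not code from the original chapter). The `Beacon` fields and the sample beacon values are constructed assumptions; candidates with Permit Join closed or no End Device capacity are excluded before scoring.

```python
from dataclasses import dataclass

@dataclass
class Beacon:
    addr: int          # 16-bit network address of the candidate parent
    rssi: int          # received signal strength in dBm
    lqi: int           # Link Quality Indicator, 0-255
    depth: int         # hops from the Coordinator
    permit_join: bool  # Permit Join flag from the beacon
    ed_capacity: bool  # End Device Capacity flag from the beacon

def score(b):
    # Score = RSSI + (LQI/10) - (Depth * 5), the formula given in the chapter
    return b.rssi + b.lqi / 10 - b.depth * 5

def select_parent(beacons):
    # A parent that cannot accept a child is never a candidate, however strong its signal
    eligible = [b for b in beacons if b.permit_join and b.ed_capacity]
    if not eligible:
        return None
    return max(eligible, key=score)

# Constructed beacon responses (not captured from a real network)
BEACONS = [
    Beacon(0x0000, rssi=-78, lqi=150, depth=0, permit_join=True, ed_capacity=True),
    Beacon(0x0001, rssi=-60, lqi=220, depth=2, permit_join=True, ed_capacity=True),
    Beacon(0x1000, rssi=-55, lqi=180, depth=3, permit_join=True, ed_capacity=True),
    Beacon(0x1001, rssi=-50, lqi=240, depth=1, permit_join=True, ed_capacity=False),
]

if __name__ == "__main__":
    for b in BEACONS:
        print(f"0x{b.addr:04X} score={score(b):.1f} eligible={b.permit_join and b.ed_capacity}")
    print(f"selected parent: 0x{select_parent(BEACONS).addr:04X}")
```

In this sample the candidate at 0x1000 has the strongest RSSI among eligible parents but loses to 0x0001 because of its lower LQI and greater depth.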

982.5.3 Poll Configuration

After joining, End Devices configure their polling behavior:

Polling Setup:
End Device → Parent: "I'll poll every 7.5 seconds"
Parent: "OK, I'll buffer messages for you"

Power Impact:
- 1 second poll: High power, fast response
- 7.5 second poll: Medium power, slight delay
- 30 second poll: Low power, noticeable delay

Typical Configuration:
- Motion sensors: 3-5 second poll (fast response needed)
- Temperature sensors: 30-60 second poll (data not urgent)
- Door sensors: Event-driven + 10 second poll

982.6 Commissioning Methods

982.6.1 Trust Center Commissioning (Standard)

The default method uses the Trust Center Link Key:

Default Trust Center Link Key:
5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39
(ASCII: "ZigBeeAlliance09")

Process:
1. New device uses default link key
2. Trust Center sends Network Key encrypted with default key
3. Anyone knowing default key can join network

Security Concern:
- Default key is publicly known
- Attacker could capture Network Key during join
- Suitable for consumer devices, not high-security

982.6.2 Install Code Commissioning (High Security)

Install codes provide per-device security:

Install Code Process:
1. Each device has unique Install Code (printed on label)
   Example: 83FE:D340:7A93:9F2B:CAFE
2. Administrator enters Install Code into Coordinator
3. Trust Center derives unique Link Key from Install Code
4. Network Key sent encrypted with device-specific key
5. Attacker cannot decrypt without Install Code

Security Advantage:
- No publicly known keys used
- Per-device key derivation
- Recommended for commercial/industrial

982.6.4 Commissioning Comparison

| Method | Security | Ease of Use | Best For |
|---|---|---|---|
| Default TC Key | Low | Easy | Consumer, non-critical |
| Install Codes | High | Moderate | Commercial, sensitive |
| Touchlink | Medium | Very Easy | Consumer lighting |
| Out-of-Band | Highest | Complex | High-security |

982.7 Permit Join Window

Networks control when new devices can join:

Permit Join Settings:
- Permit Join = TRUE: Network accepting joins
- Permit Join = FALSE: Network closed

Time Window:
- Typical: 60-180 seconds
- Opens when admin initiates pairing
- Closes automatically after timeout
- Can be limited to specific Routers

Command:
Coordinator: "Permit Join ON for 180 seconds"
All Routers: Enable join acceptance
After 180s: Automatically disable

982.7.1 Security Best Practice

Secure Deployment Pattern:
1. Configure all devices with Permit Join = FALSE (default)
2. When adding device:
   - Open Permit Join for 60 seconds only
   - Add single device
   - Close Permit Join
3. Never leave Permit Join permanently open
4. Log all join events for auditing

982.8 Address Assignment

The Coordinator manages 16-bit address allocation:

982.8.1 Stochastic Assignment (Default)

Random Address Selection:
Address Pool: 0x0001 to 0xFFFD (65,533 addresses)
Reserved:
- 0x0000: Coordinator
- 0xFFFF: Broadcast

Process:
1. Generate random address
2. Check not already assigned
3. If collision, generate new
4. Assign to joining device
5. Store in device table

Advantage: Simple, no pre-planning
Disadvantage: Addresses not meaningful

982.8.2 Distributed Assignment (Optional)

Hierarchical Addressing:
Based on network depth and parent address

Coordinator (depth 0): 0x0000
├── Router 1 (depth 1): 0x0001
│   ├── End Device 1: 0x0002
│   └── End Device 2: 0x0003
├── Router 2 (depth 1): 0x1000
│   └── Router 3 (depth 2): 0x1001
│       └── End Device 3: 0x1002

Advantage: Address reveals network topology
Disadvantage: Requires pre-planning maximum children per device

982.9 Timing Details

Understanding join timing helps with troubleshooting:

| Phase | Duration | Notes |
|---|---|---|
| Channel scan | 100-500ms | Passive: 500ms, Active: 100ms |
| Beacon collection | 500-2000ms | Wait for all beacons |
| Association | 100-500ms | Request + response |
| Key exchange | 100-300ms | Trust Center round-trip |
| Total join time | 1-5 seconds | Typical successful join |

982.9.1 Timeout Values

Configurable Timeouts:
- Association timeout: 3 seconds
- Network key timeout: 5 seconds
- Permit join window: 60-255 seconds
- Orphan timeout: 30 seconds

If timeouts exceeded:
- Device retries from beginning
- May select different parent
- After 3-5 failures, report error

982.10 Troubleshooting Joining Issues

982.10.1 Common Problems and Solutions

| Symptom | Likely Cause | Solution |
|---|---|---|
| Device not finding network | Permit Join closed | Open Permit Join on Coordinator |
| Association fails | Network full | Check device table capacity |
| Key exchange timeout | Range issue | Move device closer |
| Device keeps rejoining | Parent offline | Check parent Router power |
| Wrong network joined | Multiple PANs nearby | Specify PAN ID manually |

982.10.2 Diagnostic Steps

Troubleshooting Checklist:
1. Verify Permit Join is OPEN (check Coordinator logs)
2. Check device is in pairing mode (LED blinking)
3. Confirm device is within range (< 10m for initial join)
4. Verify channel matches (no interference)
5. Check Install Code entered correctly (if using)
6. Reset device to factory and retry

Coordinator Logs to Check:
- "Association Request from [MAC]" - Device found network
- "Association Response sent" - Address assigned
- "Network Key transported" - Security established
- "Device [addr] online" - Join complete
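
An added example (not from the original chapter) that audits join events against the secure deployment pattern in 982.7.1, using the coordinator log messages listed above. The `<seconds> <message>` line layout, the "Permit Join ON/OFF" lines, and all addresses are constructed assumptions; real coordinator logs will need their own parsing.

```python
import re

MAX_WINDOW_S = 60  # 982.7.1: open Permit Join for 60 seconds only

# Constructed sample log; real coordinator log formats differ by vendor.
SAMPLE_LOG = """\
100 Permit Join ON for 60 seconds
112 Association Request from 00:11:22:33:44:55:66:01
112 Association Response sent
113 Network Key transported
113 Device 0x4A21 online
160 Permit Join OFF
300 Permit Join ON for 255 seconds
310 Association Request from 00:11:22:33:44:55:66:02
340 Association Request from 00:11:22:33:44:55:66:03
555 Permit Join OFF
900 Association Request from 00:11:22:33:44:55:66:04
"""

def audit(log_text):
    """Return (timestamp, finding) tuples for deviations from the pattern."""
    findings = []
    window_end = None  # time the open window closes; None while closed
    joins = 0          # association requests seen in the current window
    for line in log_text.splitlines():
        ts_str, msg = line.split(" ", 1)
        ts = int(ts_str)
        if window_end is not None and ts >= window_end:
            window_end = None  # window closed automatically after timeout
        opened = re.fullmatch(r"Permit Join ON for (\d+) seconds", msg)
        if opened:
            duration = int(opened.group(1))
            window_end, joins = ts + duration, 0
            if duration > MAX_WINDOW_S:
                findings.append((ts, f"window of {duration}s exceeds {MAX_WINDOW_S}s"))
        elif msg == "Permit Join OFF":
            window_end = None
        elif msg.startswith("Association Request from "):
            mac = msg.rsplit(" ", 1)[1]
            if window_end is None:
                findings.append((ts, f"association request from {mac} while Permit Join closed"))
            else:
                joins += 1
                if joins > 1:
                    findings.append((ts, f"more than one device in a single window: {mac}"))
    return findings

if __name__ == "__main__":
    for ts, text in audit(SAMPLE_LOG):
        print(ts, text)
```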

982.11 Summary

This chapter covered Zigbee network formation and commissioning:

  • Coordinator Startup: Channel selection, PAN ID generation, security initialization
  • Router Joining: Active scan, association, key distribution, routing activation
  • End Device Joining: Passive scan, parent selection, poll configuration
  • Commissioning Methods: Default key (easy), Install Codes (secure), Touchlink (proximity)
  • Address Assignment: Stochastic (random) or distributed (hierarchical)
  • Timing: Typical join completes in 1-5 seconds

Key best practices:

  • Keep Permit Join closed except during device addition
  • Use Install Codes for commercial/security-sensitive deployments
  • Ensure adequate range during initial joining
  • Log and audit all join events

982.12 What's Next

In the next chapter, Zigbee Security, we dive deeper into the Trust Center, network keys, link keys, and encryption mechanisms that protect Zigbee communications.