In Smart Buildings there are a large number of connected devices. Each of them is potentially vulnerable, so an attacker could use a single smart device to launch attacks within the Smart Building network. We propose a concept that partitions the network into trust zones derived from the application layer, so that devices that are logically linked at the application layer are able to communicate at the MAC layer. A trusted device is used to bootstrap new devices and to reconfigure existing trust zones. We restrict communication as far as possible, so that the potential damage caused by a compromised device is limited. In principle, malicious behavior of a device could lead to its exclusion at the MAC layer. The general concept is described using a typical IoT protocol stack consisting of IEEE 802.11s, IP, UDP/DTLS, and CoAP.
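The trust-zone partitioning sketched in the abstract, as an added illustration that is not code from the paper: a small policy model in which application-layer zones become MAC-layer allow-lists, only the trusted device may bootstrap or reconfigure, and an excluded device loses all MAC-layer reachability. The MAC addresses, zone names and CoAP frame tuples are constructed; a real node would wire such a policy into its IEEE 802.11s mesh peering and frame filtering.

```python
# Added example (not from the paper): application-layer trust zones enforced as
# MAC-layer allow-lists. All MAC addresses and frame tuples are constructed.
from dataclasses import dataclass, field

TRUSTED_MAC = "02:00:00:00:00:01"  # constructed: the trusted bootstrapping device


@dataclass
class TrustZoneController:
    zones: dict = field(default_factory=dict)   # zone name -> set of member MACs
    excluded: set = field(default_factory=set)  # MACs removed for misbehavior
    def _require_trusted(self, actor_mac):
        # Only the trusted device may create, change or dissolve zones.
        if actor_mac != TRUSTED_MAC:
            raise PermissionError(f"{actor_mac} is not the trusted device")

    def bootstrap(self, actor_mac, device_mac, zone):
        """Admit a new device into the zone of the application it belongs to."""
        self._require_trusted(actor_mac)
        self.zones.setdefault(zone, set()).add(device_mac)

    def exclude(self, actor_mac, device_mac):
        """Drop a misbehaving device from every zone: it loses MAC-layer reachability."""
        self._require_trusted(actor_mac)
        for members in self.zones.values():
            members.discard(device_mac)
        self.excluded.add(device_mac)

    def mac_allowed(self, src, dst):
        """Pass a frame only if src and dst share a zone; the trusted device stays reachable."""
        if src in self.excluded or dst in self.excluded:
            return False
        if TRUSTED_MAC in (src, dst):
            return True
        return any(src in m and dst in m for m in self.zones.values())

    def filter_frames(self, frames):
        """Apply the policy to (src, dst, payload) tuples; keep the frames that pass."""
        return [f for f in frames if self.mac_allowed(f[0], f[1])]


def demo():
    c = TrustZoneController()
    thermo, hvac, lamp = "02:00:00:00:00:10", "02:00:00:00:00:11", "02:00:00:00:00:20"
    for dev, zone in ((thermo, "hvac"), (hvac, "hvac"), (lamp, "lighting")):
        c.bootstrap(TRUSTED_MAC, dev, zone)
    frames = [(thermo, hvac, "CoAP PUT /setpoint"),        # same zone: passes
              (thermo, lamp, "CoAP GET /state"),           # cross-zone: dropped
              (TRUSTED_MAC, lamp, "CoAP POST /reconfig")]  # trusted device: passes
    before = len(c.filter_frames(frames))
    c.exclude(TRUSTED_MAC, thermo)  # thermostat misbehaved: cut off at MAC layer
    return before, len(c.filter_frames(frames))
```

`demo()` returns the number of frames that pass before and after the thermostat is excluded; the cross-zone request is dropped in both cases.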