
I had an interesting discussion on Facebook a few weeks ago with another network engineer, which went something like this:

Me:

I'd like to smack the person who thought it would be a good idea to put a network of 200+ devices onto a subnet of 192.168.2.0/23 (no, that ending 3 is not a typo), as well as (quite possibly) the same person who thought it would be a good idea to install a headless firewall onto hardware without VGA or Console [or serial] output.

Him:

I don't get it. If I'm creating a network for 200+ devices and I want them to all be on the same broadcast domain, /23 is the ticket bud with 510 useable. Is it the fact there is no network segmentation that bothers you?

Me:

Creating a 10/16 would have been a much better way to go (in terms of making it clean and easy to deal with later down the road). Plus, this particular client is growing like mad and should have 500+ devices by next year.

Him:

I would avoid anything over /22 for a broadcast domain unless you had a really good reason. What kind of switching and routing you got? Sounds like it's time for an SVI or a router on a stick.

Basically, my annoyance was that whoever set up the original network did so with a 192.168.2.0/23, causing the 192 network to be split into 2 separate IP blocks (I didn't like the fact that the ending octet was different, but the same subnet).

So here's my question:

Is there a network performance concern to setting up networks with a lower subnet mask than is actually required by the number of devices on the network? Are there any other reasons why this is a bad idea (Aside from the security & logical reasons of creating smaller subnets - creating certain VLANs, separating 1 part of the network from the other, etc....)?

As an aside, I skimmed through the top answer to the Canonical Question on IPv4 Subnetting, and learned a few things, but it didn't directly answer my question from a performance point of view. Specifically, though, I found the "Top three main reasons why you would subnet a network" section towards the end of that answer helpful.

In my mind, if I were to put a total of 30 devices onto a 10/16 subnet, there wouldn't be a problem. However, if I were to put 2048 devices, or so, onto a 10/16 without any routers in between or layer 3 switching, then obviously there would be a problem, with a lot of devices trying to broadcast.

David W
  • I think you're conflating collision domains with broadcast domains. Collision domains thankfully went the way of the dodo with the demise of the network hub. – EEAA Mar 28 '14 at 18:27
  • Also, there's no "right" answer to this. It's completely dependent on your network traffic. If your devices happen to be very quiet, with not a lot of broadcasts, then having 1k on a single broadcast domain shouldn't cause a problem. That said, I tend to typically *only* deploy `/24`s unless I have a very good reason to go larger than that. Unless your devices are **extremely** chatty, you'd be hard-pressed to see any performance degradation on even a `/22`. – EEAA Mar 28 '14 at 18:29
  • Ah yes, indeed - "Collision domains" vs. "Broadcast Domains" - I'll update the question accordingly. Thanks for this. Also, when you say you only deploy to /24 unless you have a good reason to go larger than that.... do you mean larger subnet (/23, /22, etc..) or a smaller netmask (/25, /26, etc...) – David W Mar 28 '14 at 18:37
  • In general, when speaking of a "larger subnet", the "larger" applies to the number of IP addresses in that subnet. So - "larger subnet" means numerically-smaller netmask. – EEAA Mar 28 '14 at 18:58

2 Answers

6

I'd like to smack the person who thought it would be a good idea to put a network of 200+ devices onto a subnet of 192.168.2.0/23 (no, that ending 3 is not a typo)...

Why is this a bad thing? I agree with your FB friend: this subnet size seems to be the perfect size for the use case.

...as well as (quite possibly) the same person who thought it would be a good idea to install a headless firewall onto hardware without VGA or Console [or serial] output.

I'm with you there. I run many headless firewalls (pfSense on embedded hardware), but they all have serial consoles.

Creating a 10/16 would have been a much better way to go (in terms of making it clean and easy to deal with later down the road). Plus, this particular client is growing like mad and should have 500+ devices by next year.

A 10.0.0.0/16?!? As a single subnet? For 500 devices? Sure, it'll work, but it seems incredibly wasteful. You want to give yourself some breathing room in subnet allocations, but that's extreme.

Basically, my annoyance was that whoever set up the original network did so with a 192.168.2.0/23, causing the 192 network to be split into 2 separate IP blocks (I didn't like the fact that the ending octet was different, but the same subnet).

So you don't like the /23 because it looks odd? Seems like something you probably need to get over.

Under the covers, it's all binary.

Is there a network performance concern to setting up networks with a lower subnet mask than is actually required by the number of devices on the network?

By "lower", I presume you mean "larger"? If not, let me know and I'll revise.

In short, no. Assuming the same number of devices and the same traffic profile, performance would be the same on a /30 as it would on a /8.

Are there any other reasons why this is a bad idea (Aside from the security & logical reasons of creating smaller subnets - creating certain VLANs, separating 1 part of the network from the other, etc....)?

For one, as I mentioned earlier, it's incredibly wasteful to create huge subnets if you don't need them. Sure, there's no cost to RFC1918 IP addresses, but creating subnets that are larger than necessary limits your flexibility in the future if you need to change things up.

As a general rule, for end-user segments, I prefer /24 networks. If there's a significant technical need, I'll go up to a /22, but never any larger than that. I'll go to great lengths to segment the network into smaller subnets (and smaller broadcast domains) before moving to a larger subnet.

However, if I were to put 2048 devices, or so, onto a 10/16 without any routers in between or layer 3 switching, then obviously there would be a problem, with a lot of devices trying to broadcast.

There may be a problem. But there may not. It's not obvious. It depends completely on the nature of your use case.

If you don't like how your predecessor set up the network, well then consider changing it. But don't do it for aesthetic reasons ("/23 looks odd"). Do it for sound technical reasons, and make sure whatever architecture you change to is actually better than what you're deprecating.

EEAA
  • This was both really helpful *and* amusing. Thanks! – David W Mar 28 '14 at 18:55
  • You're welcome. Glad to be of help. Hopefully you'll get a few more good answers in addition to this one. Happy Friday! – EEAA Mar 28 '14 at 18:56
  • 1. `In short, no, with the same number of devices and the same traffic profile, performance would be the same on a /30 as it would on a /8.` - I can't tell you how many times I have to make this point to people during conversations about networking. Thanks for including this in your answer. – joeqwerty Mar 28 '14 at 19:05
  • 2. `If you don't like how your predecessor set up the network, well then consider changing it. But don't do it for aesthetic reasons ("/23 looks odd"). Do it for sound technical reasons` - I can't tell you how many times I hear people say they need to implement something because they think they should or because someone told them they should but lack any clearly defined business or technical reason for doing so. Thanks for including this in your answer as well. – joeqwerty Mar 28 '14 at 19:05
1

The main reason to avoid one big broadcast domain is because one dirty NIC can take down your network. In other words, if you have 4 networks (172.18.1.0/24 thru 171.18.4.0/24 let's say) and one of the networks has a NIC on it that is spitting out tons of bad packets, you are going to be having bad network performance on that one network. The troubleshooting process will be a lot easier.

The other reason for splitting things up is to quickly identify where a device is by IP address. I've never run into an office space that has more than 254 end user devices in a room (though I'm sure they exist). The only time I like a network larger than /24 is for servers.
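The numbers argued over in this thread can be checked directly. The script below is an added example, not code from the question or either answer; it uses only Python's standard-library `ipaddress` module. It shows why 192.168.2.0/23 "spans two octets" (a 9-bit host part simply does not fall on a dotted-decimal boundary), how many hosts each prefix length actually holds, that the broadcast load a host sees depends on how many devices are on the segment and not on the prefix length (the accepted answer's /30-versus-/8 point), and how a one-/24-per-area layout lets you place a device from its third octet, as the second answer describes. The 172.18.x.0/24 areas, the 200- and 2048-device counts, and the per-device broadcast rate are constructed sample values.

```python
import ipaddress


def network(cidr):
    """Parse a CIDR string into an IPv4Network.

    strict=False also accepts a host address with its mask (192.168.2.10/23)
    and returns the block that address belongs to."""
    return ipaddress.ip_network(cidr, strict=False)


def usable_hosts(net):
    """Addresses that can be assigned to hosts in the block.

    A /31 (RFC 3021 point-to-point link) and a /32 have no separate network
    and broadcast address; every wider block loses those two."""
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def host_range(net):
    """First and last assignable host address as dotted-decimal strings."""
    if net.prefixlen >= 31:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def third_octets(net):
    """Distinct third-octet values the block covers, ascending.

    192.168.2.0/23 covers 192.168.2.x and 192.168.3.x: the 9-bit host part
    does not line up with the dotted-decimal boundary, which is all the
    "split into 2 IP blocks" in the question amounts to."""
    if net.prefixlen >= 24:
        return [net.network_address.packed[2]]
    return sorted({sub.network_address.packed[2] for sub in net.subnets(new_prefix=24)})


def broadcast_pps_seen(prefixlen, n_devices, pps_per_device):
    """Broadcast frames per second every host on the segment must process.

    Each device receives the broadcasts of the other n_devices - 1 devices.
    The prefix length only bounds how many devices fit on the segment; it
    does not appear in the load at all."""
    capacity = usable_hosts(ipaddress.ip_network(f"10.0.0.0/{prefixlen}", strict=False))
    if n_devices > capacity:
        raise ValueError(f"/{prefixlen} holds at most {capacity} hosts, not {n_devices}")
    return (n_devices - 1) * pps_per_device


def locate(ip, subnets):
    """Return the configured subnet a host address falls in, or None.

    With one /24 per area, the third octet alone says where to look."""
    addr = ipaddress.ip_address(ip)
    for sub in subnets:
        if addr in sub:
            return sub
    return None


if __name__ == "__main__":
    for cidr in ("192.168.2.0/23", "192.168.2.0/24", "10.0.0.0/22"):
        net = network(cidr)
        print(cidr, host_range(net), usable_hosts(net), "hosts, third octets", third_octets(net))
    print("10.0.0.0/16", host_range(network("10.0.0.0/16")), usable_hosts(network("10.0.0.0/16")), "hosts")

    # Same 200 devices, each sending 2 broadcasts/s (constructed figures):
    # the per-host load is identical on a /23 and on a /16.
    print(broadcast_pps_seen(23, 200, 2), broadcast_pps_seen(16, 200, 2))
    # The question's 2048-device single-segment scenario on a /16.
    print(broadcast_pps_seen(16, 2048, 2))

    # Constructed per-area /24s in the style of the second answer.
    areas = [network(f"172.18.{i}.0/24") for i in range(1, 5)]
    print(locate("172.18.3.7", areas))
```

`broadcast_pps_seen` deliberately refuses a device count the prefix cannot hold, so the only way to change the load figure is to change the number of devices or their chattiness, never the mask.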