
We have a standard /24 subnet for users, computers and other devices. We're getting to the point where we have more users and want to go with multiple subnets for different types of devices. While this is simple to implement, one of the other ways to have more devices on the network was to simply expand the network to a /23 or /22 mask.

I've heard from multiple sources that it's not encouraged to use larger subnets because of broadcasting and other issues/problems that will arise from this. I've tried finding a proper source for those issues and problems and couldn't find one article (maybe I'm that bad at Google) that would give me clear pros and cons for larger subnets and the potential issues. While I understand that larger subnets such as /16 or so would be really bad for some things, I am trying to understand what would be so problematic about those a bit larger than standard networks (/23 or /22). I'm also aware that having VLANs will give additional security boosts, but while I can understand the pros of having VLANs, I can't find what's so bad about larger subnets and what impact they can have on the network/devices.

Current:

Address:   192.168.0.1           11000000.10101000.00000000 .00000001
Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
=>
Network:   192.168.0.0/24        11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255         11000000.10101000.00000000 .11111111
HostMin:   192.168.0.1           11000000.10101000.00000000 .00000001
HostMax:   192.168.0.254         11000000.10101000.00000000 .11111110
Hosts/Net: 254                   (Private Internet)

Planned:

Address:   192.168.0.1           11000000.10101000.000000 00.00000001
Netmask:   255.255.252.0 = 22    11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255             00000000.00000000.000000 11.11111111
=>
Network:   192.168.0.0/22        11000000.10101000.000000 00.00000000 (Class C)
Broadcast: 192.168.3.255         11000000.10101000.000000 11.11111111
HostMin:   192.168.0.1           11000000.10101000.000000 00.00000001
HostMax:   192.168.3.254         11000000.10101000.000000 11.11111110
Hosts/Net: 1022                  (Private Internet)

Would really appreciate it if someone took the time and actually gave a nice overview of this.

MadBoy
  • The [canonical subnetting Q&A](https://serverfault.com/q/49765/37681) mentions the commonly cited reason for limiting the size of subnets: *"In an Ethernet network, you might **use subnetting to limit the amount of broadcast traffic** in a given portion of the network. Application-layer protocols use the broadcast capability of Ethernet for very useful purposes. As you get more and more hosts packed into the same Ethernet network, though, the percentage of broadcast traffic on the wire can increase to such a point as to create problems for delivery of non-broadcast traffic."* – HBruijn May 12 '17 at 11:26
  • @HBruijn the question is when it becomes a problem. While I understand this, and it makes some sense, I need to know when it's still ok to use, and when I should use VLANs instead. – MadBoy May 12 '17 at 11:30
  • @MadBoy: The answer to this is naturally "It depends", namely on the types of clients you have and the amount of broadcast traffic they generate. Analyze your current situation and extrapolate what would happen if you grow your network with `n` clients in a `/23` or `/22` network. – Sven May 12 '17 at 11:42
  • (I reached the maximum length for a comment, to continue:) That is for a large part more of a historic problem that people had with broadcast traffic in 10 Mbit/s networks with hubs. In modern networks that are fully switched and which typically run at least at gigabit speeds, achieving a significant bandwidth percentage with only broadcast traffic is much more difficult. A practical upper limit to a subnet size would be the limits on the MAC table modern switches can hold. – HBruijn May 12 '17 at 11:42
  • Right now we just have Users, Printers, Scanners, Mobile Phones and switches/routers in same /24 subnet. Nothing else is there. Servers are all located in colocation and if there will be any servers it will be simple file servers, ad and maybe deployment (for images) server. At the moment we don't have that. – MadBoy May 12 '17 at 11:44
  • This is an old story, but my university early in the internet days was assigned a class B address space that we at that time masked at /16. This was ok at first, but as time went on and more and more nodes were generating more and more traffic, we went to /24 and that has been fine, even with some broadcast domain binding of certain subnets. – Eddie Dunn May 12 '17 at 13:11
  • I'd also keep in mind that once you start using IPv6 that subnet will be larger than the /24 you have today. It might be nice to have both address spaces more closely aligned. – Jim B May 12 '17 at 13:16
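The comments above suggest measuring the broadcast traffic you have now and extrapolating it to a /23 or /22. The script below is an added example of how to do that; it is not part of the question or of any comment. It parses frame lines in the shape that `tcpdump -e -nn -tt -q` prints (the sample is constructed, not a real capture), classifies each frame as broadcast, multicast or unicast from the destination MAC, and scales the measured per-host broadcast rate to the host counts of the larger prefixes. The 1 Gbit/s link budget, the capture window, and the assumption that every host in the domain appears as a source during that window are mine, not the page's.

```python
"""Extrapolate measured broadcast load from a /24 to a /23 or /22."""
import re
from dataclasses import dataclass

# Constructed 10-second sample in the shape of `tcpdump -e -nn -tt -q` output
# from the existing /24. It is illustrative, not a real capture.
SAMPLE = """\
1494587000.000000 00:11:22:33:44:0a > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 192.168.0.1 tell 192.168.0.10
1494587000.500000 00:11:22:33:44:01 > 00:11:22:33:44:0a, IPv4, length 1514: 192.168.0.1.445 > 192.168.0.10.51020: tcp 1460
1494587001.000000 00:11:22:33:44:0b > ff:ff:ff:ff:ff:ff, IPv4, length 243: 192.168.0.11.138 > 192.168.0.255.138: UDP, length 201
1494587002.000000 00:11:22:33:44:0c > 01:00:5e:00:00:fb, IPv4, length 120: 192.168.0.12.5353 > 224.0.0.251.5353: UDP, length 78
1494587003.000000 00:11:22:33:44:0a > 00:11:22:33:44:01, IPv4, length 66: 192.168.0.10.51020 > 192.168.0.1.445: tcp 0
1494587004.000000 00:11:22:33:44:0b > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 192.168.0.20 tell 192.168.0.11
1494587006.000000 00:11:22:33:44:0d > ff:ff:ff:ff:ff:ff, IPv4, length 342: 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
1494587010.000000 00:11:22:33:44:0c > 00:11:22:33:44:01, IPv4, length 1514: 192.168.0.12.50001 > 192.168.0.1.445: tcp 1460
"""

# timestamp, source MAC, destination MAC, frame length; the rest is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"[^,]+, length (?P<length>\d+):"
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ts: float
    src: str
    dst: str
    length: int

    @property
    def kind(self) -> str:
        """Broadcast and multicast are flooded to every port of the L2 domain."""
        if self.dst == BROADCAST:
            return "broadcast"
        if int(self.dst[:2], 16) & 1:  # I/G bit of the first octet set: group address
            return "multicast"
        return "unicast"


def parse(text: str) -> list:
    """Keep only lines that look like frames; tcpdump also prints summaries."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(Frame(float(m["ts"]), m["src"], m["dst"], int(m["length"])))
    return frames


def summarize(frames: list) -> dict:
    """Per-host broadcast rate over the capture window."""
    if len(frames) < 2:
        raise ValueError("need at least two frames to measure a time window")
    duration = frames[-1].ts - frames[0].ts
    hosts = {f.src for f in frames}  # assumption: every host sent something
    bcast = [f for f in frames if f.kind == "broadcast"]
    mcast = [f for f in frames if f.kind == "multicast"]
    bcast_bytes = sum(f.length for f in bcast)
    return {
        "duration_s": duration,
        "hosts_seen": len(hosts),
        "broadcast_frames": len(bcast),
        "multicast_frames": len(mcast),
        "broadcast_bytes": bcast_bytes,
        "bcast_fps_per_host": len(bcast) / duration / len(hosts),
        "avg_bcast_bytes": bcast_bytes / len(bcast) if bcast else 0.0,
    }


def extrapolate(summary: dict, hosts: int, link_bps: int = 1_000_000_000) -> dict:
    """Scale the per-host rate to a bigger domain at the same behaviour per host."""
    fps = summary["bcast_fps_per_host"] * hosts
    bps = fps * summary["avg_bcast_bytes"] * 8
    return {
        "hosts": hosts,
        "broadcast_fps": fps,  # every NIC in the domain has to receive these
        "broadcast_bps": bps,
        "link_fraction": bps / link_bps,
    }


if __name__ == "__main__":
    s = summarize(parse(SAMPLE))
    print(f"{s['hosts_seen']} hosts, {s['broadcast_frames']} broadcasts in {s['duration_s']:.0f}s")
    for prefix, n in (("/24", 254), ("/23", 510), ("/22", 1022)):
        e = extrapolate(s, n)
        print(f"{prefix}: {e['broadcast_fps']:6.1f} broadcast frames/s, "
              f"{e['link_fraction'] * 100:.4f}% of a 1 Gbit/s link")
```

Run it against a real capture by replacing `SAMPLE` with the text of `tcpdump -e -nn -tt -q` taken over several minutes at a busy time; the link fraction is what HBruijn's comment is about, while the frames/s figure is the per-host interrupt load, which is the number that still grows linearly with domain size on a fully switched gigabit network.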

3 Answers


Your network is your first layer of defense. Large subnets are fun for home, but for business I would strongly advise against them. Network segmentation is a must if you want to secure your environment.

There seems to be this new idea that protecting your network on Layer 7 (application protocols) is enough, but a lot of communication/data exchange is done on Layers 2-6; this is why subnetting is so important.

Pros:

  • The only real advantage of a large subnet is that devices on the same network can continue talking to each other if the router fails. On the other hand, if your router fails I don't think this will solve much.
  • Cheaper network devices.

Cons:

  • Broadcast storms: all devices talk to all devices on the same network constantly.
  • ARP scan/poisoning: you can find and manipulate all devices within that subnet.
  • You can see a lot of communication between devices on the same subnet; this can include strings of data with company/user/device information.
  • Man in the middle: if a server is in the same subnet you can broadcast your device with its IP and now you are the server all clients talk to.
  • DHCP spoofing: put your own DHCP server in there and you can now spoof whatever you want: domain controllers, DNS servers, etc.
  • Malware/ransomware: large subnet = virus free card; your company might be the next one in the news that was fully encrypted by ransomware.
  • Hackers love large subnets. It makes it real easy. Example: someone clicked on a phishing link at home and ran an application; a reverse TCP connection could now be set up on their client. The next day they are at work connected to the subnet, and now all devices in the subnet are compromised.

Why take these risks? Part of an IT professional's job is network design including segmentation. Normally you segment by device function. Example:

  • User clients.
  • Printers.
  • VoIP.
  • IT clients.
  • DMZ.
  • Backend.

Why? If there is a known CVE for a printer and it's on the same subnet as the rest, now everything is vulnerable instead of just the printers. I would even go as far as segmenting every app frontend and backend into their own subnets to keep a cyberattack isolated from the rest of my infrastructure.

Large subnets are fun for home, very risky for business, and to be honest I find VLANs/segmentation easier to document and set up than having the chaos of one large subnet.

Dave M
Paulus

Pros

  • It's easy to remember; I mean you can use a /16 and all PCs, printers and servers will be on the same network.
  • Less cost; you will need no routers for routing from one network to another.
  • You will already have a large IP pool for the future if you want to add more devices.

Cons

  • Security: if you are at a college etc. you don't want to have the educational and business networks together.
  • More chaos: with these large IP pools you don't have a flexible network.
N3kos

There are no specific problems with larger networks; they might work properly. The issues that potentially might arise are not connected with the IP address ranges (L3), but with the number of hosts that are online within a single broadcast domain (i.e. L2).

  1. There is almost no difference between having 192.168.0.0/24 plus 192.168.1.0/24 in the same network segment and having a single 192.168.0.0/23 (almost, because if someone sets an IP conflicting with the default gateway, in the former case it breaks only half of the hosts, while in the latter it breaks the entire network),

  2. the "large broadcast volume" argument is mostly outdated; any single host can generate a flood breaking the entire collision domain (historically speaking), unless blocked by some kind of traffic limiter (supported by many switches), while regular traffic would not usually exceed network limits,

  3. large network size is rather a symptom of another problem than a problem itself: too large a broadcast domain.

Large L2 network creates real problems:

  1. a large number of MAC addresses might overflow the table on some switches,
  2. any topology problem would span the entire network (e.g. a single loop might break the entire VLAN, unless blocked by loop detection on some switch),
  3. any rogue DHCP server might interfere with all the hosts (unless untrusted DHCP servers/ports are blocked on the switches),
  4. a large L2 segment usually means there is chaos in maintenance, with no management database or rules of assignment, which are eventually required when dealing with a large number of hosts.

So, if you are asking such a question, the only answer is: no, a large L3 network is not a problem, but it is high time to introduce VLANs in the underlying L2 network.

Tomasz Pala
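The answers above disagree on broadcast volume but agree on the thing that actually matters: how many hosts share one L2 domain, because any of them can ARP-spoof the gateway for the others or answer their DHCP requests. The script below is an added example, not code from this or any other answer, that makes that concrete for the two options in the question: it takes a constructed device inventory and two candidate plans (everything in the planned 192.168.0.0/22 versus one VLAN per function carved out of the same /22), checks that a plan's subnets stay inside the aggregate, don't overlap and have room for their hosts plus a gateway, and reports for each role how many hosts of other roles share its broadcast domain. The inventory sizes, the subnets, and the rule of reserving one address per subnet for a gateway are assumptions for illustration.

```python
"""Compare a flat /22 with per-function VLANs by broadcast-domain exposure."""
import ipaddress
import itertools
from collections import defaultdict

# Constructed inventory of (hostname, role); the counts are illustrative.
INVENTORY = (
    [(f"ws-{i:03d}", "user") for i in range(1, 41)]
    + [(f"prn-{i:02d}", "printer") for i in range(1, 6)]
    + [(f"phone-{i:02d}", "voip") for i in range(1, 21)]
    + [("fs-01", "server"), ("dc-01", "server"), ("it-01", "it"), ("it-02", "it")]
)

# Plan A: the question's /22, i.e. every role in one broadcast domain.
FLAT_PLAN = dict.fromkeys(["user", "printer", "voip", "server", "it"], "192.168.0.0/22")

# Plan B: one VLAN per function, all taken from the same /22 (assumed layout).
SEGMENTED_PLAN = {
    "user": "192.168.0.0/24",
    "voip": "192.168.1.0/24",
    "printer": "192.168.2.0/26",
    "server": "192.168.2.64/26",
    "it": "192.168.2.128/26",
}


def domains(plan: dict, inventory: list) -> dict:
    """Group hosts by the subnet (and so the L2 domain) their role lands in."""
    by_net = defaultdict(list)
    for host, role in inventory:
        by_net[ipaddress.ip_network(plan[role])].append((host, role))
    return dict(by_net)


def validate(plan: dict, inventory: list, aggregate: str = "192.168.0.0/22") -> list:
    """Return a list of problems: subnets outside the aggregate, overlaps, too small."""
    agg = ipaddress.ip_network(aggregate)
    nets = domains(plan, inventory)
    problems = []
    for net, members in nets.items():
        if not net.subnet_of(agg):
            problems.append(f"{net} lies outside {agg}")
        usable = net.num_addresses - 2  # minus the network and broadcast addresses
        if len(members) > usable - 1:   # minus one address for the gateway (assumption)
            problems.append(f"{net} cannot hold {len(members)} hosts plus a gateway")
    for a, b in itertools.combinations(sorted(nets), 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


def exposure(plan: dict, inventory: list) -> dict:
    """Per role: domain size and how many hosts of other roles share the domain.

    Every host in the same domain can poison ARP for these hosts or answer their
    DHCP DISCOVER, so 'foreign_hosts' is the blast radius of one compromised box
    of another type (a phished laptop, a printer with a known CVE) against this role.
    """
    report = {}
    for net, members in domains(plan, inventory).items():
        roles = {r for _, r in members}
        for role in roles:
            own = sum(1 for _, r in members if r == role)
            report[role] = {
                "domain": str(net),
                "domain_hosts": len(members),
                "foreign_hosts": len(members) - own,
                "roles_mixed_with": sorted(roles - {role}),
            }
    return report


if __name__ == "__main__":
    for name, plan in (("flat /22", FLAT_PLAN), ("segmented", SEGMENTED_PLAN)):
        print(f"{name}: problems = {validate(plan, INVENTORY) or 'none'}")
        for role, r in sorted(exposure(plan, INVENTORY).items()):
            print(f"  {role:8s} {r['domain']:18s} {r['domain_hosts']:3d} hosts in domain, "
                  f"{r['foreign_hosts']:3d} of other roles")
```

With the constructed inventory the flat plan puts 69 hosts in one domain, so a printer shares its L2 segment with 64 devices of other types, while in the segmented plan no role shares a domain with another; `validate` is there so that the segmented plan is actually checked against the /22 rather than assumed, and it reports an overlapping or out-of-range subnet if you edit the plan.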