Hello @mag01 

The "one subnet per VLAN" rule is a fundamental network design principle that ensures network efficiency, security, and manageability. VLANs are designed to isolate broadcast domains, meaning that devices within the same VLAN share the same subnet and broadcast domain. Mixing multiple subnets within a single VLAN can lead to excessive broadcast traffic, complicate routing, and make security policies harder to enforce. This setup can also increase the complexity of network management and troubleshooting, as it disrupts the straightforward correlation between VLANs and subnets.

Aligning each VLAN with a single subnet simplifies network architecture, ensuring that traffic within the VLAN is switched at Layer 2 and routed at Layer 3 when moving between VLANs, making the network more predictable and easier to manage.

Your network team's resistance to grouping IPs into VLANs without aligning them with distinct subnets stems from the potential risks and complexities this could introduce, especially in a production environment where stability is crucial. Deviating from this principle could lead to inconsistent network behavior, complicate routing decisions, and make security enforcement challenging, ultimately increasing the likelihood of network issues and downtime. While redesigning the network to adhere to this principle involves significant upfront work, such as readdressing hosts and reconfiguring firewalls and applications, it ensures long-term network reliability and security. The effort to maintain the one subnet per VLAN rule is justified by the stability, simplicity, and ease of management it brings to your network infrastructure.

Well, we're not dealing with multiple subnets At The Moment. It's (except from the DB tier) only one big net and a F5 as FW/LB.

Currently we're talking about 500 Hosts and Prod Network also means functionalyty must be mainained at any time.
So to do this we'll have to setup a subnet, swap the machines to this new, run all connection tests and hope we've not overlooked something. Plus the new sub-nets need to be "future proof" ... just in case new hosts are added.

However, I fully understand your argument about security, simplicity and management. But isn't this a bit of a departure from the idea of "saving network resources (hw/sw) by logical grouping" ?

Hmm, never heard of one subnet per VLAN being called a "Golden Rule", but I can see why it could be.

The reason for such a rule is pretty simple, it's done so L2 bolsters some of the reasons we subnet, a principle reason being to reduce the scope/impact of broadcasts.  Also, having multiple networks on a network device interface has its own "challenges".

You mention 500 hosts.  That possibly is starting to push "safe" operational sizes, but conversely normally you wouldn't need to subdivide it by 16.

Agreed host readdressing isn't fun.  Its pain can be mitigated by using DHCP (including for some servers) and running multiple subnets on the same VLAN might be temporarily used to transition hosts.