Subnetting best practice??

cengelhard
Level 1

Hi all. I've run into an awful lot of network professionals who use the subnet mask 255.255.255.0 almost exclusively in their designs, and when I've asked why, they all seem to claim it is the result of a best practice in design. Yet when I ask for an explanation, all I get is something mumbled about broadcasts and controlling them.

OK...so they can't be talking about Ethernet broadcasts, since whatever you do in layer 3 shouldn't affect that. And they can't be talking about 255.255.255.255, because that'll hit ALL subnets no matter what your subnet mask. So they must be talking about a subnet broadcast, i.e. 192.168.1.255/24.

Here is the "best practice": Having fewer hosts in your subnetting scheme cuts down on the impact broadcasts have on your network. For example, 192.168.1.0/24 is a better idea than 10.1.0.0/16.

Now, from what I understand about how a broadcast works, it doesn't matter what your subnet mask is: a subnet broadcast will be processed by all hosts who are members of that subnet, and the broadcast scope is controlled by the layer 3 devices that define the subnet itself. Therefore, using 10.1.0.0/16 is no worse and no better than 192.168.1.0/24 (except that with 10.1.0.0/16, you have more host addresses to play with).

Am I missing something?

7 Replies

Kevin Dorrell
Level 10

You say "And they can't be talking about 255.255.255.255, because that'll hit ALL subnets no matter what your subnet mask." But that is not quite right, because real broadcasts do not pass through the router. Their impact is limited to the single VLAN / subnet, unless you deliberately decide to forward them, and even then you usually do so in a controlled manner.

I have always taken the /24 "best practice" with a pinch of salt, because it also depends on the structure of your network. There are some circumstances where a wider netmask is appropriate, and some where a narrower one is appropriate. But /24 isn't bad as a rule-of-thumb.

The other thing to remember is that "except that with 10.1.0.0/16, you have more host addresses to play with", so there can be more machines on the VLAN generating the broadcasts.

Hope this makes sense.

Kevin Dorrell

Luxembourg

Hmmmm. Maybe I should be clearer.

My point was that broadcast traffic is a direct function of the number of actual live hosts using broadcast technologies. The potential number of hosts in one subnet has no effect on this. However, I understand it opens the potential to grow to an unacceptable number of hosts, all potential candidates for broadcast/multicast traffic.

*Sigh*. Splitting hairs? I guess. I suppose you could also say that subnetting with /16 is wasteful if you're never going to have 16,000 some hosts.

Thanks for your answers. Let me know if there's something else that I'm missing.

ehirsel
Level 6

The /24 mask represents a good tradeoff for future growth in the VLAN as well as keeping the routing table small enough to be manageable. I believe at one time, Cisco layer 2 Catalyst switches had issues with more than 200 devices in a single VLAN; that may not be true anymore with the higher end (4000, 5000, and 6000) series.

Using a /24 mask will allow for easy summarization towards the core, so that it will allow your core to expand as well. That is, not only does /24 represent a good tradeoff with respect to the growth in each VLAN at the edge, but you won't wind up wasting a lot of address space as new edge networks come into place (due to mergers and acquisitions).

That's my opinion.

I think there is another aspect to why the /24 subnet is used so frequently and may sometimes be referred to as best practice: it is EASY. People do not have to think about where subnet boundaries are because they operate on octet boundaries. You do not have to do any binary arithmetic to use them as you might if the subnet mask is /26 (or /29 or /19 etc.).

I believe that for most of us simple, reliable, and easy is quite a virtue and sometimes outweighs the fact that a different mask might actually be a more efficient fit to the network.

HTH

Rick


A subnet mask of 255.255.0.0 (/16) allows for more hosts on an IP subnet than 255.255.255.0 (/24). You don't actually have to put 65,000+ hosts on a /16 subnet, but you can.

Realistically, if you did put 65,000+ desktop hosts into the same subnet, the amount of broadcast traffic generated during the course of normal network computing activity could actually impact the processing power of each computer on that subnet. That's because each computer has to interrupt what it is doing to listen to the broadcast and determine whether it's something they need to pay attention to or not. (Most of the time the answer is "not".) The more computers each has to listen to broadcasting, the less CPU time the computer has to actually do work.

Computers with faster CPUs might not notice it as much, but slower computers can be significantly impacted by excessive broadcast traffic. It used to be that you could demonstrate excessive broadcast traffic as a problem by running a CPU-intensive desktop application locally: benchmark the performance somehow while the computer is on the LAN; then detach the computer from the LAN and run the same benchmark again. If it runs faster OFF the LAN, then being on the LAN is actually causing performance degradation. And almost always this was the result of high volumes of broadcast traffic. (Sometimes it could also be a focused Denial of Service: depends on whether multiple machines/users on the subnet report the slowness, or only one.)

Smaller subnet masks like a /24 limit the number of hosts that can be impacted by broadcast traffic on a subnet. (Unless you support multiple /24 subnets layered onto the same Ethernet broadcast domain using "secondary" IP addressing on the same router or L3 switch interface. In which case performance problems are more likely to be caused by the bottleneck of routing from one subnet to another, in and out on the same interface. The fix here is to either break out each /24 to a separate broadcast domain/VLAN, or come up with an aggregating mask like a /22 or /23 that lets the hosts talk to each other directly across the broadcast domain, rather than funneling in and out of the router's interface.)

Having large subnets like a /16 can be a problem for routers when that subnet is the target of an intensive sequential IP address scan. You can have a Denial of Service on that subnet when the router interface involved has to ARP for thousands of unknown IP addresses and wait to see if anything responds. All that ARPing and buffering ties up router CPU and memory resources, and can result in severe performance degradation. With smaller subnets like a /24, you can mitigate the impact such an attack can have.
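The arithmetic behind the last two paragraphs, as an added example that is not from any poster in this thread: how many addresses a subnet holds, how many a router would have to ARP for and wait on without reply if every address in a sparsely populated /16 were walked once, and the smallest aggregating mask (/22, /23) that covers several /24s sharing one broadcast domain. All subnet and host-count values are constructed sample inputs.

```python
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Network, broadcast address and usable host count for an IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = max(net.num_addresses - 2, 0)  # drop network + broadcast
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
        # /8, /16, /24 sit on octet boundaries and need no binary arithmetic.
        "octet_boundary": net.prefixlen % 8 == 0,
    }


def unanswered_arp_on_full_scan(cidr: str, live_hosts: int) -> int:
    """Unassigned addresses a router would ARP for with no reply if every
    host address in the subnet were probed once: the exposure the thread
    describes for a large, sparsely populated /16 versus a /24."""
    facts = subnet_facts(cidr)
    if live_hosts > facts["usable_hosts"]:
        raise ValueError("more live hosts than the subnet can hold")
    return facts["usable_hosts"] - live_hosts


def aggregate_mask(subnets) -> str:
    """Smallest single prefix that spans all given subnets, e.g. four
    contiguous /24s -> one /22 (two misaligned /24s may still need a /22)."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Shorten the prefix until one block anchored at `first` also holds `last`.
    for plen in range(32, -1, -1):
        candidate = ipaddress.ip_network((first, plen), strict=False)
        if last in candidate:
            return str(candidate)
    return "0.0.0.0/0"  # unreachable: /0 always contains every address


if __name__ == "__main__":
    # Constructed comparison: 300 live hosts on a /16 vs 200 on a /24.
    for cidr, live in (("10.1.0.0/16", 300), ("192.168.1.0/24", 200)):
        f = subnet_facts(cidr)
        print(cidr, f["usable_hosts"], "usable,",
              unanswered_arp_on_full_scan(cidr, live), "unanswered ARPs")
    print(aggregate_mask(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
```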

THANK YOU. Out of all the replies, yours hits the nail on the head.

Personally, I'm pretty lucky that on our current network we don't have any instances of attacks or services that iterate through all possible addresses on the subnet, but I will definitely keep that in mind. I was just really bothered that out of all these experts, no one could explain this clearly.

/16 is on an octet boundary too, so it doesn't really apply to my original question.