IP Subnetting best practice

netsquant
Level 1

Can someone provide me documentation on splitting a class C network? I can't think of any good reason other than saving IPs, but when you're part of an organization that has an entire class B (10.29.0.0/16) that isn't a good enough reason for me. I know at least three reasons it's not good: VLANing, subnetting, DHCP... in other words, too many things to worry about. Human error very likely.

9 Replies

Reza Sharifi
Hall of Fame

tobyarnett
Level 1

The largest reason to break up your subnet is to conserve IP addresses. The other reason is to keep your broadcast domain to a controllable size. You should not have anything larger than a /22 network for any LAN block. Segmenting smaller than a /24 is often used when you need special requirements for the devices. Take for instance you wanted to connect 5 network devices as part of a single subnet. You wouldn't use a /24 for that or you just wasted 250 IPs. So you can use a /29 instead, and this will allow you to create many /30 subnets for point-to-point links. These separate networks also make it easier for you to create access lists on your routers or firewalls, write policy map statements, configure networks in your routing protocol configurations, and various other reasons. The list for why to break up a subnet is really way too long to list. I am not sure there is any specific document that lists all of these reasons, but you can get this information from pretty much any networking resource you find on the Internet.

The post above is a great site to use to break up any subnet into smaller or larger blocks depending on whatever use you determine.

-Toby

Sent from Cisco Technical Support Android App

Please don't forget to rate any helpful post.

_____________________________________
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan

It was recommended to me to take a /24 network and split it up: the first half for management and the second for production. I think this is a huge no-no. I was told it's to save IPs. I don't understand that if we have an entire /16 network that we can carve out another /24. One entirely for production and the other for management. I'm looking for some documentation stating this is best practice unless there is a shortage of IPs.

Sakun Sharma
Level 1

Subnetting helps you not only save your IPs but also add a security layer to your network. It divides your broadcast domains, increasing your network performance.

Now if your whole network is one network without subnetting, 1 single broadcast packet will reach all the devices connected (computer, printer, AP, mobile, IP phone, etc.) in your network. Similarly, if any rogue device generates many broadcasts, a broadcast storm will occur in your network and the whole network will be down.

But if you are subnetting, the broadcast will remain within the broadcast domain (subnetted network) only; it won't span the whole network.

If the whole network is in one subnet, all your devices can reach other devices in the network, so your critical servers can be attacked easily. As we know that 80% of attacks are from within an organization, it's not safe to keep your complete network in one subnet. If you are also using access lists in one subnet, there will be a large number of access-list entries to protect your network, further reducing your inter-network switching device performance and network performance. But in the case of a subnetted network, you have more control over your network security and the number of entries in the access list will also be less.

So using subnetting you can better organize your organization's network: less complex, more secure, flexible and scalable. So I suggest going with subnetting and the use of VLANs.

--

Regards

Sakun Sharma

It was recommended to me to take a /24 network and split it up: the first half for management and the second for production. I think this is a huge no-no. I was told it's to save IPs. I don't understand that if we have an entire /16 network that we can carve out another /24. One entirely for production and the other for management. I'm looking for some documentation stating this is best practice unless there is a shortage of IPs.

We use subnets not only to save IP addresses, but also to tackle some issues at Layer 2 as well as Layer 3.

We should allocate the block considering the requirement and future expansion, because re-designing the network is very difficult and an unmanaged network is very difficult to troubleshoot. Large block size also leads to security issues as well as scalability issues. So it's better to select the block size very carefully.

Below are some useful links and some stuff.

Check out the below link:

http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/ch3_EttF.html#wp1016570

Cisco IP Address Guide PDF

Here is some stuff, hope you find it useful: (source Cisco Press: ICND 1 & 2)

A poorly designed network has increased support costs, reduced service availability, security risks, and limited support for new applications and solutions. Less-than-optimal performance affects end users and access to central resources directly. Some of the issues that stem from a poorly designed network include the following:

  • Failure domains: One of the most important reasons to implement an effective network design is to minimize the extent of problems when they occur. When Layer 2 and Layer 3 boundaries are not clearly defined, failure in one network area can have a far-reaching effect.

  • Broadcast domains: Broadcasts exist in every network. Many applications and network operations require broadcasts to function properly; therefore, it is not possible to eliminate them completely. In the same way that avoiding failure domains involves clearly defining boundaries, broadcast domains should have clear boundaries and include an optimal number of devices to minimize the negative impact of broadcasts.

  • Large amount of unknown MAC unicast traffic: Cisco Catalyst switches limit unicast frame forwarding to ports that are associated with the specific unicast address. However, when frames arrive at a destination MAC address that is not recorded in the MAC table, they are flooded out of the switch ports in the same VLAN except for the port that received the frame. This behavior is called unknown MAC unicast flooding. Because this type of flooding causes excessive traffic on all the switch ports, network interface cards (NIC) must contend with a larger number of frames on the wire. When data is propagated on a wire for which it was not intended, security can be compromised.

  • Multicast traffic on ports where it is not intended: IP multicast is a technique that allows IP traffic to be propagated from one source to a multicast group that is identified by a single IP and MAC destination-group address pair. Similar to unicast flooding and broadcasting, multicast frames are flooded out all the switch ports. A proper design allows for the containment of multicast frames while allowing them to be functional.

  • Difficulty in management and support: A poorly designed network may be disorganized and poorly documented and lack easily identified traffic flows, which can make support, maintenance, and problem resolution time-consuming and arduous tasks.

  • Possible security vulnerabilities: A switched network that has been designed with little attention to security requirements at the access layer can compromise the integrity of the entire network.

--

Regards,

Sakun Sharma

There is no technical problem with taking a /24 and splitting it into 2 /25s. The only issue is the capability of the IT support staff to properly configure routing, subnetting, gateway configuration, ACLs, DHCP and other services using a network address boundary they are possibly unfamiliar with.

Sent from Cisco Technical Support iPad App

Jeff - that was my point exactly. Therefore, if there is no reason in this case to try and save IPs, it's not a good idea.

"It was recommended to me to take a /24 network and split it up: the first half for management and the second for production. I think this is a huge no-no. I was told it's to save IPs. I don't understand that if we have an entire /16 network that we can carve out another /24. One entirely for production and the other for management. I'm looking for some documentation stating this is best practice unless there is a shortage of IPs."

Jeff's point above is made in regards to how those subnet boundaries function and how your support staff can manage those. Take for example if you have a /25 subnet for a server zone. Then your network gateway and subnet will be something different than the typical /24 block, and that may cause confusion with some server admins. However, proper communication can resolve those issues.

However, the point of your above comment was to conserve IP addresses: just because you have a /16 does not mean you should be wasteful in how you address server blocks, network management devices, user workstations etc.

If you have a network that consists of 2 distribution switches, 2 edge routers, 10 additional network devices (misc routers and switches), and 2 firewalls, then you could conceivably only need 18 IP addresses for these devices to be connected. In that case is it really necessary to allocate 254 IPs to manage your network devices? I would think that a /25 or even a /26 would be more than sufficient, as this would give you ample IPs for your immediate needs as well as more than plenty for growth, and you will likely still have waste. You could then carve the rest of the IPs out into /30s (for point-to-point routed connections), or some other smaller networks for device connectivity.

Likewise you should allocate server blocks based off of the needs of your business. If your company works with virtualized servers that utilize many IPs then you may want to look at creating server blocks that are in the realm of /23s, but if your company relies on physical servers and you only have 2 or 3 of those, then again why not use a /25 IP block for these. This will again allow for your current needs as well as future growth.

You should break up your /16 into logical blocks (maybe in /20 blocks). This can be used for creating a hierarchy of IP addressing that is useful for summarized routes in your routing table.

If you are designing a network you need to take into account the needs of your business currently as well as try and predict what will be needed in the future. Split the networks out as appropriate, summarize when possible, and certainly do not waste IP space just to be lazy or have the thought process that "we have a lot of IPs so why split up our blocks". I have worked in many environments where someone thought that was a great idea 10 years ago, and trying to fix that mess is a nightmare in a production environment.

-Toby

Please don't forget to rate any helpful post.

_____________________________________
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan
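As an added example (not from any poster in this thread), the arithmetic behind the proposals above, using Python's standard ipaddress module: the /24 split into two /25s with the gateway, host range and broadcast that the support staff must get right, the smallest block that fits a device count (5 devices, 18 devices), /30s carved from a /29 for point-to-point links, and sixteen /24s summarized into one /20. The /24 chosen for the split and the device counts are assumptions for the demo; 10.29.0.0/16 is the block quoted in the question.

```python
import ipaddress

# Constructed demo values: the /24 being split is an assumption; the thread's
# own block is 10.29.0.0/16, from which these /24s are carved.
LAN = "10.29.10.0/24"

def split_block(cidr, new_prefix):
    """Split a block into equal children and return the addressing facts an
    admin has to get right for each one (network, gateway, range, broadcast)."""
    rows = []
    for child in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix):
        hosts = list(child.hosts())
        rows.append({
            "network": str(child),
            "gateway": str(hosts[0]),  # convention assumed here: first usable address
            "last_host": str(hosts[-1]),
            "broadcast": str(child.broadcast_address),
            "usable": len(hosts),
        })
    return rows

def smallest_prefix_for(host_count):
    """Longest prefix whose block still has host_count usable addresses.
    Network and broadcast addresses are reserved, so a /30 holds two hosts."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= host_count:
            return prefix
    raise ValueError("no IPv4 block is large enough")

def summarize(cidrs):
    """Collapse contiguous networks into the fewest summary routes, which is
    what a hierarchical /20 carve-out of the /16 buys you in the routing table."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def same_subnet(host_a, host_b, prefix):
    """Do two hosts share a subnet under the given mask? After the split, .50 and
    .200 are in different /25s and must traverse the gateway to reach each other."""
    net_a = ipaddress.ip_interface(f"{host_a}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{prefix}").network
    return net_a == net_b

if __name__ == "__main__":
    for row in split_block(LAN, 25):
        print(row)
    print("prefix for 5 devices:", smallest_prefix_for(5))      # 29
    print("prefix for 18 devices:", smallest_prefix_for(18))    # 27
    print(summarize(f"10.29.{i}.0/24" for i in range(16)))      # ['10.29.0.0/20']
    print(same_subnet("10.29.10.50", "10.29.10.200", 25))       # False
```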
