Layer 2 Access Design Recommendations

Recently I worked through a project in which we redesigned the VLAN structure at a large number of our branch sites. The result of this was a series of subnets at each branch which were all /24 or smaller within larger networks as large as /20 for each branch.

I'm now in the middle of a discussion with one of the technicians in the field who supports a large number of these branches about whether or not it's a good idea to do the following:

At one of our larger sites, combine all data VLANs for client devices (Windows, IOS, Android) into one VLAN with a mask of /21. This would also include combining the server VLAN into this /21 VLAN. The only VLAN partitions in the data IP space would be for Printers and Network Management devices.

Combining all of the VOIP VLANs into one VLAN with a /20 mask.

Now this particular site is one of our larger branches, and everything in my soul screams that this is a bad idea. I've always understood that IP VLANs shouldn't exceed about 500 devices maximum, but I can't find anything more recent than 2006 here in the forums or in Cisco Press documentation concerning VLANs and Layer 2 considerations.

I've looked through the Top Down Network Design books, and the last book that contained anything hard and fast was two editions ago. I've looked through ICND as well as CCDA books and they have nothing recent either.

I need some help with solid references to Cisco best practices on this subject so I can counter this recommendation.

Any help out there?

David Earney
Cisco Employee

Layer 2 Access Design Recommendations

Hi David,

Most of those design recommendations still hold true today. While there is no hard and fast rule as to the number of devices within a VLAN, some things to consider are:

  • All devices in a broadcast domain have to process broadcasts received from other devices. This means an increase in CPU utilization as the number of broadcasts increases. The more broadcasts in a VLAN, the more wasted bandwidth, and consider what happens if one of those devices gets a bug or becomes defective and starts chatting up a broadcast storm on your LAN, which brings me to my next point.
  • Large sprawling VLANs equal large sprawling fault domains. It can become increasingly difficult to locate and troubleshoot faults in larger broadcast domains because you have to spend time hopping from switch to switch looking at the CAM table, which is time consuming. If there is a chatty device or broadcast storm, all devices in the same broadcast domain will be affected and come to a screeching halt.

I would personally use /24 and nothing larger in my designs.



VIP Expert

Re: Layer 2 Access Design Recommendations



Sizing switched VLAN subnets is limited principally by broadcast traffic.

Effectively, broadcasts change your switched network to a shared-media network.

Consider 1,000 hosts, each with a 100 Mbps port. If just one host injected 100 Mbps of broadcast packets, every other host's port would be 100% utilized. Or, if all 1,000 hosts each injected 100 Kbps of broadcast packets, again every other host's port would be 100% utilized.

Another problem with broadcast packets: each host needs to actually accept the packet for further analysis. Because of shared LAN media, host NICs usually can ignore unicast packets not addressed to the host, and similarly for multicast packets that the host isn't registered for. However, broadcast packets cannot be ignored because they are addressed to all hosts.

Today, host LAN links often have more bandwidth than years ago, and host processing is often faster too, and TCP hosts tend to be less chatty than something like NetBEUI. So, given the same level of broadcasts, you can often size subnets larger. However, also often today L3 switches are used rather than pure routers, so you don't have the L2 performance advantage as you used to either. So, considering the potential for broadcast issues, what's the real advantage of using large subnets?
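Putting the shared-media arithmetic from the reply above together with the /24 versus /21 and /20 proposal from the question, here is a small calculator as an added example; it is not part of the original thread or any Cisco material. The port speed (100 Mbps) and the average broadcast rate per host (20 kbps) are constructed assumptions for illustration, not measurements from the site, and the `BroadcastDomain` class and its method names are hypothetical.

```python
"""Broadcast-domain sizing calculator (added example, not from the thread).

Model: on a switched LAN every host must receive every other host's
broadcasts, so the broadcast load on any single access port is
(hosts - 1) * per-host broadcast rate, regardless of the switch fabric.
"""
import ipaddress
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BroadcastDomain:
    prefix: str             # IPv4 prefix of the VLAN, e.g. "10.10.0.0/21"
    port_kbps: int          # access-port speed in kbps (100_000 = 100 Mbps)
    host_bcast_kbps: float  # assumed average broadcast rate per host (constructed)

    @property
    def max_hosts(self) -> int:
        """Usable host addresses in the prefix (network and broadcast excluded)."""
        net = ipaddress.ip_network(self.prefix, strict=False)
        return max(0, net.num_addresses - 2)

    def port_load_pct(self, hosts: Optional[int] = None) -> float:
        """Broadcast load seen on every access port, as % of port speed.

        Defaults to a fully populated prefix; pass `hosts` to model a
        partially filled VLAN (e.g. the 1,000-host case in the thread).
        """
        n = self.max_hosts if hosts is None else hosts
        if n < 1:
            return 0.0
        return (n - 1) * self.host_bcast_kbps * 100.0 / self.port_kbps

    def storm_load_pct(self, injected_kbps: float) -> float:
        """Load on every *other* port when a single host floods broadcasts.

        A port cannot exceed 100%; beyond that the excess is simply dropped
        and the whole broadcast domain stalls.
        """
        return min(100.0, injected_kbps * 100.0 / self.port_kbps)

    def max_hosts_for_budget(self, budget_pct: float) -> int:
        """Largest host count keeping per-port broadcast load <= budget_pct."""
        budget_kbps = budget_pct * self.port_kbps / 100.0
        others = math.floor(budget_kbps / self.host_bcast_kbps)
        return others + 1  # the receiving host itself does not count


def compare_designs(prefixes, port_kbps=100_000, host_bcast_kbps=20.0):
    """Per-port broadcast load for each candidate VLAN size, fully populated."""
    rows = []
    for p in prefixes:
        d = BroadcastDomain(p, port_kbps, host_bcast_kbps)
        rows.append({"prefix": p,
                     "hosts": d.max_hosts,
                     "port_load_pct": round(d.port_load_pct(), 2)})
    return rows


if __name__ == "__main__":
    # Constructed assumptions: 100 Mbps access ports, 20 kbps broadcast/host.
    for row in compare_designs(["10.0.0.0/24", "10.0.0.0/21", "10.0.0.0/20"]):
        print(f"{row['prefix']:<14} {row['hosts']:>5} hosts "
              f"-> {row['port_load_pct']:>6.2f}% of every port is broadcast")

    # The two cases quoted in the reply: one 100 Mbps talker, or
    # 1,000 hosts at 100 kbps each.
    d = BroadcastDomain("10.0.0.0/22", 100_000, 100.0)
    print(f"single 100 Mbps storm source: {d.storm_load_pct(100_000):.1f}%")
    print(f"1,000 hosts at 100 kbps each: {d.port_load_pct(1000):.1f}%")

    # How big a VLAN keeps broadcast under a 5% per-port budget?
    d24 = BroadcastDomain("10.0.0.0/24", 100_000, 20.0)
    print(f"hosts allowed under a 5% broadcast budget: "
          f"{d24.max_hosts_for_budget(5.0)}")
```

Under these constructed numbers a full /24 spends about 5% of every port on broadcasts, a full /21 about 41%, and a full /20 about 82%, which is the quantitative form of the "what's the real advantage" question; replace the 20 kbps figure with a measured value (for example from SPAN or interface counters at the site) before using the result in a design argument.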
