Currently we use the 192.168.0.0/24 network with 254 IP addresses available, but only about 10 addresses are left. Within a year there will be some installations which require about 50 new addresses, and we need to increase the number of them. One way would be to change the subnet mask to 23 bits (255.255.254.0); this would give an additional 254 addresses but increase the broadcast domain and can affect performance (all switches are 1 Gb). The other way would be to add a new subnet with the same 24-bit mask but another network ID (say 192.168.1.0/24) and then properly route it in the router (we don't have Layer 3 switches). This also could affect overall performance. Which of the ways would be preferred with this setup?
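As an added example (not code from any poster in this thread), here is a Python check of the two options in the question using the standard library's ipaddress module; the host counts are assumed from the question's figures (254 usable, about 10 free, about 50 more needed), and the check also flags two things worth knowing before choosing: whether the proposed second /24 would be swallowed by the widened /23, and how many addresses a host still carrying the old /24 mask could not reach directly during a mask change.

```python
import ipaddress


def usable_hosts(net):
    """Usable IPv4 host addresses: all addresses minus network and broadcast."""
    return net.num_addresses - 2


def widen_mask(current, hosts_needed):
    """Option A: shorten the prefix until the enlarged block has room for
    hosts_needed usable addresses. The result is the supernet that contains
    the current block, so existing host addresses stay valid."""
    net = ipaddress.ip_network(current)
    while usable_hosts(net) < hosts_needed:
        net = net.supernet()  # one bit shorter prefix per step
    return net


def add_routed_subnet(current, proposed):
    """Option B: keep the mask and route a second block. Returns the checks
    to run before committing: no overlap with the current block, and whether
    the new block lies inside the block option A would create."""
    cur = ipaddress.ip_network(current)
    new = ipaddress.ip_network(proposed)
    return {
        "networks": [str(cur), str(new)],
        "usable_hosts": usable_hosts(cur) + usable_hosts(new),
        "broadcast_domain": max(cur.num_addresses, new.num_addresses),
        "overlaps_current": cur.overlaps(new),
        "inside_widened": new.subnet_of(cur.supernet()),
    }


def compare(current, hosts_in_use, extra_hosts, proposed):
    """Summarise both options for the figures given in the question."""
    cur = ipaddress.ip_network(current)
    wide = widen_mask(current, hosts_in_use + extra_hosts)
    return {
        "widen": {
            "network": str(wide),
            "usable_hosts": usable_hosts(wide),
            "broadcast_domain": wide.num_addresses,
            "network_address_changes": wide.network_address != cur.network_address,
            # Hosts not yet reconfigured keep the old mask and cannot reach
            # addresses outside the old block without going via the router.
            "addresses_unreachable_with_old_mask": wide.num_addresses - cur.num_addresses,
        },
        "route": add_routed_subnet(current, proposed),
    }


if __name__ == "__main__":
    import json
    # Constructed input from the question: 254 usable, ~10 free, ~50 more needed.
    print(json.dumps(compare("192.168.0.0/24", 244, 50, "192.168.1.0/24"), indent=2))
```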
You should definitely limit broadcast by using different subnets.
I personally assign 254 addresses for every branch office and route traffic between them.
Thank you. Have you experienced any issues with 23 bit mask subnets?
I’m not such a huge fan of slavishly limiting network segments to 253 user stations (remember that the router takes an address out of the 254 usable addresses too) just because of broadcast limitations. This makes management much more involved and labor / documentation / planning intensive.
One single computer can broadcast flood a network with today’s hardware.
If you’re trying to prevent workstations from seeing each other, then putting them into small groups isn’t going to make your network “secure” - it’s just fooling yourself into thinking that you’ve limited the scope of damage that one user can cause - but if a malicious user or virus can see 252 neighbors, then that’s 252 too many anyway.
The efficiency of a network vs the number of active hosts is much, much higher in today’s world of switches than it was back in the “good old days” when some of these rules of thumb got ingrained into us old timers’ heads. Back then, Ethernet was half duplex and had collisions to contend with. Now, switches handle this much better.
With host isolation and broadcast storm control / multicast rate limiting in switches, there’s no reason to cling to the dogma of /24 being the largest network size. With these measures in place, the only reason to put two hosts into two different networks is for policy reasons (routing policy, different security policy, etc). If you have a single type of network policy for a group of users, then make the network large enough to carry them all.
Of course, you don’t want to take this too far and bend over backwards to bridge a single network all over the place - a large bridge domain has plenty of its own pitfalls, but if you have a WLAN and want to serve more than 250-ish hosts, just use a /23 or /22 as the network range. Make your management easier, because that’s what’s going to give you the most headaches later: keeping track of everything and considering it in future network changes.
That is true, however it very much depends on what is in the network - and the poster did not mention that.
For example, when there is a lot of “server” infrastructure in nicely locked rooms, and also office computers on an essentially open network, it can be argued that they can better be put in separate subnets so a malicious user cannot assign the address of a server to his office PC and cause big havoc on the network. This of course is dependent on the presence of such malicious users as well.
(is this a company with people who just want computers to work for them, or is it a school or university network, to name some extremes)
However, when there is a lot of traffic between those servers and the office computers, the resulting routing can be a bottleneck when there are no L3 switches.
I would say when having L3 switches, do subnet, but when everything is on L2 switches and you want to have the guaranteed 1Gbit speed, don’t subnet and rather focus on some sensible settings to reduce the broadcast traffic.
(e.g. make sure that multicasting name services are not used, but rather a DNS service is implemented)
This is a policy reason to split networks, and a very valid one.
My post was meant to say in a nutshell: If you just need more capacity, use a larger subnet and not multiple lan segments.