Subnet size in modern networks

Unanswered Question
Aug 10th, 2009

Traditional LAN design suggests limiting subnet sizes with a /24 being one of the more commonly seen subnet sizes per VLAN. This is typically to limit the number of broadcasts & un-bounded multicasts.

I imagine these suggestions came from the days when 10Mb/s NICs were the most common and workstation / server CPUs were much slower (not to mention the NIC hardware processing capabilities themselves).

In a modern network with 100Mbps NICs, fast CPUs and even things like checksum offloading to the NIC, in addition to the percentage of traffic per host that is made up of broadcasts & multicasts, I can't think why there would be any problems with /23, /22 and even /21 subnets.

Running Wireshark on my workstation (on a /24 subnet, with about half of those hosts active) I see ~24KB of traffic in a one minute period (equaling about 0.5KB/s). If we extrapolate this from the ~128 hosts up to say a /22 subnet, we get around 5KB/s of additional traffic for each workstation to process. I do not see this as much of an issue in a modern network with modern workstations & servers which should have no problem with 100Mb/s or 1000Mb/s of network traffic. In fact, even on an old network, this is a negligible amount of traffic.

Additionally, the only useful non-network (CDP, HSRP, STP) traffic seen in my Wireshark capture was ARP, DHCP & NetBIOS. If this network management traffic was eliminated from the user VLAN, the figures listed above would be even lower.

Can anyone point me to some modern network design requirements that do not flippantly suggest broadcasts as the reason for limiting subnet size, or weigh in on anything I may have missed?
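An added example, not from the original post, of the measurement described above: it classifies a tshark-style field export into broadcast/multicast/unicast, optionally drops the CDP/HSRP/STP infrastructure chatter, and extrapolates the per-host flood load to /23, /22 and /21. The capture lines, the 128 active hosts and the 50% activity figure are constructed assumptions.

```python
import ipaddress

# Constructed sample capture (not a real one), in the shape of
#   tshark -a duration:60 -T fields -e frame.len -e eth.dst -e _ws.col.Protocol
# i.e. one frame per line: frame length, destination MAC, protocol column.
SAMPLE_CAPTURE = """\
60\tff:ff:ff:ff:ff:ff\tARP
60\tff:ff:ff:ff:ff:ff\tARP
342\tff:ff:ff:ff:ff:ff\tDHCP
92\tff:ff:ff:ff:ff:ff\tNBNS
60\t01:80:c2:00:00:00\tSTP
138\t01:00:0c:cc:cc:cc\tCDP
62\t01:00:5e:00:00:02\tHSRP
1514\t00:1a:2b:3c:4d:5e\tTCP
"""
CAPTURE_SECONDS = 60          # assumed capture window
ACTIVE_HOSTS = 128            # assumed active hosts on the measured /24
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Switch/router chatter the question suggests keeping off the user VLAN.
INFRA_PROTOCOLS = {"CDP", "HSRP", "STP"}


def classify(dst_mac):
    """Broadcast, multicast (I/G bit set in the first octet) or unicast."""
    if dst_mac.lower() == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if int(dst_mac.split(":")[0], 16) & 1 else "unicast"


def flood_bytes(capture, exclude_infra=False):
    """Bytes every host on the VLAN must receive: broadcast + multicast frames."""
    total = 0
    for line in capture.splitlines():
        length, dst, proto = line.split("\t")
        if classify(dst) == "unicast":
            continue  # a switch does not deliver other hosts' unicast to us
        if exclude_infra and proto in INFRA_PROTOCOLS:
            continue
        total += int(length)
    return total


def extrapolate(flood_total, seconds, active_hosts, prefixes=(24, 23, 22, 21), activity=0.5):
    """Per-host flood load in bytes/s if the measured per-host rate held at larger
    prefixes; assumes linear scaling and that `activity` of usable addresses are in use."""
    per_host = flood_total / seconds / active_hosts
    return {p: per_host * (ipaddress.ip_network(f"10.0.0.0/{p}").num_addresses - 2) * activity
            for p in prefixes}


def link_fraction(bytes_per_s, link_mbps=100):
    """Share of a NIC's line rate consumed by the flood load."""
    return bytes_per_s * 8 / (link_mbps * 1_000_000)
```

Compare the extrapolated figures with and without the infrastructure protocols to see how much of the per-host load is user traffic at all.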

Jon Marshall Tue, 08/11/2009 - 05:01


It is not just about broadcasts that you would want to limit the size of vlans. There are quite a few other considerations.

1) Design. If you wanted to use a L3 routed access-layer then it is unlikely that per floor you would have that many users to justify a /22 or /21.

If you used a /22 or /21 within your building you would then be forced to use L2 links between access-layer switches and distribution switches.

The addressing should not dictate this, i.e. you shouldn't, in my opinion, decide to use a /21 and then have to use L2 because that's the only way you can get the /21 to work.

2) Fault isolation - regardless of normal levels of broadcast traffic, a faulty workstation(s)/server(s) can have serious consequences on the amount of traffic generated within the vlan. Or a developer may write and test some software within the same vlan that has similar effects.

With a /22 or /21 this will impact a large number of users. Using smaller subnets/vlans limits the potential damage.

3) Security - following on from 2, a virus etc. on a host within the vlan could rapidly affect the entire vlan.

In addition any user that connects to your network has access to every other user on the same subnet at L2. In most companies not all users are equal and certainly not all servers are equal and you may well want/need to segregate certain users/servers from others with firewalls/IDS etc.

4) QOS - again not all users are equal and not all applications are equal. Having multiple subnets allows you to be more granular in your approach to QOS.

5) Manageability. This is a sort of catchall that includes some of the above. Imagine how complicated an acl could get if you need to filter certain users' traffic within your /21 based on source and destination.

Imagine how much easier it is to track down a certain IP address within a large campus building if you have designed your network so that specific subnets are on specific floors.

And to manage multiple /24 or even /25 vlans really isn't that much of a headache. Most of the work involved is setting up the DHCP scope and we can usually leave that to the server guys :-).

Finally with L3 switching the arguments for larger subnets are even less persuasive, although again that's my opinion. I would argue that rather than having to justify /25 or /24 subnets it should be the other way round, i.e. if you want to deploy a /22 or /21 then fine, but what are the reasons for it?


jfraasch Tue, 08/11/2009 - 12:16

Another way to think about this is in thinking about more than just the speeds that have come about in the last 10+ years. 10 years ago EVERYTHING was on a hub. There were usually huge broadcast domains.

Nowadays over 80% of networks are switched with each individual port being its own broadcast domain. This change to switches for the most part has offset any kind of speed gains/application noise increases over that same time period.

Whereas in the past each NIC would be required to look at every packet on the network, nowadays it only sees broadcasts and unicast packets, not data packets destined for some other unicast address. Essentially, the switch has offloaded much of the old overhead that was there.

Otherwise, I like what Jon says below. There are many reasons to reduce subnet sizes. Heck, I just broke out a /24 into a bunch of /28's to implement an ACE Appliance. This was done for security reasons and to segment traffic to make access list rules between VLANs much easier to implement.

Hope that helps.
