4

I have run into a 10.10.50.0/20 network that is having issues with packets dropping. They run all unmanaged switches and I imagine the huge amount of devices on one subnet is causing issues.

I've looked at breaking the network down into separate VLANs but the cost of Layer 3 switches is too high. What options do I have? They use all unmanaged switches and an NSA 2400 SonicWall.

womble
Jason
    What model of switches are you currently using? 10.10.50.0/20 is actually not the right address of the subnet if it really is a /20. The correct subnet addr is 10.10.48.0/20. How many physical user ports in how many different closets? – Mike Pennington May 24 '11 at 19:59

3 Answers

11

How many computers are actually in the subnet?

The size of the subnet has no effect on broadcast traffic. You can run a /8 with 12 hosts in it and you'll see the same composition of traffic as a /24 with the same number of hosts. It's the number of computers that matters.

Personally, I wouldn't put more than about 512 Windows PCs into a single subnet. If you're below that, though, you're probably better off figuring out what the root cause of the problems is because you're likely going to find out, after wasting a lot of time and spending a lot of money, that the problem will still be with you.

Evan Anderson
  • +1 although managed switches (with SNMP, port mirroring, etc.) may be the only practical way long-term to manage/monitor/troubleshoot problems on a (I'm assuming) large-ish network. – gravyface May 25 '11 at 02:28
  • @gravyface: Agreed re: managed switches. I wouldn't want to have more than a handful of machines on unmanaged switches, personally. Not having per-port statistics from your switches is like flying blind. Fortunately a good managed layer 2 Ethernet switch feature set is pretty cheap today. – Evan Anderson May 25 '11 at 17:18
8

Well, first, you don't need L3 switches to VLAN; you can use normal L2 switches and then have a router, a single L3 switch, or just use the NSA 2400 to route and firewall between subnets.

You are going to have to buy some form of equipment to segregate the networks. Your options are to either A) go the old school way with physical LANs separated by a router, or B) use VLANs.

The first option allows you to avoid spending on a whole new set of switches, BUT will be a management nightmare.

Zypher
  • Well I think I can get them to replace all their switches with L2 switches at a minimum. My understanding was the SonicWall could not do inter-VLAN routing though – Jason May 24 '11 at 20:00
  • @Jason It's been a long time since I dealt with SonicWalls; IIRC it was a license add-on ... but anyway you could do a single L3 switch or get a router, or if things are really tight you could build out a *nix box to do your routing. – Zypher May 24 '11 at 20:02
  • @Jason - take a look at PFSense if you need to build your own router. It's stable, fast, has a nice web UI, and fully supports 802.1q VLANs, which will likely be crucial in your environment. – EEAA May 24 '11 at 20:04
  • @Jason, The SonicWall docs indicate that the [NSA 2400 supports up to 25 vlans](http://www.sonicwall.com/us/products/NSA_2400.html#tab=specifications). It would be insane for them to claim VLAN support but not route between them. – Mike Pennington May 24 '11 at 20:06
  • @Mike Pennington: I wouldn't put it past SonicWall, though, to make intra-VLAN routing a license option. They're a nickel-and-dime kind of company in my experience. The "supports up to 25 VLANs" may mean "supports 25 VLANs sending traffic to / from the WAN interface". – Evan Anderson May 24 '11 at 20:14
  • @Evan, it's pretty hard to sustain a business when your competitors run circles around you. Think about what Juniper did to Cisco in the service-provider market when Jnpr offered "line-rate ACLs". Point is, it's rather unlikely they are dumb enough not to support inter-VLAN routing; licenses are another issue and completely understandable. – Mike Pennington May 24 '11 at 20:20
5

I wouldn't want to guess as to what's causing the problem, I would want to know what's causing the problem. My recommendation would be to run some packet captures at various points in the network and see what the evidence shows you.

joeqwerty
  • +1, he should be ensuring there is no current bcast storm if he has large numbers of users on interconnected consumer-grade switches – Mike Pennington May 24 '11 at 20:07
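The kind of evidence joeqwerty and Mike Pennington are asking for can be pulled out of a capture offline. The following is an added example, not code from any of the posts above: it parses raw Ethernet/ARP frames, counts broadcast frames per second, lists the top broadcast sources, and checks ARP sender addresses against the subnet the admin believes is in use (normalising 10.10.50.0/20 to 10.10.48.0/20 as Mike's comment points out). The frames are constructed inline rather than read from a real pcap, the flooding and rogue MAC/IP values are made up, and the 1000 pps storm threshold is an arbitrary placeholder to tune for the site.

```python
"""Offline broadcast-storm triage over a list of (timestamp, frame_bytes) pairs.

Added example; assumes frames are plain Ethernet II with optional ARP payload.
Reading a real capture (e.g. via scapy's rdpcap) is left to the reader.
"""
import ipaddress
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct a minimal Ethernet + ARP request frame (sample data, not a real capture)."""
    eth = BROADCAST_MAC + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_unicast_ip(src_mac: bytes, dst_mac: bytes) -> bytes:
    """Construct a unicast IPv4 frame with a dummy header (sample data)."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


def parse_frame(frame: bytes) -> dict:
    """Extract dst/src MAC, EtherType, cast type and (for ARP) the sender protocol address."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": dst, "src": src, "ethertype": ethertype,
        "broadcast": dst == BROADCAST_MAC,
        "multicast": bool(dst[0] & 1) and dst != BROADCAST_MAC,
        "sender_ip": None,
    }
    if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
        info["sender_ip"] = str(ipaddress.IPv4Address(frame[28:32]))  # ARP SPA field
    return info


def analyze(capture, planned_cidr: str, storm_pps: int = 1000) -> dict:
    """Summarise broadcast load and flag hosts that do not fit the planned subnet."""
    net = ipaddress.ip_network(planned_cidr, strict=False)  # 10.10.50.0/20 -> 10.10.48.0/20
    per_second, totals, talkers, foreign = Counter(), Counter(), Counter(), set()
    for ts, frame in capture:
        f = parse_frame(frame)
        kind = "broadcast" if f["broadcast"] else ("multicast" if f["multicast"] else "unicast")
        totals[kind] += 1  # only kinds actually seen appear in the result
        if kind != "unicast":
            per_second[int(ts)] += 1
            talkers[f["src"]] += 1
        if f["sender_ip"] and ipaddress.ip_address(f["sender_ip"]) not in net:
            foreign.add(f["sender_ip"])
    peak = max(per_second.values(), default=0)
    return {
        "network": str(net),
        "totals": dict(totals),
        "peak_bcast_pps": peak,
        "storm_suspected": peak >= storm_pps,
        "top_talkers": [(mac.hex(":"), n) for mac, n in talkers.most_common(3)],
        "arp_senders_outside_plan": sorted(foreign),
    }


def sample_capture():
    """Constructed sample: five quiet hosts, one host flooding ARP in second 3, one rogue IP."""
    frames = []
    hosts = [(bytes([0x00, 0x11, 0x22, 0x33, 0x44, i]), f"10.10.48.{i}") for i in range(1, 6)]
    for sec in range(5):
        for mac, ip in hosts:
            frames.append((sec + 0.1, build_arp_request(mac, ip, "10.10.48.1")))
            frames.append((sec + 0.2, build_unicast_ip(mac, hosts[0][0])))
    flooder = bytes([0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x01])  # made-up MAC
    for i in range(1500):
        frames.append((3 + i / 1500, build_arp_request(flooder, "10.10.50.77", "10.10.48.1")))
    rogue = bytes([0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0x01])  # made-up MAC, IP outside the /20
    frames.append((4.5, build_arp_request(rogue, "10.10.70.5", "10.10.48.1")))
    return frames


if __name__ == "__main__":
    for key, value in analyze(sample_capture(), "10.10.50.0/20").items():
        print(f"{key}: {value}")
```

On a real network the same per-second and per-source counters, fed from a mirror port or from a capture taken at the uplink of each closet, separate "too many hosts" (steady, proportional background) from "one misbehaving device or a loop" (a single source or a sharp spike), which is the distinction Evan's answer says should be settled before buying equipment.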