
We've started a small debate in the office, and I've hit the point where I no longer have the technical knowledge to continue.

Is there such a thing as having too many IP addresses? I'm not suggesting we use the entire private 10.* Class A, but I don't see why we couldn't if we wanted to.

I honestly think "subnet fragmentation" is an outdated way of thinking, but I want to continue the technical discussion.

Currently, our primary subnet mask is configured to use 4 class B's, which is way overkill in terms of the sheer number of available IP addresses, for our small business.

But the question is, what problems (if any) does having a wide private IP space create?

VxJasonxV
  • Class A/B/C/D hasn't been used in what, 10 years? There's your first ammo :) – Mark Henderson Nov 10 '09 at 00:26
  • I'm confused. I thought CIDR was entirely prevalent, more so in the last 10 years. Perhaps I should stop saying Class A/B/C/D, and start saying /8, /16, /24, /32? (I thought they were the same thing, but perhaps that was my own mistake.) – VxJasonxV Nov 11 '09 at 05:28
  • Class D =/= /32. I'm just saying :) Most people know what you mean when you say "class A", but technically, that refers to an IP that starts with 00 binary, not a network of a given size. "Slash 8" is normally what I say instead. – Bill Weiss Feb 03 '10 at 17:22

10 Answers


The only problem is possible conflicts when connecting to partner's networks or during mergers/acquisitions. Some of those issues can be mitigated by using source and destination NAT on edge devices. Additionally, just because you use 10.1.0.0/24 does not mean you won't run into the exact same problems.

Doug Luxem
  • It's also very nice to have for security purposes. Not to mention you will eventually get to having too many broadcasts going on. As switch speeds increase and the "need goes away" we also put more and more importance on the LAN staying up at all times. – sclarson Nov 09 '09 at 22:54
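An added example, not from anyone in this thread, of the conflict check Doug describes, using Python's standard ipaddress module. Both address plans are constructed for illustration: "our" side uses the asker's allocation (a /14, i.e. four contiguous /16s of 10/8), the partner side is hypothetical. It also locates a block free on both sides, which is the kind of range you would reserve for the source/destination NAT he mentions. Note that the partner's 10.1.0.0/24 collides with the /14 no matter how small it is, which is Doug's second point.

```python
import ipaddress

# Constructed sample address plans for illustration (not from the thread).
# "office" is the asker's allocation: a /14, i.e. four contiguous /16s of 10/8.
OUR_PLAN = {
    "office": "10.0.0.0/14",
    "dmz": "192.168.50.0/24",
}
# Hypothetical partner reached over a VPN, or acquired in a merger.
PARTNER_PLAN = {
    "partner-hq": "10.2.0.0/16",
    "partner-lab": "10.1.0.0/24",   # small, but it still lands inside our /14
    "partner-dmz": "192.168.51.0/24",
}


def find_overlaps(plan_a, plan_b):
    """Return (name_a, name_b, kind) for every pair of prefixes that collide.

    kind is "identical", "contains" (b lies inside a) or "inside" (a lies inside b).
    """
    hits = []
    for name_a, cidr_a in plan_a.items():
        net_a = ipaddress.ip_network(cidr_a)
        for name_b, cidr_b in plan_b.items():
            net_b = ipaddress.ip_network(cidr_b)
            if not net_a.overlaps(net_b):
                continue
            if net_a == net_b:
                kind = "identical"
            elif net_b.subnet_of(net_a):
                kind = "contains"
            else:
                kind = "inside"
            hits.append((name_a, name_b, kind))
    return hits


def first_free_block(plans, parent_cidr, new_prefix):
    """First subnet of parent_cidr with the given prefix length that no plan uses.

    A block like this is what you would set aside as a NAT pool so that colliding
    partner hosts can be presented under non-conflicting addresses.
    """
    used = [ipaddress.ip_network(c) for plan in plans for c in plan.values()]
    parent = ipaddress.ip_network(parent_cidr)
    for candidate in parent.subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b, kind in find_overlaps(OUR_PLAN, PARTNER_PLAN):
        print(f"conflict: {a} ({OUR_PLAN[a]}) {kind} {b} ({PARTNER_PLAN[b]})")
    pool = first_free_block([OUR_PLAN, PARTNER_PLAN], "10.0.0.0/8", 24)
    print("free /24 for a NAT pool:", pool)
```

Run it before a partner link goes up: two conflicts come back (the partner's /16 and its /24 both sit inside the office /14) and 10.4.0.0/24 is the first /24 untouched by either side.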

Compliance to various standards will become impossible, securing networks becomes harder, a virus will spread easier, quality of service becomes harder, MAC/CAM tables become full.

There are still all sorts of problems with just lumping everything in one bucket.

Also don't forget as the speed on LANs increases so do the uses. Especially when it comes to the data center. Many places run with 50+% utilization on their trunks. I've seen some that run higher than 65% constantly on 10gig trunks. Tell those people to add unnecessary traffic.

Using large subnets for no reason other than "you can" is fine when you're a tiny place that really has no need for more than 2 VLANs. Once you leave the small business world you'll find things increase in complexity quite a bit.

The other obvious reason would be to stop your CAM tables from filling, which can cause outages depending on how the switch firmware handles things when the switch's table fills.

sclarson

Not really - as long as you limit the amount of actual devices to something the network will handle... but then again, why have such a huge amount of possible nodes in that network if you won't use them all?

Segmenting networks is good for many things, including providing a logical structure and overview, tightening security by splitting roles and/or locations into different networks, and so forth.

One thing people don't usually think of is splitting off printers and other highly vulnerable and unprotected network devices into their own network - with access only to, say, a specific print server. And then there are all the usual ones depending on your organisation's information security demands.

Security comes with layers, network segmentation is one of many to help make stuff less vulnerable to security issues (=access, integrity and availability).

Oskar Duveborn
  • I generally agree. I'm not onboard w/ "logically" organizing devices by subnet, unless there's either a traffic problem or a need to filter traffic. Interesting that you mention putting printers into an isolated layer 2 w/ limited access. I've tried to get that across to people for years with different degrees of success. Some (typically non-IT) people in positions of authority implicitly trust printed output. As such, a possible "social engineering" hack would involve modifying / falsifying printed output. Ever hear about inmates being released from prison based on forged faxes? It happens! – Evan Anderson Nov 09 '09 at 23:48
  • I've never even heard of an inmate being freed on the basis of a fax. Must be a local problem. ;) – John Gardeniers Nov 10 '09 at 00:47
  • Well, these two are from Florida and Kentucky respectively, so I'm sure there was some local influence... heh heh... http://www.heraldtribune.com/article/20090716/ARTICLE/907161067?Title=Two-inmates-freed-by-mistake and http://www.freerepublic.com/focus/f-news/1821482/posts – Evan Anderson Nov 10 '09 at 02:17
  • There's a reason Fark has a dedicated "Florida" category, FWIW. – VxJasonxV Nov 11 '09 at 05:30
  • Oh yeah, and uhh. No comment on the Kentucky comment ;D. – VxJasonxV Nov 11 '09 at 05:31

The problem I see with that many IPs is not limiting the broadcast domain. On the other hand, with 1Gb switches, I can't really say that matters a ton anymore, unless you are trying to dig through switch and firewall logs.

Skaughty

Other than potential conflicts with partner networks connected through VPN, no problems.

What I usually recommend is to use /24 chunks anyway, regardless of the range you're splitting them off of. So, let's say, you assign 10.27.1/24 to the office, 10.27.2/24 to the DB subnet at the datacenter, 10.27.3/24 to the apps subnet at the datacenter, 10.27.100/24 for the VPN clients, and so on.

Florin Andrei
  • Now that sounds like extra work for no reason, along with adding extra load on your layer 3 devices. – Doug Luxem Nov 09 '09 at 22:31
  • It's 2009; that isn't a problem unless you go way overkill. – duffbeer703 Nov 09 '09 at 22:32
  • @DLux I was assuming a routed network, not a flat topology. Look at the examples I gave, those are usually physically separated networks, with routing in between. If it's flat then you don't have to fragment it (but you still can if you choose so). – Florin Andrei Nov 09 '09 at 22:42
  • I see what you are saying now. :) Generally, I would subnet at security partitions/zones which is pretty much what you said. – Doug Luxem Nov 09 '09 at 22:56
  • There are only two reasons to subnet a switched Ethernet LAN: Mitigating performance problems (excessive broadcast traffic or flooding of frames to unknown destinations), or to impose packet filtering functions at layer 3 or higher at the "choke points" where routers move packets between subnets (typically for security). Any other reason (aesthetic, mainly-- "I want all of xxx computers to be in the same subnet because it looks nice...") is an invalid reason. – Evan Anderson Nov 09 '09 at 23:41
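As an added illustration (example code, not Florin's or Evan's), here is what the "choke point" filtering Evan describes looks like once the /24-per-role plan in this answer is in place. The zone prefixes are taken from the answer's own example ranges; the allow-list and the sample flows are constructed, and the flat-network comparison assumes a hypothetical 10.24.0.0/14 that holds all of the same hosts.

```python
import ipaddress

# Zone plan following the /24-per-role layout from the answer (hypothetical values).
ZONES = {
    "office": ipaddress.ip_network("10.27.1.0/24"),
    "db": ipaddress.ip_network("10.27.2.0/24"),
    "apps": ipaddress.ip_network("10.27.3.0/24"),
    "vpn": ipaddress.ip_network("10.27.100.0/24"),
}

# Inter-zone flows the router is allowed to forward: (src zone, dst zone, dst port).
# Everything else that crosses a zone boundary is dropped. Constructed policy.
ALLOWED = {
    ("office", "apps", 443),
    ("vpn", "apps", 443),
    ("apps", "db", 5432),
}

# Hypothetical flat alternative: one /14 holding every host above.
FLAT = ipaddress.ip_network("10.24.0.0/14")


def zone_of(ip):
    """Name of the zone an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def allowed(src_ip, dst_ip, dst_port):
    """Decision the zone router makes for a packet that reaches it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False   # unknown source or destination: drop
    if src == dst:
        return True    # same subnet: switched directly, never reaches the router
    return (src, dst, dst_port) in ALLOWED


def filterable_when_flat(src_ip, dst_ip):
    """In the flat design two hosts in the same /14 talk switch-to-switch; no router sees it."""
    a, b = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return not (a in FLAT and b in FLAT)


def evaluate(flows):
    """Run constructed (src, dst, port) flows through the policy."""
    return [(s, d, p, allowed(s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    sample = [
        ("10.27.1.10", "10.27.3.20", 443),    # office -> apps: allowed
        ("10.27.1.10", "10.27.2.5", 5432),    # office -> db directly: dropped
        ("10.27.100.7", "10.27.2.5", 5432),   # vpn client -> db: dropped
        ("10.27.3.20", "10.27.2.5", 5432),    # apps -> db: allowed
        ("10.99.0.5", "10.27.3.20", 443),     # not in any zone: dropped
    ]
    for s, d, p, ok in evaluate(sample):
        print(f"{s:>12} -> {d:<12} :{p:<5} {'allow' if ok else 'drop'}")
    print("office -> db filterable on the flat /14?",
          filterable_when_flat("10.27.1.10", "10.27.2.5"))
```

The last line is the point of the comment above: on the flat /14 the office-to-database flow never crosses a router, so there is nowhere to put the rule that drops it.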

Depending on the size of your subnet broadcasts might be a problem, although depending on the speed of your network they might not.

One disadvantage however is that you're limiting your future expansion capability. You may only need one subnet now, but who's to say you won't need more in the future? You might expand, you might want to set up separate subnets for some parts of your network, and so forth.

I'd also drop the "class" thinking and use CIDR for your subnets. Classes don't really exist anymore outside of university courses and history books, and CIDR just gives you so much more flexibility.

A good rule of thumb with these things is to take what you think you need and double it, so if you have 50 hosts (and don't forget to include servers, printers, switches, etc here) a 25 bit netmask (giving you 128 hosts, less 2 for network and broadcast) will cover what you need and give you some headroom.

Maximus Minimus

One network I inherited was full of /16s, i.e. 10.1.x.x, 10.2.x.x, ...

It was nice for grouping IP ranges and you could look at an IP and know exactly what it was... Oh, the 10.4.20.Xs are all databases, etc... BUT...

Eventually we had to clean it up, and finding all the random one-off IPs was a chore.

It's a lot easier to do an nmap ping scan of a /24 than a /16.

In the redesign, we settled on /22s (1024 IPs).

I think a general rule of allocating for what you need today, with a healthy overhead to grow into, is a good practice.

Joel K

I would start with the max number of devices that would ever be on a network, and double or triple it, and then see if I had enough networks. By using the TEN net it shouldn't be hard to find a balance. For example, say that 100 devices was the max. If you picked /22 as your mask you would have 16,384 networks that could have 1022 devices:

Mask:255.255.252.0   Host/Net - 1022
Network          Broadcast
10.0.0.0         10.0.3.255
10.0.4.0         10.0.7.255
10.0.8.0         10.0.11.255
10.0.12.0        10.0.15.255
10.0.16.0        10.0.19.255
10.0.20.0        10.0.23.255
10.0.24.0        10.0.27.255
10.0.28.0        10.0.31.255
10.0.32.0        10.0.35.255
10.0.36.0        10.0.39.255
10.0.40.0        10.0.43.255
dbasnett
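Added example (not from either answer) that carries both rules of thumb through in code: Maximus Minimus's "double it and pick the prefix" sizing and dbasnett's /22 carve-up of 10/8, using Python's standard ipaddress module. The values it computes reproduce the table above (16,384 /22s of 1,022 hosts each) and the /25 for 50 hosts; the /14 line is the asker's own "four class B" allocation expressed in CIDR.

```python
import ipaddress


def prefix_for_hosts(hosts_needed, growth_factor=2):
    """Smallest IPv4 prefix length whose usable hosts cover hosts_needed * growth_factor."""
    target = hosts_needed * growth_factor
    for prefixlen in range(30, 0, -1):          # /30 is the smallest prefix with usable hosts
        usable = 2 ** (32 - prefixlen) - 2      # minus the network and broadcast addresses
        if usable >= target:
            return prefixlen
    raise ValueError("no IPv4 prefix holds that many hosts")


def usable_hosts(cidr):
    """Host addresses in a prefix, minus network and broadcast."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def subnet_count(parent_cidr, new_prefix):
    """How many subnets of new_prefix fit in parent_cidr."""
    return 2 ** (new_prefix - ipaddress.ip_network(parent_cidr).prefixlen)


def carve(parent_cidr, new_prefix, limit=None):
    """(network, broadcast) pairs for the subnets of new_prefix inside parent_cidr."""
    rows = []
    for net in ipaddress.ip_network(parent_cidr).subnets(new_prefix=new_prefix):
        rows.append((str(net.network_address), str(net.broadcast_address)))
        if limit is not None and len(rows) >= limit:
            break
    return rows


if __name__ == "__main__":
    # Maximus Minimus's rule: 50 hosts, doubled, fits a /25 (126 usable).
    p = prefix_for_hosts(50)
    sized = f"10.0.0.0/{p}"
    print(f"50 hosts doubled -> /{p} ({usable_hosts(sized)} usable)")
    # The asker's four contiguous /16s, expressed as one /14.
    print("10.0.0.0/14 usable hosts:", usable_hosts("10.0.0.0/14"))
    # dbasnett's carve-up: /22s out of 10/8, first eleven rows as in the table above.
    print("/22s in 10.0.0.0/8:", subnet_count("10.0.0.0/8", 22),
          "each with", usable_hosts("10.0.0.0/22"), "hosts")
    print(f"{'Network':<16} Broadcast")
    for network, broadcast in carve("10.0.0.0/8", 22, limit=11):
        print(f"{network:<16} {broadcast}")
```

carve() walks the parent lazily, so asking for the first few rows of a /8 split into /22s does not materialise all 16,384 of them.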

Well, the switch connected to your Uber-IP server does have a limited number of entries available in the ARP table. As well, you would see a lot of gratuitous ARP on your broadcast domain.

Honk
  • That would only be affected by the number of devices on a subnet, not the size of the subnet itself. – Doug Luxem Nov 09 '09 at 22:21
  • .... and switches don't do ARP – Javier Nov 09 '09 at 22:22
  • You don't think switches have an ARP table? – sclarson Nov 09 '09 at 22:48
  • I would give both of you guys rep for this if I could. Actually, I upvote you, DLux, so I guess I can. I am so sick of hearing about switches and "ARP tables" when people mean to say "bridging / MAC tables". – Evan Anderson Nov 09 '09 at 22:48
  • @sparks: Layer 3 devices have ARP tables. Switches, strictly operating at layer 2, don't have ARP tables. If the switch has a management interface that communicates at layer 3, or a routing engine, then those devices will have ARP tables. – Evan Anderson Nov 09 '09 at 22:49
  • Sorry, meant MAC, or more accurately CAM, tables. Either way the statement that switches don't do ARP is inaccurate since L3 Switches are still switches ;) There is no clear cut definition on switching like there is bridging. Switches are just marketing for "has ports" not really a defined device type. – sclarson Nov 09 '09 at 23:08
  • I find it helpful to explain "layer 3 switches" as layer 2 switches (which I explain as multi-port bridges) with a very fast router hiding inside. I try to explain the routing functionality separately from the switching functionality. The box does both things, but different parts of the box do different things. (Some old Catalyst supervisor modules worked like that, too-- there was router silicon sitting on the SUP blade and it had its own management interface.) – Evan Anderson Nov 09 '09 at 23:44
  • a switch is a multiport bridge. anything over that is better understood as a separate device integrated in the same box – Javier Nov 10 '09 at 22:51

None that I can think of other than being slightly more difficult to set up (and possibly administer). And then there is the issue of waning amounts of IP addresses (until IPv6).

Nori
  • The statement of "private IP addressing", and the example of using a 10/14 makes the "waning amount of IP addresses" a bit irrelevant. – VxJasonxV Nov 11 '09 at 05:35