5

I would like to get some advice on this, because I see it being mentioned repeatedly, but why are VLAN subnets recommended to be /24? What are the downsides to assigning VLANs a subnet that is smaller, such as /25, /26 or anything smaller, if you know the number of devices in that VLAN will not exceed a certain number of hosts for a long period of time?

The only reason I can think of is having to readjust all your IPs if your VLAN subnet goes over the allocated amount of hosts. Are there any other cases where doing less than /24 is a bad idea?

EDIT: I should have clarified I was referring to /24 in a private IP setting (192.168..., 172.16..., 10....).

Ron Maupin
  • 2
    Recommended by who? A LAN (and thus VLAN) can be any size you need. I know some metro-e installations that have /30 (and /31) VLANs. – Ricky Jul 21 '16 at 02:26
  • I recommend it based on the reasons in my answer below. - Ron Royston CCIE# 6824 – Ronnie Royston Jul 21 '16 at 04:17
  • 1
    On the network I manage we go all the way down to /28s for small sites, due to a historical decision to use 172.16.0.0/12 for a large corporate network, and the top-level assignment of the /16s that was done initially. Adjusting the subnet size to each site's immediate needs is necessary because of the lack of space, but is also a pain because you are constantly having to re-IP sites as they grow. One benefit though is that people get into the habit of checking the subnet mask, and reasoning accordingly, rather than assuming everything is /24 and getting thrown off by anything different. – Jeremy Gibbons Jul 21 '16 at 06:17
  • @JeremyGibbons I appreciate your dilemma. You inherited an over-engineered network and as a result the network admins have to burn brain cycles every time they administer/handle addressing. Too bad it was not done correctly (simply) when initially installed. – Ronnie Royston Jul 21 '16 at 16:12

3 Answers

6

VLANs can be many different sizes. The length of the mask you choose depends on how many hosts you have in a network, and how much room for growth you build in. A lot of companies have networks of varying sizes.

Many people automatically assume /24 because they are lazy, and really don't understand how to use masks which don't end on an octet boundary. Granted, /24 is a pretty convenient size for many user networks, but there are cases where it is overkill, e.g. a site with a server, a couple of printers, and 12 users with no real room for growth. There is also something to be said for consistency, where you can have the exact same configurations for the network devices at multiple sites, and /24 will allow for a pretty large range of site sizes.

The only real concern is for the number of IPv4 addresses which you have, whether or not you are wasting too many addresses of a limited number. It is often harder to try to steal addresses from networks which are too large than it is to combine addresses into a larger network. Either way, it is no fun.

Ron Maupin
  • It's not a matter of lazy. It's a matter of simplicity. VLANs (virtual Local Area Networks) are typically privately addressed, and there are way more subnets available to you than you will need. So, just keep it simple - the KISS principle. – Ronnie Royston Oct 22 '16 at 03:15
  • I think you picked a single thing out of the whole answer. If you read the entire answer, you will see it is fair and balanced, and overall, it basically says there is nothing wrong with using /24 networks, assuming you have the addresses. My point about lazy is that I have seen too many network or server engineers just use /24 networks for things like a network for a heartbeat between two devices. You could use those same 256 addresses for 128 heartbeat links with /31 networks, but the engineers couldn't figure out that one even and the next higher odd address are the two for a network. – Ron Maupin Oct 22 '16 at 16:31
3

In network addressing there is a tradeoff between ease-of-use and efficient utilisation of addresses.

Putting subnets on octet boundaries makes it much easier for humans to see what is going on, especially in IPv4, where addresses are typically expressed in dotted-quad decimal.

On the other hand, putting networks on octet boundaries can waste a lot of addresses.

In public IPv4 space nowadays you generally have to be frugal, unless you are lucky enough to have a legacy allocation that massively exceeds your needs (e.g. MIT).

Some very large companies (e.g. Comcast) also need to be frugal in private IPv4 space but for most of us 10.0.0.0/8 is vast enough that we really don't need to worry about efficient allocation.

In IPv6 there is generally no need to be frugal at all; it's normal to give every subnet a /64.

Peter Green
-4

It is good practice to use /24 subnets because doing so conforms with the KISS Principle, namely the first host address in the subnet gets .1 and the last host gets .254. The broadcast address is .255.

If you have a /27 for example, you might end up with available hosts being .193 - .222 and a broadcast address of .223. See the difference.

Network Design should adhere to the KISS principle. That being said, there are cases where IP address availability is restricted and VLSM is necessary but in 99% of private networks VLSM is not necessary and would be over-engineering.

Ronnie Royston
  • Whoever downvoted my answer, can you explain why over 30,000 /24 subnets are not sufficient for 99% of private networks, e.g. 10.0.0.0/8? Do you not recognize the ease of using /24's? Or are you a troll vandalizing this site? – Ronnie Royston Jul 21 '16 at 04:16
  • 2
    (not the one downvoting) your answer seems to assume this question is about private IP space, as becomes clear only by your comment. In my experience, there's a big difference in how public and private address ranges are assigned. The OP never mentioned if this question is about public or private networks, so you should at least mention this assumption in your answer. – Teun Vink Jul 21 '16 at 06:57
  • Somebody gave me a down vote, too. So, what? Everyone is entitled to their own opinion and to vote the way they want to vote. @TeunVink is correct. If you are lucky enough to have a public /24 block, will you use it all on one network because that is easy, or will you subnet it? FWIW, my company uses all three RFC 1918 address spaces, a whole lot of public IPv4 address space (multiple /16 and /24 blocks), all of it is variably-subnetted ("right-sized"), and still we don't have nearly enough public or private IPv4 address space. If you always think small, you will remain small. – Ron Maupin Jul 21 '16 at 14:05
  • This web application suggests that when one votes down, they provide feedback. It's not a requirement. The reason I asked is to understand why. As for your network, it's over-engineered in terms of VLSM, and whoever comes behind the current network admin is going to be stuck with it. – Ronnie Royston Jul 21 '16 at 16:04
  • @TeunVink " there are cases where IP address availability is restricted and VLSM is necessary but in 99% of private networks VLSM is not necessary" I didn't mention public IP space. VLAN means Virtual LAN. LAN means Local Area Network. Local Area Networks are typically privately addressed. – Ronnie Royston Jul 21 '16 at 16:06
  • 1
    How do you come to the conclusion that our network is over-engineered, especially without knowing the first thing about it? We have over 10,000 sites, from the very small (one user VLAN) to the very large (hundreds of user VLANs). There are extremely large data centers, PCs, IP phones, printers, WAPs, WLCs, building automation, and on and on. The sheer number of network infrastructure devices is mind boggling. There simply are not enough RFC 1918 addresses to use /24 networks everywhere. – Ron Maupin Jul 21 '16 at 17:56
  • Assuming your description of your network, it is not representative of 99.99% of business / Enterprise networks. In fact, I don't believe you. 10,000 sites is not true. 200 sites per US state? McDonald's maybe? – Ronnie Royston Jul 21 '16 at 18:02
  • 1
    I don't care whether or not you believe it. Most of the sites are in the U.S., but there are also sites in other countries. There are over 1/4 million employees, most of which are based in the U.S. It is not unusual to have 200 sites in a state. – Ron Maupin Jul 21 '16 at 18:21
  • I was actually one downvoting your answer, for several reasons. Foremost, in my opinion your answer is at least incomplete, if not wrong. You are right that the network should be designed as simply as possible. However, I disagree that using /24s is a one-fits-all solution, as @RonMaupin f.e. pointed out. I don't see the reason for wasting IP addresses (even private ones, which may also run short). Subnetting is something you learn at CCNA level (as you got your number, you should probably know). Showing off w/ your number and trolling other people shows neither respect nor maturity. – Daniel Jul 22 '16 at 10:13
  • @waza-ari "there are cases where IP address availability is restricted and VLSM is necessary" is inconsistent with your claim of "a one-fits-all solution". – Ronnie Royston Jul 22 '16 at 16:25
  • I have some student labs to manage in addition to the admin, utility and teacher rooms managed with DHCP giving fixed addresses. I assigned a single private /24 range for the labs but subnetted it in /27 chunks of 30 hosts to identify each one. That way I have the capability to give distinct Internet access rules for each and can also find where the problematic PCs are when an issue is detected. When we grew over the eight /27 spaces available, I increased the main range to a /23 and got another eight labs (I had left space to grow; we never know if there is a future need ;^) ). – Fjor Nov 01 '23 at 18:04
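A small subnet calculator, added here as an example rather than code from any of the answers, that works through the arithmetic the thread argues about: the /27 host range and broadcast in Ronnie Royston's answer, the 128 /31 links per /24 in Ron Maupin's comment, and the /23 carved into /27 labs in Fjor's comment. It uses only Python's standard-library ipaddress module; the sample prefixes are constructed.

```python
import ipaddress


def subnet_summary(cidr: str) -> dict:
    """Return the facts an admin checks before assigning a VLAN subnet.

    The usual rule reserves the first address (network) and the last
    (broadcast). A /31 point-to-point link (RFC 3021) and a /32 host
    route have no broadcast, so every address in them is usable.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # any host address in the block is accepted
    if net.prefixlen >= 31:
        first, last, usable, broadcast = net[0], net[-1], net.num_addresses, None
    else:
        first, last, usable = net[1], net[-2], net.num_addresses - 2
        broadcast = str(net.broadcast_address)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(first),
        "last_host": str(last),
        "broadcast": broadcast,
        "usable_hosts": usable,
    }


def prefix_for_hosts(hosts: int) -> int:
    """Longest IPv4 prefix whose usable host count still covers `hosts` (right-sizing)."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    if hosts <= 2:
        return 32 if hosts == 1 else 31  # single host route, or a /31 link
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than an IPv4 prefix can hold")


def carve(parent: str, new_prefix: int) -> list:
    """Split a parent block into equal children, e.g. a /24 into eight /27s or 128 /31s."""
    return [str(s) for s in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed sample prefixes: the /27 from the answer, a /24, a /31 link and a /23 lab block.
    for cidr in ("192.168.1.200/27", "10.0.0.0/24", "10.255.0.0/31"):
        print(cidr, subnet_summary(cidr))
    print("15 hosts (12 users, a server, 2 printers) need a /%d" % prefix_for_hosts(15))
    print(len(carve("10.20.0.0/23", 27)), "labs of 30 hosts fit in a /23")
```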