Broadcast Domains.... how big is TOO big?


chilipepperz

Active Member
Mar 17, 2016
Last night at a dinner party I was talking to a local service provider and somehow we got on the topic of whiskey and IP broadcast domains.

Let's say you have 200 VMs and another 40 physical servers and hosts. What I want to do is be able to make a VM and then assign VMs static IPs using DHCP mappings based on their MAC addresses.

I said I was planning to use a /21 or /22 of IP space, then use different IP ranges for different items to keep it all organized. He was saying that even with a /22 I'd see network degradation due to all of the broadcast traffic with around 250 VMs/physical servers if I'm on 10G Ethernet.

Is that crazy? This guy is doing mostly professional offices for physical therapists and the like, so I don't think he deals with big networks. It just seems like today's network gear wouldn't lose even 10% performance from having a /21 with 250 IPs used.
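The OP's plan (fixed addresses handed out by DHCP reservation, with a separate range per kind of host inside one /22) as an added Python example; it is not code from the thread. The 10.20.0.0/22 supernet, the one-/24-per-role carve-up and the inventory are constructed, and the output lines use dnsmasq's `dhcp-host=` syntax.

```python
import ipaddress
import re

# Constructed inventory: (hostname, role, MAC). The role decides which slice
# of the /22 a host lands in, which is how the ranges stay organised.
INVENTORY = [
    ("web01", "vm", "52:54:00:aa:bb:01"),
    ("web02", "vm", "52:54:00:aa:bb:02"),
    ("db01", "physical", "3c:fd:fe:00:11:22"),
    ("ipmi-db01", "mgmt", "3c:fd:fe:00:11:23"),
    ("dup", "vm", "52:54:00:AA:BB:01"),  # same MAC as web01, different case
]

SUPERNET = ipaddress.ip_network("10.20.0.0/22")  # assumption: constructed
# Role -> index of the /24 slice inside the supernet (assumption).
ROLE_SLICES = {"vm": 0, "physical": 1, "mgmt": 2}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def plan_reservations(inventory, supernet=SUPERNET, slices=ROLE_SLICES):
    """Assign each host a fixed IP in its role's slice and return
    (dnsmasq dhcp-host lines, list of problems). A MAC may only be
    reserved once, since the DHCP server binds exactly one lease to it."""
    subnets = list(supernet.subnets(new_prefix=24))
    next_host = {}
    for role, idx in slices.items():
        hosts = subnets[idx].hosts()
        next(hosts)  # leave the first usable address (.1) for the gateway
        next_host[role] = hosts
    seen_macs, lines, problems = {}, [], []
    for name, role, mac in inventory:
        mac = mac.lower()  # normalise so AA:BB and aa:bb compare equal
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac!r}")
        elif mac in seen_macs:
            problems.append(f"{name}: MAC {mac} already reserved for {seen_macs[mac]}")
        elif role not in next_host:
            problems.append(f"{name}: unknown role {role!r}")
        else:
            try:
                ip = next(next_host[role])
            except StopIteration:
                problems.append(f"{name}: slice for role {role} is full")
                continue
            seen_macs[mac] = name
            lines.append(f"dhcp-host={mac},{ip},{name}")
    return lines, problems


if __name__ == "__main__":
    reservations, issues = plan_reservations(INVENTORY)
    print("\n".join(reservations))
    print("\n".join("# " + p for p in issues))
```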

cesmith9999

Well-Known Member
Mar 26, 2013
He is right about the degradation; the real question is what his numbers are and what the degradation is at the various scope sizes.

It is also a question of how your network is laid out, whether you can support multiple VLANs, and whether it is practical. Where I work, we have so many VLANs that everything is segmented. For a small/medium network that may not be practical. In most cases the degradation is slight and can be handled without any apparent service degradation.

Chris

maze

Active Member
Apr 27, 2013
Honestly, I've seen both designs (small and large subnets) used poorly.

In my old job we had a guy who was nicknamed Johnny VLAN... there was a reason we had to clean up old VLAN numbers :)

It's all about the gear in the network. I've done /22s for school WiFi and it worked great. But he has a point.

The pieces of gear you put into a VLAN make or break the size. We had a customer who insisted on running Zyxel and D-Link (IIRC) switches that kept doing some odd broadcasts. The clients were impacted by it, and this was a /24 subnet. After changing to managed switches from a somewhat reputable brand, it worked a lot better.

But the weakest link is the clients/servers you have in the network. I personally would never do bigger than a /25 for a server VLAN... who needs that many services in the same network? Rather do a LAN, DMZ, Server-LAN-prod, Server-LAN-staging, Server-LAN-demo... etc.

It also makes security better between services :)

av00va

Member
Dec 10, 2015
I've been weighing this concept in my head. My VLANs are mgmt, DMZ, LAN, WiFi, and SAN. SAN is routed to prevent lagging down my Ubiquiti ER-X. The SAN has a direct port to all of the VLANs requiring it, so my router doesn't have to switch that traffic. Other than that, I have my mgmt VLAN separate to prevent script kiddies from running nmap and discovering these devices exist. The mgmt VLAN is, however, routed to my regular LAN. ACLs do isolate the DMZ from everything, with the exception of pinholes from my LAN to the DMZ for the use of network services. I wonder if that is a stupid thing to do. I'm trying my best to build a security-centric network. Tips?
