Flat vs Segmented Network Design

Discussion in 'Cisco' started by bobneworleans@yahoo.com, Nov 11, 2010.

  1. Guest

    I work on a network that supports around 400 users. The network was
    set up with separate VLANs for each of 8 floors plus one for the
    server farm and another for wireless. A L3 switch does all the
    routing between subnets. While segmentation was probably needed 10
    years ago, I have been wondering if this continues to be the best
    design given that the VLAN assignment is arbitrary (based on location
    only) and since virtually every packet must cross VLANs to be
    delivered.

    I'm considering putting everything (except for wireless) on the same
    /23 network. With modern non-blocking switches, isn't a "flat" network
    design just as valid (other than for security considerations)? So far
    as I can tell, the major benefit to a segmented L3 design is breaking
    up the broadcast domain but they are no longer a significant problem
    in our network.
    , Nov 11, 2010
    #1
  2. alexd Guest

    Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings,
    chose the tried and tested strategy of:

    > virtually every packet must cross VLANs to be delivered.


    What is performance like? If it ain't broke, don't fix it.

    > I'm considering putting everything (except for wireless) on the same
    > /23 network. With modern non-blocking switches, isn't a "flat" network
    > design just as valid


    A modern L3 switch should be able to route at wire speed.

    > (other than for security considerations)?


    It's not just active adversaries you have to worry about - what about that
    genius who accidentally gets the default gateway and the IP address the
    wrong way round when configuring his network card, knocking out the internet
    for everybody else?

    > So far as I can tell, the major benefit to a segmented L3 design is
    > breaking up the broadcast domain


    Broadcasts kill wireless performance. Keep wireless and the servers on a
    separate VLAN at least.

    > but they are no longer a significant problem in our network.


    Yeah...until they are! Unless you've got serious performance issues with
    your segmented network and can't afford the requisite hardware, don't try
    and fix it.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    20:22:13 up 10 days, 23:52, 6 users, load average: 0.16, 1.10, 0.65
    "I am utterly appalled at how I have been treated like a criminal"
    -- Andrew Crossley, ACS:Law, 13 August 2010
    alexd, Nov 11, 2010
    #2
  3. Guest

    > > virtually every packet must cross VLANs to be delivered.
    >
    > What is performance like? If it ain't broke, don't fix it.


    Performance is fine now on all wired segments (but some APs get
    overloaded at times.) The motivation for changing the design is a
    desire for increased simplicity.

    > > So far as I can tell, the major benefit to a segmented L3 design is
    > > breaking up the broadcast domain

    >
    > Broadcasts kill wireless performance. Keep wireless and the servers on a
    > separate VLAN at least.


    I will certainly keep wireless separate. Why do you recommend
    separating the servers from the clients? This seems counterproductive.
    , Nov 11, 2010
    #3
  4. bod43 Guest

    On Nov 11, 9:02 pm, ""
    <> wrote:
    > > > virtually every packet must cross VLANs to be delivered.

    >
    > > What is performance like? If it ain't broke, don't fix it.

    >
    > Performance is fine now on all wired segments (but some APs get
    > overloaded at times.)  The motivation for changing the design is a
    > desire for increased simplicity.
    >
    > > > So far as I can tell, the major benefit to a segmented L3 design is
    > > > breaking up the broadcast domain

    >
    > > Broadcasts kill wireless performance. Keep wireless and the servers on a
    > > separate VLAN at least.

    >
    > I will certainly keep wireless separate.  Why do you recommend
    > separating the servers from the clients?  This seems counterproductive.


    Funnily enough Mr. Bob I hold exactly the opposite view.

    Since we have hardware IP routing there is no reason to make
    subnets other than very small.

    Why not exactly one PC per network?

    At the end of the day, PCs are now so fast that
    it will be pretty much impossible to overwhelm
    them, but I fancy sticking to a hundred or so per subnet.
    It is free. Why have more?

    400 sounds way too many for me if using Windows due
    to the broadcast traffic.
    bod43, Nov 11, 2010
    #4
  5. Rob Guest

    bod43 <> wrote:
    > On Nov 11, 9:02 pm, ""
    > <> wrote:
    >> > > virtually every packet must cross VLANs to be delivered.

    >>
    >> > What is performance like? If it ain't broke, don't fix it.

    >>
    >> Performance is fine now on all wired segments (but some APs get
    >> overloaded at times.)  The motivation for changing the design is a
    >> desire for increased simplicity.
    >>
    >> > > So far as I can tell, the major benefit to a segmented L3 design is
    >> > > breaking up the broadcast domain

    >>
    >> > Broadcasts kill wireless performance. Keep wireless and the servers on a
    >> > separate VLAN at least.

    >>
    >> I will certainly keep wireless separate.  Why do you recommend
    >> separating the servers from the clients?  This seems counterproductive.

    >
    > Funnily enough Mr. Bob I hold exactly the opposite view.
    >
    > Since we have hardware IP routing there is no reason to make
    > subnets other than very small.
    >
    > Why not exactly one PC per network?


    Often those IP routing switches have an artificial limit on the
    number of VLANs that you can create, sometimes changeable by buying
    an extra license (hence artificial).

    So the switch may be capable of routing between 10 or 16 different
    VLANs, for example.
    Rob, Nov 12, 2010
    #5
  6. Guest

    On Nov 11, 5:43 pm, bod43 <> wrote:
    > Funnily enough Mr. Bob I hold exactly the opposite view.
    >
    > Since we have hardware IP routing there is no reason to make
    > subnets other than very small.
    >
    > Why not exactly one PC per network?


    Thank you for your comments, BOD43. You presented an interesting
    perspective. While microsegmentation makes perfect sense to me at L2,
    I am not yet convinced that this logic extends to L3. However, since
    the latency penalty of routing has now been eliminated, maybe so.

    > 400 sounds way to many for me if using Windows due
    > to the broadcast traffic.


    Are you referring to NetBIOS name query broadcasts? Although these
    used to be a problem in Microsoft networks, I believe that they have
    been pretty much replaced with DNS unicasts. Although I haven't
    checked this out myself, I've been told that broadcasts are not a
    significant problem any more. Is your experience different?
    , Nov 12, 2010
    #6
  7. Rob Guest

    <> wrote:
    >> 400 sounds way to many for me if using Windows due
    >> to the broadcast traffic.

    >
    > Are you referring to NetBIOS name query broadcasts? Although these
    > used to be a problem in Microsoft networks, I believe that they have
    > been pretty much replaced with DNS unicasts. Although I haven't
    > checked this out myself, I've been told that broadcasts are not a
    > significant problem any more. Is your experience different?


    You are right, there is no noticeable broadcast traffic in a reasonably
    configured MS network.

    The ARP traffic is about it.
    Rob, Nov 12, 2010
    #7
  8. alexd Guest

    Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings,
    chose the tried and tested strategy of:

    >> Keep wireless and the servers on a separate VLAN at least.
    >>

    > I will certainly keep wireless separate. Why do you recommend
    > separating the servers from the clients? This seems counterproductive.


    For the same reason; anyone can give their PC the same IP address as one of
    your servers and knock everybody else offline.

    As an example, I know someone with a 192.168.0.0/16. He has about 500
    desktops, 20 servers, 30 switches, etc all in that subnet. His main servers
    are 192.168.0.1, 2 and 3. Unfortunately 192.168.0.0/24 is a common default
    for some domestic routers, so when users bring hibernated laptops in from
    home, and plug them in, pandemonium will reign while many users get
    disconnected from Exchange, roaming profiles, etc.

    This isn't even to mention the damage someone with malicious intent can do
    if you make it easy for them.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    21:39:43 up 12 days, 1:10, 6 users, load average: 0.20, 0.15, 0.06
    "I am utterly appalled at how I have been treated like a criminal"
    -- Andrew Crossley, ACS:Law, 13 August 2010
    alexd, Nov 12, 2010
    #8
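The two failure modes alexd describes in #2 and #8 (a user who swaps the default gateway and the host address when configuring a NIC, and a laptop that wakes from hibernation still holding a home-router address that collides with a server) look the same on the wire: a second MAC starts answering ARP for an address that is already taken. The following is an added example, not code from the thread or from any poster: a small Python detector that runs over constructed tcpdump-style ARP reply lines and flags those collisions. The protected-address inventory, the MACs, the line format and the `192.168.0.254` gateway address are all assumptions made for the example.

```python
"""Duplicate-IP / rogue-gateway detector over ARP observations (added example).

Runs over constructed, tcpdump-like ARP reply lines and reports any protected
address (server or default gateway) answered for by a MAC other than its owner,
plus collisions between two ordinary hosts learned during the run.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed inventory: addresses that must only ever be claimed by one MAC.
# The thread's example uses 192.168.0.1, .2 and .3 for the main servers; the
# gateway address and all MACs below are made up for this example.
GATEWAY = IPv4Address("192.168.0.254")
PROTECTED = {
    IPv4Address("192.168.0.1"): "00:11:22:33:44:01",
    IPv4Address("192.168.0.2"): "00:11:22:33:44:02",
    IPv4Address("192.168.0.3"): "00:11:22:33:44:03",
    GATEWAY: "00:11:22:33:44:fe",
}

# Constructed capture lines in the shape tcpdump prints ARP traffic
# ("<time> ARP, Reply <ip> is-at <mac>, length 28"); not a real capture.
SAMPLE_CAPTURE = [
    "10:01:02.000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:01, length 28",
    "10:01:03.000 ARP, Reply 192.168.7.20 is-at aa:bb:cc:dd:ee:20, length 28",
    # a laptop woken from hibernation still holds its home router's address
    "10:01:04.000 ARP, Reply 192.168.0.1 is-at d4:5d:64:aa:bb:cc, length 28",
    # a NIC configured with the gateway's address instead of its own
    "10:01:05.000 ARP, Reply 192.168.0.254 is-at aa:bb:cc:dd:ee:99, length 28",
    # two ordinary hosts that ended up with the same address
    "10:01:06.000 ARP, Reply 192.168.7.20 is-at aa:bb:cc:dd:ee:21, length 28",
    # requests carry no "is-at" and are ignored by the parser
    "10:01:07.000 ARP, Request who-has 192.168.0.2 tell 192.168.7.20, length 28",
]


@dataclass(frozen=True)
class Alert:
    kind: str          # "server-ip-conflict", "rogue-gateway" or "host-ip-conflict"
    ip: str
    expected_mac: str  # owner on record (or the MAC first seen for that IP)
    seen_mac: str      # MAC that just answered for the address
    line_no: int       # 1-based index into the capture


def parse_arp_line(line):
    """Return (IPv4Address, mac) for an ARP reply line, or None for anything else."""
    parts = line.split()
    if "is-at" not in parts:
        return None
    i = parts.index("is-at")
    try:
        return IPv4Address(parts[i - 1]), parts[i + 1].rstrip(",").lower()
    except (ValueError, IndexError):
        return None


def detect_conflicts(lines, protected=PROTECTED):
    """Flag every reply in which an address is answered for by an unexpected MAC.

    Protected addresses are checked against the inventory; all other addresses
    are checked against the first MAC seen claiming them during this run.
    """
    learned = {}
    alerts = []
    for n, line in enumerate(lines, 1):
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        ip, mac = parsed
        if ip in protected:
            if protected[ip] != mac:
                kind = "rogue-gateway" if ip == GATEWAY else "server-ip-conflict"
                alerts.append(Alert(kind, str(ip), protected[ip], mac, n))
        elif ip in learned and learned[ip] != mac:
            alerts.append(Alert("host-ip-conflict", str(ip), learned[ip], mac, n))
        learned.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_conflicts(SAMPLE_CAPTURE):
        print(f"line {alert.line_no}: {alert.kind} {alert.ip} "
              f"expected {alert.expected_mac}, saw {alert.seen_mac}")
```

The detector only sees what reaches the capturing host's broadcast domain, which is the other half of the argument made in #2 and #8: in the segmented design a laptop plugged into a floor VLAN can announce 192.168.0.1 all it likes and the server VLAN never receives the frame, while in the flat /16 every host that caches the bogus ARP entry loses its path to the server until the entry ages out.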