2 Domains, 1 Subnet

Discussion in 'MCSE' started by TBone, Apr 3, 2009.

  1. TBone

    TBone Guest

    After I wrote that I realized *what else* it might seem like...

    Yet I'm hoping to get a serious answer...

    I am simplifying our network, but I have an ongoing argument with the
    owner of the company (who admits to knowing nothing about networking)
    that our production domain and test domain should be on separate subnets
(i.e. 10.1.1.x and 10.1.2.x). He says that he wants the management of
    the network to be simplified and therefore we should run both domains in
    the same subnet. We have about 100 workstations and 10 servers, so this
    is not a big network by any means.

    I know it can be done either way. The reason I'm posting is to hopefully
call on the collective experience of the group about the advantages of
    doing this one way or the other.

    Only caveat is users in the production domain will need to be able to
    connect and work with servers in the test domain.
    TBone, Apr 3, 2009

  2. James Guest

    Personally, I would split them up and only allow the access that is
    necessary to perform testing. You could use ACLs to block access to
    resources if needed during development, and then open them back up for

    It is more work, but there are benefits. Then again, as long as you
    have explained the pros and cons to management, it is their problem at
    that point, and their responsibility. If the owner of a company wants
    to do something against the recommendations of his trusted staff, at
    some point you have to just comply.

    Good luck,

    James, Apr 3, 2009

  3. This latter point is exactly the reason why they must be in the same subnet.

    Or else, you'll need to install and maintain some sort of router
    functionality so that traffic can get from subnet 'A' to subnet 'B'.

    Truth be told, what you have here is two different network topologies, that
    each should be evaluated independent of one another.

    Domains are security boundaries for users and resources. If users in the
    production domain need to connect and work with servers in the test domain,
    then the test domain is going to have to trust the production domain. At
    this point, it begs the question of what the value of a separate domain
    actually becomes.

    IP Subnets are logical (broadcast) boundaries to control network-level
    traffic. If members of group 'a' routinely need to access resources in group
    'b', and both groups are on the same *physical* LAN infrastructure, then the
    complication of separate subnets most likely outweighs any perceived
    disadvantage of having them all on one network.

    The *only* reason I could justifiably see creating multiple subnets on the
    same physical LAN is if one or the other group has more than 250 devices...
    but even then, it's trivial to use CIDR masking and create a subnet with
    Without more information, I'm hard pressed to see the justification for
    either a separate domain =or= a separate IP Subnet, and if your primary
    objective is to simplify the network, then take a lesson from the earliest
    "Active Directory Domain Services" training literature way back in 1999
    which stated simply (and paraphrased): Unless you have a justifiable need
    for more than one domain, ONE domain is what you should configure.

    What you need for your test network is a separate =OU=. :)

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    Lawrence Garvin [MVP], Apr 4, 2009
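    Two of the replies above make claims that are easy to check with a few lines of code: James's point that a split can be paired with ACLs that only permit the access testing actually needs, and Lawrence's point that two /24s on one wire need a router between them, whereas a single larger CIDR block removes that need. The following is an added example, not code from the thread or from any of its posters; the addresses, the "allowed" rules and the server roles are constructed purely for illustration, and the ACL is a simplified model of one, not a vendor configuration.

```python
import ipaddress

# Constructed addressing taken from the original post's wording:
# production on 10.1.1.x, test on 10.1.2.x. Not a real network.
PROD = ipaddress.ip_network("10.1.1.0/24")
TEST = ipaddress.ip_network("10.1.2.0/24")


def same_broadcast_domain(a: str, b: str, networks) -> bool:
    """True if hosts a and b fall inside the same subnet, i.e. they can
    talk directly without a router (Lawrence's 'subnet A to subnet B' point)."""
    ha, hb = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(ha in net and hb in net for net in networks)


def smallest_supernet(*networks) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every given network.
    Walks up one prefix bit at a time from the first network."""
    nets = list(networks)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable IPv4 host addresses: total minus network and broadcast."""
    return net.num_addresses - 2


# Hypothetical allow-list modelling James's "only allow the access that is
# necessary": (source network, destination host, TCP port). Anything not
# listed is denied. The hosts and ports are invented for the example.
ALLOW = [
    (PROD, ipaddress.ip_address("10.1.2.10"), 445),   # SMB to one test file server
    (PROD, ipaddress.ip_address("10.1.2.20"), 3389),  # RDP to one test app server
]


def acl_permits(src: str, dst: str, port: int) -> bool:
    """Default-deny check: a flow passes only if an ALLOW entry matches
    the source subnet, the exact destination host and the port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d == host and port == p for net, host, p in ALLOW)


if __name__ == "__main__":
    # Separate /24s: a production host and a test host need routing.
    print(same_broadcast_domain("10.1.1.5", "10.1.2.5", [PROD, TEST]))
    # One block covering both ranges removes the router, at the cost of
    # losing the network-level choke point where ACLs would sit.
    merged = smallest_supernet(PROD, TEST)
    print(merged, usable_hosts(merged))
    print(same_broadcast_domain("10.1.1.5", "10.1.2.5", [merged]))
    # With the split kept, the ACL decides what crosses the boundary.
    print(acl_permits("10.1.1.50", "10.1.2.10", 445))
    print(acl_permits("10.1.1.50", "10.1.2.10", 3389))
```

    Running it shows the trade-off the thread is circling: merging 10.1.1.x and 10.1.2.x into one block needs a /22 (10.1.0.0/22, 1022 usable addresses, well beyond the ~110 devices mentioned), which is the "trivial CIDR masking" Lawrence refers to; keeping two /24s costs a routing hop but gives you the boundary at which an allow-list like `acl_permits` can be enforced and logged, which is the only place James's "open them back up" control can live.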
  4. Gabe Guest

    In a small network it's not likely going to be a performance problem. There
    may be security issues related to your coworkers seeing things that have not
    yet been released, perhaps even using things that are not ready to be used

    Will your test environment be "polluted" by being connected to the same
    subnet as the production environment? If so, your argument could be that it
    would invalidate your testing.
    Gabe, Apr 7, 2009