Networking Forums



Best Practices for Subnetting

 
 
Irwin Fletcher
04-17-2008, 03:51 PM
We currently have between 120 and 140 Windows XP or Server 2003 machines
on a 192.168.1.x / 255.255.255.0 style network. I have the computer
browser service disabled on all machines as well as Netbios over TCP
disabled on all machines (we use DNS for all name resolution). So when
I run a sniffer and look at only broadcast traffic there is a relatively
low amount of it. The network is growing and I will need more than 254
addresses at some point in the near future. I was thinking of just
changing our existing subnet mask to 255.255.240.0 to allow for more
192.168.?.x ip addresses. I obviously also have the option of creating
adjacent subnets using the 255.255.255.0 subnet mask. My question is,
at what point is a good best practice to use separate physical segments?
If I have a relatively low amount of broadcast traffic is there
anything wrong with having say 250-300 machines on the same subnet?
 
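The two growth paths from the post above (widen the mask of the existing network, or keep /24 and add adjacent /24s behind a router) worked through with Python's standard ipaddress module. This is an added example, not code from the thread; the network, mask and host counts are the ones Irwin gives, and the inventory list at the end is constructed. The last two functions cover a caveat a practitioner would want: a host still configured with the old /24 does not treat the new 192.168.2.x addresses as on-link, so it sends that traffic to its default gateway instead of ARPing for it, and the mask has to change on every host (DHCP scope options included) before the new range is used.

```python
import ipaddress


def widen_mask(current_cidr, new_mask):
    """Option (a) from the post: keep every existing address, only widen the mask.
    Returns (new_network, usable_hosts). Raises if the old block would not
    fall inside the new one, i.e. if the change would renumber hosts."""
    old = ipaddress.ip_network(current_cidr, strict=False)
    new = ipaddress.ip_network(f"{old.network_address}/{new_mask}", strict=False)
    if not old.subnet_of(new):
        raise ValueError(f"{old} is not contained in {new}")
    return new, new.num_addresses - 2


def adjacent_subnets(current_cidr, needed_hosts, hosts_per_subnet=254):
    """Option (b): stay on /24 and add adjacent /24 blocks behind a router or
    layer-3 switch. Returns the list of /24s needed for needed_hosts machines."""
    base = ipaddress.ip_network(current_cidr, strict=False)
    count = -(-needed_hosts // hosts_per_subnet)          # ceiling division
    first = int(base.network_address)
    return [ipaddress.ip_network(f"{ipaddress.ip_address(first + 256 * i)}/24")
            for i in range(count)]


def on_link(host_ip, host_mask, target_ip):
    """Does a host configured with host_mask treat target_ip as local (ARP for
    it directly) or hand it to its default gateway? Mask mismatches show here."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(target_ip) in iface.network


def mask_mismatches(hosts, expected_mask):
    """Given (ip, mask) pairs collected from the machines (e.g. from ipconfig
    output), return the ones still carrying a mask other than expected_mask."""
    want = ipaddress.ip_network(f"0.0.0.0/{expected_mask}").prefixlen
    return [(ip, mask) for ip, mask in hosts
            if ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen != want]


# Constructed sample, using the numbers from the post (hypothetical inventory)
CURRENT = "192.168.1.0/24"
INVENTORY = [("192.168.1.10", "255.255.240.0"),
             ("192.168.1.11", "255.255.240.0"),
             ("192.168.1.12", "255.255.255.0")]   # one host missed the change

if __name__ == "__main__":
    net, hosts = widen_mask(CURRENT, "255.255.240.0")
    print(f"widen to {net}: {hosts} usable hosts, one broadcast domain")
    print("adjacent /24s for 300 hosts:",
          [str(n) for n in adjacent_subnets(CURRENT, 300)])
    print("192.168.1.12 (/24) reaches 192.168.2.20 directly?",
          on_link("192.168.1.12", "255.255.255.0", "192.168.2.20"))
    print("hosts still on the old mask:", mask_mismatches(INVENTORY, "255.255.240.0"))
```

Note that 255.255.240.0 gives 4094 usable addresses in a single broadcast domain, far more than the 300 needed; a /23 (255.255.254.0, 510 hosts) would cover the stated growth while keeping the domain closer to the /24 the replies recommend.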
Phillip Windell
04-17-2008, 06:23 PM
Ethernet degrades after 250-300 hosts. Stay with the /24 subnet of 254
Hosts.

Just buy a simple LAN router or Layer 3 switch (switch and router in the same
device) and add an additional /24 segment of 254 hosts, giving you a total
of 508 hosts.

Using DNS for resolution does not negate the need of Netbios Over TCP/IP and
the use of the browser service. Everybody using Active Directory is already
using DNS for resolution so that doesn't really mean anything.

Sooner or later you will run across applications that require those things
to function. It is not *just* about Windows; it is about all the
gazillions of applications floating around out there that have those
requirements. Even most versions of Outlook require it to work properly and
dependably with Exchange.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Irwin Fletcher
04-17-2008, 06:54 PM
I'm assuming that the degradation after 250-300 hosts comes from
excessive arp requests? If not then from where?

It seems like the only drawbacks to using a router or layer 3 switch is
that I lose the ability to broadcast between subnets and isn't there a
performance hit when you go across the router as opposed to staying
local on your subnet? Are there any others that I should be aware of?

Bill Grant
04-17-2008, 08:03 PM
Losing network-wide broadcasts is an advantage, not a disability, even if
you are using Netbios name resolution. You simply install WINS and make all
machines WINS clients.

I doubt that you would ever notice or be able to measure the difference
in access time between direct access and access over one router hop.

Phillip Windell
04-17-2008, 08:16 PM
"Irwin Fletcher" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I'm assuming that the degradation after 250-300 hosts comes from excessive
> arp requests? If not then from where?
>
> It seems like the only drawbacks to using a router or layer 3 switch is
> that I lose the ability to broadcast between subnets


It is not a drawback,..it is a benefit.
For Netbios over the subnets you would use WINS. When WINS is used, Netbios
is "directed" instead of "broadcast" because the Netbios queries are sent
directly to the WINS server listed in the TCP/IP specs instead of being
"blindly" broadcast.

> and isn't there a performance hit when you go across the router as opposed
> to staying local on your subnet?


You are not going to create a "router processing lag" with such a small
network with a single "hop" [router] between the subnets. The benefit of
busting up the broadcast domain into smaller pieces creates more performance
than "router lag" would ever take away.

I know Bill said the same thing,..but I just wanted to backup what he said.

--
Phillip Windell
www.wandtv.com

-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------


 
Jim in Arizona
04-17-2008, 08:47 PM
Hello Phillip (and Bill and Irwin if you're reading).

What would be the advantage of using netbios over router hops with WINS?

I was a pc tech for a network that had multiple sites (active directory
sites connected via P2P T-1s), each running 192.168.x.x/24 (8 sites with
IPs 192.168.1.0-192.168.8.0). When we first set up the network we were
running WINS but, since we were already running active directory integrated
DNS, there wasn't any real need (that we could think of) for WINS so we
removed WINS from the network. After doing so, we didn't notice any change
in network operations or performance.

The original reason I had WINS set up was so that Symantec Antivirus
Corporate could browse for other servers across the network routers. But
since we were using TCP/IP and knew the IPs of the servers, WINS was not
necessary and just added more overhead to our network.

In Irwin's situation, I wonder what would be his advantage of running WINS
across his two (soon to be two) networks. Can you (Phillip or Bill) give
me some insight?

Thanks,
Jim



Phillip Windell
04-17-2008, 09:06 PM
"Jim in Arizona" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello Phillip (and Bill and Irwin if you're reading).
>
> What would be the advantage of using netbios over router hops with WINS?


Hi Jim,
That's easy. With WINS it works over routers. Without WINS it does not
work.
But I don't suppose that was what you meant by asking :-)

> I was a pc tech for a network that had multiple sites (active directory
> sites connected via P2P T-1s), each running 192.168.x.x/24 (8 sites with
> IPs192.168.1.0-192.168.8.0). When we first set up the network we were
> running WINS but, since we were already running active directory
> integrated DNS, there wasn't any real need (that we could think of) for
> WINS so we removed WINS from the network. After doing so, we didn't notice
> any change in network operations or performance.


It isn't about network performance, it is about functionality with
Applications that still live in the "dark ages" that require Netbios
resolution.

> The original reason I had WINS set up was so that Symantec Antivirus
> Corporate could browse for other servers across the network routers.


That is an example what I am talking about.

> since we were using TCP/IP and knew the IPs of the servers, WINS was not
> necessary and just added more overhead to our network.


Not everyone wants to use the IP#s. The WINS overhead is next to nothing
when compared to the big picture.

> In Irwin's situation, I wonder what would be his advantage of running WINS
> across his two (soon to be two) networks. Can you (Phillip or Bill) give
> me some insight?


I'm not saying that he has to, I'm only recommending that he does. I don't
think there is any real performance loss worth mentioning and it will save
hassles if he ends up with "problem" applications. But if all of his
applications are doing fine then he can go without it. However he needs to
keep the things we mentioned in mind in the event problems related to this
pop up in the future (sort of a "you've been warned" thing).

--
Phillip Windell
www.wandtv.com

Jim in Arizona
04-17-2008, 10:04 PM

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:el%(E-Mail Removed)...
> "Jim in Arizona" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> since we were using TCP/IP and knew the IPs of the servers, WINS was not
>> necessary and just added more overhead to our network.

>
> Not everyone wants to use the IP#s. The WINS overhead is next to nothing
> when compared to the big picture.
>
> --
> Phillip Windell
> www.wandtv.com
>


The only overhead that we had where I last worked was additional servers at
each site. We were running DHCP and WINS on one box with AD and DNS on
another. Once we were able to remove WINS, we moved DHCP over to the AD box
(which we could have done anyway) and were then able to get rid of a server
at each site. I was told by another pro in the field that running WINS and
DNS on the same machine isn't a good idea so that's why we had WINS
installed on its own machine at each site. Although not much of an overhead,
sure, but still an additional 4 or 6 computers (and expensive windows
licenses) that weren't needed and/or could be used elsewhere in the
organization.

Thanks Phillip.

Jim


 
Irwin Fletcher
04-18-2008, 07:56 PM
Believe it or not, I've been able to keep any of the apps that seem to
want / need netbios off the network or happy in some other way. So
there are literally no netbios broadcasts on my network. So I'm less
concerned with netbios and more concerned with other apps that need to
use broadcasting to operate. We have several internal apps that need to
be able to broadcast to find things. Many of them use a proprietary
method but some use rendezvous. I worried about my users coming to me
saying, can you put me on such and such subnet? I know that people
(even me in the past) typically cut off subnets at say 100 hosts but
given that there is little to no broadcast traffic, I haven't really
heard a good reason why. I guess I could see excessive arp traffic
being a possibility.

And regarding router hop performance, if you assume that the whole
network is currently gigabit switched, I know it won't be much of a
performance hit to go across a router but would it be large enough to be
noticeable? Or is that more of a question of how good / fast the
hardware is?

Phillip Windell
04-18-2008, 08:12 PM
"Irwin Fletcher" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> concerned with netbios and more concerned with other apps that need to use
> broadcasting to operate. We have several internal apps that need to be
> able to broadcast to find things.


I can't think of any that do that. But some need Netbios. Netbios does not
equal broadcasting. It also has to do with how applications may expect to
have machine names presented to them.

> (even me in the past) typically cut off subnets at say 100 hosts but


Not 100. 254.

> given that there is little to no broadcast traffic,


You better think again.
DHCP Discovery, ARP, STP, CDP, just to name a few.
When you have multiple routers there is the potential for RIP, OSPF, GRP,
IGRP, etc.
Some may not be 100% broadcast but may broadcast for part of their
functionality.

You better run Netmon or your favorite packet sniffer and look at all the
packets with a destination of ff-ff-ff-ff-ff-ff. Not everything has
anything to do with TCP/IP or UDP/IP.

--
Phillip Windell
www.wandtv.com



 
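One way to do the broadcast audit Phillip describes, as an added example that is not code from the thread: a small parser for the classic libpcap file format that counts frames sent to ff:ff:ff:ff:ff:ff and labels them by protocol (ARP, DHCP, NetBIOS name service, and so on). It also counts link-layer multicast separately, because STP, CDP and mDNS (the protocol behind Rendezvous that Irwin mentions) go to group addresses rather than to the broadcast address, so a filter on ff:ff:ff:ff:ff:ff alone would miss them. The capture it runs on is constructed inline (one ARP request, one DHCP discover, one NetBIOS name query, one mDNS query, one STP BPDU and one unicast frame, with checksums left at zero); summarize_file reads a real capture saved in classic pcap format by tcpdump or Wireshark and does not handle pcapng or non-Ethernet link types.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
UDP_NAMES = {67: "DHCP", 68: "DHCP", 137: "NBNS", 138: "NetBIOS-DGM", 5353: "mDNS"}


def build_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_udp(src_ip, dst_ip, sport, dport, data):
    """Minimal IPv4 + UDP encapsulation; checksums left at zero (fine for a parser test)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + udp


def pcap_bytes(frames):
    """Wrap Ethernet frames in a classic little-endian libpcap file (linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_frames(data):
    """Yield the raw Ethernet frames from classic pcap bytes (either byte order)."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError("capture is not Ethernet (linktype %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]   # captured length
        off += 16
        yield data[off:off + incl]
        off += incl


def classify(frame):
    """Label a frame by scope and protocol; None for unicast (not of interest here)."""
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst == BROADCAST:
        scope = "broadcast"
    elif dst[0] & 1:
        scope = "multicast"        # STP, CDP, LLDP, mDNS use group MACs, not ff:ff:...
    else:
        return None
    if ethertype == 0x0806:
        return scope + ":ARP"
    if ethertype == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] == 17:    # UDP carries nearly all IPv4 broadcast traffic
            dport = struct.unpack("!H", frame[16 + ihl:18 + ihl])[0]
            return scope + ":" + UDP_NAMES.get(dport, "UDP/%d" % dport)
        return scope + ":IPv4-proto-%d" % frame[14 + 9]
    if ethertype <= 1500:
        return scope + ":802.3-LLC"    # length field instead of a type: e.g. STP BPDUs
    return scope + ":ethertype-0x%04x" % ethertype


def broadcast_summary(pcap):
    """Return (total_frames, Counter of labels) for everything that is not unicast."""
    total, counts = 0, Counter()
    for frame in iter_frames(pcap):
        total += 1
        label = classify(frame)
        if label:
            counts[label] += 1
    return total, counts


def summarize_file(path):
    with open(path, "rb") as fh:
        return broadcast_summary(fh.read())


# Constructed sample capture: two hosts on 192.168.1.0/24 (addresses are made up)
A, B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ARP_REQ = (b"\x00\x01\x08\x00\x06\x04\x00\x01" + A + b"\xc0\xa8\x01\x0a"
           + b"\x00" * 6 + b"\xc0\xa8\x01\x01")
SAMPLE_PCAP = pcap_bytes([
    build_frame(BROADCAST, A, 0x0806, ARP_REQ),
    build_frame(BROADCAST, A, 0x0800, ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67, b"\x01" * 240)),
    build_frame(BROADCAST, B, 0x0800, ipv4_udp("192.168.1.20", "192.168.1.255", 137, 137, b"\x00" * 50)),
    build_frame(bytes.fromhex("01005e0000fb"), B, 0x0800,
                ipv4_udp("192.168.1.20", "224.0.0.251", 5353, 5353, b"\x00" * 12)),
    build_frame(bytes.fromhex("0180c2000000"), A, 38, b"\x42\x42\x03" + b"\x00" * 35),  # STP BPDU
    build_frame(B, A, 0x0800, ipv4_udp("192.168.1.10", "192.168.1.20", 40000, 53, b"\x00" * 20)),
])

if __name__ == "__main__":
    import sys
    total, counts = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else broadcast_summary(SAMPLE_PCAP)
    print("frames: %d, non-unicast: %d" % (total, sum(counts.values())))
    for label, n in counts.most_common():
        print("  %-22s %d" % (label, n))
```

Run it against a capture taken on a mirrored switch port over a busy hour and divide each count by the capture length; the per-second rate of ARP and DHCP broadcasts is what actually grows with host count, and it is a number you can compare before and after splitting the network.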
