multiple subnets

 
 
stueken@conterra.de

 
      10-05-2006, 12:52 PM
we are running a private class C network with a few servers and
about 60-100 hosts. By now we use several fast ethernet switches
and a few gigabit switches to connect all hosts directly.

Is it a problem, to run another subnet in parallel on the same
switches? If both subnets use distinct netmasks and broadcast patterns,
they should not affect each other, right? Someone else tells me,
this is not possible without using VLAN capable switches.

Must all traffic between both networks be routed thru a router?
We will get a router soon, but it is fast ethernet only. So I can't
establish a gigabit connection between hosts of different subnets
any more, even if they are connected to the same gigabit switch?

Dieter.

 
 
 
 
 
Allen Kistler

 
      10-06-2006, 02:19 AM
(E-Mail Removed) wrote:
> we are running a private class C network with a few servers and
> about 60-100 hosts. By now we use several fast ethernet switches
> and a few gigabit switches to connect all hosts directly.
>
> Is it a problem, to run another subnet in parallel on the same
> switches? If both subnets use distinct netmasks and broadcast patterns,
> they should not affect each other, right? Someone else tells me,
> this is not possible without using VLAN capable switches.
>
> Must all traffic between both networks be routed thru a router?
> We will get a router soon, but it is fast ethernet only. So I can't
> establish a gigabit connection between hosts of different subnets
> any more, even if they are connected to the same gigabit switch?


You don't need VLANs, but VLANs would make a lot of sense.
You will not be able to communicate between the address ranges without
something that has an interface on each one and can forward packets,
like a router.
 
 
kurt

 
      10-06-2006, 02:45 AM
(E-Mail Removed) wrote:
> we are running a private class C network with a few servers and
> about 60-100 hosts. By now we use several fast ethernet switches
> and a few gigabit switches to connect all hosts directly.
>
> Is it a problem, to run another subnet in parallel on the same
> switches? If both subnets use distinct netmasks and broadcast patterns,
> they should not affect each other, right? Someone else tells me,
> this is not possible without using VLAN capable switches.
>
> Must all traffic between both networks be routed thru a router?
> We will get a router soon, but it is fast ethernet only. So I can't
> establish a gigabit connection between hosts of different subnets
> any more, even if they are connected to the same gigabit switch?
>
> Dieter.
>


Running 2 subnets works just fine on the same unmanaged switch, but
there's really no advantage as far as traffic goes, and it's a weak
security measure at best. VLANs create separate "broadcast domains"
(Cisco-speak), and you would generally put different subnets on
different VLANs so you could route between them. That way, traffic for
local subnets stays on one VLAN and traffic between subnets passes
through the router, but broadcast/multicast traffic stays in the VLAN
where it originates. Regardless of whether you use VLANs or not, you'll
need a router to forward traffic between subnets. Note that without
VLANs, this actually INcreases traffic, rather than decreasing it as you
want. You can also use a layer-3 switch somewhere in the mix, which
generally handles switching, VLANs and can handle all the routing, too.
But they cost WAY more. With just two small subnets I'd look at managed
layer-2 switches and a decent router (Switch about $600 - $800 and
router around $300 US).

....kurt
 
 
David Schwartz

 
      10-06-2006, 07:43 PM

(E-Mail Removed) wrote:

> we are running a private class C network with a few servers and
> about 60-100 hosts. By now we use several fast ethernet switches
> and a few gigabit switches to connect all hosts directly.


> Is it a problem, to run another subnet in parallel on the same
> switches? If both subnets use distinct netmasks and broadcast patterns,
> they should not affect each other, right? Someone else tells me,
> this is not possible without using VLAN capable switches.


It will work, but most likely you will ultimately regret it. Unless you
plan on placing several machines in both subnets, I would try to keep
them logically separate. VLANs are one way to do this. I would strongly
urge that non-VLAN switches be dedicated to a single subnet unless the
switch can be partitioned, in which case each partition should be
dedicated to a single subnet.

There are a variety of reasons why you are likely to eventually regret
running separate networks over the same switches (without separating
them into VLANs or otherwise partitioning them).

One reason is security. Someone who compromises a machine will
compromise all the machines on all the networks. Gateway hijacking is a
serious problem.

Another reason is limiting the damage due to accidental bad behavior.
This includes things like broadcast storms.

There are a variety of other reasons you are likely to regret
overlapping your networks this way. The only time you won't regret it
is in a very small application (for example, overlapping a NATed home
network in private IP space with a routable office network in a
home/office type setup).

> Must all traffic between both networks be routed thru a router?


Essentially, yes.

> We will get a router soon, but it is fast ethernet only. So I can't
> establish a gigabit connection between hosts of different subnets
> any more, even if they are connected to the same gigabit switch?


Nope, that's not what switches do.

DS
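
Detection logic for the gateway-hijacking risk on a shared switch, as an added example that is not part of the original thread: it checks ARP observations against pinned gateway MACs and flags a MAC that claims addresses in both subnets. All addresses, MACs and the `GATEWAYS`/`DUAL_HOMED` allow-lists are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed addressing plan; the thread gives no real addresses.
SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.20.0.0/24")]
# Gateway IP -> MAC the administrator has pinned as legitimate.
GATEWAYS = {"192.168.1.254": "02:00:00:00:00:01",
            "10.20.0.254": "02:00:00:00:00:02"}
# MACs allowed to hold addresses in both subnets (deliberately dual-homed).
DUAL_HOMED = {"02:00:00:00:00:10"}

def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n in SUBNETS if addr in n), None)

def analyse(observations):
    """Return alerts for (ip, mac) ARP observations, in the order seen."""
    alerts = []
    last_mac = {}                   # ip -> MAC most recently seen for it
    nets_by_mac = defaultdict(set)  # mac -> subnets it has claimed so far
    for ip, mac in observations:
        mac = mac.lower()
        pinned = GATEWAYS.get(ip)
        if pinned is not None and mac != pinned:
            alerts.append(("gateway-mac-mismatch", ip, mac))
        elif last_mac.get(ip, mac) != mac:
            alerts.append(("ip-changed-mac", ip, mac))
        last_mac[ip] = mac
        net = subnet_of(ip)
        if net is not None and net not in nets_by_mac[mac]:
            nets_by_mac[mac].add(net)
            if len(nets_by_mac[mac]) > 1 and mac not in DUAL_HOMED:
                alerts.append(("mac-spans-subnets", ip, mac))
    return alerts

# Constructed observations, e.g. collected from repeated `ip neigh` snapshots.
SAMPLE = [
    ("192.168.1.254", "02:00:00:00:00:01"),  # real gateway
    ("192.168.1.17", "02:00:00:00:00:17"),   # workstation
    ("10.20.0.10", "02:00:00:00:00:10"),     # dual-homed server, allowed
    ("192.168.1.10", "02:00:00:00:00:10"),
    ("10.20.0.5", "02:00:00:00:00:17"),      # workstation claims 2nd subnet
    ("192.168.1.254", "02:00:00:00:00:17"),  # and then the gateway address
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(*alert)
```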

 
 
Juha Laiho

 
      10-08-2006, 10:42 AM
(E-Mail Removed) said:
>we are running a private class C network with a few servers and
>about 60-100 hosts. By now we use several fast ethernet switches
>and a few gigabit switches to connect all hosts directly.
>
>Is it a problem, to run another subnet in parallel on the same
>switches? If both subnets use distinct netmasks and broadcast patterns,
>they should not affect each other, right? Someone else tells me,
>this is not possible without using VLAN capable switches.


As others have told you, VLAN-capable switches are not required,
but do make sense.

>Must all traffic between both networks be routed thru a router?


Mmm.. not necessarily. You could (perhaps depending on the OS)
configure your system to just output packets destined to a given
network through a given interface, even when the interface has an
address that is not within the destination network. So, f.ex.
the host has an interface with an address 192.168.1.1, and still
it is possible to add a route for 10.0.0.0/8 on that interface.
Of course, the destination machine at 10.x.x.x has to know how
to route packets back to 192.168.1.1. But then, if you do this,
then it must be asked, what was the purpose of the separate
network address space?

>We will get a router soon, but it is fast ethernet only. So I can't
>establish a gigabit connection between hosts of different subnets
>any more, even if they are connected to the same gigabit switch?


Well, is there a reason to pass a gigabit through the router?


I think you should (unless you have done so already), create a network
plan, starting with the roles of the machines in the network. Find
out which machines need to communicate with each other; which machines
could be considered as a workstation network; and so on. Consider
possible needs to limit traffic somewhere. These points will at some
point lead to some kind of picture, which will f.ex. show what would
be the correct places for routers, and you'll be able to estimate
bandwidth need for the routers, and so on.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
 
stueken@conterra.de

 
      10-09-2006, 09:57 AM
Juha Laiho said:
> As others have told you, VLAN-capable switches are not required,
> but do make sense.


No doubt, but we have had a network working for years without any
problem.

The plan is, to migrate our current network to become part of a larger
WAN. So I have to assign new IP numbers for all my hosts. During a
first test I want to try this for a few hosts only, to see if it works,
before I start to disassemble my currently working local network.
During this phase, I may use the router, to bridge between the
old and the new network, until all hosts/servers are migrated.

To realize the WAN, we use the router to perform the routing to the
external parts of the new network. However, once we get this router,
we are supposed to introduce subnetting of our internal network, too.

Thus we will get subnets for our servers, for the workstations and for
our printers. But for this second step I can't see the big advantage.

> I think you should (unless you have done so already), create a network
> plan, starting with the roles of the machines in the network. Find
> out which machines need to communicate with each other; which machines
> could be considered as a workstation network; and so on. Consider
> possible needs to limit traffic somewhere. These points will at some
> point lead to some kind of picture, which will f.ex. show what would
> be the correct places for routers, and you'll be able to estimate
> bandwidth need for the routers, and so on.


Until now, all connected hosts/devices can talk to each other directly
(GB-switched).
The main traffic will be between the servers and the workstations. I
don't expect any big traffic between the workstations. I also don't
expect my printers to transfer big data volumes among each other. If I
introduce subnetting, I force all traffic through the router. Some
advantage is, to deduce from the IP number if it is a
printer/server or workstation. I also may "control" the communication
between my internal subnets, but I can't see any reason to do so (by now).
I might reduce the broadcast traffic a bit, but I don't observe any
broadcast problem.
Thus I solve a problem I don't have by a solution, that reduces my
network performance?

My idea is, to introduce several class-A subnets, but to get them
aligned, to be able to use a common subnet mask for all of them. Thus
all members may talk directly to each other, excluding the router.

If I once have to introduce a separate subnet which has to be insulated
from the rest for any security reason (as we have i.e. for our DMZ), I
will definitely put it behind the router, physically separated.

Does this make sense?

Dieter.
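
The forwarding decision discussed in this thread (the on-link route for 10.0.0.0/8 and the common subnet mask idea), as an added example that is not part of the original posts: a host's own routing table, not the switch, decides whether a packet reaches the router, so a router ACL only sees traffic that hosts choose to send through it. The address plan, the gateway 192.168.1.254 and the interface name `eth0` are constructed assumptions.

```python
import ipaddress

def next_hop(dst, routes):
    """Longest-prefix match over (prefix, gateway) routes.

    gateway None means on-link: the host ARPs for dst and the switch
    delivers the frame directly, with no router in the path.
    """
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return "unreachable"
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return "direct" if gw is None else f"via {gw}"

def common_supernet(subnets):
    """Smallest single prefix that contains every given subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

# Constructed: a host still on the old range, with a default gateway.
OLD_HOST = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")]
# Same host after an on-link route for the second range is added
# (the effect of `ip route add 10.0.0.0/8 dev eth0`; eth0 is assumed).
WITH_ONLINK = OLD_HOST + [("10.0.0.0/8", None)]
# Constructed role subnets: servers, workstations, printers.
ROLES = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]

def demo():
    cover = common_supernet(ROLES)
    # A workstation configured with the common mask instead of /24.
    aligned = [(str(cover), None), ("0.0.0.0/0", "10.1.0.1")]
    return {
        "old host -> 10.1.0.5": next_hop("10.1.0.5", OLD_HOST),
        "with on-link route -> 10.1.0.5": next_hop("10.1.0.5", WITH_ONLINK),
        "common mask": str(cover),
        "workstation -> printer 10.1.2.9": next_hop("10.1.2.9", aligned),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```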

 