I’m in the middle of designing two brand-new networks from scratch, one for a stadium and another for an ~80k sq ft country club, and I’m using this as a chance to clean up some of the design decisions that caused pain in our older environments, mostly subnet scopes being too small and poorly planned for expansion.
I’m planning to use the 10.40.0.0/16 range for LAN addressing and mostly segment on the third octet.
Guest networks will live in the 192.168.0.0/16 space: one wireless network and another wired one for conferences and events.
Where I’m getting hung up is subnet size versus security.
My question is: are there any real security benefits to carving networks smaller than /24s (like /26s or /27s) if VLAN separation and firewall policies are already doing the heavy lifting?
Smaller subnets feel like they add a lot of operational and planning complexity, especially when trying to keep VLAN IDs clean and intuitive, and I’m struggling to see where the practical security gains outweigh that cost even for management or infrastructure networks.
I think I need more information. What is it that you are trying to protect? The only real benefit of segmenting is to prevent lateral movement if compromised. If you have concerns about that, then segment. Also remember that if you have a device that is concerning and it is sitting on a big network with a ton of other devices, then no firewall will save you from devices within the broadcast domain (same subnet).
So I’m pretty sure I have an answer on this; effectively I’m overcomplicating things. Basically we’re just standing up a couple of new networks and I want to be sure I’m not over-allocating when, for example, my server LAN only needs maybe 30 addresses. That being said, I don’t know how effective assigning smaller networks is in the grand scheme considering that our org will never need more than, say, 20 subnets. It’s less about security and more about manageability at this point.
Good question, I agree it’s good to find the balance between complexity and sensible risk mitigation. I am no networking expert, but could you consider supernetting? This might meet your need for segmenting devices at broadcast level, but simplify routing / firewall complexity.
For example, set devices to have a 192.168.1.0/24 config, other devices to have 192.168.2.0/24 config and so forth, but then at firewall / route level, manage it as 192.168.0.0/16. This should limit broadcasting and the blast radius of any subnet-based compromise, but keeps the management complexity lower (while still being flexible if you need to lock down a specific /24 subnet).
I would use /24s for any networks with hosts on them to keep it simple. It makes it easy to match your third octet to the VLAN ID. If you have point-to-point links, such as between routers, /30 or /31 is common to see. The only time I used anything smaller than a /24 was when I was hosting applications for customers in my data center or cloud. For customers on prem networks I almost always used /24s.
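An added example, not code from anyone in this thread, that ties together the addressing points raised in the replies above: the third octet doubling as the VLAN ID, usable host counts for a /24 versus /26, /27 and /31 point-to-point links, an overlap check on the plan, the covering prefix that a route or firewall rule could key on, and a first-match guest policy in which one /24 is singled out while the rest of 192.168.0.0/16 is handled by a single broad rule. The VLAN names and IDs, the /31 links and the policy rules are constructed for illustration; only the two /16 blocks come from the original post.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed plan (not from the thread): 10.40.0.0/16 carved into /24s whose
# third octet equals the VLAN ID, plus two /31 router-to-router links.
LAN_BASE = "10.40.0.0/16"
VLAN_PLAN: Dict[str, int] = {"mgmt": 10, "servers": 20, "av": 30, "staff-wifi": 40}
P2P_LINKS: List[str] = ["10.40.254.0/31", "10.40.254.2/31"]

# Constructed guest policy, evaluated first-match with an implicit default deny.
# One event /24 is singled out; the rest of 192.168.0.0/16 is covered by two broad rules.
Rule = Tuple[str, str, str]  # (source prefix, destination prefix, action)
GUEST_RULES: List[Rule] = [
    ("192.168.2.0/24", "10.40.30.0/24", "allow"),  # wired event guests -> AV VLAN only
    ("192.168.0.0/16", "10.40.0.0/16", "deny"),    # any guest -> any LAN: blocked
    ("192.168.0.0/16", "0.0.0.0/0", "allow"),      # any guest -> Internet
]


def vlan_subnet(base: str, vlan_id: int, prefixlen: int = 24) -> str:
    """Subnet whose third octet is the VLAN ID, e.g. VLAN 30 under 10.40.0.0/16 -> 10.40.30.0/24."""
    net = ipaddress.IPv4Network(base)
    if net.prefixlen != 16:
        raise ValueError("third-octet scheme needs a /16 base")
    if not 0 <= vlan_id <= 255 or prefixlen < 24:
        raise ValueError("VLAN ID must fit in the third octet and the prefix must be /24 or longer")
    return str(ipaddress.IPv4Network((int(net.network_address) + (vlan_id << 8), prefixlen)))


def usable_hosts(cidr: str) -> int:
    """Host addresses available: a /31 or /32 reserves no network/broadcast address (RFC 3021)."""
    net = ipaddress.IPv4Network(cidr)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def check_no_overlap(cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Every pair of prefixes that overlap; an empty list means the plan is consistent."""
    nets = sorted((ipaddress.IPv4Network(c) for c in cidrs),
                  key=lambda n: (int(n.network_address), n.prefixlen))
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                clashes.append((str(a), str(b)))
    return clashes


def covering_prefix(cidrs: Iterable[str]) -> str:
    """Smallest single prefix containing every subnet: the aggregate a route or firewall rule can key on."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    if not nets:
        raise ValueError("no subnets given")
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return str(cand)


def first_match(rules: List[Rule], src: str, dst: str) -> str:
    """Action of the first rule whose source and destination both contain the packet; default deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for src_net, dst_net, action in rules:
        if s in ipaddress.IPv4Network(src_net) and d in ipaddress.IPv4Network(dst_net):
            return action
    return "deny"


def build_plan() -> Dict[str, str]:
    """Name -> CIDR for the constructed VLAN plan."""
    return {name: vlan_subnet(LAN_BASE, vid) for name, vid in VLAN_PLAN.items()}


if __name__ == "__main__":
    plan = build_plan()
    for name, cidr in plan.items():
        print(f"VLAN {VLAN_PLAN[name]:>3}  {name:<10} {cidr:<18} usable hosts: {usable_hosts(cidr)}")
    for size in ("/24", "/26", "/27", "/30", "/31"):
        print(f"10.40.20.0{size}: {usable_hosts('10.40.20.0' + size)} usable hosts")
    print("overlaps:", check_no_overlap(list(plan.values()) + P2P_LINKS))
    print("aggregate for policy:", covering_prefix(plan.values()))
    for src, dst in (("192.168.2.5", "10.40.30.10"), ("192.168.1.5", "10.40.30.10"), ("192.168.1.5", "203.0.113.9")):
        print(f"{src} -> {dst}: {first_match(GUEST_RULES, src, dst)}")
```

Two things the script makes visible that the prose only implies: the overlap check flags the moment someone later assigns VLAN 254 a /24 on top of the /31 link block, and the policy only ever sees traffic that crosses a subnet boundary, so two hosts inside the same /24 never hit any of these rules, which is the broadcast-domain point made earlier in the thread.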