Flat vs Segmented Network Design

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, snipped-for-privacy@yahoo.com chose the tried and tested strategy of:

What is performance like? If it ain't broke, don't fix it.

A modern L3 switch should be able to route at wire speed.

It's not just active adversaries you have to worry about - what about that genius who accidentally gets the default gateway and the IP address the wrong way round when configuring his network card, knocking out the internet for everybody else?

Broadcasts kill wireless performance. Keep wireless and the servers on a separate VLAN at least.

Yeah...until they are! Unless you've got serious performance issues with your segmented network and can't afford the requisite hardware, don't try and fix it.

Performance is fine now on all wired segments (but some APs get overloaded at times.) The motivation for changing the design is a desire for increased simplicity.

I will certainly keep wireless separate. Why do you recommend separating the servers from the clients? This seems counterproductive.

Funnily enough Mr. Bob I hold exactly the opposite view.

Since we have hardware IP routing there is no reason to make subnets other than very small.

Why not exactly one PC per network?

At the end of the day, PC's are now so fast that it will be pretty much impossible to everwhelm then but I fancy sticking to a hundred or so per subnet. It is free. Why have more?

Often those IP routing switches have an artificial limit on the number of VLANs that you can create, sometimes changable by buying an extra license (hence artificial).

So the switch may be capable of routing between 10 or 16 different VLANs, for example.

Thank you for your comments, BOD43. You presented an interesting perspective. While microsegmentation makes perfect sense to me at L2, I am not yet convinced that this logic extends to L3. However, since the latency penalty of routing has now been eliminated, maybe so.

Are you referring to NetBIOS name query broadcasts? Although these used to be a problem in Microsoft networks, I believe that they have been pretty much replaced with DNS unicasts. Although I haven't checked this out myself, I've been told that broadcasts are not a significant problem any more. Is your experience different?

You are right, there is no noticable broadcast traffic in a reasonably configured MS network.

The ARP traffic is about it.

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, snipped-for-privacy@yahoo.com chose the tried and tested strategy of:

For the same reason; anyone can give their PC the same IP address as one of your servers and knock everybody else offline.

As an example, I know someone with a 192.168.0.0/16. He has about 500 desktops, 20 servers, 30 switches, etc all in that subnet. His main servers are 192.168.0.1 2 and 3. Unfortunately 192.168.0.0/24 is a common default for some domestic routers, so when users bring hibernated laptops in from home, and plug them in, pandemonium will reign while many users get disconnected from Exchange, roaming profiles, etc.

This isn't even to mention the damage someone with malicious intent can do if you make it easy for them.