VLSM Segmentation

I often hear that it is advisable, when segmenting a network (VLSM), to have subnets whose number of IPs is as close as possible to the number of real machines.

I understand the usefulness of segmenting a network into subnets, but why do you have to adjust their size? What is the problem with using a /24 mask for only 10 machines when it is a private network?

I think it is for security reasons (defense in depth) but are there other reasons?

Thanks a lot :)


This sort of vague advice is based on the idea that IP addresses are a limited (and potentially costly) resource, so one should be as efficient as possible.

This doesn't really apply to private (RFC 1918) addresses, since there are usually enough to go around.

You also have to balance this against the administrative cost of managing networks of different sizes, especially if the size has to change. Having lots of different subnet sizes is difficult to manage and troubleshoot. It's far easier to sacrifice a little efficiency for ease of management and ease of troubleshooting problems.

There are no security issues that come to mind.
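The trade-off this answer describes can be made concrete by planning the same set of LANs twice, once right-sized with the classic VLSM procedure and once with a uniform /24 per LAN, and comparing how much of a private /16 each plan consumes. This is an added illustration, not code from the thread; the LAN names and host counts are constructed sample data.

```python
import ipaddress
import math
from typing import Dict, Optional

# Constructed sample: LAN name -> number of real machines on it
LAN_HOSTS = {"servers": 10, "office": 60, "printers": 4, "voip": 120, "guest-wifi": 200}


def min_prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still fits `hosts` machines.

    IPv4 reserves the network and broadcast addresses, so the subnet needs
    hosts + 2 addresses in total, rounded up to the next power of two.
    """
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    host_bits = math.ceil(math.log2(hosts + 2))
    return 32 - host_bits


def allocate(block: str, lans: Dict[str, int], fixed_prefix: Optional[int] = None) -> Dict[str, ipaddress.IPv4Network]:
    """Carve `block` into one subnet per LAN.

    fixed_prefix=None is the VLSM procedure: place LANs largest first and give
    each the smallest subnet that fits. fixed_prefix=24 gives every LAN a /24.
    Placing largest first keeps every subnet naturally aligned with no gaps.
    """
    supernet = ipaddress.ip_network(block)
    plan: Dict[str, ipaddress.IPv4Network] = {}
    cursor = int(supernet.network_address)
    for name, hosts in sorted(lans.items(), key=lambda kv: -kv[1]):
        prefix = fixed_prefix if fixed_prefix is not None else min_prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size  # align start to the subnet size
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(supernet):
            raise ValueError(f"{block} exhausted while placing {name}")
        plan[name] = net
        cursor += size
    return plan


def addresses_consumed(plan: Dict[str, ipaddress.IPv4Network]) -> int:
    """Total addresses (including network/broadcast) used by a plan."""
    return sum(net.num_addresses for net in plan.values())


if __name__ == "__main__":
    for label, prefix in (("VLSM", None), ("uniform /24", 24)):
        plan = allocate("10.0.0.0/16", LAN_HOSTS, fixed_prefix=prefix)
        used = addresses_consumed(plan)
        print(f"{label}: {used} of 65536 addresses ({used / 65536:.1%})")
        for name, net in plan.items():
            print(f"  {name:<10} {net}  ({LAN_HOSTS[name]} hosts)")
```

Both plans use well under 2% of a single /16, which is the point made above: the efficiency gained by right-sizing is real but usually irrelevant in RFC 1918 space, while the uniform plan is easier to read and troubleshoot.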


I often hear that it is advisable when segmenting a network (VLSM) to have subnets that have a number of IPs that is as close as possible to the number of real machines.

I've never heard or read that. Can you cite any documentation that states as much?

What is the problem of using a /24 mask for only 10 machines when it is a private network?

There is no problem. Use a /24 if that's what you want to use.

I think it is for security reasons (defense in depth) but are there other reasons?

I don't see how the subnet size is related to security. Can you cite any documentation that states as much?