When several Z1 Teleworker Gateways are deployed to establish Site-to-site VPN tunnels to an MX in Concentrator Mode, a static route for each VPN connection needs to be configured on the MX's default gateway. However, configuring one static route per device is inconvenient for large-scale Z1 deployments. Using Route Summarization, this task can be accomplished with one route if configured correctly.
1. Configure the MX as a VPN Concentrator.
2. Configure the Class B summarized route. Use a Class B (or /16 in CIDR notation) network when configuring the static route to the VPN Concentrator on your third-party default gateway. This can be done with any private Class B subnet such as 172.16.0.0/16.
Note: The subnets suggested in this example are not required for proper Route Summarization. Other subnetting methodologies such as VLSM (variable length subnet mask addressing) can appropriately achieve similar deployment goals.
Figure 1. Sample configuration of the route needed on a Cisco router, where 10.10.10.1 is the default gateway of the corp network.
Figure 2. Configuring the local subnet on the Z1 for VPN route summarization.
3. Subnet each Z1 within the range of the summarized route. When deploying each Z1, go to Configure > Addressing & VLANs and configure the device’s Local Subnet in the same range as the 172.16.0.0/16 route. Each Z1 will be in a /24 addressing scheme that is part of the /16 route that you configured. Use a unique Class C subnet for each Z1 to avoid overlapping subnets. If subnets overlap, traffic cannot be routed.
Figure 3. An example deployment with Z1s on separate Class C subnets and the route on the corporate gateway pointing to the Class B subnet.
The Z1s are subnetted in the same Class B network (/16) and on a distinct subnet range from the datacenter. This separation allows Route Summarization to work because all VPN traffic is destined for one large subnet that encompasses many smaller Z1 networks.
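The conditions above (every Z1 subnet inside the summarized route, no two Z1 subnets overlapping, and the datacenter range kept separate) can be checked before deployment. The following is an added example, not part of the original article or any Meraki tooling; the site names, the Z1 subnets and the 10.10.10.0/24 datacenter subnet are constructed sample values.

```python
import ipaddress


def validate_summarization(summary, z1_subnets, datacenter_subnets):
    """Return a list of problems; an empty list means the plan is consistent.

    summary            -- the summarized route, e.g. "172.16.0.0/16"
    z1_subnets         -- dict of site name -> Local Subnet in CIDR notation
    datacenter_subnets -- list of subnets that must stay outside the summary
    ip_network() raises ValueError if a subnet has host bits set.
    """
    summary_net = ipaddress.ip_network(summary)
    dc_nets = [ipaddress.ip_network(n) for n in datacenter_subnets]
    problems = []
    seen = []  # (site, network) pairs already examined

    for site, cidr in z1_subnets.items():
        net = ipaddress.ip_network(cidr)
        # Each Z1 must fall inside the single route on the default gateway.
        if not net.subnet_of(summary_net):
            problems.append(f"{site}: {net} is outside summary route {summary_net}")
        # Z1 subnets must be unique and non-overlapping.
        for other_site, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{site}: {net} overlaps {other_site} ({other_net})")
        seen.append((site, net))

    # The datacenter must sit on a distinct range from the summarized route.
    for dc in dc_nets:
        if dc.overlaps(summary_net):
            problems.append(f"datacenter {dc} overlaps summary route {summary_net}")
    return problems


# Constructed sample plans (not real deployment data).
SUMMARY = "172.16.0.0/16"
DATACENTER = ["10.10.10.0/24"]
GOOD_PLAN = {"z1-a": "172.16.1.0/24", "z1-b": "172.16.2.0/24", "z1-c": "172.16.3.0/24"}
BAD_PLAN = {"z1-a": "172.16.1.0/24", "z1-b": "172.16.1.128/25", "z1-c": "172.17.3.0/24"}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = validate_summarization(SUMMARY, plan, DATACENTER)
        print(name, "plan:", issues or "no problems")
```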