Subnetting Large-scale Teleworker Gateway Deployments for Route Summarization
When several Z-series Teleworker Gateways are deployed to establish site-to-site VPN tunnels to an MX in VPN Concentrator Mode, a static route for each VPN connection needs to be configured on the MX's default gateway. However, configuring one static route per device is cumbersome for large-scale Teleworker Gateway deployments. Using Route Summarization, this task can be accomplished with one route if configured correctly.
1. Configure the MX as a VPN Concentrator.
2. Configure the Class B summarized route. Use a Class B (or /16 in CIDR notation) network when configuring the static route to the VPN Concentrator on your third-party default gateway. This can be done with any private Class B subnet such as 172.16.0.0/16.
The subnets suggested in this example are not required for proper Route Summarization. Other subnetting methodologies such as VLSM (variable length subnet mask addressing) can appropriately achieve similar deployment goals.
Figure 1. Sample configuration of the route needed on a Cisco Router, where 10.10.10.1 is the IP address of the MX VPN Concentrator.
Figure 2. Configuring the local subnet on the Teleworker Gateway for VPN Route Summarization.
3. Subnet each Teleworker Gateway within the range of the summarized route. When deploying each Teleworker Gateway, go to Teleworker gateway > Configure > Addressing & VLANs and configure the device’s LAN Config Subnet in the same range as the 172.16.0.0/16 route. Each Teleworker Gateway will be in a /24 addressing scheme that is part of the /16 route that you configured. Use a unique Class C subnet for each Teleworker Gateway to avoid overlapping subnets. If there are overlapping subnets, traffic will not be able to route.
Figure 3. An example deployment with Teleworker Gateways on separate Class C subnets and the route on the Cisco router pointing to the MX VPN Concentrator IP.
The Teleworker Gateways are subnetted in the same Class B network (/16) and on distinct subnet ranges from the datacenter. This separation allows Route Summarization to work because all VPN traffic is destined for one large subnet that encompasses many smaller Teleworker Gateway networks.